The CIO Council recently published guidance on how to think about Web 2.0 and security, and the Defense Department is getting ready to release its own guidelines on using the same tools within that agency.
Rob Carey is CIO at the Department of the Navy and co-chair of the CIO Council’s security committee, which created the Council’s document.
On the Daily Debrief, he talked more about the new guidance, why it’s being circulated and what both agencies and the private sector can learn from it.
In addition, he discussed how the DoD plans to use the guidance for its own agency objectives.
Carey said the government has policy for just about everything else, so why not social networking?
“Most social networking tools come with no rules of the road. So, the way the Internet has moved towards user-generated content, we felt that there was a void that we could help fill regarding . . . best practices. What are some guidance and helpful hints and just suggestions to mitigate some of the security risks associated with social media in . . . doing your job or just at home?”
Carey said the guidelines are not quite at the level of risk management, though raising awareness of potential risks could lead to users being more wary of what they do online.
“Social media has a powerful collaboration engine associated with it and the ability to reach out and touch folks in different ways we never thought possible and stay connected with them. At the same time, when you’re in — and I won’t name any specific applications — when you’re in certain applications and you click on a link, are you sure what’s going to happen when that link is clicked even though you know it came from one of your friends?”
Thus, the impetus for the recommendations.
Carey said the CIO Council hopes they promote discussions about being safe online, while also helping users understand what might not happen with regard to Web 2.0 tools.
DoD, for its part, also wanted to get ideas from the companies and groups that created the tools themselves.
Carey said DoD CIO David Wennergren held a social network summit with Facebook, LinkedIn, YouTube and several others to learn more about what is inherently in each tool in terms of security.
“There was a good discussion about . . . the kinds of protections that are built in — that the tools use to make sure privacy is recognized and some other features of security — malware, things like that. At the same time, the real discussion was — how best can we take advantage of these tools, maybe inside our own firewall? That debate is on-going. We learned a lot . . . and I think they learned a little bit more about where certainly the DoD is coming from.”
In addition to the CIO Council’s document, DoD is planning to release policy about how it plans to address Web 2.0 across the agency.
“As a matter of fact, this document — [Navy Deputy CIO] Brian Burns . . . was one of the principal authors of this document and he has also been helping Dave Wennergren and his team write and help craft the right set of policies and implementation directives so, not only — ok, here’s the rule set — but here’s how I want you to now engage these tools for the foreseeable future. That is getting ready to pop in the coming weeks.”
The DoD is trying to make sure it is making the correct, risk-based decisions as it writes policy.
Carey said everyone at the agency is aware of the benefits, but that there is also risk involved.
“If you’re aware of them, and the benefits outweigh the risks, then your decision is clear. If the benefits do not outweigh the risks, then you have to make sure you’re doing the right thing.”
Transparency, of course, is another buzzword associated with Web 2.0. This has been a particular challenge for the DoD, considering it often deals with sensitive information.
Carey said he understands both sides of the issue because he wears both the security and the sharing hats, so to speak.
“We need to be able to balance this polarity. . . . You have to have both. You have to be able to share, securely, information that you need and collaborate securely. Notice I said securely on both sides. . . . We need to work the problem with both results in mind so that we get to the right answer. If I completely open up our information, I have a different problem. If I lock it down securely, I don’t collaborate and I don’t get anywhere so, we need to make sure both [sides] are talking and are part of the solution.”
Carey did make the point that leaking Operational Security — or classified — information is a different problem altogether.
“There are rules and regulations that govern that very carefully and, occasionally, does the system trip and stumble? Yes, but the [document] is really about the controlled, unclassified . . . type of information — our business information. How do you share it? How do you put it out? Do these tools serve that purpose?”
Carey said, for example, the Chairman of the Joint Chiefs, Admiral Mike Mullen, regularly updates his Facebook and Twitter accounts, though clearly no classified information is shared.
Overall, DoD is looking for new opportunities to extend its unclassified .gov and .mil networks onto the Internet to get the job done.
“We need to be able to manage and provide advice and counsel through this document [with] some thoughts on how best to hit various aspects of that.”