The DoD's social media policy, titled, "Directive-Type Memorandum (DTM) 09-026 - Responsible and Effective ..." will expire on March 1, 2011. Through discussions with people in DoD, I've learned that the stated plan to replace this policy with a long-term Instruction has been shelved indefinitely, and all resources associated with this effort have been terminated. This raises many questions.
This policy was result of a very contentions internal and eventually public fight in 2009 about whether people in the military other than recruiters and public affairs officers should be able to access sites like Facebook, Youtube, Skype and Twitter. On one side of the debate, US Strategic Command (STRATCOM), the Marine Corps and the Air Force (initially) supported blocking access to social networking sites, while the DoD CIO, OSD Public Affairs, the Navy, Army, and many of the Combatant Commands advocated a more open stance. Many other components engaged in this process, with specific topics of interest ranging from intelligence concerns, privacy, innovation, security and records management. In the end, the Joint Chiefs and Deputy Secretary decide upon a posture that advocated an open stance that took both security risks and operational opportunities into account. My part in this effort (as a contractor to DoD CIO) was as one of the principal authors of the draft policy that senior leaders took and modified over a period of months, eventually leading to the final version.
While the malicious actions of Pfc. Manning have certainly shifted the debate regarding information sharing and "Need to Know" versus "Need to Share", I think its worth revisiting the rationale behind the stance of DoD's social media policy. The reasons for stating that the "NIPRNET shall be configured to provide access to Internet-based capabilities across all DoD Components" have not gone away, nor have the faults associated with the proposed remedy to close down access. As anyone involved in policy writing knows, the actual policy statements provide an approach to resolve the issues identified, yet the problems and goals are often not part of the actual policy itself. From my own perspective, here were key issues that the Internet-based Capabilities policy addressed:
Military Families access to Facebook, Youtube, Twitter, Skype, etc: During the formulation of this policy, for the first time ever, DoD engaged with the public in true open government fashion to solicit guidance from the public. The DoD Web 2.0 Guidance Forum generated significant interest, with over 280 responses alone from military families relaying heart-wrenching stories attesting to the need for access to these tools, even outside of MWR facilities.
From Robert Dozier:
With Facebook and Twitter, a deployed Soldier has the opportunity to speak in relative-time to their friends and loved ones, without the limitations of real-time methods.Imagine the words “heading to the hospital” as they are shared in text form vs. voice form. Could be a spouse going to deliver a baby, or a Soldier being med-evaced. In the face of reality, these words may never get through except through the use of Social Media. Keep it open, keep it safe, and keep it real.
From Tina Hayes:
My daughter is in Iraq and used the net cam to watch her son’s first birthday party. These sites are the way most family members can find out how their soldiers are doing. This is my daughters second tour and using the computer is much easier than using the phone to find out how she is doing and what she needs me to send her. Please don’t take this mode of communication away from the families of our soldiers.
From Kelly Awtrey:
These social media tools are invaluable while stationed overseas where communication, contrary to popular belief and what the media will have you believe, is spotty AT BEST. Even if I am not actually chatting with my husband we can exchange necessary information through “wall posts” that keep us informed, such as bank transfers, equipment I need to send him, etc. It is also a HUGE morale booster to be able to communicate with family and loved ones. As my husband’s missions are extremely dangerous just getting a quick post lets me know he’s alive which is an IMMENSE stress reliever for me.
If you care about this issue or even have a passing interest, do yourself a favor and read through a some of these posts - the need is clear. Bottom line, its clear that social media has had an immense impact in allowing families to maintain a sense of normalcy. This has a direct impact to military readiness.
DoD Policies have not kept pace with the opportunities and risks of internet technologies: The policy uses the term Internet-based Capabilities for a specific reason - We might be concerned about the risks of social networking sites today, but tomorrow will provide a whole new set of innovations that have new security concerns, and new ways of improving our work. When this policy expires, the associated actions in the roles and responsibilities with tracking the risks and opportunities also disappear. If DoD doesn't track this, it will both lose out on the opportunities, while yet again being blindsided by the new vulnerabilities.
DoD is already using Internet Technologies outside of the DoD network for critical mission oriented work: One of the key questions during the policy development process concerned whether DoD personnel and organizations could conduct critical mission oriented work outside of the DoD Network. Jack Holt captured the question best by asking whether we should look at the Internet as a fortress to defend from, or whether we consider it a field of maneuver. If its a fortress to defend from, than yes, we should build the walls. The problem is by doing so, we will be ceding the internet to our opponents and adversaries who will use it for misinformation, disinformation and impersonation. The current policy allows the following types of things to occur:
DoD's approach to interacting with the internet is fractured and inconsistent: Prior to the Internet-based Capabilities policy, if you were in the Marine Corps, sites like Youtube and Facebook were blocked. But if you were in the Army, you just might have full access to them. The policy addressed this by requiring the same level of access across DoD. On March 1, I wouldn't be surprised to see YouTube and other sites cut off once again.
The threats posed by social networking services (social engineering and malware) are not unique: While there are concerns with social networking services, most internet security experts will tell you that the number of attacks via email far outnumber the rest of the web. Social engineering and malware occur across the internet, not just through Facebook. And truly, the companies comprising the "Main street" of the internet have top quality security teams who work tirelessly to make their sites safe. Compare these with the far more dangerous "side streets" of the internet if you want to quantify risk. In other words, the risk is the connection to the web itself, not just social networking sites.
Blocking access to Social Networking Sites doesn't work: During the policy development process, we were able to change the debate by shifting the definition from "Social Networking Sites" to "Social Networking Services". As part of this effort, I asked David Recordon, Co-founder of OpenID, current Facebook Open Source Programs Manager, and all around Uber Alpha-Geek, to write about the problem with the remedy STRATCOM was proposing. David's blog post on O'Reilly Radar, titled, "Dear DoD, the Web Itself is Social" was distributed and read at the highest levels during the policy debate. In describing the problem with blocking social networking sites, David made the case that its virtually impossible to separate social networking sites from the rest of the internet. In this post he made the following statement:
It's my belief that even if the DoD tried to block all access to social networking sites it would be a never ending and ultimately unsuccessful battle as social is becoming a core component of the web itself.
Even if you block Facebook, people can still interact on Facebook by using HuffingtonPost, WashingtonPost.com, or the New York Times site, or one of hundreds, if not now thousands of other sites. Social networking "sites" is not a relevant term, as their "services" now pervade the internet. As an example, we've now gotten to the point where its out of place for a smaller website to ask the user to create a unique login. We EXPECT to use our Facebook, Twitter or Google account to login. So in essence, the question isn't really whether we should block the social networking sites, the question is whether we block access to the internet. This is truly where the argument will end up, and in fact, was exactly where it ended up during the Internet-based Capabilities policy development phase.
The sad part in all this is that Washington Headquarter Services (WHS), the organization in DoD that manages the policy Directives process, recommended that the language submitted in the DTM go straight to a Directive (a permanent document) instead of a Directive Type Memorandum (a transient document that lasts only 180 days). Had this recommendation been accepted, like most good policy, this would have had an enduring effect.
What's Next? Given that the Internet-based Capabilities policy was the first policy in DoD to actually engage the public in the policy formulation process, it stands to reason that the public should have a chance to weigh in on its dismissal. There were reasons that USG shifted toward a "Need to Share" mindset. Those reasons haven't diminished, nor has innovation on the internet.
I would love to see DoD senior leadership address this issue. Specifically, I would love to them to say that they will not allow blockage of military family communications, that DoD Components can still conduct mission oriented work outside of DoD networks (again, would be nice to see the current policy statement that will back this up) and that they are devoting resources to keeping pace with the risks AND opportunities that internet technologies will continue to serve up. I am positive that DoD is taking appropriate actions to protect the network, but would love to be just as reassured that they are still plan on taking advantage of the opportunities, and not ceding the internet space to our adversaries.
Note: I am no longer working for DoD, and have not since the middle of last year. These views are solely my own and only relate to my time working with DoD CIO in the policy development process. I claim no special knowledge other than recent anecdotal conversations and the experience I had during the policy formulation process, nor have I looked at any documents that provide details on current plans.