, ,

How Social Media Is Both a Tool and Risk to Government InfoSec

No matter your personal relationship with social media, there is no doubt about its impact on government agencies. Not everyone believes it’s all been good. For example, just a few days ago the Arizona Senate Transportation and Technology Committee approved SB1687. This bill would prohibit any governmental entity in Arizona from using a social media platform for any official purposes. Regardless of my opinion, it’s clear that social media is perceived as a double-edged sword by both sides of the political aisle.

On one hand, government is about meeting the needs of its constituents. It’s important for us to understand how our residents and businesses want to consume our services. Part of our objectives at Maricopa County is to become the first “all-digital” county in the United States. This is because, in large part, it is how a significant portion of our 4.6 million residents conduct their daily lives. If they can order food to be delivered to their front door, why can’t they submit their request to inspect a new add-on to their home? Conversely, we need to make sure that as government, we do our best to reach everyone when it comes to communications and services. This includes those who don’t have access to the internet or elect not to use it, like my mother-in-law.

Needless to say, social media is a huge part of governmental communications – ask anyone in your public information office (PIO) or communications department. However, this has created a whole new vector for potential information security (infosec) risk and, frankly, has forced a lot of cyber teams to rethink their portfolio of services.

As I have mentioned in previous blogs, the 2020 election cycle was at the top of our priority list last year. Other than our response to COVID-19 and its downstream ramifications, the elections were our top infosec priority. While we saw a variety of cyber activity (perhaps a future blog topic itself), hands down our biggest challenge was with social media misinformation and disinformation.

Let’s take a moment to delineate the two, because the difference has a direct correlation on how my security team treats and responds to potential threats.

According to Dictionary.com, misinformation is “false information that is spread, regardless of intent to mislead.” Disinformation is “deliberately misleading or biased information; manipulated narrative or facts; propaganda.” The big difference is intent. From an infosec perspective, intent is what distinguishes between the level of risk being observed.

Let’s put it another way. Who would you be more concerned about – a group that passes along information about your agency that is false but which they believe is accurate? Or a group that knowingly spreads incorrect information? Why would someone purposely spread false information? Is there a bigger agenda at play in this scenario? Who poses the greater risk to your agency in this example?

It was one thing when the way to spread misinformation and disinformation was through word of mouth or the newspaper. With social media being so ubiquitous in everyone’s lives, this problem has grown in size and complexity. With this said, is this really an infosec problem, or is it more a problem for your PIO/communications director? The answer is both.

Obviously, this is a communications challenge. But how does infosec play into this? There are multiple facets to this question.

  1. Your communications department is responsible for sharing information on behalf of your organization. But oftentimes, the security of the information your agency has or creates is the purview of your IT department (specifically your infosec team, assuming you have one).
  2. From an infosec perspective, we tend to say cyber events can turn into kinetic events. What we mean is that what we see from information sharing via social media or cyber attacks like DDOS may indicate a higher likelihood of physical events like protests, riots or, worse, attacks.
  3. Knowing all of these, both communications and infosec should be sharing information with one another so the other side can take the appropriate steps to respond and prepare. If your agencies don’t regularly share information, this is something you should consider revisiting.

Here is an example that illustrates the above. In the 2018 election cycle (before I joined Maricopa County), someone on Election Day tweeted that a particular polling location was closed and turning away voters. It turned out this was not true. Our Recorder’s Department quickly sent updated information via social media, countering this disinformation campaign. At the same time, InfoSec jumped in and notified our Arizona Counter Terrorism Information Center (ACTIC), which also functions as our regional cyber fusion center. From there the ACTIC reached out to the FBI, who coordinated with Twitter and had the account in question suspended within an hour.

Another example is how we have observed social media as a tool to coordinate activities amongst hacktivists, etc. People will use social media to tell others where to find doxxed information about a government official or employee.

As a result of all of this, monitoring social media has become a critical part of my team’s daily situational awareness. We even went so far as creating unique social media incident response playbooks for the 2020 elections. While the vast majority of what is regularly posted on social media is relatively benign, it has proven too consistent a measure of potential cyber risk to ignore.

So, to summarize – social media is an important tool for government agencies. With this technology though comes a number of challenges, both communication- and information security-related. As with other examples of how infosec should support your business objectives, your agency should try to take a tactical approach to monitoring social media. One of the best ways to start is to have your communications and infosec (or IT) teams collaborate, review tools and processes, but more importantly, establish a plan for information sharing.

Interested in becoming a Featured Contributor? Email topics you’re interested in covering for GovLoop to [email protected]. And to read more from our Winter 2021 Cohort, here is a full list of every Featured Contributor during this cohort.

Lester Godsey is the Chief Information Security and Privacy Officer for Maricopa County, Arizona, which is the fourth most populous county in the United States. With over 25 years of higher education and local government IT experience, Lester has spoken at local, state and national conferences on topics ranging from telecommunications to project management to cybersecurity and data. His current areas of professional interest center around IoT (Internet of Things) technology and data management and the juxtaposition of these disciplines with cybersecurity. You can follow Lester on LinkedIn.

Leave a Comment

One Comment

Leave a Reply