Fortune recently published an article raising concerns about the tendency of some U.S. federal workers and military personnel to post information about their security clearances on LinkedIn. Fortune found multiple LinkedIn accounts belonging to Americans who were using the platform to publicize the fact that they had access to top-secret information. But how much of a problem is it that employees are posting such information on social media, especially if it is routinely included in resumes posted on job boards? It can be significant, from both a cybersecurity and a national security perspective.
The concern over the practice of employees posting clearance information online stems from the idea that this provides our adversaries with an easy and efficient way to identify attractive targets for influence campaigns and lets them efficiently map social and professional networks to enable deeper targeting. Given the national security risk this practice exposes us to, it might seem reasonable for the U.S. government or federal contractors to prohibit employees from posting such information. But how practical or advisable would it be for the U.S. government to ban this practice?
To enforce a prohibition on the posting of clearance information on social media, the government would need a technical method of monitoring employees’ social media accounts. Although commercial tools exist that could do this, we must ask whether the benefit to the government would justify a practice that would constitute a fairly considerable invasion of employee privacy. Many employees very legitimately include their clearance information on their resumes. For most cleared jobs, you must already have a clearance to even have your resume looked at. Employees post their resumes containing this information on employment websites that are no more difficult for adversaries to access than social media. Several employment websites cater exclusively to employers seeking cleared individuals.
Given this, the idea that we could prevent adversaries from discovering employees’ clearance information simply by banning the practice of including it on social media is an empty hope. Still, that doesn’t mean we should do nothing. We should use the opportunity of the Fortune piece to have a constructive conversation about what we can do to frustrate adversaries who aggressively utilize social media and thereby mitigate the risk they pose. Two ideas jump immediately to mind.
The first is that organizations that employ cleared personnel must have greater insight into what adversaries can see about their employees. They need to understand how our adversaries use non-public and public information, including social media information, to map their organizations and how they target employees. Organizations should use that intelligence to understand which personnel are likely to be most targeted and then provide additional training to and security controls for those key positions.
The second is that organizations must have a far better understanding of how adversaries use false or deceptive social media accounts to reach out to their personnel with the intent of compromising them. Otavio Freire, CTO and co-founder of SafeGuard Cyber, notes that they are “seeing a steady increase of language-based attacks that use impersonation, deception, urgency, and semantic tactics to convince their targets to take actions that they shouldn’t.” False and deceptive outreach could aim to simply gather information from individuals, but it can also be used to send files and links that contain malware that can infect computers and provide adversaries with further access to sensitive systems. Organizations must have the ability to identify these types of campaigns and targeted connections in real time to protect themselves and their personnel. Tools exist today to help them do this, including the SafeGuard Cyber platform, which can identify and block actions even when messages have been deleted.
The practice of cleared employees posting their clearance information in the open presents a challenge, but we need not be bystanders. Instead of focusing on preventing this practice, we must focus on how we can ensure that adversaries cannot leverage that information to get what they are really after: sensitive government information. Federal agencies and contractors should reach out for technologies that allow them to understand how adversaries leverage social media to target their organizations so they can take steps to manage the risk just as they do with other attack vectors.
Katherine Gronberg is the Head of Government Services at NightDragon, a venture capital firm focused on cybersecurity, security, safety and privacy technologies.
Max Everett is the Chief Information Security Officer at Shaw Industries and the former Chief Information Officer of the Department of Energy.