Web service users face OPSEC risks

  • Published
  • By Darren Tillman
  • OSI Detachment 419 Commander
TYNDALL AIR FORCE BASE, Fla. --  With more than 80 million users, MySpace service and other personal Web site providers empower users to communicate with a world-wide online network of friends, and unfortunately, potential enemies.  

Operational security is the Air Force Office of Special Investigations' primary concern with Air Force members' who use MySpace and other services. 

"Our military and civilian members need to be aware that extremist and terrorist groups are actively seeking to gain information from them using the internet as a source," said Capt. Mike Garrett, 325th Fighter Wing Plans deputy chief and base anti-terrorism officer. 

"What you do on these sites may be personnel, but when you expose information about the government and release operationally secure information it becomes a threat to our national security," he said.  

MySpace, and other services, don't charge users to set up profiles or establish an account.  What can be more alarming, is that some sites don't independently verify the identity of its users.  

Utilizing the anonymity of the service, opposing intelligence services, terrorist organizations and enterprising criminals can use the service to target Air Force members.  They "become" anyone they want to be in order to target Air Force personnel who may have access to secure information they are seeking.  

"Our enemy has a unique method of piecing information together, so they may find vulnerabilities in our defense systems," said Capt. Garrett. "Don't help them. Do not place photos that identify you as a military member. Do not advertise what your Air Force job is and do not ever release OPSEC information.  

Be cautious before answering e-mails. Always think about force protection and ask yourself, 'Why is this person asking more about me and what I do?'" 

The free online social networking service Web sites allow users to create their own profile pages with lists of their favorite musicians, books and movies, photos of themselves and friends. This information can act as a database that criminals as well as intelligence or terrorist organizations can utilize to "datamine" for potential targets.  

For instance, if a perpetrator is looking for an Air Force member who works in a particular specialty in order to gather information regarding a program or aircraft, he can search the Web service to identify a specific person based on that individual's profile.  The perpetrator can then use the information in the Airman's profile to develop a plan to build rapport.  

If the Air Force member's profile said "enjoys fishing as a hobby," the perpetratorwill also assume interest in fishing in order to develop a relationship with the Airman. The "friendship" may develop to a point where the perpetrator asks for more information about the Air Force member's specific duties and knowledge of other secure topics (i.e. weapons systems that Airmen may have access to.) 

Airmen disclosing OPSEC information are subject to the U.S. Code of Military Justice.
"At a minimum, disclosure of OPSEC information would most likely be an offense that violates Article 92 of the UCMJ for dereliction of duty," said Capt. Rosemary Gilliam, 325th FW Assistant Staff Judge Advocate.  

"There are some other articles of the UCMJ that could potentially be violated," she said.  "However, this would depend on the facts and circumstances surrounding the disclosure of information on MySpace (and other Web sites)." 

The bottom line is that Airmen need to be aware that some individuals will use an online service like MySpace for criminal or intelligence gathering endeavors.  

From an OPSEC perspective, Air Force members should never include any photographs or information that may provide insight to Air Force tactics, techniques, procedures or capabilities.  Members should not describe current or impending deployments,aircraft capabilities or installation facilities. 

Additionally the use of language construed as racially or sexually disparaging is unacceptable and inappropriate for Air Force members, whether online or in person.
Airman who observe questionable information online should notify Tyndall OSI at 283-3261 or Capt. Garrett at 283-4664.

SIDEBAR

In accordance with AFI 71-101, Vol 4, Counterintelligence, Air Force personnel should report the following to OSI:  

- Personal contact with an individual (regardless of nationality) who suggests that a foreign intelligence or any terrorist organization may have targeted them or others for possible intelligence exploitation. 

- A request by anyone (regardless of nationality) for illegal or unauthorized access to classified or unclassified controlled information. 

- Contact with a known or suspected intelligence officer to include attachés from any country. 

- Contact for any reason, other than for official duties, with a foreign diplomatic establishment, whether in the United States or abroad. NOTE: Certain Air Force members and civilian employees in positions designated as "sensitive" by their Air Force component also may be required to notify their commanders or supervisors in advance of the nature and reason for contacting a foreign diplomatic establishment. 

- Activities related to planned, attempted, actual, or suspected espionage, terrorism, unauthorized technology transfer, sabotage, sedition, subversion, spying, treason, or other unlawful intelligence activities targeted against the Department of the Air Force, other U.S. facilities, organizations, or U.S. citizens. 

- Information indicating military members, civilian employees or DoD contractors have contemplated, attempted, or effected the deliberate compromise or unauthorized release of classified or unclassified controlled information. 

- Unauthorized intrusion into U.S. automated information systems, whether classified or unclassified; unauthorized transmissions of classified or unclassified controlled information without regard to medium, destination, or origin. 

- Unauthorized attempts to bypass automated information systems security devices or functions, unauthorized requests for passwords, or unauthorized installation of modems or other devices into automated information systems (including telephone systems) whether classified or unclassified.