The Department of Defense is particularly vulnerable to compromise over social media. Despite the Robin Sage incident and the hijacking and defacing of the official Twitter account of US Central Command, the Department of Defense has been slow to formalize a department-wide policy on official and personal social media use. Meanwhile, threat actors ranging from low-level scammers to foreign intelligence agencies have exploited US social media companies for financial crimes and espionage. As a result of these two incidents and many others, the Department of Defense eventually created a department-wide social media policy, DoD Order 5400.17, to govern both external official presence (EOP) and personal social media use by DoD personnel.
Over the past year, ZeroFox Threat Intelligence analysts have observed a significant increase in both the number of targets and financial losses due to what the FBI has dubbed a “trust/romance” scam – a type of scam within the broader category of “social engineering”. These scammers use the military uniform as a symbol of trust to play on human emotions, either to create a romantic relationship with civilian victims or to lure soldiers into a relationship with fake dating profiles. Unsurprisingly, the criminals have no qualms about using deceased soldiers. We are prosecuting scammers posing as a Medal of Honor recipient who sadly died of cancer while lobbying in Congress for law changes. Another data point demonstrating the magnitude of the problem: a now-retired four-star general is known to have been impersonated over 52,000 times on social media, the most impersonations of a single person tracked by ZeroFox to date. Only 15,000 of those impersonations occurred while the general was on active duty.
The number of romance scam impersonators targeting US service members and their families is growing exponentially. According to the FTC’s 2021 Consumer Sentinel Network Data Book, service members have submitted more than 700,000 reports since 2018. Total losses were $718.7 million, nearly double what was reported in the 2020 databook over a four-year period. Actual incidents and casualties are likely an order of magnitude higher, as most victims do not report these crimes. From a national security perspective, these statistics should be a wake-up call. The scale of the military romance scam is diminishing confidence in the US military and reducing preparedness at a time when our competition with both Russia and China is at its highest in decades.
Romance and trust fraud are not the only aims of social media threat actors. In August, an unknown threat actor copied the text of an official US Army post about IPPS-A – the Army’s new integrated payroll and personnel system – and published it under a fake profile of a current four-star general, but changed the email address from army.mil to gmail.com. We can conclude that the goal of the threat actor responsible for the impersonation was to steal the personal data of US Army soldiers, but for what purpose – financial gain or espionage?
If this post were part of a spy campaign, it wouldn’t be the first time a foreign intelligence agency has created a social media profile posing as a DoD official. In the defection and espionage case of former US Air Force counterintelligence agent Monica Witt, her Iranian co-conspirators created a profile posing as DoD employees and used this fake profile to target other DoD employees with access to national security information.
Leaders at all levels need to start over when using social media. Military leaders tend to be shy about social media for obvious OPSEC reasons. However, the US armed forces must tell their story, or someone else will tell it for them. More units and executives need to create official and verified social media profiles. Staying one step ahead of threats can be as simple as establishing your presence before they do it for you.
That doesn’t mean that everyone who gets paid to wear the uniform should use photos of “cool guys” as their profile pictures. Unless the individual is officially using social media in accordance with EOP guidelines, all service members should refrain from using profile photos in uniform or listing titles and ranks on their profiles. Other photos and posts should be created with strict privacy controls to limit opportunities for scammers to lift content and move it to a fake profile or display posts that could impact OPSEC. Leaders must demonstrate responsible use of social media by being present where members of their unit are and discouraging them from posting security clearance information.
DoD also needs to update the policy to require managers of official social media accounts (EOP) to use multi-factor authentication and a unique password to prevent account takeover. The current version of DODI 5400.17 does not require specific security controls around official social media accounts. These standard security controls are necessary to prevent incidents such as the takeover of CENTCOM’s Twitter account.
The DoD should create a new directive that closes the gap between 5400.17 and O-2000.22 (Designation and Physical Protection of DoD High Risk Personnel) and focuses solely on protecting digital personas. The new directive would protect the digital personas of certain high-ranking individual soldiers, political appointees, Medal of Honor recipients and other soldiers whose likenesses are known to have been misused.
Fake social media accounts have been a problem for years. Investors, advertisers, and policymakers should urge social media companies to identify likely fake and spam accounts and warn anyone impersonated. Integrity on these platforms is critical to building trust with investors, advertisers, and policymakers.
Right now, the US Armed Forces are the most trusted organization in the United States. That trust is at stake if the Department of Defense fails to manage social media risks like account takeovers and identity theft. DoD also has a tremendous opportunity to improve its image and expand the pool of applicants. Leaders at all levels are key to success even on the battlefield of social media.
The views expressed here are those of the author and are not necessarily endorsed by Homeland Security Today, which welcomes a wide range of viewpoints in support of securing our homeland.