
ebizQ's Business Agility Watch

Kaitlin Brunsden

Social Media in the Federal Government: Talking with Fidelis Security Systems


What follows is my podcast with David Etue, Vice President of Products and Markets at Fidelis Security Systems. We talk about the use of social media and other collaborative technologies, like Facebook, LinkedIn, and Skype, in the federal government. More specifically, how they are embracing it and safely adopting it.

Listen to or download my 12:04 podcast below:


KB: Can you please provide us with a brief overview of your company?

DE: Fidelis Security Systems is a next generation network security company bringing deep session inspection technology to life, basically helping organizations protect their sensitive information whether it's from data breaches, cyber attacks, and other new and (indiscernible) threats to their networks.

KB: Today's topic is the use of social media and other collaborative technologies like Facebook, LinkedIn, Skype, etc. in the federal government. This includes how they are embracing it and safely adopting it. So David, social networking is pervasive in the private sector. Government agencies have a reputation of being laggards on adoption of new technologies. Is that the case with social networking?

DE: I think social networking is a place where actually the government has done some interesting work, in some cases being a pioneer but also looking at the potential value it can provide. If you look at the government role beyond protecting our country, this is a variety of citizen against constituent services and the reality is that there's a lot of platforms out there now from a social media perspective that have created great gathering to these constituents that when they are -- take Facebook for example.

There are hundreds of millions of folks on Facebook that the likelihood of voters and constituents that are having service provided being there is high and so while there's been a lot of concern in the government with using tools run by third parties and providing that type of outreach and services it's also clearly obvious that there is the new open government issues that there's appreciation for the value of those and I think really that the exciting piece is your GSA really and their (indiscernible) initiative has actually created custom terms of services where federal agencies have actually gone out and taken a leadership role in negotiating how they could interact with sites like Facebook, LinkedIn, MySpace.

And as of the end of last year, I think it was somewhere near, I think it was 27 federal government agencies that actually signed terms of service agreements with Facebook and were actually leveraging those technologies and so there is -- there's still definitely a lot of work to do but it's a place where they have taken some thought leadership but they are still very concerned about the risks. DHS has some interesting things with our border. There are many folks in the US Armed Forces have used particular areas and so they're doing some really interesting things.

KB: Government agencies handle huge amounts of personally identifiable information as well as classified data. What are the top security concerns faced by agencies that use social networking applications?

DE: Obviously, protecting that sensitive information is paramount to but too many cases our national security and in many cases in citizen trust in the government. And so social networking is not an appropriate place end user citizen, PII is likely or should be appearing particularly in classified information obviously. It should (indiscernible) be traversing public network. But really the interesting risk comes in that the likelihood of I think someone having a classified conversation in Facebook is low but there are a lot of other risks in the really the sensitive but unclassified area where people can really use social networking to understand more about programs and things that would let them then begin to plan either a malicious activity or other knowledge they're trying to gain.

And so one of the things to be really careful about from a social networking perspective is what information is shared and when that information is put together. What type of picture can you put together about a program or agency? And so, hopefully, we won't be having a lot of conversations about PII or classified data being posted to social networking sites so that is something that Fidelis can help prevent. I think the more important part of the conversation is looking at operational security and other information about programs and employees and making sure that an intelligent information sharing process is used to leverage social networking for good while mitigating the risks of inappropriate information sharing.

KB: How should government agencies mitigate risk to be able to safely utilize the positive aspects found in social networking applications?

DE: As I look at the risk equation, I think there's really four key areas where there are risks that need to be mitigated and I'll just go through each risk real quick and then talk about some of the ways we can unlock them. So the first is making sure that and this is much less technical but making sure that the appropriate users are speaking on the agency's behalf. Obviously, anyone can create a Facebook account even if it's blocked. From the office, we have mobile versions and home computers, and so making sure that people understand who is appropriate to be able to speak on the agency's behalf. I'm someone who can speak on behalf of Fidelis.

In our example, we wouldn't want a developer launching, announcing a new product release. So making sure people understand much like in the PR, the media outlet call and asking questions that PR should handle. Making sure that the right folks are speaking on the agency's behalf. And the last question we talked obviously about posting of sensitive information and making sure that it's very clear where information should or shouldn't be shared. Generally, talking about PII, the government's had the Privacy Act of 1974 for obviously quite some time, and its protection of citizens and employee PII is fairly well ingrained in the culture so hopefully that's not a risk.

But you talk about national security interests, there's been a lot of interesting conversations particularly on the DOD side where social networking and other technology tools have allowed troops who are often forward deployed in military wartime situations to have better connectivity back to their family and someone saying, oh, well, I'm picking up and moving to this location tomorrow or hey, my battalion just got called in to get these immunizations could actually compromise operational security so making sure sensitive information isn't posted. We're seeing a lot of move of malicious code distribution and so whether viruses or malware or various types of attacks that used to be sent in e-mail is now moving to social media though.

I got some stats recently about that Facebook and LinkedIn and other places are becoming popular places for both phishing and malware distribution. And then, social engineering is one that is also a big risk that being able to impersonate. Someone can set up an account saying, hey, I'm with this government contractor. I work for, pick one of the large government system integrators. I'm working on this account, might create some other fake accounts that I friend that also appear to be valid in that area and then I use that to try to create relationships and ask questions and learn things from a government employee or other system integrator, other person involved in a project to gather information that individually might not be useful but when I aggregate all of this sensitive but unclassified information together can begin to put together pictures of information that I shouldn't have had access to.

And so, social engineering has moved -- it used to be phone calls and things of that sort. Social networking has really enabled an interesting online risk of that and things like third party applications have been a big area of that. I always tell people if you get a quiz be careful of what questions you're being asked because many people will give up a lot of things about themselves and share a question like how great a government employee are you or how great of a Marylander, or you answer things like what street did you grow up on. What elementary school did you go to, revealing things about yourself. So I think those are the four key risk areas. Fortunately, there are some things that can be done about them.

KB: What are the best methods a government agency can employ to achieve the risk reduction?

DE: There's a couple of key areas and really that (indiscernible) technology companies so I do enjoy talking about technology but the key that it needs to be every component has both people, process, and technology and they're all necessary. One of the things I tell folks is that blocking social networking isn't realistic, particularly, (indiscernible) as a recruiting issue in many organizations that if the new college graduates don't have access to social media tools that they're used to using they think companies or organizations are old and stagnant and the reality is that they might get the computer but the cell phone everyone in the office has a cell phone likely has access to a wide variety of social media sites.

So we think instead of saying no, a mitigated yes is a much better answer. And so the first area I always talk about is making sure that existing policies cover social networking. Hopefully, when organizations' policies are addressing things like who can speak on the agency's behalf. There initially might not have to be a social networking policy. I've worked with organizations where their existing information disclosure or public affairs or other, except we use policies to cover these areas, but making sure that people understand that the policies and guidelines of how they conduct (indiscernible) and making sure that you're comfortable that covers the social world.

The next component once you have those policies is training the end users so they understand the goals of what the agency is trying to accomplish that here's the benefit we see in using social media. It might be something like we're going to be using something as simple as YouTube to publish videos to provide knowledge about what our agency is doing and better share information with constituents and get their feedback. It could be using Facebook to provide outreach in a particular instance like an emergency or (indiscernible) along those lines. Making sure the end users understand what's trying to be accomplished and then what the risks are and how they should conduct themselves within the policy, the agency's policies that exist. That's a really important piece that people are really a key component to this and educating them and making it clear both from a goals and risks is important.

The next thing I always tell folks is particularly around social engineering is to make sure that both the agency itself, or the sub agencies as well as the key executives have accounts on the social networking site. Social engineering is a big issue and if I can go in and create an account for the secretary of XYZ and impersonate that person, that can create risk. And so, frankly, even if you're still saying no to social networking making sure that the agency as well as the key executives have profiles created for them even if they're not using them. You can even mark them as such saying this is the profile for secretary of XYZ, this account is not in use just so that it can't be impersonated. So I think that's very important to do.

Then we get to technology. There are some existing security tools like whether it's AV or (indiscernible) things that aren't the greatest technologies against (indiscernible) attacks that in many cases AV recently has been seeing on the sub 50% effective in attacks. But if you have invested in those, making sure that updates are applied in a timely manner and they're configured to support the social networking sites is probably a good use of time. The other important control I think is being able to control how the social network site is used and what content is posted. This is something where Fidelis has spent a lot of time and investment working with our customers both making sure that our technology has the capabilities to do this but also in working with customers to understand how they should do this.

So rather than saying, a Facebook example, no one can have access to Facebook, saying, okay, well, we'll have everyone fax to Facebook. We're concerned about third-party applications because they use for social engineering or create other risks we're going to block social engineering, only these people, these approved users can speak on the agency's behalf. So a technology to say, hey, only these users can post with these types of keywords or content, and then other organizations have controls around perhaps can people use -- can they upload documents to something like a LinkedIn or photos to Flickr, or use an instant messaging feature inside of Facebook, but implementing (indiscernible) controls to say, here's the people who can share these types of information and turning on or off areas of the site that are not -- the different sites that are or aren't appropriate. Those technical controls are really controlled granularly how the sites are used (indiscernible) technology control along with the policy and training those attributes (indiscernible) very successful program.
