Fort Riley, Kansas



Protecting Soldiers, families through proper use of operations security

By Season Osterfeld | 1ST INF. DIV. POST | June 09, 2017

     A family is on vacation, enjoying the fresh air, warm sun and crystal clear ocean waters. From time to time, they update their friends and family with pictures and posts about their week at the beach. With each post, someone else they didn’t intend to notify of their trip is viewing and reading. This person knows how long they’re away and their home is empty. When the family returns from their trip, they find their home ransacked and burglarized.

     This is one example of real scenarios described by the Interagency Operations Security Support Staff when people do not use social network sites smartly and safely.

     Social networking and media sites and applications like Facebook, Twitter, Instagram, Flickr, Snapchat and more have become a staple in most people’s lives. They can be used as tools to connect friends and families, share photos, exchange information, market products and so forth. However, they have also become a gold mine for adversaries — like terrorists, criminals and spies — to gather information and use that information to cause damage from identity theft to terrorist attacks, the Interagency Operations Security Support Staff said.

     To protect service members as they are deploying and redeploying, Pat Burch, anti-terrorism officer at Fort Riley, advises to post nothing on social media past “I’m coming home soon” or “I’m excited my spouse returns too” and so forth. Travel schedules, dates, times and locations should never be posted.

     “These are the things we don’t want to put out there — travel schedules, itineraries,” he said. “The biggest things are deployment and redeployment.”

     In that same vein, Burch recommends keeping all posts and conversations online ambiguous, especially with people one has never met in person. Although, he recommends never friending or allowing anyone one does not know in person.

     “I want you to think about when you are online is, one, if you don’t have a physical relationship prior to a physical relationship, you need to be very, very careful,” he said. “After that … when you do post, learn to be ambiguous. It’s okay to say ‘hey, I’m doing great. Kids are fine. Family is doing great.’ That’s all fine, but try not to say ‘Johnny, who is 8, is going to school.’ Or you want to avoid ‘Oh, my husband is having a tough time with this aircraft.’”

     Posting the names and ages of children should always be avoided, as well as where they go to school or have clubs and activities, Burch said. Other information, such as place of employment, one’s own birthday, address, contact information and so forth should also be excluded for social networking sites or restricted to friends only.

     With all information, videos and posts made, one’s privacy settings should be checked to verify everything is set to friends/followers only or other, with the settings customized. Never post anything publicly, he said.

     “The other golden rule is making sure you know how to do the privacy settings correctly,” Burch said.

     Most social networking sites, like Facebook, are in the business of selling the information users provide to advertises, Burch said.

     “Most people don’t realize that the way Facebook makes their money is through micro and macro marketing,” he said. “People need to be aware of, in the civilian world, everything you do is now being tracked.”

     For example, if someone posts they are interested in going on a cruise, that information may be sold to third parties and that person will begin seeing advertisements for cruises marketed directly to them. This same strategy is used by adversaries to gather the information they need, Burch said.

     “That’s kind of how our adversaries work,” he said. “Things that you put out there, they’re following and that’s how they pull stuff up from your social media sites and your dating profiles. Facebook isn’t directly sending it to a threat, but they’re looking it up if you don’t set your privacy settings correctly. The threat is the third party who will pull up that information.”

     Disabling geotagging on cellphones and cameras before posting a photo, as well as when uploading a general text post is important to one’s own security, too, Burch said. While tagging a post with a location may be fun or convenient to helping friends meet up, it’s also a way for an adversary to know exactly where one is at any given time.

     “We want to avoid the geotagging problem when you post the picture,” he said. “Suddenly a threat comes along and extracts that location from the picture and knows exactly where it was taken.”

     Applying OPSEC properly extends past securely maintain one’s own account too. It’s important to educate friends and family members on what is and is not safe to post online, especially regarding service member deployments and redeployments, Burch said.

     In one scenario, he described a spouse learning when her service member was returning home, she called her mother-in-law to let her know and her mother-in-law posted the information online, making it available to a possible threat looking to do something nefarious.

     “Watch your friends and family’s social media because sometimes you’re doing everything right and then it’s somebody else who puts something out on there about you,” Burch said. “You have to look two to three layers out from you to watch what they’re putting out there.”

     These same precautions apply to Family Readiness Groups’ pages and groups, he said. Even when a group is private, someone may still gain access to it by hacking, spoofing a member’s account or creating a new account in a current member’s name.

     “Once it’s out there, it’s out there, so that’s the importance of getting everything right from the beginning,” Burch said. “We want to make sure our Soldiers, our service members, get home safely and protect the installations our families are living on … You have to always assume everything can be hacked, everything can be spoofed.”

     While applying OPSEC to personal social network accounts may seem extreme, one can never be certain of who is really watching or reading, he said.

     “Once you hit the send button, once you post it, you’ll never get it back.”


Tag Operations Security   Tag OPSEC