ID Number: G00171713




New U.S. Government Security Guidelines for Social Media Are a Start, but Only a Start
5 October 2009
 
Andrew Walls   Andrea Di Maio  

The highest-level U.S. government forum for IT issues has released guidelines for managing the security risks of social media. But they do not provide the comprehensive, practical guidance that government IT security professionals and other stakeholders need in this rapidly evolving area.













Overview



The use of social media by government can provide many benefits, but it also presents very real security risks and must be managed in accordance with risk mitigation requirements. The U.S. government's Federal Chief Information Officers (CIO) Council has released guidelines that offer at least a starting point for managing social media's risks.

Key Findings
  • Government agencies and personnel are increasingly using social software solutions, such as LinkedIn, Facebook and Twitter, for professional and personal reasons.
  • Social software presents a range of interaction capabilities that exceed those provided in traditional messaging environments, as well as new sets of security risks for both enterprises — including government agencies — and individuals.
  • The newly released guidelines on security and social networking in government discuss risks to government employees, agencies and other internal organizations and infrastructure, but do not consider risks to citizens and other government stakeholders.
Recommendations

Government IT security leaders should:

  • Consider these guidelines a partial catalog of typical threats, mitigation strategies and available countermeasures related to social media, but not expect guidance on how to prioritize mitigation strategies.
  • Recognize that the classification and advice given in these guidelines cannot capture the highly dynamic and fast-evolving nature of the risks posed by social media, and particularly those at the boundary between professional and personal use.
  • Select security controls and practices for social media on the basis of security risk assessments that are aligned to the specific operational requirements of the enterprise or organization.
  • Integrate the new guidelines with other security intelligence sources to construct a comprehensive view of social software security threats and risks.



What You Need to Know



The CIO Council guidelines constitute a useful starting point for a discussion of the significant security threats related to social networks. However, they address only a narrow range of security controls and social software threats, and provide neither a rationale nor a method for the assessment of social software risks, monitoring of risk exposure or selection of appropriate security controls. Security managers should integrate these guidelines into a more comprehensive security risk management program that includes a full review of security threats related to social media and a common mechanism for risk assessment and prioritization.






Event




Event Facts

On 18 September 2009, the CIO Council, the U.S. federal government's primary interagency forum for IT decision making, released "Guidelines for Secure Use of Social Media by Federal Departments and Agencies, v1.0" (available online at www.cio.gov/Library/documents_details.cfm?id=Guidelines%20for%20Secure%20Use%20of%20Social%20Media%20by%20Federal%20Departments%20and%20Agencies,%20v1.0&structure=Information%20Technology&category=Best%20Practices). The document focuses on addressing three main types of security threats associated with social networking — "spear phishing" (that is, e-mail "spoofing" that targets a specific individual within an enterprise or organization), social engineering and Web application attacks — and makes recommendations for controls: policy, acquisition, training, host and network.




Analysis

The CIO Council's newly released guidelines represent a useful starting point for a discussion of the security threats presented by social networks. However, their usefulness is limited by the narrowness of their focus, and the absence of guidance on prioritizing threats and selecting appropriate, cost-effective mitigation strategies. Gartner has identified what we believe are a number of fundamental flaws in the guidelines that the CIO Council should address.




The Guidelines Have Fundamental Weaknesses in Their Core Concepts and Underlying Premises, and Particularly in Their Approach to Threat and Risk Classification

The CIO Council's guidelines reference Gartner research to highlight three types of security risks: risks to individuals, risks to agencies and risks to the federal infrastructure (see "Corporate Use of Social Networks Requires Multilayered Security Control"). This is certainly a reasonable classification, but it fails to make the important distinction between risks to federal government employees and risks to citizens and other stakeholders who either communicate with or rely on information provided by the federal government.

The CIO Council's approach is based on the classification system presented by researchers Mark Drapeau and Linton Wells II in their paper "Social Software and National Security: An Initial Net Assessment" (available for download at www.dtic.mil/cgi-bin/GetTRDoc?AD=ADA497525&Location=U2&doc=GetTRDoc.pdf). However, it does this in a somewhat confusing way. Drapeau and Wells define four different functions of social software in government (inward and outward, inbound and outbound) by combining, in a matrix, "primary sharing direction" (internal versus external) with "familiarity with participants" (known versus unknown; see Figure 1).

Figure 1. Four-Quadrant Government Social Software Framework

Source: Center for Technology and National Security Policy (April 2009)


The new guidelines replace the second dimension with an interaction level (individual versus group), which is less meaningful and fails to take into account the fundamental difference between trusted and nontrusted counterparts. Moreover, many uses of social software necessarily escape either classification. The boundaries between the internal and the external, as well as between the known and the unknown, are shifting and blurring, and will continue to do so. Government employees will, for example, use tools, such as LinkedIn and Twitter, to network among themselves, across agencies and with external partners and stakeholders, and their professional and personal networks will inevitably overlap and support one another.




The CIO Council Offers Too Little Information on Identifying and Prioritizing Threats and Selecting — and Justifying — Risk Mitigation Strategies

The new guidelines discuss various aspects of the security risks of social media, but the threat discussion is far from comprehensive, because it is limited to spear phishing (also known as "whaling"), social engineering and Web application attacks. Just as important, the guidelines fail to offer actionable guidance for stakeholders attempting to prioritize threats and to select appropriate, cost-effective mitigation strategies. The mitigation strategies focus on internal infrastructure, vendor review, negotiation of preferential treatment by vendors (for security purposes) and user education. Two crucial elements that are notable by their absence are mitigation strategies for home use of social media by government personnel and the impact of mobile devices as access points for social media.

Gartner believes that these guidelines should provide a much more extensive and detailed appraisal of the risks involved in personal and organizational use of social software. Recent cases — some of them highly publicized — of government personnel using external messaging environments to bypass legally mandated surveillance make it clear that the guidelines should place a stronger emphasis on security controls to prevent, detect and respond to sensitive discussions on public services. These guidelines should include a specific discussion of the need for monitoring of government personnel using public social media services to evade internal government surveillance and archiving of message traffic. Effective control and management of social media usage incorporates infrastructural, procedural and social concepts to identify, block, and remediate inappropriate behavior. In the context of social media, security infrastructure controls are not sufficient. This element of the guidelines should also be reconciled with two recent developments:

The limited discussion of risk mitigation arguably represents an even more serious weakness. Security organizations rarely have the resources necessary to implement every possible risk mitigation strategy for every identified risk. Risks must, therefore, be assessed in terms of probability of occurrence and scale of impact, to enable the security organization and its internal clients to establish risk management priorities. The absence of a recommended mechanism for assessing the risks presented by the threats highlighted in the guidelines means that stakeholders have no support for the prioritization of various mitigation strategies — or for the justification of the costs of those strategies, a critical issue during a period of highly constrained budgets and other resources. Government agencies and other organizations are, for example, left without any means to decide whether spear phishing is a significant enough threat to justify strong controls on employee profiles in social media, or to determine the probability and impact of the threat.

This lack of guidance on risk management priorities is exacerbated by the failure to connect the identified risks with the specified mitigation strategies. The list of mitigation strategies does include many approaches that could prove effective against the security risks of social software. However, all of these strategies require significant investments and at least some disruption of normal work processes. Government agencies and other organizations building risk mitigation strategies to support the use of social software will need to define risks that are specific to those organizations, and develop mechanisms by which recommended mitigation strategies control each defined risk. These guidelines will not be helpful in this process.

Government security managers should press their internal clients to determine which types of social media personnel should and should not use and which personnel — if any — should be prevented from using social media. Reduction of the overall scope of usage can assist in risk reduction efforts and the development of effective mitigation strategies before access is enabled for all personnel.

The effective management of security risks also requires feedback to measure the effectiveness of security controls and practices. The new guidelines do not make any recommendations concerning monitoring, whether of personnel's social software usage or of content in social software environments. The absence of any surveillance capability means the agency will (to use military parlance) lack effective situational awareness, which will result in inappropriate controls being applied indiscriminately. The ability to monitor staff behavior and social software content, and measure the success or failure of controls, is critical for assessing risks and measuring the effectiveness of risk mitigation strategies.




The Guidelines Are Not Nearly Forward-Looking Enough

The new CIO Council guidelines focus on the immediate threats presented by social software offerings that are currently widely available. However, the social software market is neither stable nor predictable. This market is extremely dynamic, with new vendors and new feature sets appearing frequently. Security risk management in such a chaotic environment requires that security personnel be well-informed about emerging concepts and products, so that they can anticipate security risks before the organization is impacted by those risks. The guidelines should recommend strategies that will enable security personnel to familiarize themselves effectively with social software and rapidly acquire security intelligence about emerging trends in social software.

Another rapidly evolving area that requires more attention is the difficulty of managing the boundaries between personal and professional profiles. The guidelines suggest that caution be exercised in blurring those boundaries, but more guidance is needed to strike the right balance between protecting the employee's right to privacy and the employer's right to confidentiality. Employees particularly need guidance about leveraging personal contacts for professional purposes (see "Government Employees and Social Networks: Reversing the Burden of Proof"). Such guidance will vary by job role and function, and requires continuous reassessment. Security control strategies must provide sufficient flexibility and scalability to effectively prevent, detect and respond to noncompliant behavior, irrespective of the expected or actual diligence and discipline of government users of social media.




Bottom Line

The CIO Council guidelines represent a useful starting point for government IT security professionals who are anxious to identify and mitigate the significant risks of social media. However, much more specific and actionable guidance will be needed before these risks can be managed, or even understood, adequately.











© 2009 Gartner, Inc. and/or its Affiliates. All Rights Reserved. Reproduction and distribution of this publication in any form without prior written permission is forbidden. The information contained herein has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information. Although Gartner's research may discuss legal issues related to the information technology business, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice.




Resource Id: 1198120