Future Use of Social Media in Continuous Vetting
Although Security Executive Agent Directive (SEAD) -5 already provides government agencies the authority to collect open-source social media data, most agencies have shied away from doing it for a couple of reasons. First, they do not have the manpower and expertise to pull and review the data, and second, they have not been provided the guidance on what data to pull and how to assess it for possible actions needed. There are also the privacy concerns that may lead to legal actions. This will change with the implementation of the Trusted Workforce (TW) 2.0 initiative being rolled out by the Defense Counterintelligence and Security Agency (DCSA) and the Office of Personnel Management (OPM). Currently, Continuous Vetting (CV), a key part of TW 2.0, includes automated checks of databases broken down into seven different categories. Social media is not one of them.
However, in the last few years the government has realized that social media is embedded into the fabric of the American culture, and it has the ability to shape opinions, mobilize protests, and even cause violence. It also can be used by foreign actors or criminals for malicious intent. The amount of misinformation distributed via social media platforms is staggering. The Intelligence and National Security Alliance’s Insider Threat Subcommittee recently published a white paper on this that outlined the threats the cleared community faces from the use of social media.
According to the paper, the Department of Defense has updated their own regulations that deal with cyber activities, including posting on social media with the intent to regulate what it’s workforce posts online and what the repercussions are if it violates the regulations. Some of the Insider Threat Subcommittee’s recommendations to the Director of National Intelligence are to update SEAD-5 providing additional guidance to agencies on what types of data to review and how to assess it. It also recommended clearly defining to the workforce what type of activity is not acceptable and what should be reported.