In the wake of the hacking of official US military social media accounts – believed to be by Islamic State militants or sympathisers – the US government was quick to claim the incidents were little more than an embarrassment. No meaningful data breach had occurred, and no sensitive documents had been hacked, it was stated.
But such claims ring hollow.
Yes, it appears to be the case that nothing of serious import was accessed – "just" the Twitter and YouTube accounts for US Central Command (CentCom), a regional command base within the Pentagon that has oversight of military activities in the Middle East and other regions.
"We are viewing this purely as a case of cybervandalism," CentCom said in a statement issued on Monday, after the accounts and been deactivated and an investigation was underway. The accounts, the statement added, were on "commercial, non-Defence Department servers."
Well, yes, that’s obviously the case as YouTube and Twitter are services from independent companies. But, as security and privacy experts have been yammering on about for eons now, that doesn’t make it any less important for account users to have strong passwords. Especially if you are a public facing organisation involved in defence, security and military activity.
For many people, the very fact that these account hacks proved to be successful “cybervandalism” attacks on public social media accounts makes things worse. Some will be thinking, if an arm of the Pentagon can’t even effectively password protect a Twitter account, how much confidence does it inspire that more sensitive information is better secured?
Most people would expect a military and defence organisation to be an exemplar of meticulous cybersecurity. For the general public, a hacked Twitter account is as much a sign of general operational sloppiness as a soldier going on parade in a dirty uniform. There’s good reason cadets in military services the world over learn first to present themselves smartly. Attention to detail matters. The military, above all, should know the smallest detail amplifies to reflect an entire organisation.
That’s why any kind of hack or data breach is known to be deadly to any organisation. Often the issue of what was taken matters less in the bigger picture than the reputational damage suffered.
Reputation
One 2011 study, a survey of 850 executives by the Ponemon Institute, revealed that data breaches have a long-term effect on brand reputation. Customers lose confidence in the organisation and will take their business elsewhere.
Organisations that had been hacked said it took a year to restore a brand’s reputation after an incident.
So for CentCom, looking foolish isn’t a trivial issue. Especially not when it is widely acknowledged that a propaganda war is ongoing between the US government and the Islamic State and other militant groups, waged primarily over social media.
Thus, Twitter and YouTube accounts are far more than the equivalent of company buildings on which some pesky vandals have spraypainted offensive slogans. They are the sites of an increasingly important and influential struggle. They are the means through which militant groups and terrorists solicit funds, convert adherents, and remain in the public eye by posting shock videos and images.
Cyber-battlefield
In this context, social media is a significant cyber-battlefield. So, aside from making the victim organisation look stupid, getting hacked results in a noteworthy social and political coup for the hackers, no matter how the victim tries (understandably) to downplay it.
That the hack happened at around the time President Obama was making a speech outlining the importance of national cybersecurity won't have helped matters.
In his speech, Obama argued that the US needed new laws - contained in a proposed bill - to provide better data protections for US citizens. One element of the bill would require organisations to give consumers notice within 30 days that their data have been breached.
The bill would be much weaker than measures being debated in a proposed new European data protection regulation, but would provide federal consistency, replacing a patchwork of state laws.
The common point between the two pieces of legislation is that nations increasingly understand that consumers and citizens have a right to data security, and organisations should be put under pressure to provide it.
Organisations, meanwhile, increasingly understand that data breaches and successful hack attacks, even if they constitute “just” defaced websites or commandeered social media streams, can damage them in multiple ways.
I would wager CentCom has learned that lesson, no matter how much it is downplaying the significance of its breached accounts.