American soldiers have long marched off to war with one assurance: by fighting abroad they were keeping their families safe at home. Today, advances in digital technology combined with unregulated data collection threaten to make the homefront the military’s new front line. The ability to target military families using their digital footprint significantly alters the risk of military service and potentially changes the calculus of war.
Recently, Military Times reported that military family members of soldiers deployed in Kuwait had received “menacing messages” via social media that appeared to target families of the 82nd Airborne Division. An unnamed source believed that the family members had been identified through a hacked internet service provider at the forward location.
This is not the first time service members or their families have been targeted in this fashion and reflects a trend of threats that are not receiving enough attention. The larger a person’s digital footprint, the more vulnerable they and their families are to being targeted.
What happens when our digital footprint moves from being used to develop targeted advertisements and digital services, to being used to target individuals as an act of terror or war? While this incident looks like a fairly simple hack of email data, when considered in the light of other news stories that demonstrate the ability to target individuals by exploiting a digital vulnerability, it takes on a frightening pall.
The Department of Defense is keenly aware that the proliferation of devices designed to track personal preferences, movement, location, and social networks is degrading personal anonymity and increasing targeting opportunities on their force. Individuals face persistent contact with an arsenal of data collection tools such as internet connected speakers, cameras with facial recognition, electronic passes used to pay transportation fares, license plate readers, home security systems and phone applications that track their lives. Simple vulnerabilities such as identifying as a military member on social media or being named in a news report are compounded when someone’s anonymity is being quietly stripped away through the examination their digital exhaust.
As a person’s data is being collected, stored, sold, resold and combined, patterns of life become discoverable. While much of this sold digital data is purportedly “sanitized” of personally identifying information, numerous reports demonstrate that it possible to reconstruct individual identity from metadata and through combination with other available data sources. As a result, a digital “pattern of life” can be used not only by companies, but by bad actors, be they criminals, or potentially, hostile governments as an act of terror or war.
As a result, the military has banned some electronic devices and applications that could be gathering data and is educating service members of all ranks on good internet and social media practices. On Data Privacy Day, military twitter accounts urged individual users to be vigilant, frequently change passwords, and update social media privacy settings. While this kind of protection is important, individuals and families remain vulnerable to digital targeting, largely because vigilance is not sufficient when those associated with the military are particularly exposed to digital exploitation.
While there is some debate within the United States (in Congress, the Supreme Court, by the ACLU) and among its allies about the proper use of this technology and data, other nations, such as China, are using it to identify, track, and control their populations. If authoritarian regimes, some of whom build the very devices Americans are buying, are willing to use these tools against their own populations, we should expect they would be willing to use these tools, and the data extrapolated from them, to target their enemies. The vulnerabilities these devices are creating must be better understood if we are going to create a credible defense against an enemy inclined to exploit them.
Criminals have already demonstrated the ability to take advantage of these vulnerabilities. Cyberstalking and other cyber threats are on the rise and connected devices give more opportunity and gateways to gather data and more vectors for harassment. These criminal cases demonstrate that the means exist to stalk and harass individuals through email, text, call, doxing, and surveillance through GPS, cameras, and smart TVs . Many threats go unreported, and police departments are struggling to understand the scope and find the means to effectively stop these complex, multi-jurisdictional crimes. This struggle is a harbinger of things to come in the world of national security.
Unfortunately, it is easy to imagine a near-future in which military family members are digitally stalked, the cameras in their homes hacked, their personal data stolen, shared or ransomed. Imagine the fear that could be inflicted if the patterns of life of just a handful of family members are discovered and suddenly someone is talking from their speakers, changing the temperature in their home, posting their photos, publishing their address, cutting off their internet, or broadcasting a child’s bedroom camera to a deployed parent. Any of these things are technically possible right now. Now imagine this being done on a wide scale with much more serious threats and results.
Risk mitigation must begin immediately. While the Department of Defense should support broad congressional debate on data privacy legislation, the military has a unique challenge in this arena. Military family members are often living off military installations and generally fall outside the jurisdiction of military authorities. The tremendous assets that U.S. Cyber Command has at its disposal can work to inform military members and their families about the threat and how make themselves a harder target, but it will likely fall to law enforcement authorities to, at least initially, deal with these threats and the immediate results.
First, the military must be aware of these attacks, which are likely to occur outside of their jurisdiction. This requires an expansion its current suspicious activity reporting campaigns to include cyber incidents. These military “See Something, Say Something” campaigns serve a twofold purpose: to inform the public of the threat and to ensure suspicious activity is reported. Additionally, current anonymous criminal reporting tools must also highlight the ability to report cybercrimes. Anonymous reporting capabilities may increase the likelihood of capturing information on typically under-reported crimes, like cybercrimes, thus improving the ability to mitigate damage or prevent a further attack.
Once aware of a potential threat, military law enforcement organizations should be DoD’s lead on tracking them. Illicit cyber activities are generally considered criminal incidents, therefore Army and Marine Corps Criminal Investigation Division, Air Force Office of Special Investigation, and Naval Criminal Investigative Services, are best suited to deal with them. All these agencies have some cyber capability and routinely deal with other law enforcement agencies over matters of jurisdiction. Military law enforcement would function as the sensors, then military or other federal cyber and intelligence organizations could act within their authorities to mitigate the threat.
Geographic distance has long afforded the United States a safe and assured homefront, but the digital world affords no such luxury. Data is being dispersed at an alarming rate and in the near future, could have a significant impact on national security. Currently, this vulnerability is unfairly carried by the individual. Meanwhile, the companies who design the technology and gather data are largely profiting from this personal risk. As the debate over privacy continues, it is important to keep in mind the unique impact digital footprints may have on the safety and security of our military personnel and their families.
Col. Sarah Albrycht is a senior military fellow at the Center for a New American Security. The views expressed are those of the author and do not reflect the official position of the Department of the Army or Department of Defense or the U.S. government.