Interview: Ali-Reza Anghaie and Scot Terban on InfoSec, Hackers, China, and Cyber Hype

terbali2 Interview: Ali Reza Anghaie and Scot Terban on InfoSec, Hackers, China, and Cyber Hype

Ali-Reza Anghaie (Right) is a Consulting Security Engineer and Senior Analyst with Wikistrat. His varied work in engineering and security has taken him to numerous universities and Fortune 500 companies in the Defense, Energy, Entertainment, and Medical fields. You can follow Ali-Reza on Twitter and Quora. Scot Terban (Left), AKA the gonzo INFOSEC blogger Krypt3ia, blogs at http://krypt3ia.wordpress.com. You can also find him on Twitter. Both host the weekly Cloak & Swagger: Security Unhinged podcast.

John Little: Let’s start off with a Skyfall-esque word association game. Ready? “Cyber Pearl Harbor

Ali-Reza Anghaie: Geraldo. (Yes, that’s my answer. Say `Cyber Pearl Harbor` in his voice and you’ll want to strangle yourself too.)

Scot Terban: Expletive.

John Little: Alright, so what is it about “Cyber Pearl Harbor” that sets you two, and many other infosec professionals, off? What are Panetta, Lieberman, and other Beltway types getting wrong about the legitimate threats we face in the digital domain?

Ali-Reza Anghaie: Lets clarify “getting wrong” – as professionals we encounter `wrong` all the time. ~Intentionally~ exaggerating and obfuscating threats is what has been happening in DC. However, it’s also politics – you never hear a politician talk about any issue in a way that satisfies the wider professional community of that issue. That’s quite intentional – as the people who really know are absolutely the people that politicians need to play ~against~ to centralize and pull power toward their own spheres of influence.

And that’s really the part that burns me – the echo chamber they’ve built is designed to accomodate just those that will work within the confines of the existing DC dynamic. And so much energy is exhausted in just that posturing that by the time you get to actual technical working groups – you’re already on the tail end of resource availability. So, if you’re lucky, you’ll get through one or two iterations of actual policy driven work before the next manufactured crises hoovers priority elsewhere.

Since this is the inevitable cycle, I suggest we move straight to the end – private industry needs to step to the plate as a competitive matter because Government, as Government always does, will punish you using whatever laws do or don’t exist as soon as it’s politically tenable. And won’t provide any solutions along the way. Why not just get it over with?

You know – I’d probably be less cynical and in a better mood if you stopped saying “Cyber Pearl Harbor”..

Scot Terban: It’s jingoism at its best. It is propaganda and a tool to get people to react in a knee jerk way.

What are Panetta, Lieberman, and other Beltway types getting wrong about the legitimate threats we face in the digital domain? Everything. They do not comprehend the technologies involved nor the complexities of what they are advocating as the end of the world. They need to let the professionals who deal with this technology and space give the answers. It’s akin to telling a five year old to go on to Meet The Press and explain quantum mechanics.

John Little: There are countless layers to this problem and many of them are not “technical”. There are human factors and physical security issues for example. In most cases there are no paths to 100% security. So where, from a national security perspective, should we focus or efforts and dollars? What would get us the most bang for the buck?

Scot Terban: Well, contrary to what a Dave Aitel or lately Schneier might posit, more security awareness for the general populace to start I think. This is more so for companies that are within the sights of an APT adversary but also look at what goes on with crimeware to start right? How much of this could be stopped just with making sure people understand the technology that they own and should be managing? We are all supposed to have training to drive a car and a license so why not at least have a better grasp on the PC and how things work right?

*wait’s for Ali’s head to explode*

But really, knowledge is power and unfortunately I don’t think this will happen either really. The money will all go into offensive campaigns within the CyberComm and we will lag behind on defense. Look at the EO and how the corps responded to it. “hey yeah, we would like to do less” I know Ali thinks that is all about letting the gubment take over and that is what they want but I disagree here. I think they do not want the government dictating to them nor do they want to be responsible for the security of their environments at the level of mandate because they would be held to it by assessment.

I think in the end your question is moot because nothing will be done that will help us.

Ali-Reza Anghaie: The pounding of the `do the basics` drums needs to be louder than the `sexy` drums..

However, I think the biggest things we can do at a national security lever are:

1) Admit defeat at the Government level. Make it clear – CLEAR – that if you’re waiting for Government to combat your hacking problem, you’re going to die.

2) You. Must. Compete. There is a concept called “Intellectual Property Obesity” that has ravaged the American innovators for some time. They spent too much time on Copyright, Patent, and IP theft and not enough on risk analysis, business development, existing means of competition.. concentrate on ~everything else~ that has made America less competitive on a global scale.

In the end, if we’re to suffer a `death by a thousand cuts`, it’s not because of cyber espionage from the Chinese or anyone else. That’s but a small part of the bigger picture.

Now – that speaks to national security at the economic level, which I think is most important – but some conflate this as all purely defense/military in nature. The solutions to that problem set as a bit different and, in part, require actually letting people fail. Not retroactively but put a pretty solid post in the ground that says: `Hey, if you get hacked and all the IP is stolen. Your program funding is going to take a BIG hit. We don’t want to tell you how to fix it – we (Government) doesn’t know how. Likewise, if the data gets stolen while with us (again, Government), you’re going to get a bit of automatica business helping us or influencing our direct means of securing it`.. something along those lines without the tin-foil gaps.

John Little: Although I know and respect many security professionals the ones that I encounter professionally seem to be bureaucrats rather than technical professionals. They are just lords of a massive fixed documentation process that must be completed whether I’m building a simple web page with public data or a massive mission critical enterprise system. The problem is that I can answer 500 questions about my application and get it approved but at the end of the day there’s nothing about the process that really enhances security. What are your thoughts about how the private sector utilizes InfoSec professionals?

Ali-Reza Anghaie: Firstly – I’m sorry. Really really sorry. You’ll have to file a RC269B exception to ask me this question. It’ll be rejected of course because everyone knows of the `Great RC268T Debacle` of 2012. I have my big red stamp ready to reject your request because email isn’t secure enough and the ColdFusion workflow app we had developed in Bangalore was, of course, developed by non-US Citizens so we can’t really use it. I have spoken.

There is this inherit fear of InfoSec that comes with the noise around incidents right now – similar to how auditors were perceived just after SOX went into effect. Nobody knows what to do with InfoSec except to not piss InfoSec off. Along with that come a lot of non-technical professionals or entry-level professionals enabled with copious amounts of authority and confidence over – well – nothing in particular. So, much like politics, you do exactly what you can get away with without punishment.

This is a cynical view – as my answers have trended so far – but it’s quite normal and recent trends leave me very optimistic.

We’re at the tail end of this trend and, as an industry, we’re going through it a fair bit quicker than many of our predecessors. Somewhat due to economic constraints but I sincerely believe the best of the best in InfoSec have taken more responsibility recently for knocking down their own echo chambers. They’ve seen the charlatans flourish and they know “we” created room for them with ambiguity and hand-waiving. “We” want our industry back..

So – to answer your question – I think a huge majority of the private sector is very confused in how to apply InfoSec. And it’s our fault…for now.

Scot Terban: I think we need to differentiate between the INFOSEC folks like an archaeological dig here to start. First off, not all INFOSEC’ers are built the same. I come from the pentesting side AND the policy as well. I performed many assessments that had a combination of both and understand them both well enough to see where the rubber meets the road to so speak. Unfortunately not everyone has the skill sets to see both sides of coin and to work efficiently in the space. So we have people who get into INFOSEC primarily from a “legislative or paper” side of the issue. They understand that security is necessary and there are rules that need to be in place and that is about it. They follow their checklists and once they have checked the boxes they are good. This is bad but all too often the real aegis of many folks in corporations who perform audit from SOX to other government audit standpoints.

Then there are the people who perform just pentest and who many often think that rules are just useless. Why? Because the hackers/adversary does not follow the rules and all too often rules get mired in minutiae that doesn’t matter to their attacks. I have heard way too many times, and rightly so, that SOX and other check box security measures are useless. I too have felt the same thing but, too often the pentest crowd is just dismissive of it because they are broken and not workable in their present state much of the time. So you can develop an app as you say, the “Bob’s” can come in with their checklists but in the end they have not made the product more secure because they lack the dimension of the attacker perspective.

So we have two camps.. Both out to secure things and neither really can because of a third camp.. Let’s call this camp the “Corporation” The corp all too often is motivated not by an innate desire to protect their data, their clients etc.. Their driver is to make as much money as possible and in doing so security spend is even today, not what it should be because it is a cost center. When looking at the options and the legal drivers we can see how it is so easy for a company to go for the check box security approach mainly because that is what the government and the laws are mandating. It is the “due diligence” mentality and in that, the only due diligence we have primarily is to have the boxes checked to insure that they can say that once they get sued or after an incident. THIS is to minimize the legal remunerations that they may incur to law suits and that’s the extent of it. Rarely have I seen a company throughout my career that was proactive about their security enough to engage true red teaming and effective policies, procedures, and audit to insure a modicum of security.

It’s mostly set and forget as well as get drones who check SOX boxes every year. Aye, there’s the rub huh? This is where you have the paper CISSP’s and others who really do not have a grasp of adversarial INFOSEC that needs to be in place to protect yourselves and this is where the engine of popularity and money have made a glut of people who don’t really have the chops to be in the business doing business. So yeah, you could create an application and the SOX types come along and ask questions but they really aren’t coders nor understand application code security right? They do their bit but they don’t see the whole picture and you, you could totally hoodwink them that your application is up to standard because this is the only appsec that they are carrying out.. Asking questions and not validating code?

To me, that says that the system is broken. What we need is a middle road where true application security people are involved in your case. In other cases I would like to see people who have a good grasp of security (defense as well as offense) in the roles of audit. Will this happen? Probably not and that is because as was lamented recently “Defense isn’t sexy” add to that the corp’s aren’t looking to do anything but be “risk averse” and you have a broken system.

John Little: So we have a system that is broken and seems bound to stay that way. With the increasing complexity and distributed nature of data and applications, the vast number of application users (a good portion of the planet now), the rapid advancement of technology, and the challenges involved in building and maintaining an even barely adequate cadre of INFOSEC professionals how will the future not become even more of a hacker’s playground?

Ali-Reza Anghaie: The problem space is going to continue to grow at an accelerating pace. We will drown in more data and we won’t ever have enough bodies to throw at the problem. Government “regulation” will likely further exasperate the staffing problems. Generally we’ve shown ourselves incapable of effective security automation. Woe is me?

There is a difference between a hacker’s playground and an unmanageable risk. Like any other type of crime, society will compensate in some areas and not in others. Some regions will do better with the same `door locks` and other regions will need `burglar bars` on all windows. So the question isn’t if the attack surface will continue to outpace us – it certainly will – the question is how will we compensate, as an industry and society, elsewhere?

This goes to the very root of competition – and we’re stuck with this idea that InfoSec is absolute. You’re either not using computers or your pwned. In no other aspect of life or society do we so readily say that to customers, through Governments, and in our daily routines.

So I would say that hackers will hack and that’s OK. If you aren’t viable and complete even under hacker fire – I’d say you were never actually viable or complete.

Scot Terban: It shall be just as it is now. The only answer is to become a new age Luddite and live in a bunker awaiting the end…

John Little: A significant portion of the cyber-chatter inside the Beltway and in the media is focused on China. How would you characterize the threat Chinese hackers (official or not) pose to the U.S. and how should we be talking about it?

Ali-Reza Anghaie: Lets be clear – the Chinese threat is real and it’s aggressive. It is also entirely irrelevant.

We’re at such an early stage of secure architecture and software that concentrating on a given foe is foolish for all but a small core of defense and intelligence agencies. Along those lines, Government emphasizing a given nation-state threat also leaves people with the false impression that these threats ~require~ a nation-state to execute. And…. wait for it… a nation-state level response.

About now big red spinning alarms should be going off in your head. THAT is the problem with “the Chinese threat” – it’s become a political football that has turned into a lobby interest that has turned into a disadvantage to an already painfully broken field. It creates whole classes of C-levels looking at the wrong problems, wrong solutions, and wrong people to deliver those solutions.

Scot Terban: How would I characterize the Chinese threat… Well, they are a threat because they are just persistent and mostly sneaky. Not all of the teams are uber ninja’s like portrayed in the news media or in a Mandiant self propaganda piece but they are pretty good (some of them) What the question really should be though is how would I characterize the attacked.. Not the attacker. We are on the whole not prepared to deal with attacks either in the MIL space or the private whatsoever. Companies are reticent to fix their infrastructures because it would cause loss of productivity, they hold on to old technologies like XP and IE6 for way too long, and they generally are not as a whole, security savvy.

So.. How hard is it for the average Chinese hacker to get someone to click on a link, pwn a machine, enter a poorly managed network, and steal them blind? Furthermore, how hard is it then to keep persistence?

Meh.

John Little: You both raise a very important point. While the debates over terminology, doctrine, and threats rage on the assets are going unprotected. We hear case after case of hackers having an easy time with their targets because of laziness, ignorance, and irresponsibility on the behalf of individual users, software developers, and network owners. It seems like we could eliminate most threats by shifting the focus away from “external” threats and back to our own behavior and business practices.

Ali-Reza Anghaie: Some years ago various groups started referring to de-perimeterisation as an inherit system design goal – that is to say that every system’s functions should act like it’s facing the “outside” world. From the outset I thought that should be the data protection goal as well – trust no one, period. Everything should have a forensic trail, least-privilege model, etc. Insiders can become your outsiders – prepare as such.

Now, that was naive of me – cost applies. So I think it comes down to appropriate risk assessments in the complete context of your business, legal, and technical resources – which is non-trivial for multinationals and small business alike.

So – the “right” answer to your question is – we still have an accountability problem period. Internally or externally the risk assessments, valuations, and models just aren’t being done appropriately on a reliable basis for most organizations. The good news is that the body of work on these topics are increasingly reliable – we can fix the overall scheme of things. Where fixing doesn’t always mean absolute security as the goal.

I’d like to thank Blogs of War for taking the time to put together this interview. It’s been great and I really enjoy your various feeds.

Scot Terban: The answer is “yes” but I would also hasten to say that it’s not just accountability but a more encompassing problem of OPSEC altogether. The point being that many people today lack understanding of the need never mind the practice of OPSEC. So we have all these private and public entities that really have no concept of the security landscape in the first place and why it is important to protect their data so how do you expect them to be aware of internal or external threats? While in the military and government space they have an idea they too suffer from lackadaisical attitudes and lack of comprehension of the technologies that they are using to manipulate, store, and use data. I tend to think of it as a human nature issue in general that we need to tackle just to bring people to the security table in the first place before we can make them aware enough to think about and secure their assets. Once people are on the same page with the technologies (not just the tech folks we all work with but the end users) then we will have a discussion over the internal versus the external threats posed.

Talking Tech, Social, and Security with White Canvas Group Founders Jon Iadonisi and Tim Newberry

wcg Talking Tech, Social, and Security with White Canvas Group Founders Jon Iadonisi and Tim Newberry

Jon Iadonisi is the founder of White Canvas Group (Twitter) and leads the innovation and application of new products and solutions for all clients. He blends over 15 years of diverse experience in computer science, cyber security, and applied creativity into solving tomorrow’s challenges. He is regularly sought by the Department of Defense, various Intelligence agencies, members of the US Congress, industry conventions and popular media outlets to provide expert opinion and briefings on information age unconventional warfare. Prior to joining the private sector, Jon served as a Navy SEAL, where he designed, planned and led various combat operations that integrated innovative technologies and tactics into the operating environment, ultimately creating new capabilities for the Special Operations Community and Central Intelligence Agency. He is a combat-wounded and decorated veteran who earned a B.S. in Computer Science from the US Naval Academy, and M.S. in Homeland Security from San Diego State University. He is currently pursuing a PhD in Criminal Justice from the University of New Haven, focusing his research on the emerging field of cyber crime. Jon is a guest lecturer at San Diego State University and Georgetown Law School and is an academic and athletic all-American who participated in the 2000 Olympic Rifle team trials.

Tim Newberry is the co-founder of White Canvas Group and is responsible for day-to-day operations and sustained client engagement. Tim’s 15 years of identifying, developing, and executing projects in areas ranging from computer science to nuclear engineering has helped him hone a process-oriented delivery model that ensures clients’ objectives are met on time and on budget. Prior to joining the private sector, Tim spent eight years as a Naval Submarine Officer and Nuclear Engineer. He has a master’s degree in engineering from Catholic University, and a bachelor’s degree in computer science from the U.S. Naval Academy. Tim is currently pursuing a PhD in Criminal Justice from the University of New Haven in Connecticut, with an emphasis on understanding the intersection between cyber technologies and new age media with justice.

John Little: White Canvas has been involved in lot of interesting projects from crowdsourced crisis communications products like GridMeNow, to social media analysis, to your longtime involvement in the hacker conference scene. Can you briefly tell us where White Canvas is devoting most of its energy at the moment and where you see yourselves headed in the next 3-5 years.

Jon Iadonisi and Tim Newberry: John, first, thank you for hosting us in this forum. We’ve been a big fan of yours over the years and actually think we’ve got quite a bit in common with your content pursuits. As you allude to in the question above, we’ve been accused at times of being a bit unfocused and spreading ourselves too thin. We couldn’t disagree more.

Everything we do, day in and day out, now coming to the end of our fifth year, connects. It connects by focusing our efforts at an intersection between technology and people. Behind every social media account, keyboard, and mobile phone is a person. Our expertise is technology development but our focus is to serve people with that technology, with each one of our projects combining elements of design, science, and functional solutions.

Right now, we’re focusing on a handful of projects. We like to describe ourselves as a privatized DARPA (most of your readers will probably understand that analogy), except we like to produce a bit faster and be a bit more practical in solving tomorrow’s problems today. You’ll see GridMeNow spin off into its own company in the coming months as customer growth and demand warrants. 2013 will also see a renewed focus for WCG on the human factor in cyber security and digital operations for private and government customers. Our other significant energy focus will be an elite performance training system for military and law enforcement personnel, customizing systems currently used by professional and Olympic athletes.

Clients contact us regularly seeking other paradigm-shifting solutions, and we’re dedicated to evaluating those potential opportunities for future growth.

John Little: I know you guys were looking at the national security implications of social media, especially web video, well ahead of the Arab Spring. Has the marketplace for these concepts changed completely over the last three years or is it still an uphill battle with some customers?

Jon Iadonisi and Tim Newberry: Both. The Arab Spring undoubtedly caused global shifts in power but more critically, it caused a shift in the perception of what power is and who has it. Social media certainly helped those events transcend local boundaries onto the global stage; and the pressure of that elevated visibility shaped public opinions and corresponding ground action in near real time.

Video social media is the most important form of user-generated content when influencing someone to do something. That journey from being compelled or inspired to do something to taking action on that inspiration happens much quicker with video as opposed to just text, pictures, or audio. Video compels, inspires, incites action. That’s why we focus there, because it is the most potent form of influence, whether you use it for marketing or organizing. Further, the social technologies at play in these cases (YouTube, Vimeo, etc.) offer a transformative experience for the user/viewer because they instantly provide context (via comments, likes and shares), and connect users/viewers to wider online audiences via their own social presence. The video footage of the January 25 Tahrir Square protests in Egypt compelled a global audience in seconds. You personally could watch the event unfold via social media virally while other 1.0 organizations usually tasked with monitoring and analyzing these events (e.g. intelligence agencies, news bureaus, etc.) totally missed the boat. And in this case, the compulsion caused by the social video experience resulted in a united narrative promoting a regime change.

It’s still an uphill battle—that’s going to be the case for years, and unfortunately more so within the confines of government. But, we’re getting better at it – after all, the Internet is only about 20 years old.

John Little: It seems like with all the hype around social media and the internet in general that mobile gets overlooked as a driver. Twitter and Facebook wouldn’t be full of compelling real time content from Tahrir Square without the global spread of affordable hardware and networks. It’s really the convergence and ubiquitous nature of these technologies that is creating something special isn’t it?

Jon Iadonisi and Tim Newberry: The quick, simple answer is “absolutely” – I think we’ve heard recently that in many parts of Africa, cell phones and internet connectivity are more prevalent than running water. But the harder-to-measure second and third order effects this creates involve how PEOPLE are changing with this new dynamic. This is where we at White Canvas Group spend most of our time: helping people to navigate this new digital world order. Consider the fact that reliable, real-time information is being delivered via an underground Skype connection in Syria, which is then broadcast by the global news network powerhouses. It’s an inversion of power and influence. Many people don’t buy goods or services based solely on advertisements: they spend money based on peer recommendations or social network validation. These changes are only enabled by the convergence and spread of affordable connectivity. We think we’ll start seeing many more innovative uses of mobile technology in the future as burgeoning youth population bubbles reach critical mass inside the regions you mention and others.

John Little: You have a long history of participation in the hacker community through events such as DEFCON. And lately I’ve seen the two of you discussing cyber security on Fox Business News, CBN News, Government Computer News, C-SPAN and other media outlets. Cyber has been a beltway buzzword for some time now but it seems like, especially in the political arena, the threat is often hyped or mischaracterized, while real vulnerabilities are overlooked. It drives a lot of the information security professionals I know crazy. How can we move beyond the extremes of hype and apathy to implement the kind of broad and sustained effort needed to secure our digital infrastructure?

Jon Iadonisi and Tim Newberry: This transition will be lengthy, and in many ways similar to the societal adjustment towards terrorism post-9/11. Simply put, a broad sustained effort will not be embraced until either a generational change in the political landscape or a 9/11-scale cyber event. Until then, private businesses, institutions and individual American citizens will have to hold their own. We hate to be the bearers of doom and gloom, but the fact that those inside this professional industry are more focused on the context of a word instead of the practical manifestations of that word frankly says quite a lot about how much most people in this community care about it. Towards that end, and in the context of what the “industry” deems cyber security, we’re focused on providing tools, technologies, and perspectives that will help to fill that void; hopefully enabling individuals, companies, and organizations that are taking it seriously the ability and confidence to hold their own.

John Little: I know you guys are always looking forward and you can find opportunity almost anywhere. Are there any anticipated technological/social developments on the near horizon that you’re really excited about?

Jon Iadonisi and Tim Newberry: Unfortunately, innovation is a cliched term these days. We really enjoy following the modern day Da Vincis and Edisons. People who aren’t afraid to challenge the norm and risk changing the world. For example: Salvatore Iaconesi, diagnosed with brain cancer who instead of giving up hope, coded his medical records in a structured format, enabling thousands of people to help him successfully find a cure, which he did. Stories like his remind us that computing power, when used as a tool, enables creators a chance to globally impact our world. We’ve got a couple of promising projects we’d like to launch against Leukemia, and perhaps have a chance to impact the world. Until then, all we can do is fearlessly dream, and that begins like all of our projects: on a white canvas.

Interview: Phillip Smyth on Syria

phillipsmyth Interview: Phillip Smyth on Syria

Phillip Smyth is a researcher specializing in Lebanon, Syria, and the broader Middle Eastern affairs. He travels regularly to the region and has been published by a number of publications including the American Spectator, the Counterterrorism Blog, the Daily Caller, Haaretz, MERIA Journal, The National Review Online, NOW Lebanon, PJ Media, and Voice of America. You can follow him on Twitter @PhillipSmyth.

John Little: We’ve seen countless accusations of chemical weapon use from both the regime and opposition forces. Twitter, YouTube, and Facebook have been overflowing with that content but most of it has been way off the mark. Some of the content creators are genuinely confused and many (on both sides) are pushing poorly constructed propaganda. I’ve consistently maintained that there is no upside to chemical weapons use by Assad. Using them on a large scale would be suicidal. Do you think that logic will prevail? What is the likelihood that Assad would do the unthinkable?

Phillip Smyth: If the regime openly uses chemical weapons (CW) (e.g. as Saddam did in Halabja) it will most likely result in a “Game over” situation for them. In that case, the “red line of red lines” would have been crossed and would probably lead to some variety of intervention involving external actors. Presumably, such an action may force the hand of even the most unwilling actor.The rebels understand this, as does Assad. It certainly accounts for numerous (generally erroneous) rebel reports of Assad having already used chemical weapons. It also serves as a main reason why Assad is not using them. He gains much more leverage from having his finger on the button than from pressing it.

There have also been numerous charges the Assad regime has already transferred some of these weapons to Hizballah in Lebanon. I have my doubts regarding those accusations aswell. Why hand off the keys to the castle before one has vacated the premise? For Assad, CW serve as the regime’s joker card–There are pluses and minuses. Thus, Assad understands that CW are best used as a strategic bargaining chip in the great game of retaining his hold on Syria.

Another oft-repeated line we hear is how “desperate” Assad has become. This is often described as a reason for certain actions executed by the regime (i.e. his launching of ballistic missiles). The message can be read as: “If he’s crazy and desperate, he can and will do anything”. However, there’s a huge difference between launching missiles and using the strongest, most deadly, and most internationally disapproved weapon(s) in his arsenal. Assad still has a functioning military, irregulars, and external help. This force is launching a number of counteroffensives now and Assad is not making a run for the hills.

Still, no one should discount the possibility of some type of chemical agent being used on a small scale to “Test the red lines” or accomplish other tactical tasks. Nevertheless, save for some cataclysmic collapse of the regime, I am hesitant to say Assad would use the weapons as an intrinsic part of a strategy to retake the country.

John Little: When the uprising started most expected the Syrian regime to have significant staying power and it has. However, we have seen a number of high profile defections, regime military installations are falling to the rebels, and Damascus is threatened. Where does the regime take it from here? Is their downfall now certain with only the timing and body count in question or is it still too early to tell?

Phillip Smyth: Assad’s downfall is an ongoing process–I believe that on the battlefield there may eventually be a major tipping point. This point has yet to be reached and the battle for supremacy in the country is currently a piecemeal one. The rebels lack game-changing tactics and weapons, are disparate, and still learning effective strategies. Assad is also continuing to hit back. Remember, Bashar’s father did not retain his position in the country through not building a working army capable of crushing dissent, a network of thugs, and duplicate intelligence agencies. Thus, Assad’s end–while coming into view–still requires a pair of high powered binoculars. Assad is in the battle to win, and right now we are still looking at a draw.

Body count is certainly a factor, but this too can go a few ways. Assad’s primary and most loyal fighting forces come from a minority group–his minority group–the Alawites. They understand the region’s zero-sum politics (there’s no such thing as “power sharing” and there will always be a dominant group and one or more under that group’s foot) and have tasted power; Their resolve to win or retain as much power as possible will be a hard nut for rebels to crack. There may come a time when Alawite mothers of sons, who continue to die in battle for Assad, become loud enough to affect change. Nevertheless, as with many Middle Eastern minorities, the communal survival mentality could and will likely override such sentiment.

The bigger issue is how many trained, loyal, and equipped fighters can and will Assad continue to throw into a multifaceted and geographically diverse front line? I expect that those numbers are not as high as Assad truly hopes for, but they are still strong enough to hold key strategic urban areas (such as Damascus, parts of Aleppo, and sections of Homs and Hama).

Assad’s viability also depends on what one defines as a “High profile defection”. None of Assad’s inner-Alawite circle of advisers or people in true power positions have left the regime or joined the rebels. This reflects the tightness of his ranks. Some have described Assad’s rule of Syria as reminicent of a mafia-don. It’s a bit more complicated and dependent on broader concentric and connecting circles of family, clan, sectarian, and business based loyalties. Hafiz Assad and Bashar both did a nice job cultivating links to and cutting in many urban Sunni bourgeois and like it or not, many of these links still exist, albeit at reduced levels.

I hate to continue statements which seem to push the narrative of sectarianism, but like it or not, it’s a reality. To which sect did “High profile defectors” Ryad Hijab (prime minister) and Manaf Tlas (general in the Republican Guard) belong? They are all Sunnis.

Additionally, Syria is awash with generals, so another “General’s defection” is hardly the equivalent of say Ulysses S. Grant joining forces with Robert E. Lee.

I also recall an article in the Arabic daily, Al Hayat from the summer of 2012. It discussed the “Highest ranking Alawite to defect”–Apparently, a leader of Assad’s air force intelligence special forces. His rank was not mentioned and he never gave his full name. He is just a small fry in a large pond of people actually running Assad’s show.

Regardless, it gives us some insight into the amount of security agency duplication found in Assad’s and even other dictatorial regimes. One force spies on the other, which spies on the one spying on it, which is spied on by another, which has 49 “commanding generals” who do little beyond sit at a desk and report on their juniors and seniors. At the end of the day, the Assad family and broader clan still run the show.

Howver, there’s no doubt in my mind that these defections did and continue to rankle a good number of Assad’s people in Damascus. Yet, those defectors are not leaders, per say. To paraphrase Alex Karras (Mongo) in Blazing Saddles, most of these “High ranking” defectors are, “Only pawn[s] in game of [the Assad regime's] life”.

So is Assad’s collapse a “Sure thing”? It’s certainly growing more possible and has been growing for a year. It is my contention that when Damascus falls, for all intents and purposes, so does Assad. He needs the capital city for ideological and social reasons. Without it, he’s just a former ruler-cum-warlord. Yet, even in that scenario, there’s the potential that he is still around controlling some chunk of territory. I just do not feel we are going to see a Libyan-style end a la Qaddafi in Sirte for Assad in Syria.

John Little: What options do you think Iran is considering as they contemplate a post-Assad Syria? They won’t have a lot of friends in the mostly Sunni opposition but inaction isn’t exactly an option for them – nor would it be expected.

Phillip Smyth: It really goes without saying that Syria is a strategic linchpin for Iran’s regional policy. The Iranians are doing their best to continue propping-up the Assad regime. Simultaneously, they are also creating sub-networks among their coreligionists (Syria’s Shia community); In much the same way they did in 1980s Lebanon and more recently in Iraq.

Iran has been rather public in their announcements that the Iranian Revolutionary Guard’s Quds Force is operating inside Syria. The same thing goes with Lebanese Hizballah, which has been reported guarding important Shia religious sites and fighting rebels in many locations. Iran is also ferrying Iraqi Shia fighters (from groups Iran helped create, like Asa’ib Ahl al-Haq and Kata’ib Hizballah, and from allies like Muqtada al-Sadr’s Liwa al-Yom al-Mauwud–formerly known as Jaysh al-Mahdi) into Syria. When Richard Engel was kidnapped, he reported his captors were Shia and they were trying to gain the freedom of pro-Assad/pro-Iran Lebanese Shia actors held by the Syrian rebels.

Thus, in a post-Assad Syria, it can be assumed Iran will attempt to draw the country’s Shia under their protective wing, likely creating proxy militias on the ground while backing any remnants of the Assad
regime.

At the outset, it would appear Iran is playing a strictly sectarian game and will not be able to draw any support from Syria’s Sunni majority. Many analysts argue Sunni sectarian anger against Iran and the Shia as a whole is too great. However, this neglects the region’s constantly morphing multi-polarity.

Iran has a lot of money, arms, and strong forces. In any coming Syrian anarchy, all militias on the ground will need capital and support–Even if it is covert. The Iranians will reach out to just about anyone who takes their hand. Many speak of the “Sunni-Shi’a split”. Unfortunately, they forget that Iran has made some incredible inroads among a variety of groups. Of course, not many Sunnis (especially now) would wish to publicly recognize they get support from Shia Iran, but they do.

At this moment, Syria has around 1000 militias. Post-Assad (and even now) they will all be fighting for a slice of the pie. In keeping with the Middle Eastern version of the “Golden rule”, Iran is “The one with the gold [who] makes the rules”.

A great example to look at regarding how Iran will inject itself and retain some level of presence in Syria, are their (often via Hizballah) moves in the predominantly Sunni, Tripoli, Lebanon.

For all of the talk about sectarian fighting (between Alawites and Sunnis) going down in Tripoli, there are quite a good number of Sunnis–especially militiamen–who are or have been on Hizballah’s payroll. Some of these fighters continue to battle the city’s Alawites (Hizballah’s allies), but due to their economic conditions, they can be called to fall in line when Hizballah asks them to.

In the past some have even been wooed over using the plea of “‘Islam’ must unify in the face of Western enemies and Israel”. This is the kind of ideological logic pro-Iranian Sunni Islamist groups, like Tripoli’s Tawhiid Movement, use (i.e. “Sunnis and Shia are both Muslims and should not fight each other, but the greater foes). Nevertheless, I am guessing such a strategy will only have a limited effect in the near-future.

Hizballah and their Iranian paymasters also are not simply calling for their Sunni proxies to battle other Sunnis or fight directly on the side of Hizballah. They work slowly, giving some of Tripoli’s poorer Sunnis a financial cushion and aid them in other ways. In that way, Iran slowly embeds itself into the community. The potential for Iran/Hizballah is that this builds a lot of long-term influence in key areas among groups of people who should despise them. I cannot see why they wouldn’t try the same thing in Syria.

Wars make strange bedfellows and sands can shift at a moment’s notice. In a Syria sans Assad, Iran’s influence will be diminished to a great extent. However, they will not cease their attempts to gain connections whenever or wherever they can.

John Little: What is your take on the more Machiavellian view held by some that it is in the West’s interest that this conflict enters a sort of long-term standoff where Assad remains weakened, but in control of his arsenal (especially his chemical weapons), and the conflict churns through the more radical parts of the opposition?

Phillip Smyth: I hold a mixed interpretation of that viewpoint. The war on the ground is devolving into what has been termed a “Spanish Civil War” style conflict. It would appear to many that it is counterproductive to jump in.

On the sidelines such a scenario may be a wonderful thing to watch: Assad, Al Qaida, and other radical Islamist groups beating each other senseless–It also couldn’t happen to a nicer collection of foes. However, the situation on the ground isn’t always that simple and often a sequence of events does not always play out how one may have hoped. Even in an environment pitting just radical Islamists against Assad–with both forces lacking any love for the United States–the risks are just as high as the benefits.

As of right now, despite the fact that radical groups are taking center stage and getting a lot of coverage, it doesn’t mean they make up the majority of the Syrian opposition. Watching from the stands may result (as it has in the past) in even more polarization. Such a situation would not be good for the U.S. or region in the long-run.

Radical Sunni Islamists have already demonstrated that no matter where they spring-up, they don’t stay put. They will continue to spread problems to the region around them, even if engaged in an ongoing conflict. Case in point: Jabhat al-Nusra, which was spun from a very busy Al Qaida in Iraq. It’s a fallacy to believe they will simply be sucked into the Syrian conflict and just wear themselves down. In fact, I’d say they’ll use the conflict like they tried to use Afghanistan or Iraq. Only, this time, they won’t be facing a high-technology enemy which can more effectively check their growth. They will sharpen their skills, expand in size, and may spread like a virus to neighboring areas.

Let’s say Assad starts to triumph over the disparate rebels and radical Sunni Islamists. We will then see an emboldened Iran. If Assad is left in place during a stalemate, the pro-Iranian set will be shaken, but won’t be out of the game. In that case we will have two radical anti-American foes in control of large chunks of the Levant. Sure, they would be fighting one another, but that does not mean they will cease their other activities in the region.

Remember, in the early and mid-1980s, when Iran was “Tied down” fighting Iraq, they still found enough time to build Hizballah, bomb the Marine Corps. barracks in Beirut, attack some embassies, and hijack a few aircraft. Just as the “War weary” Saddam Hussein–after almost a decade of fighting Iran–Invaded Kuwait.

I for one do not see a scenario like you describe really playing out. There are too many variables which would be immediate regional game-changers in such an environment. Who says Assad, after a few more months or years of brutal fighting, can really hold onto his strategic weapons? Can Assad really “Churn through” the radicals, or will the conflict resemble something closer to the Lebanese Civil War with internecine fighting and defacto cantons? It’s really impossible to know.

I would leave with this: The U.S. needs to tread carefully but realistically assess its interests. Do we want Iran to hold onto a link to the Mediterranean and Hizballah? I don’t feel we should. However, does this mean it would be acceptable to have Al Qaida managing swaths of territory in a strategic Middle Eastern country? Absolutely not. Thus,I don’t believe it would be very prudent to just let the two foes kick each other into oblivion. There’s too much room for something blowing-up in our faces.

There are many covert, more quiet, and cost-effective ways to affect change. Nevertheless, right now, the United States is sitting on its hands in near bewilderment with no real policy to speak of.

John Little: Can Russia remain relevant as Syria descends into chaos? Could they still possibly broker a political solution to this crisis or is it just too late to engineer a smooth transition of power?

Phillip Smyth: As early as summer 2012, we heard many calls that Russia was essentially irrelevant. This was mainly due to the fact that it was doing little more than equipping Assad and attempting to buy him some breathing space in the international community and with the rebels. Certainly, few consider Moscow to be an unbiased actor.

Recently, rebels (with Khatib) and Assad rejected Russian overtures–Overtures that I’m sure were little more than additional feet-dragging measures and likely seen by rebels as nothing more than bolstering for Assad’s position. The Russians will continue to throw out offers for peace talks, but the writing on the wall says that calls for “Political transition” will amount to very little.

Realistically, Moscow remains relevant insofar as how much backing they continue to offer for Assad. Nevertheless, one must consider who is pushing Russia as a potential peacemaker. Ironically enough, it’s the United States. For months the U.S. has been promoting a policy of using the Russians to establish a “Political compromise”. Will that policy work? No. Is there any hope for Russia to mediate a transition? It’s doubtful.

John Little: Russian foreign chief Sergei Lavrov recetnly warned that a protracted stalemate could lead to the breakup of Syria. Does that seem like a plausible outcome to you?

We’re already seeing the “Break-up” of Syria. When you have 1000 militias on the ground all holding different positions. If we thought 1985 West Beirut was bad, this will be worse.

However, it’s important to remember that Lavrov is using a narrative first honed in Damascus by Assad. It’s the typical pan-Arabist line which encourages autocratic-central governance over a diverse population while simultaneously threatening a potential break-up if any movement exists countering the aforementioned central authority.

Regardless, in terms of an officially recognized “Break-up” of Syria (i.e. an internationally recognized Alawi state/Kurdish state), my position is a mixed one. I believe that on a defacto level, in a post-Assad atmosphere, large chunks of Syria will be dominated by certain ideological, ethnic, and religious groups . We are already seeing what can be termed as “general autonomy” for Kurds in the northeast. However, it’s really up to how all factions decide to play these developments in the long-term.

Life at Mossad Headquarters – A Discussion with Former Mossad Officer Michael Ross

michaelross31 Life at Mossad Headquarters A Discussion with Former Mossad Officer Michael Ross

Michael Ross was born in Canada and served as a soldier in a combat unit of the Israel Defence Forces prior to being recruited as a “combatant,” (a term designating a deep-cover operative tasked with working in hostile milieus) in Israel’s legendary secret intelligence service, the Mossad. In his 13 year career with the Mossad, Ross was also a case officer in Africa and South East Asia for three years, and was the Mossad’s counterterrorism liaison officer to the CIA and FBI for two-and-a-half years. Ross is a published writer and commentator on Near Eastern affairs, intelligence and terrorism. He is the author of The Volunteer: The Incredible True Story of an Israeli Spy on the Trail of International Terrorists. You can follow him on Twitter.

John Little: There are a few intelligence agencies with high profile headquarters and the CIA leads the pack in that regard. Mossad facilities have a much lower profile (outside of Israel at least). Can you talk a bit about the size and scope of the Mossad’s headquarters – and the environment?

Michael Ross: I am prohibited from disclosing the Mossad’s HQ actual location but it is convenient and well-situated to meet the needs of the organization. It has a very modern (but highly secure) university campus feel about it and the grounds and gardens are quite beautifully maintained. It is a sanctuary from the greater hustle and bustle of Israel. There are even works of sculpture by some renowned artists that adorn the landscape. It is quite self-contained with indoor shooting ranges, meat and dairy dining rooms (the Mossad is “kosher”), fully equipped fitness center and an outstanding gymnasium (where I used to play inter-mural basketball).

It’s not large given the small size of the organization but it is a busy place. The parking lots start filling up early and the lights are always burning at all hours somewhere in the complex. As with any top tier intelligence service with a global footprint, It never actually goes to sleep.

Also like other services, the really interesting activity is conducted off campus where specialized units are maintained in out-stations. The Mossad is very strict about compartmentation so operational personnel do not interact with the HQ component on the main campus. I was in the Mossad for about 7-8 years before I ever set foot in the main HQ campus.

John Little: So it sounds very different from many other agencies that rotate officers in and out of HQ assignments then?

Michael Ross: Very, we have no cubicles and people can, and often do, spend their entire careers overseas until retirement. Some come back to HQ after many years overseas to take up senior management roles. There is also a population of operational personnel that live in Israel but travel to assignments all over the globe on a regular basis and for many years.

John Little: Overall, how did you feel about your interaction with HQ when in the field? Complaints about disconnects and micromanagement are common in intelligence literature. Is life in the Mossad any different?

Michael Ross: One of the great axioms of secret intelligence services is the sniping that goes on back and forth between HQ and the field and the Mossad is not immune to this side of HQ-field unit interaction. Given our flatter bureaucracy and overall size (and compartmentation) there is probably much less of it but it does exist. We have also made significant headway in divesting ourselves of the embassy station system. This makes for a more fluid (and less hierarchical) management style less conducive to counter-productive turf wars.

When I was in the field we used to think that some HQ requests were unreasonable and did not take into account the reality of our working environment. When I was in HQ, I thought some of the people in the field were high-maintenance prima donnas, so it works both ways. One of my great lessons was that HQ always has the big picture in mind so I came to realize that my quibble with some strange tasking did not always take into account the fact that what I was doing was a piece of something much, much bigger.

Our organizational culture is based on our management layers being populated by people whose resumes contain many years of operational experience in the field. If you don’t go overseas, you don’t get promoted in the Mossad. This helps mitigate any HQ-field disconnect because the people giving you taskings and orders at HQ have been there, done that, and worn the t-shirt.

John Little: Was your time at headquarters a nice change of pace or a shock to the system? I can imagine the office politics and rigidity being a bit off-putting after someone has spent many years in the field.

Michael Ross: It was actually an environment that I never really embraced nor felt comfortable with. Suddenly there were all these protocols and yes, a certain degree of rigidity to the proceedings. I was also an unknown because I came from this highly compartmented existence (people serving in the Mossad who are not members of the unit have no idea what my former operational division, “Caesarea”, does in the field). One of the hardest parts of being in HQ however, was the reduction in pay given that being in the field includes all kinda of extra allowances.

So I suddenly show up and everyone pays you a much respect because you were a combatant in the flagship unit of the Mossad but they also say, “You have no clue how things work here, so you better get up to speed and quickly.”

I also realized that all my report writing, cable communication overseas, etc. were all now to be in Hebrew. Both Hebrew and English are official languages in the Mossad meaning you can use either one, but nobody is going to use English because nobody else does. I’m fluent in the language but having been under cover for several years, did everything I could to forget it. Now I’m in a milieu where the majority of people are highly educated native Israelis and the writing and communication standards are very high. When I was in the field, I did all my reporting in English (for obvious reasons).

Luckily, I was placed in a staff officers course right after entering HQ. It’s an advanced course that people wait years to get on and I was able to jump the queue because of my time in the field. Combatants achieve rank at an accelerated pace over their peers in other operational and support divisions and so I entered HQ with the equivalent military rank of Major and left as a branch head at the rank of Lieutenant-Colonel (the ranking is military equivalent as our salaries, benefits, and pension are indexed against the IDF).

It was a real education and I was able to work with some terrific people in the CIA and FBI but after 2.5 years, I could not wait to get back into the field as soon as possible. I don’t have a personality type that thrives in an overly structured environment. I also found the politics of working with the vast and Byzantine U.S. intelligence community frustrating. In retrospect I was probably better suited to working a liaison role with a country whose intelligence service has no diplomatic relations with Israel.

John Little: Were your options limited to domestic postings or liaison roles at that phase of your career? It sounds like, generally speaking, once you are called back to headquarters your operational work is done.

Michael Ross: Typically if you come from one operational division’s field component, you return to its HQ counterpart but I did something different and tossed myself into the deep end by joining a division that didn’t know me at all: The Liaison and Special Political Operations Division known as “Tevel” which is Hebrew for “World”. While liaison work seems cushy, it’s not at all and almost all my colleagues were former case officers or combatants. One of my colleagues was a deep cover combatant for many years and took part in the operation to assassinate Abu Jihad in Tunisia.

Some of my colleagues joined the HUMINT division so coming in from the field doesn’t necessarily ground you in any way. You can go back to a posting in the field almost immediately if you want.

The truth of the matter is that HQ doesn’t need more people to fill roles at the office. Support people can be hired fairly easily. What the Mossad always has in short supply are officers that can be deployed in the field under foreign cover. If you come from an operational background, there are always opportunities to go back out until you return take up a management role at HQ or retire.

John Little: So what was a typical day like for you at headquarters? Was it a constant grind of 16 hour days and layers of bureaucracy to navigate or different?

Michael Ross: It started with 05:30 wake-up to beat traffic and a 45 minute commute to the office where I’d hopefully score decent parking.

Days at work in the office started by reading cable traffic from our Washington station (always entertaining) and meetings both internally and with our liaison partners from either the local CIA station or FBI Legatt (but never at the same time!).

As the CT liaison officer to the U.S. IC, I was constantly exchanging material and data on terrorists and their targets with both agencies, but a huge part of my job was dealing with attack alerts. Israel and the U.S. are main focal points of every potential terror attack on one of our many missions, schools, and military installations worldwide. A source report of an impending attack on a U.S. target would have me coordinating the transfer of said warning to my U.S. counterpart together with our CT division and the division responsible for the source of the warning. I’d call the CIA station on the “STU” (secure telephone unit) connecting the station with Mossad HQ. Together, we’d make sure that all the relevant security functions knew about the warning, it’s viability, and any other relevant intelligence. It was a fast-paced, dynamic position where delay could cost lives. I greatly enjoyed working with my American counterparts and I think it was mutual. Beyond terror attack alerts, we worked on joint operations, exchanged delegations on many mutual subjects and basically kept the relationship on track. I especially remember the period where the U.S. embassies in Kenya and Tanzania were attacked. Not only was I involved in helping the U.S. immediately after the attacks, I represented the Mossad as part of the CIA team that captured some of the main players in Baku in 1998 (based on our intelligence provided to the CIA). That was a “full circle” moment when I realized how important and powerful liaison relationships can be between two top tier services working together.

I normally worked a 12-14 hour day, but if the terrorist attack threats were coming thick and fast (either sourced by us or from CIA sources) I’d be dealing with them at all hours. It’s ironic, but when I was living under deep cover, I got way more sleep than I did when I was working in HQ. After doing this job, was it any wonder I couldn’t wait to get back to the field?

Interview: Ethics and Security in the Age of Ubiquitous Media with Dr. Rebecca Johnson

interviewrj Interview: Ethics and Security in the Age of Ubiquitous Media with Dr. Rebecca Johnson

Dr. Johnson is Associate Professor of National Security Affairs at Marine Corps University’s Command and Staff College. Prior to joining the faculty in 2009, she taught at The Georgetown Public Policy Institute at Georgetown University and the School of International Service at American University. Dr. Johnson has spoken on topics related to military ethics across the services in the United States and at service schools abroad. She has published numerous articles and book chapters and is currently writing a book on emerging trends in military ethics. Her most recent work, “The Wizard of Oz Goes to War: Unmanned Systems in Counterinsurgency” is forthcoming in Strawser (ed.) Killing by Remote Control: The Ethics of an Unmanned Military. You can follow her on Twitter.

John Little: Let me start by saying that Blogs of War will never knowingly be the launching point for a leak of classified information – no matter how big the scoop. I consider protection of classified information to be a patriotic duty even if one is not directly tasked with that responsibility. At the same time it is impossible to ignore the fact that anyone who discusses or studies intelligence is able to do so, in large part, because of a long history of unauthorized disclosures. Once a story drops in a major publication the damage can’t be undone or minimized. The information is distributed too quickly and too widely. Given that, what responsibility do ordinary Americans, commentators, and journalists have after the initial disclosure?

Rebecca Johnson: I agree whole-heatedly that protection of classified information is everyone’s responsibility – even those who aren’t in direct government service. American lives and missions really are at stake, and it will be a cold day in hell before I do something I know could sacrifice either. I’m not persuaded by the argument that once information is leaked it’s too late to minimize damage. That may be true, but to me, it’s irrelevant. Journalists and government sources both have their own missions and motivations for what they do. I can’t do anything about what brings classified information into the public realm. I can – and must – accept responsibility for my own actions. That means my sharing of classified information (because even if it’s leaked, it’s still classified), puts me not only on the wrong side of the law, but on the wrong side of my duty to work to make the country more secure. People know I work in national security are more likely to take what I share as actual US policy. I think I have to be more careful than analysts who aren’t related to the government or regular private citizens. They might not read a specific story in the paper, but if I share what I consider to be the ‘important bits’, then I’m highlighting the potentially most damaging elements of the leak for anyone to see. I won’t do free work for enemies of the United States. I know they’re perfectly competent to identify the damaging parts of leaks themselves, but again, I’m not responsible for them. I’m only responsible for me.

Ordinary Americans have a responsibility as well. Everyone knows (but often forget) not to telegraph troop movements. Posting on Facebook that you can’t wait to see Tommy when he gets back from Afghanistan next week may not violate federal law, but it’s not the smartest thing to do. Americans also have a responsibility to be involved and communicate their opinions to the government. Here, I would simply caution that leaked classified information by definition gives only a very small part of the picture. Taking one leak and using it to indict some facet of US policy is shortsighted and sure to be inaccurate. Here, I would encourage folks to give a story time to develop, turn to a multitude of sources from different perspectives, and keep their eyes focused on what’s really important – the strength of the country, not scoring partisan or personal points.

John Little: But patience and careful consideration are in short supply. Is there a way to introduce a common ethical framework back into this arena (as opposed to a purely legal one) when it looks like the dysfunctional relationship between media and social media exhibited in the Sandy Hook School shooting is the new norm? The notion of personal responsibility doesn’t exactly appear to be on the rise either.

Rebecca Johnson: If they’re in short supply, then it’s probably a good idea to practice more! I just don’t buy this line of argument. The people working the issues are the ones generating the classified material to begin with; they don’t magically see it for the first time once it’s leaked (very often, at least!). It’s the public — and primarily those of us who work in this area, but maybe not a specific issue directly — who want to know what’s happening on the ‘high side’ and create a lot of the churn following a leak. I am a true believer in our particular system of democratic governance but I couldn’t care less about feeding personal egos or people’s desire to be ‘in the know’. There are times when people claim disclosure is in the name of democratic transparency, but what they really mean is that it’s in the name of advancing their particular agenda or sense of personal entitlement. Anyone who’s in this business to be the center of the ‘look what I know’ universe would be better served just staring in a mirror all day. It would be far more helpful for everyone.

I see Sandy Hook differently, primarily because we’re not talking about national security and classified information. It does, however, highlight both sides of social media – important information is shared quickly and efficiently, but the impulse people (not just journalists) have to be the one who shares the information first resulted in the wrong man being accused of a horrific crime in a very public, terribly painful way. Did he find out that he was accused of mass murder on twitter before or after he learned that his brother had killed his mom and 26 other people on Facebook? That is the very real cost of social media and citizen journalism. In terms of a common ethical framework, I would suggest the following (and I’m speaking here to your basic user of social media – I’ll leave journalism ethics to the professionals):

  • Sourcing in everything. If you don’t know the credibility of a source, ask before you share. If that takes you extra time, oh well. If you’re not in a position to be breaking news, it probably doesn’t matter if you’re 15 minutes behind the curve. No one will remember you weren’t first out of the box tomorrow, and it could spare you from looking like a complete jackass if you share something that turns out to be wrong.
  • Ask yourself what good would come from sharing a particular piece of information. If you’re just piling on, or potentially exposing someone’s (or the country’s) vulnerability, maybe don’t RT. When big stories break there is a group dynamic that takes over that motivates people to share more than they should. If you lack the judgment and impulse control to moderate what you share on social media, then really – REALLY – take the time to practice developing that skill. It will serve you well in life.
  • Remember that no one really cares what you think anyway. You honestly don’t have to vocalize every single thing you know or suspect to be true. I’m active on social media, so I won’t pretend to be immune to this temptation, but there seems to be a sense in which people use social media to feed self-importance. Folks who follow me on twitter know I tweet all sorts of irrelevant nonsense. It’s actually intentional. I ain’t all that, and chances are, you ain’t either. Get over yourself. You don’t have to share what you know. You certainly don’t have to let yourself get caught up in a story as it’s developing if you lack the skills to moderate yourself effectively. Just stop.
  • Do you want to be right, or do you want to be effective? There are all sorts of baiters lurking on social media trying to draw people into saying something they shouldn’t. You don’t have to correct every knucklehead who gets a story wrong. Really. Work your issues and let stupid take care of stupid. It can be stomach churning to watch stories build in a direction I know to be wrong, but that’s life. People would do well to remember why they’re on social media to begin with and not let one-off distractions compromise their larger goals.

John Little: Lastly, do you think we are doing enough to prepare incoming public servants and soldiers with the burden that comes with having access to sensitive information in an environment that also encourages persistent personal broadcasting?

Rebecca Johnson: This is a great question. No. This is true of both PERSEC and OPSEC. Every day for a month I had Facebook recommend that I friend an individual whom I’ve never met but who serves in a Cabinet level position in the current administration. Finally I friended the individual (who — *sniff* — has yet to accept my friend request) and posted a courtesy message on my wall that whichever of my friends who knows the principal may want to have a gentle conversation about privacy settings. If this is the level of security for senior leaders, imagine the lack of preparation and accountability at more junior levels. I have found myself correcting my own students numerous times for PERSEC issues on social media, and my students are seasoned professionals.

In terms of OPSEC, most service members are pretty good at keeping quiet on things they shouldn’t discuss; here I would say the breakdown comes not in preparing people not to leak classified information, but in reminding people that there is a lot of open source material that still should not be shared – at least by them. Since DOD changed its policy on the use of social media, each of the services has adopted guidelines and operating procedures, but these tend to be communicated by Public Affairs Officers, rather than by commanders or small unit leaders. I’ve had the good fortune of working with leaders who embrace social media rather than run from it, and that definitely helps in building a culture of responsible social media engagement. Still, I know this isn’t the norm.

In the military, familiarity on the part of unit leaders with what social media is and the general common sense prudential rules for how to leverage it goes a long way to training subordinates in responsible practices. I’m not saying leaders should be monitoring their people’s twitter feeds; I’m saying that familiarity puts leaders in a better position to actually lead in this area. In civilian organizations (including DOD) where there is a mix of career public servants and political appointees, it can be harder to get everyone on the same page in terms of what’s appropriate to share. I’m less familiar with what individual agencies do to regulate social media use on the part of their employees, but I would suggest that the obligatory “these views do not represent” disclaimer people cram into their profile is not enough.

Banning or over-regulating the use of social media is obviously not the answer either; it’s a fact of life and has the ability to make us all better at what we do. For me, it comes down to responsible engagement. My boss likes to say that we have two ears and one mouth for a reason – so we will listen twice as much as we speak. When it comes to social media I’d push it even further. We have two ears, two eyes, and one mouth. We’d all do better to stay on receive mode and be judicious in when and why we shift into transmit.