Army Reports Brass, Not Bloggers, Breach Security

For years, the military has been warning that soldiers' blogs could pose a security threat by leaking sensitive wartime information. But a series of online audits, conducted by the Army, suggests that official Defense Department websites post material far more potentially harmful than anything found on a individual's blog.

The audits, performed by the Army Web Risk Assessment Cell between January 2006 and January 2007, found at least 1,813 violations of operational security policy on 878 official military websites. In contrast, the 10-man, Manassas, Virginia, unit discovered 28 breaches, at most, on 594 individual blogs during the same period.

The results were obtained by the Electronic Frontier Foundation, after the digital rights group filed a lawsuit under the Freedom of Information Act.

"It's clear that official Army websites are the real security problem, not blogs," said EFF staff attorney Marcia Hofmann. "Bloggers, on the whole, have been very careful and conscientious. It's a pretty major disparity."

The findings stand in stark contrast to Army statements about the risks that blogs pose.

"Some soldiers continue to post sensitive information to internet websites and blogs," then-Army Chief of Staff Peter Schoomaker wrote in a 2005 memo. "Such OPSEC (operational security) violations needlessly place lives at risk." That same year, commanders in Iraq ordered (.pdf) troops to register their blogs "with the unit chain of command."

Originally formed in 2002 to police official Defense Department websites (.mil), the Army Web Risk Assessment Cell, or AWRAC, expanded its mission in 2005. A handful of military bloggers, including then-Spec. Colby Buzzell, were seen as providing too many details of firefights in Iraq. Buzzell, for one, was banned from patrols and confined to base after one such incident, and AWRAC began looking for others like him on blogs and .com sites.

But AWRAC hunted for more than overly vivid battle descriptions. It scoured pages for all kinds of information: personal data, like home addresses and Social Security numbers; restricted and classified documents; even pictures of weapons. When these violations were found, AWRAC contacted the webmaster or blog editor, and asked that they change their sites.

"Big Brother is not watching you, but 10 members of a Virginia National Guard unit might be," an official Army news story warned bloggers.

Within the Army, some worried that the blog-monitoring had compromised AWRAC's original goal.

"My suspicion ... is that the AWRAC's attention is being diverted by the new mission of reviewing all the Army blogs," reads an e-mail (.pdf) from the office of the Army Chief Information Officer obtained in EFF's FOIA lawsuit. "In the past they did a good job of detecting and correcting (website policy compliance) violations, but that is currently not the case."

On one blog, AWRAC found photos showing bomb damage to a Humvee; on another, a description of a mountain near a base in Afghanistan; on a third, a video about "morale concerning incoming mortar." AWRAC discovered a secret presentation on the official, unclassified Army Knowledge Online network. It found a map of an Army training center in Texas on a second .mil site. A "colonel's wife's maiden name" was caught on a third.

The documents unearthed by the EFF also show that AWRAC's investigations may have been meant to discourage any Army blogging -- not just correct security flaws. One soldier-blogger noted that "The DoD (Department of Defense) is cracking down ... and I wouldn't be able to continue blogging." AWRAC's internal response: "The word is getting out."

"I won't be blogging anything cool probably while we're here," another soldier wrote. "I remember really enjoying a few blogs at the beginning of the war, but they were pushing the limits a little bit on OPSEC and I don't plan to get anywhere near those limits." AWRAC's answer: "GO ARMY!"

The AWRAC monitoring is part of an ongoing struggle in the military over digital media. To some, these new forms of communications are security risks waiting to happen. Others welcome soldiers posting to blogs, online video sites and social networks as information warfare, combating a wave of Islamist propaganda online.

This spring, the Army released stringent new rules (.pdf) telling soldiers to stop posting to blogs without first clearing the content with a superior officer. "Personal websites of individual Soldiers (to include web logs or 'blogs') are a potentially significant vulnerability," Army Regulation 530-1 noted.

The guidelines' author, Major Ray Ceralde, cited the Pentagon's take-out pizza orders as an example of potentially damaging information that a blog might leak. Days later, the Army issued a "fact sheet" which seemed to back away from the rules -- without officially retracting them.

The overlapping guidelines created a climate of confusion for soldier-bloggers. Sgt. Edward Watson, a blogger currently deployed with the 82nd Airborne Division in Baghdad, was threatened by his company's commander for perceived transgressions of the blog policies.

"They wanted to give me an Article 15 (non-judicial punishment) for a regulation I was clueless about, and they never brief anyone about starting or running blogs," Sgt. Watson told Wired News in an e-mail. He was eventually allowed to keep his website -- after removing some of the more detailed entries.

Overall, the new documents reveal, AWRAC found few security breaches on soldiers' sites -- at most, 28 in more than a year. That's a fraction of the thousands of violations found on official sites.

(The precise number of breaches is unclear. In AWRAC's presentations, numbers contradict one another, or are transposed from one month to the next. For example, AWRAC came up at different points with five separate figures for the number of .mil pages scanned in September 2006. The documents show that the number of breaches may have been as high as 4,052 on official military sites, and as low as 14 on blogs.)

To D.J. Elliott, a blogger and former intelligence officer, the statistics -- however uneven -- are proof that "the milblogs (military blogs) are policing their own far tighter than officialdom is."

"Most of the milblog(er)s are there or have people close to them there," he wrote in an e-mail to Wired News. "They maintain OPSEC because it is personal to them. Self-preservation. It is risking them and/or theirs."

Army spokesman Gordon Van Vleet seemed to agree with that assessment. One "factor that contributes to fewer violations being found on blogs is that in general the blogger is conscientious about their duty to not provide information that could be considered an OPSEC violation," he wrote. "Often these bloggers are stationed in the combat areas and they more than anyone understand the importance of security and the potential impact any OPSEC violations could have on themselves and their fellow Soldiers, Airmen and Marines."