Over the past several months the government has amplified its posture on cybersecurity (a massive breach of millions of security clearance investigations along with airline and healthcare hacks will do that to an organization). While some specific intelligence organizations have always been known for their online caution, there’s rarely been such a widespread effort to encourage all government employees to be careful how they interact online.
In 2009, a hacker made headlines for creating several fake social networking profiles for a woman called Robin Sage. Using that network of fake connections and contacts, Sage was able to solicit job offers, engage in industry conversations and get access to individuals ‘she’ wouldn’t have in real life. More than five years after the story of Robin Sage made headlines at a Black Hat conference, it’s now the Director of National Intelligence urging clearance holders to be cautious, in a new campaign.
If you’re still using public facing social networking sites to manage your career, it’s time to think again. Here are five reasons why you shouldn’t post your resume details to LinkedIn.
1. You make spear phishing easier.
The Chief Information Security Officer at the Department of Homeland Security slammed government computer users for lazy security, noting he regularly spoofed colleagues with fake emails. He went as far as to say those who are regularly caught falling victim to such schemes lose their clearances. While some phishing attacks are clearly fake, the more information a hacker has about you, the easier it will be for them to create a successful phishing attack against you.
2. Anyone can access the information.
Anything you post to a public facing social networking site is no longer your own. As the website ICWATCH demonstrates, in a post-Snowden era, clearance holders are under more scrutiny than ever. By posting your clearance information publicly, you’re opening yourself up to being watched – literally – by nefarious actors. ICWATCH culls Google and LinkedIn, and pulls all of the data it can about individuals deemed to work for the intelligence community. Much of the information comes from scanning LinkedIn for the names of NSA programs or IC projects.
3. ‘Invitation to Connect on LinkedIn’ Tops Lists of Dangerous Emails.
Speaking of spear phishing, ‘invitation to connect on LinkedIn’ is consistently listed among the most-used subject lines in phishing scams. Fake emails are not the only problem; fake profiles are one as well. Beyond completely fabricated accounts, it’s very common for hackers, scam artists and terrorists to create fake profiles for real life individuals. Even if you know not to connect with strangers, you may erroneously make a connection with someone who you think is real – who isn’t at all.
4. It Shows a Lack of Discretion.
You can still have a profile on a site like LinkedIn. But it’s a matter of how much information you share.
“Advertising your security clearance on sites like LinkedIn makes you an intelligence target and evidences a lack of discretion,” said security clearance attorney and former background investigator Sean Bigley. “The granting of a security clearance is fundamentally the government agreeing that you can be trusted (both in terms of honesty and common sense). Publicly posting your security clearance details online may not impact anyone’s opinion of your honesty, but it certainly might impact opinions about your common sense. After all, if someone is sharing their clearance details with the whole world online, who is to say that they wouldn’t also spill the classified information they learn?”
5. Your Foreign LinkedIn Connections Could be Deemed a Security Risk.
Until now, clearance holders haven’t had to worry about the government monitoring their social media accounts. Security clearance reform efforts are making social media monitoring and reporting a real possibility. That means you may be held responsible for all of those foreign LinkedIn connections you made without thinking about it.
Can security clearance holders network online? Absolutely. But when it comes to public facing social networking sites such as Facebook and LinkedIn, the government is increasingly urging professionals to take a less-is-more approach. Whether it’s personal details like date of birth or resume details, such information is best kept on a password protected site you trust.