Centcom - a PR disaster, not cyberwar

13 January 2015

Dark picture of hands at computer keyboard

Technology correspondent

The timing was exquisite.

Just as President Obama was outlining plans to strengthen cyber-security in the US, the Twitter and YouTube accounts of the US military command for the Middle East and Asia were both being used as platforms for IS propaganda. But let's not get too hysterical about this incident - the hacking was a PR disaster, but not a major breach of America's cyber defences.

The accounts, as Centcom was swift to stress, were hosted not on the military's own servers but by an outside commercial organisation. And it seems the information posted on Twitter by the so-called "Cyber Caliphate" was already widely available online.

Not an audacious raid on the Pentagon's computers then, but graffiti scrawled on on its virtual walls. A 2011 cartoon, external from the excellent XKCD webcomic was circulating widely on Twitter last night. It contrasts the horrified public reaction to the "hacking "of the CIA's website with that of security experts who say "someone tore down a poster hung up by the CIA".

Which isn't to say that the social media and PR teams at Central Command won't be looking for new jobs today. Like many public sector organisations, the US military first had a very cautious attitude to the use of social media, then plunged in, apparently convinced that it could not be absent from this vital arena of public debate. But did Centcom think clearly enough about the risks?

Every day thousands of people and organisations have their Twitter or YouTube accounts taken over and used for malicious or criminal ends. Sources at Twitter and YouTube's owner Google told me that in most cases this didn't involve genuine hacking but what they described as "poor password hygiene" - passwords were either so weak as to be easily guessed or were shared too widely. Some people are tricked into handing over their credentials after clicking on links in direct messages on Twitter or downloading attachments in emails.

One notable aspect of Centcom's Twitter account was that it did not have the blue tick which shows it has been verified by the social networking firm. This doesn't guarantee better security but means Twitter acts faster if there's a problem - and its absence seems to show that Centcom wasn't thinking too clearly about security.

Both Twitter and Google recommend the use of two-factor authentication, which means anyone logging on to their account from a new computer has also to enter a code sent to their mobile phone. We don't know whether the Centcom staff took advantage of this extra layer of security.

Social networks have become a vital weapon in the information war, but as a number of news organisations have already learned to their cost, they can be turned against you if you let intruders through the doors. Still, in these nervous times, it is worth retaining a sense of proportion. This act of "cybervandalism", as it was described by US Central Command, may have been deeply embarrassing. But nobody died.