For DoD communicators, social media is one of the best places to interact with a diverse audience, promote events and share information. But with this comes incredible risk, as our adversaries are constantly trying to disrupt our everyday procedures.
That's exactly what happened to the official Facebook pages of Hurlburt Field and the commander of the 1st Special Operations Wing (SOW). Review the timeline below for more information on the incident and the actions taken to control the situation before any harm was done.
Timeline of the Hurlburt Field and 1st SOW Facebook Hack
Jun 6, 2023
Personal Facebook page is hacked.
A team member of the 1st SOW has their personal Facebook account hacked. Through their personal page, this team member has access to the official Hurlburt Field and the 1st SOW Commander's Facebook pages, allowing the hacker access to both.
Jun 8, 2023
The team discovers the hack.
Nothing seemed unusual until the team needed to make an update on Facebook.
Two days pass before the hack is discovered. When another team member with access to the official Hurlburt Field Facebook page attempts to create a post, they discover the page is inaccessible.
The team notifies Air Force Special Operations Command Public Affairs, Secretary of the Air Force Public Affairs and the Air Force Office of Special Investigations.
Additionally, the team works with AFSOC/PA for support with any Facebook posts needed until page access is restored.
The team proactively posts a call for help on different, private Facebook groups related to PA and works with SAF/PA to obtain a contact at Meta.
Jun 9, 2023
The team corresponds with Meta.
The team reaches out to Meta to request support. Additionally, OSI reaches out directly to the team member whose account was hacked to gain more insight into how the hack happened.
The next day, Meta responds with their own request for more information, including Facebook page URL, page ID, ID/URL for the admin that was removed/demoted and approximate date the admin was removed/demoted.
Jun 16, 2023
The team responds with an official memorandum.
The Chief of PA for the 1st SOW responds to Meta's request for information. This includes providing two personal memorandums: one with a physical signature and another with a digital signature.
Within the memo is their official position title, Facebook statistics (creation date, followers, general use), individual Facebook link and email associated with that account, along with a request for expediting the review and a statement certifying employment with the Department of the Air Force.
Additionally, a statement of service is provided as proof of official Air Force/DoD employment.
Jun 20, 2023
Access to the Hurlburt Field Facebook account is restored.
Access to the main Hurlburt Facebook page is restored to normal operating functionality 14 days after the hack.
Jul 5, 2023
Access to the 1st SOW Facebook account is restored.
A full 29 days later, access to the 1st SOW Commander's Facebook page is restored to normal operating functionality.
Create a social media strategy.
This serves as a reminder that every unit, no matter the size, is vulnerable to hacking attacks via social media. A social media strategy, developed and enforced from the top down, will help protect you from security incidents like hacking. Even though there was no long-term harm caused by the hacking of the Hurlburt Field Facebook account, it became evident that there was not a clear social media strategy for the social media manager to rely on. The team reached out to other DoD PA professionals and utilized contacts they had at Meta that had been helpful in previous situations. The team also resorted to posting on private DoD Facebook groups for additional advice.
It is best to plan ahead with a proper social media strategy that details how to handle hacking incidents, including who to contact and how to communicate with each platform your unit is active on. Keep it simple and easy to follow, with key elements like:
- Guidelines that explain how to talk about your unit on social platforms.
- Assigned departments or team members that are responsible for each account.
- Guidelines on how to create an effective password and how often to change passwords.
- A designated person to notify and instructions for responding to social media security concerns and incidents.
Train staff on social media security.
Once you have a social media strategy in place, make sure your team understands it. When a security incident like the hacking of a social media account occurs, it requires quick action from multiple team members. This quick action can only happen if your unit is properly trained and prepared on how to implement the strategy. Training is also an opportunity to update your unit on the latest social media threats they should be aware of.
Training should be unit-specific, but a good place to start when developing training materials regarding social media is DoDI 5400.17. This policy provides:
- Core principles regarding social media use within the DoD.
- Guidance regarding records management procedures for social media accounts.
- Guidance on personal social media use by DoD personnel.
Limit access to unit social media accounts.
This incident began when a team member's personal Facebook account was hacked, exposing the vulnerabilities that exist when multiple team members have access to social media accounts. Only grant access to unit social media accounts to those who have essential duties to perform and treat account passwords as security assets. That means limiting the number of people who can manage your accounts and requiring everyone who does to have a unique password. See sections 6, 7 and 8 of DoDI 5400.17 for more information on authorized accounts, maintaining an established online presence (EOP) and personal social media use by DoD personnel.
Create a system of approvals for social posts.
Before posting anything on social media, posts should go through a review cycle to ensure content meets the requirements established in your social media strategy. The person or persons who are responsible for this review are known as the "Release Authority." Review the DoD Visual Information Style Guide for more specifications on release authority. Many people may have some responsibility for crafting social media posts, but there should be a much smaller number of people responsible for posting the content.
Put someone in charge.
Assign a key person to whom your unit can go for their social media-related questions and who takes the lead when security incidents occur. This person should:
- Be a subject matter expert (SME) in your unit's social media policy.
- Be a SME in your unit's social media strategy.
- Monitor your unit's presence on all active social media platforms.
- Determine who has posting rights on your unit's social platforms.
- Be a main stakeholder in the development of your unit's social media strategy.
Set up an early warning system.
Assign someone to periodically check that all social posts on unit accounts are legitimate. That includes accounts your unit is active on daily and the ones you've registered but never used. Additionally, this person should actively monitor and listen for impostor accounts and take corrective action when one is spotted.