By Noah Shachtman

For years, the military has been warning that soldiers' blogs could pose
a security threat by leaking sensitive wartime information. But a series
of online audits, conducted by the Army, suggests that official Defense
Department websites post material that's far more potentially harmful
than blogs do.

The audits, performed by the Army Web Risk Assessment Cell between
January 2006 and January 2007, found at least 1,813 violations of
operational security policy on 878 official military websites. In
contrast, the 10-man, Manassas, Virginia, unit discovered 28 breaches,
at most, on 594 individual blogs during the same period.

The results were obtained by the Electronic Frontier Foundation, after
the digital rights group filed a lawsuit under the Freedom of

"It's clear that official Army websites are the real security problem,
not blogs," said EFF staff attorney Marcia Hofmann. "Bloggers, on the
whole, have been very careful and conscientious. It's a pretty major

The findings stand in stark contrast to Army statements about the risks
that blogs pose.

"Some soldiers continue to post sensitive information to internet
websites and blogs," then-Army Chief of Staff Peter Schoomaker wrote in
a 2005 memo. "Such OPSEC (operational security) violations needlessly
place lives at risk." That same year, commanders in Iraq ordered (.pdf)
troops to register their blogs "with the unit chain of command."

Originally formed in 2002 to police official Defense Department websites
(.mil), the Army Web Risk Assessment Cell, or AWRAC, expanded its
mission in 2005. A handful of military bloggers, including then-Spec.
Colby Buzzell, were seen as providing too many details of firefights in
Iraq. Buzzell, for one, was banned from patrols and confined to base
after one such incident, and AWRAC began looking for others like him on
blogs and .com sites.

But AWRAC hunted for more than overly vivid battle descriptions. It
scoured pages for all kinds of information: personal data, like home
addresses and Social Security numbers; restricted and classified
documents; even pictures of weapons. When these violations were found,
AWRAC contacted the webmaster or blog editor, and asked that they change

"Big Brother is not watching you, but 10 members of a Virginia National
Guard unit might be," an official Army news story warned bloggers.

Within the Army, some worried that the blog-monitoring had compromised
AWRAC's original goal.

"My suspicion ... is that the AWRAC's attention is being diverted by the
new mission of reviewing all the Army blogs," reads an e-mail (.pdf)
from the office of the Army Chief Information Officer obtained in EFF's
FOIA lawsuit. "In the past they did a good job of detecting and
correcting (website policy compliance) violations, but that is currently
not the case."

On one blog, AWRAC found photos showing bomb damage to a Humvee; on
another, a description of a mountain near a base in Afghanistan; on a
third, a video about "morale concerning incoming mortar." AWRAC
discovered a secret presentation on the official, unclassified Army
Knowledge Online network. It found a map of an Army training center in
Texas on a second .mil site. A "colonel's wife's maiden name" was caught
on a third.

The documents unearthed by the EFF also show that AWRAC's investigations
may have been meant to discourage any Army blogging -- not just correct
security flaws. One soldier-blogger noted that "The DoD (Department of
Defense) is cracking down ... and I wouldn't be able to continue
blogging." AWRAC's internal response: "The word is getting out."

"I won't be blogging anything cool probably while we're here," another
soldier wrote. "I remember really enjoying a few blogs at the beginning
of the war, but they were pushing the limits a little bit on OPSEC and I
don't plan to get anywhere near those limits." AWRAC's answer: "GO

The AWRAC monitoring is part of an ongoing struggle in the military over
digital media. To some, these new forms of communications are security
risks waiting to happen. Others welcome soldiers posting to blogs,
online video sites and social networks as information warfare, combating
a wave of Islamist propaganda online.

This spring, the Army released stringent new rules (.pdf) telling
soldiers to stop posting to blogs without first clearing the content
with a superior officer. "Personal websites of individual Soldiers (to
include web logs or 'blogs') are a potentially significant
vulnerability," Army Regulation 530-1 noted.

The guidelines' author, Major Ray Ceralde, cited the Pentagon's take-out
pizza orders as an example of potentially damaging information that a
blog might leak. Days later, the Army issued a "fact sheet" which seemed
to back away from the rules -- without officially retracting them.

The overlapping guidelines created a climate of confusion for
soldier-bloggers. Sgt. Edward Watson, a blogger currently deployed with
the 82nd Airborne Division in Baghdad, was threatened by his company's
commander for perceived transgressions of the blog policies.

"They wanted to give me an Article 15 (non-judicial punishment) for a
regulation I was clueless about, and they never brief anyone about
starting or running blogs," Sgt. Watson told Wired News in an e-mail. He
was eventually allowed to keep his website -- after removing some of the
more detailed entries.

Overall, the new documents reveal, AWRAC found few security breaches on
soldiers' sites -- at most, 28 in more than a year. That's a fraction of
the thousands of violations found on official sites.

(The precise number of breaches is unclear. In AWRAC's presentations,
numbers contradict one another, or are transposed from one month to the
next. For example, AWRAC came up at different points with five separate
figures for the number of .mil pages scanned in September 2006. The
documents show that the number of breaches may have been as high as
4,052 on official military sites, and as low as 14 on blogs.)

To D.J. Elliott, a blogger and former intelligence officer, the
statistics -- however uneven -- are proof that "the milblogs (military
blogs) are policing their own far tighter than officialdom is."

"Most of the milblog(er)s are there or have people close to them there,"
he wrote in an e-mail to Wired News. "They maintain OPSEC because it is
personal to them. Self-preservation. It is risking them and/or theirs."

Army spokesman Gordon Van Vleet seemed to agree with that assessment.
One "factor that contributes to fewer violations being found on blogs is
that in general the blogger is conscientious about their duty to not
provide information that could be considered an OPSEC violation," he
wrote. "Often these bloggers are stationed in the combat areas and they
more than anyone understand the importance of security and the potential
impact any OPSEC violations could have on themselves and their fellow
Soldiers, Airmen and Marines."