WASHINGTON — New government social media security guidelines call for federal agencies to develop "social media stakeholder teams" that can quickly identify and respond to a cyberattack and to strengthen social media passwords.
The new guidelines, released Tuesday on the General Service Administration's DigitalGov portal were created in the wake of the embarrassing hack in early January of the U.S. Central Command's Twitter feed by ISIS sympathizers, which exposed basic security holes in the thousands of social media accounts run by the government.
Hackers used password vulnerabilities at CENTCOM to take over the military organization's Twitter and YouTube page and fill them with pro-ISIS messaging. Government officials said sensitive or classified material was not accessed or threatened by the hack.
The GSA proposes agencies set up a "social media stakeholder team" to quickly respond to instances of "cyber-vandalism," the phrase used by government officials to describe the CENTCOM hack.
The guidelines also call for agencies to integrate security systems built in to many social media networks, like two-step verification for logins, on all their accounts. Passwords themselves should be drafted within guidelines established by the National Institute of Standards and Technology in 2009.
Some of the other suggestions are more straightforward.
"Ensure no former employees, contractors or interns have access to current passwords," reads one of the guidelines in the GSA toolkit.
The goal of the toolkit is to both prevent future hacks with security improvements and also make government agencies able to quickly respond and reduce the impact of social media hacks. The GSA guidelines call for a full audit of social media account login information after one account is breached and immediate contact with the private firm that hosts the hacked social media account.
"If the social media cyber-security stakeholder team or responsible manager determines an incident is in progress, remember that minutes and even seconds count," read the guidelines. "Within minutes you'll need to alert internal stakeholders, alert outside stakeholders to help you regain control, and act to isolate the compromise."
The new GSA rules were drafted by a cross-agency task force assembled after CENTCOM was hacked. Representatives from social media companies were included in the review of government practices and drafting of new guidelines to bolster security and respond to hackers.
The GSA guidelines are voluntary and are advertised as a "Social Media Cyber-Vandalism Toolkit." Federal agencies make their own rules when it comes to social media, and there's no centralized rules regulating who has access to social media accounts, who uses them or how passwords should be set up. A government official with knowledge of the guidelines told BuzzFeed News agencies "plan to use" the toolkit.
Mikko Hypponen, a cybersecurity expert and head of the firm F-Secure, praised the GSA toolkit in an email.
"These guidelines look very solid - almost surprisingly so!" he wrote. "They've clearly done their homework. Other organizations should take note."