The Indian Army wants its officers holding critical posts to deactivate their Facebook accounts and not use the popular messaging application, WhatsApp, for any official communication.
In an advisory issued last month, the army has cautioned officers holding sensitive posts in all headquarters, divisions and brigades that WhatsApp is a vulnerable platform and so should not be used for any official communication.
It added that although WhatsApp is end-to-end encrypted, the encryption would cease to be effective if the mobile handset on which it is being used gets compromised.
WhatsApp was recently in the eye of a storm after it admitted that surveillance software called Pegasus — owned by an Israel-based NSO group — had been used to compromise some of its Indian users, including journalists and activists.
The advisory comes after the army cyber group conducted an analysis of social media trends in which it has identified a new set of problems on the ways its personnel use the internet.
The advisory states that the popular social media platform Facebook has turned out to be a crucial source of collecting intelligence, which is why officers holding critical posts in the army must consider deactivating their accounts.
Armed forces personnel and their families have been discouraged from posting their pictures in uniform or photographs of locations that can give out details of sensitive locations on Facebook or other social media apps.
According to the advisory, there have been numerous instances of loss of information through social media — which could well be inadvertent — despite multiple directives issued to army personnel time and again on the threats and implications of using the online medium. A social media policy for the army is already in place since 2016.
The advisory also talks of inimical agencies possessing sophisticated tools for monitoring and analysing data on social media to derive intelligence, underscoring that those holding critical appointments are especially at risk.
OSINT can give away substantial information ::
According to the advisory, information on OSINT or open source intelligence on the internet, can give away substantial information on important appointments held by army officers.
It advises officers holding sensitive appointments to be aware of the information available about them on the internet and take steps to ensure that critical data about them is not given out inadvertently.
The advisory also states that army personnel should be cautious in giving out personal and professional details while creating accounts on social media platforms. It further states that substantial information can be extracted just by analysing posts or comments on social media made by either army personnel or their families or friends.
It advises exercising restraint in posting comments, ensuring correct privacy settings and educating families and friends of those in the army.
The advisory cautions army personnel to not link their gmail accounts to multiple other applications that could compromise sensitive information on the email account.
Use of smartphones ::
Highlighting the susceptibility of smartphones to cyber attacks, the advisory states that social media and other applications should be avoided on smartphones and they should be used only for voice calls and SMS.
It states that email clients used for official communication should be strictly avoided on smartphones, as they are susceptible to phishing campaigns that can compromise the phone, leading to exploitation of calls and messages too.
The advisory also warns army personnel that the location services on a smartphone can give out vital details of movement and has hence asked to keep their location services switched off at all times, particularly during visits to forward areas.
Leak of crucial information a matter of concern for military ::
Pilferage of crucial information about the armed forces has remained a matter of concern for the Indian military, prompting it to issue multiple directives and advisories on the use of social media.
ThePrint had reported that in July this year, the army had started month-long cyber security exercise to identify and crack down on those violating its norms for all online activities and had those found violating the norms would face “exemplary” punishment.
Just about a week before that, the Director General of Military Operations (DGMO) issued a list of instructions on information security to all army units and formations, stating that enemy agencies have access to advanced monitoring, decryption and data analysis capabilities.