"As the popularity of social media has grown, they have increasingly been targeted as well," said Gregory Wilshusen, the GAO's information security issues director, in testimony delivered to the House Oversight and Reform Subcommittee on Information Policy, Census and National Archives. "Thus, as agencies make use of Web 2.0 technologies, they face persistent, sophisticated threats targeting their own information as well as the personal information of individuals interacting with them. The rapid development of Web 2.0 technologies makes it challenging to keep up with the constantly evolving threats deployed against them and raises the risks associated with government participation in such technologies."
Wilshusen pointed out that the Federal Information Security Management Act holds agencies responsible for the security of information collected or maintained and for information systems used or operated on their behalf. "The extent to which FISMA makes federal agencies responsible for the security of third-party social media websites may depend on whether such sites are operating their systems or collecting information on behalf of the federal government, which may not be clear," he said.
Federal law limits the government's collection of information about citizens, yet it is ambiguous as it applies to social networking sites, where members post details about their lives and express opinions on a wide range of matters. Wilshusen suggested that the government might need to adopt rules to address what information it can collect and disclose in the Web 2.0 arena. "Unless rules to guide their decisions are clear, agencies could handle information inconsistently," Wilshusen said. "Individual privacy could be affected, depending upon whether and how government agencies collect or use personal information disclosed by individuals in interactive settings."