Continued from page 1

“Everything in her profile screamed fake,” he told The Times. She claimed to have 10 years’ experience in the cybersecurity field - which would mean that she entered it at age 15 - and there is no such job as “cyber threat analyst” at the Naval Network Warfare Command. Even her name is taken from the code name of an annual U.S. special-forces military exercise, as a two-second Google search establishes.

Mr. Ryan chose the photos, which he found on an amateur pornography site, “because she looked foreign” - which he said was another potential counterintelligence red flag - as well as for her attractiveness.

Several people with whom she attempted to connect spotted the fakery, Mr. Ryan said, “I was pretty much busted on Day Two.” He said some people with whom Ms. Sage tried to connect took simple precautions such as trying to call the phone number she provided, or by asking her to e-mail them from her military account. Others checked public records on her purported National Security Agency information security qualification or reviewed the college alumni network for the Massachusetts Institute of Technology, where she claimed to have been educated.

Some even noticed that her profile on every site had been established less than a month earlier.

But Mr. Ryan added that no central place was established for people to warn others about the scam, and tweets or other commentary questioning her authenticity didn’t stop others from connecting with her.

“The only agencies where I didn’t get any connections were the FBI and the CIA,” he said.

David Wennergren, the deputy chief information officer for the Department of Defense, said in an e-mail that the answer was to continue the Pentagon’s effort to “ensure our folks are well trained on responsible use of the Internet - at work and home.”

After the department discovered that it was the victim of “long-distance phone abuse … we didn’t abandon the use of telephones,” he said.

“We should address the behavior, not abandon the tool.”

“All access to the Internet - not just social-networking sites - involves risk; even accessing websites and the use of e-mail involves risk,” Mr. Wennergren added.

But Paul Strassmann, a professor at George Mason University who was the Pentagon’s director of defense information in the early 1990s, said the unrestricted use of social networking by Defense Department personnel poses unacceptable risks.

“You are opening the floodgates to a torrent of data, which your adversary can … sift and turn into intelligence,” he said.

Mr. Strassmann, who said he was recently engaged by a U.S. agency he declined to name to help develop a policy on social networking, added that it didn’t matter that the security breaches in the case were unintentional. “In intelligence, many of the most important leaks are inadvertent.”

Another person involved at a senior level in the U.S. military’s cybersecurity efforts, who asked for anonymity because he was not authorized to speak about the case, called it “an object lesson in the dangers of social networking.”

“People feel they are safe” on the Internet, he said, but in reality, “it is a perfect environment for preying on people’s weaknesses.”

Story Continues →