One year from now, the US Department of Defence (DoD) expects to have a new email gateway infrastructure in place that will encrypt its mail in transit by default, Gizmodo has learned.
The Defence Information Systems Agency (DISA), which manages the Pentagon's email systems, says it intends to adopt, by default, STARTTLS, an SMTP extension that upgrades the plaintext connection between two mail servers to TLS so that messages cannot be read or altered while in transit between them. "DISA is actively working an acquisition to upgrade the email gateways that will allow us to take advantage of evolving capabilities for email protection," wrote Maj. Gen. Sarah Zabel, vice director of DISA, in a letter this week addressed to Senator Ron Wyden, Democrat of Oregon.
In late March, Wyden sent a letter to DISA inquiring as to why the Pentagon had not already enabled STARTTLS, as it is widely used by default throughout the US federal government and in the private sector to protect email communications. "As you may know, the technology industry created STARTTLS fifteen years ago to allow email servers to communicate securely and protect email messages from surveillance as they are transmitted over the internet," Wyden wrote.
The senator added that while the Pentagon uses various other systems to protect classified and unclassified messages — such as Public Key Infrastructure (PKI), which allows for the encrypted transfer of data at DoD, as well as to and from its defence industry partners — Wyden was "concerned that DISA is not taking advantage of a basic, widely used, easily-enabled cybersecurity technology". He continued: "Indeed, until DISA enables STARTTLS, unclassified email messages sent between the military and other organisations will be needlessly exposed to surveillance and potentially compromised by third parties."
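Whether a given gateway "enables STARTTLS" is something any sender can check: after connecting on port 25 and sending EHLO, the server lists its extensions in a multi-line 250 reply, and a line reading `250-STARTTLS` is the offer to upgrade the session. Because STARTTLS is negotiated hop by hop, it protects the leg between the sending server and the receiving gateway; the gateway itself terminates the TLS session and still sees the decrypted message. The Python below is an example added to this article, not code from DISA or Gizmodo. The EHLO transcripts and host names in it are constructed for illustration; `probe_starttls` is the equivalent live check and needs network access.

```python
"""Check whether an SMTP server advertises STARTTLS (RFC 3207).

Example code added to this article; not DISA's or Gizmodo's. The EHLO
replies below are constructed, not captured from any real server.
"""
import smtplib
import ssl

# Constructed EHLO replies in RFC 5321 format: continuation lines use
# "250-" (hyphen) and the final line uses "250 " (space).
EHLO_WITH_STARTTLS = (
    "250-mail.example.test Hello relay.example.test\r\n"
    "250-SIZE 52428800\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)

EHLO_WITHOUT_STARTTLS = (
    "250-mail.example.test Hello relay.example.test\r\n"
    "250-SIZE 52428800\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo(reply: str) -> dict:
    """Parse a multi-line 250 EHLO reply into {EXTENSION: parameters}.

    Keys are upper-cased extension keywords; the greeting (first line) is
    stored under the key "" so callers can inspect the server's name.
    Raises ValueError on anything other than a well-formed 250 reply,
    since that means EHLO itself failed.
    """
    exts = {}
    lines = [ln for ln in reply.splitlines() if ln]
    if not lines:
        raise ValueError("empty EHLO reply")
    for i, line in enumerate(lines):
        if len(line) < 4 or not line.startswith("250") or line[3] not in "- ":
            raise ValueError(f"unexpected EHLO line: {line!r}")
        body = line[4:].strip()
        if i == 0:
            exts[""] = body
        else:
            keyword, _, params = body.partition(" ")
            exts[keyword.upper()] = params
        if line[3] == " ":
            break  # RFC 5321: "250 " marks the last line of the reply
    return exts


def advertises_starttls(reply: str) -> bool:
    """True if the EHLO reply lists the STARTTLS extension."""
    return "STARTTLS" in parse_ehlo(reply)


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> bool:
    """Live check: connect, send EHLO and upgrade the session to TLS.

    Returns True only if the server advertises STARTTLS and the TLS
    handshake succeeds with certificate and hostname verification; a
    server whose certificate cannot be verified makes smtplib raise
    rather than silently falling back to plaintext. Requires network
    access, so the stand-alone run below does not call it.
    """
    ctx = ssl.create_default_context()  # verifies chain and hostname
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return False
        smtp.starttls(context=ctx)
        smtp.ehlo()  # RFC 3207: re-issue EHLO over the encrypted session
        return True


if __name__ == "__main__":
    for label, reply in (("with", EHLO_WITH_STARTTLS),
                         ("without", EHLO_WITHOUT_STARTTLS)):
        print(f"{label}: STARTTLS advertised = {advertises_starttls(reply)}")
```

The parser stops at the `250 ` line because a conforming server sends nothing after it; a reply that never reaches that line, or whose code is not 250, is rejected rather than guessed at. Note that `probe_starttls` returns False for "not advertised" but raises for "advertised but the handshake failed", which is the distinction a sender enforcing encryption actually needs.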
It appears, however, that DISA's own inspection of inbound mail was at least one reason why it had not enabled STARTTLS already. In a letter acquired by Gizmodo dated April 27, Zabel states that DISA made a deliberate decision not to use STARTTLS because it feared doing so would interfere with its ability to inspect each email it was sent for malicious software, phishing attempts and other exploits. "DISA currently rejects over 85% of all DoD email traffic coming from the Internet on a daily basis due to malicious behaviour," Zabel wrote. "The remaining 15% of email traffic is also inspected for Zero Day threats that exploit an undisclosed cybersecurity vulnerability."
Added Zabel: "We also inspect for advanced, persistent threats using detection methods developed using national level intelligence. Many of these detection methods would be rendered ineffective if STARTTLS were enabled."
However, in a follow-up letter to Wyden this week, the major general clarified that DoD was largely hindered in adopting STARTTLS by its own antiquated technology.
"Email remains one of our largest threat vectors," Zabel wrote, continuing: "DISA is currently implementing architectural changes, which will allow the use of STARTTLS on a default basis, while still enabling us to apply appropriate safeguards; however, the capacity and throughput of the ageing equipment creates limitations in supporting STARTTLS as the default for all mail sessions."
A new email gateway infrastructure will allow the use of STARTTLS by default, the letter said, estimating that DoD would be able to acquire and transition to this new system by July 2018.
The Presidential Advisory Commission on Election Integrity, which is charged with investigating President Trump's unsubstantiated claims of widespread voter fraud during the 2016 US election, recently asked state officials to send their voter rolls to the commission using an email address whose mail server does not support STARTTLS.
"For far too long, many of the unclassified email messages sent and received by members of the military have been left vulnerable to surveillance by foreign governments and hackers," Senator Wyden told Gizmodo. "The Pentagon is doing the right thing by encrypting emails as they are sent to and from the military's servers."
Wyden called DISA's decision "a good step", but said there was no reason it should take an entire year to adopt industry-standard cybersecurity technology. "Protecting the communications of American servicemen and women should be a priority, so I hope the agency accelerates its timeline," he said.