
The Pandemic Fixed Pentagon's Email Security Problem


The Scramble to Protect Coronavirus Research from Hackers has spurred the Defense Department (DoD) to fix a much Larger Problem, a long-known Security Hole that allowed Emails to go into the World Unprotected from Snooping.

In December 2020, the Pentagon quietly adopted a Security Measure for ensuring that its Email Conversations with Outsiders would be Encrypted, more than a Decade after many Private Companies and other Institutions had done the same. Attempts to Permanently Fix the Flaw didn’t gain momentum until last year, when DoD Officials realized that the Weakness was Exposing Electronic Conversations with a host of Civilian Agencies and Companies developing Covid-19 Vaccines.

“This became really important because of Operation Warp Speed, when DoD became a lot more chatty about very nationally sensitive things with people out in federal government [and] people in pharmaceuticals, hospitals, health care,” said Lance Cleghorn, the Lead Engineer of the Team that Plugged the Hole.

That spurred the Engineers of the Defense Digital Service (DDS), the so-called "SWAT team of nerds" that tackles the Pentagon's Thorniest IT Problems, to make Patching the Vulnerability a Top Priority. Even then, it took nearly a year to Complete what Engineers consider a Minor Technical fix.

It's a saga that illustrates the Massive Logistical challenges facing the World's most Powerful Military as it tries to keep up with Hackers intent on pilfering some of the Country's most Sensitive Data. As China, Russia, and Profit-seeking Criminals ramp up their efforts to Tunnel into U.S. Systems, the Federal Government's Bureaucracy often stands in the way of its own efforts to be Nimble on Cybersecurity.

The Flaw didn’t Compromise the Pentagon’s Classified Communications or Internal Emails. But it meant that DoD’s Unclassified Electronic Conversations with Outsiders were essentially Naked as they traveled Server to Server across the Internet. That posed a Risk for the Vaccine push, opening the door for Hackers to read Trade Secrets or Launch Spearphishing Email Attacks aimed at gaining Access to other parts of DoD’s Network.

The Pentagon was already Breached in such an attack in 2015, when suspected Russian Hackers compromised an Unclassified Email Server used by the Joint Chiefs.

The Root of the Problem was that the Pentagon never fully Implemented a widely used Security Protocol, known as STARTTLS, that makes it Easier for Email Servers to Exchange Encrypted Messages. The Protocol was created in 2002, but over the years the Department enabled it Only for Communications with a Handful of External Agencies.

Even when the Pentagon Overhauled its Email Safeguards in 2017 and 2018, its Defense Information Systems Agency opted Not to Buy a Security Certificate that would Vouch for the Authenticity of DoD Emails, instead Creating its own, less Universally accepted Version. The setup ensured that Pentagon Emails could be Encrypted as long as they remained within the Department’s Networks. But Messages lost that Protection once they reached the Outside World, where most Email Systems didn’t Trust the Department’s Homegrown Certificate.
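
Both conditions described above (a gateway that does not offer STARTTLS, or one that offers it with a certificate outside systems do not trust) can be checked by a mail administrator against a gateway they operate. The following Python is an added example, not code from the article or from DDS; the function names, the result strings and the sample EHLO transcripts are constructed for illustration.

```python
import smtplib
import ssl
from typing import Optional

def ehlo_offers_starttls(reply: str) -> bool:
    """True if a raw multi-line EHLO reply ('250-...' / '250 ...') lists STARTTLS."""
    lines = [l.strip() for l in reply.splitlines() if l.strip()]
    for line in lines[1:]:  # first line is the server greeting, not an extension
        if line[:3] == "250" and line[3:4] in ("-", " "):
            if line[4:].split(" ", 1)[0].upper() == "STARTTLS":
                return True
    return False

def classify(offers_starttls: bool, cert_error: Optional[str]) -> str:
    """Map the two observations onto the outcomes the article describes."""
    if not offers_starttls:
        return "plaintext: STARTTLS not offered"
    if cert_error:
        return "untrusted certificate: " + cert_error
    return "encrypted: certificate chains to a public CA"

def probe_gateway(host: str, port: int = 25, timeout: float = 10.0) -> str:
    """Live check of a gateway you operate; needs outbound access to port 25."""
    ctx = ssl.create_default_context()  # public CA store, hostname verification on
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        if not smtp.has_extn("starttls"):
            return classify(False, None)
        try:
            smtp.starttls(context=ctx)
        except ssl.SSLCertVerificationError as exc:
            # A privately issued ("homegrown") certificate fails here
            return classify(True, exc.verify_message)
        return classify(True, None)

# Constructed sample transcripts (hostnames are placeholders).
SAMPLE_WITH = "250-mx.example.org Hello\r\n250-SIZE 52428800\r\n250-STARTTLS\r\n250 8BITMIME\r\n"
SAMPLE_WITHOUT = "250-mx.example.org Hello\r\n250-SIZE 52428800\r\n250 8BITMIME\r\n"

if __name__ == "__main__":
    print(classify(ehlo_offers_starttls(SAMPLE_WITH), None))
    print(classify(ehlo_offers_starttls(SAMPLE_WITHOUT), None))
```

`ehlo_offers_starttls` works on a saved transcript, while `probe_gateway` performs the same check live and additionally validates the certificate against the public CA store, which is the step a privately issued certificate fails.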

The Pandemic changed all that, by hastening efforts to adopt STARTTLS for All Traffic crossing DoD’s Email Gateway. Government Bureaucracy often slides into the Outdated Reasoning that ‘Because we’ve always done it this way’ outweighs the better logic of ‘because this is the right answer.’ Solutions that might otherwise seem obvious can get Sidelined and Forgotten, often because they are Unfamiliar and Foreign.

A Team got the go-ahead and the Resources it needed in the Early days of the Pandemic. Three Engineers Recruited the Pentagon’s CIO for extra muscle to Cut through Layers of Bureaucracy. Cleghorn, the Lead Engineer, said that even then there were “lots of stop-and-go and odd hurdles that we had to overcome.” They called the effort “Project Groot,” after a Character from Marvel’s “Guardians of the Galaxy” movies. “Groot is a tree-like character that's resilient to fire and has the ability to regenerate, which is fitting for this project,” DDS Chief Brett Goldstein said in an email.

Even with buy-in from on high, enabling STARTTLS, something that should take minutes, became a nearly yearlong effort of Testing and Editing Policies that hadn’t been Implemented with a Government-wide Pandemic Fight in mind.

DDS ultimately spent $3,000 to Purchase a Certificate from a Company called Entrust. “Spending $3,000 to secure over 2 million email accounts was a drop in the bucket to resolve a lingering issue and significantly improve our security posture,” Goldstein said. “From a technical perspective this is like an hour’s worth of work,” said Cleghorn. “It's getting a certificate and installing it on the mail gateway — which is just ‘File, Browse, Click, Click, Upload’ — and then attaching it to that profile.”

Roger Greenwell, the Risk Management Executive at the Defense Information Systems Agency responsible for Signing-Off on the Change, said most of the holdup wasn’t about Instituting the Fix, but in Analyzing what impact hitching a new Commercial Certificate would have on DoD’s existing Email System and Network Architecture. “For all intents and purposes you can almost think of it as somewhat a relatively minor software upgrade,” Greenwell said.

The shift by DoD drew applause from People who have urged Wider Adoption of STARTTLS following Former NSA Contractor Edward Snowden’s Revelations of Government Mass Surveillance in 2013. But some had only Limited praise for the Department’s decision to finally catch up with the rest of the World.

Alexis Hancock, a Technologist at the Electronic Frontier Foundation, said the move Warrants only a “golf clap” because calls for Adopting STARTTLS became more Urgent and Widespread post-Snowden.

DoD’s Conversion also looks Long Overdue considering Google started an effort to Shame Organizations into Switching to the Protocol in 2014.

NYC Wins When Everyone Can Vote! Michael H. Drucker
This post first appeared on The Independent View.
