The Department of Defense said it plans to undertake an overhaul of its antiquated email system in order to implement a decade-old encryption technology designed to safeguard emails from eavesdroppers.
The Defense Information Systems Agency (DISA), the agency overseeing the Pentagon’s email service, announced this week that it will begin using STARTTLS, an industry-standard encryption protocol widely used by the private sector to protect communications, starting July 2018.
Maj. Gen. Sarah Zabel, DISA’s vice director, unveiled the plan in a letter sent this week to Sen. Ron Wyden, Oregon Democrat, in response to a recent inquiry from the lawmaker lambasting the Pentagon’s lack of email encryption.
“As you may know, the technology industry created STARTTLS fifteen years ago to allow email servers to communicate securely and protect email messages from surveillance as they are transmitted over the internet,” Mr. Wyden wrote in March, adding he was “concerned that DISA is not taking advantage of a basic, widely used, easily-enabled cybersecurity technology.”
“Indeed, until DISA enables STARTTLS, unclassified email messages sent between the military and other organizations will be needlessly exposed to surveillance and potentially compromised by third parties,” Mr. Wyden wrote.
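The protocol the senator refers to is an extension to SMTP: after the sending server's EHLO, the receiving server lists its capabilities, and if STARTTLS is among them the sender issues a STARTTLS command and the rest of the session is carried over TLS. The following is an added example, not part of the article or of any DISA or mail.mil system, that models only that capability check. The EHLO replies are constructed samples, and `require_tls` is an assumed policy switch, not a setting from any real mail product. It illustrates the exposure the letter describes: a server that never advertises STARTTLS forces an opportunistic sender to continue in cleartext.

```python
"""Model of the SMTP STARTTLS capability negotiation (RFC 3207).

Added example with constructed data; it opens no network connection.
"""
from typing import List

# Constructed EHLO replies (not captured from any real server).
# A multi-line 250 reply uses "250-" on continuation lines and
# "250 " (space) on the final line.
EHLO_WITH_STARTTLS = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 8BITMIME\r\n"
)
EHLO_WITHOUT_STARTTLS = (
    "250-mail.example.test Hello client.example.test\r\n"
    "250-SIZE 52428800\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo_reply(reply: str) -> List[str]:
    """Return the capability keywords advertised in an EHLO reply.

    The first line is the server greeting and carries no keyword; every
    later line is "250-KEYWORD [params]" or, on the last line,
    "250 KEYWORD [params]". Keywords are case-insensitive, so they are
    normalised to upper case. A non-250 reply is an error.
    """
    lines = reply.splitlines()
    if not lines:
        raise ValueError("empty EHLO reply")
    keywords = []
    for index, line in enumerate(lines):
        if not line.startswith("250") or line[3:4] not in ("-", " "):
            raise ValueError(f"unexpected reply line: {line!r}")
        if index == 0:
            continue  # greeting line, e.g. "250-mail.example.test Hello ..."
        body = line[4:].strip()
        if body:
            keywords.append(body.split()[0].upper())
    return keywords


def supports_starttls(reply: str) -> bool:
    """True when the receiving server offers to upgrade the session to TLS."""
    return "STARTTLS" in parse_ehlo_reply(reply)


def next_command(reply: str, require_tls: bool) -> str:
    """Decide the sending server's next SMTP command after EHLO.

    Opportunistic TLS (require_tls=False): upgrade when offered, otherwise
    continue the session in cleartext. Required TLS (require_tls=True):
    refuse to deliver in cleartext when STARTTLS is not offered.
    `require_tls` is an assumed policy switch for this example.
    """
    if supports_starttls(reply):
        return "STARTTLS"
    if require_tls:
        return "QUIT"
    return "MAIL FROM"


def transcript(reply: str, require_tls: bool) -> List[str]:
    """Both sides of the exchange up to the sender's decision, as 'C:'/'S:' lines."""
    lines = ["C: EHLO client.example.test"]
    lines += ["S: " + line for line in reply.splitlines()]
    lines.append("C: " + next_command(reply, require_tls))
    return lines


if __name__ == "__main__":
    for label, reply in (("offers STARTTLS", EHLO_WITH_STARTTLS),
                         ("no STARTTLS", EHLO_WITHOUT_STARTTLS)):
        print(f"--- server {label}, opportunistic sender ---")
        print("\n".join(transcript(reply, require_tls=False)))
```

The decision in `next_command` is the crux of the article: with STARTTLS disabled on the receiving side, every peer that sends opportunistically falls through to `MAIL FROM` in the clear, and only peers configured to require TLS refuse. Enabling STARTTLS closes that path for inbound mail, which is what the senator's letter asks for.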
The Pentagon is “actively working an acquisition to upgrade the email gateways that will allow us to take advantage of evolving capabilities for email protection,” Gen. Zabel responded this week.
“Email remains one of our largest threat vectors,” she wrote, according to a copy of the letter obtained by Gizmodo. “DISA is currently implementing architectural changes, which will allow the use of STARTTLS on a default basis, while still enabling us to apply appropriate safeguards.”
Mr. Wyden applauded the Pentagon’s decision in a statement to CNN but took aim at the 12-month window reserved for the rollout.
“The Pentagon is doing the right thing by encrypting emails as they are sent to and from the military’s servers,” Mr. Wyden said. “This is a good step, but in my view there’s no reason it should take [the Defense Department] a year to turn on this industry-standard cybersecurity technology.”
Filtering systems currently in place enable the Pentagon to automatically reject about 85 percent of incoming emails for “malicious behavior,” according to DISA. The remaining messages are then scanned for sophisticated threats, Gen. Zabel added, although enabling STARTTLS will render some of those existing detection methods ineffective.
“We also inspect for advanced, persistent threats using detection methods developed using national level intelligence. Many of these detection methods would be rendered ineffective if STARTTLS were enabled,” she added, Gizmodo reported.
The Pentagon’s email system, mail.mil, provides services to about 4.5 million users, Motherboard reported Thursday.