The DoD Will Finally Encrypt Service Member Emails. Here's What That Means For You

Community
A member of a Cyber Protection Team participates in the Air Force's Exercise Black Demon.
U.S. Air Force/Airman 1st Class Daniel Garcia

In a letter to a watchdog lawmaker last week, the Department of Defense confirmed that it will finally, in 2018, join the 21st century and use a popular basic encryption tool to help make emails to and from .mil addresses more secure. What does that mean for your badass joe.schmuckatelli@centcom.mil account? Let’s break it down.


What’s happening?

The Defense Information Systems Agency confirmed to Democratic Sen. Ron Wyden of Oregon, a Senate intelligence committee member, that by next year, the Pentagon’s .mil email will implement STARTTLS for enhanced email encryption — a longstanding application that Wyden has called "a basic, widely used, easily-enabled cybersecurity technology."

The move came after years of poking around by the reporters at Vice and some tough talk from Wyden questioning how the military’s 4.5 million-user cloud-based email service had never implemented STARTTLS before.

"I can't think of a single technical reason why they wouldn't use it," one former U.S. Special Operations Command IT whiz told Vice. A hacker and former Marine similarly told the outlet: "The military should not be sending any email that isn't encrypted, period. Everything should get encrypted, absolutely everything. There's no excuse."

How does STARTTLS work?

Vice’s Motherboard blog has a nice breakdown of STARTTLS, which is what’s called an “opportunistic” encryption app. Basically, when your email server and a recipient’s email server hook up to exchange info, STARTTLS sets up the exchange on the fly as an encrypted transaction. When your emails are sent out into the world without encryption, opportunistic or otherwise, they are as readable as postcards, per Vice:

When your email provider doesn't support STARTTLS, your email might be encrypted going from your computer to your provider, but it will then travel across the internet in the clear (unless you used end-to-end encryption.)... When your email provider, and the email provider of the person you're sending the email to, both support STARTTLS, then the email is protected as it travels across.

Is that a big deal?

Kinda, yeah, but not super-big. STARTTLS has been around since 2002, and Gmail first implemented it in 2004. Vice points out that Google and your other popular private email and social-media sites — including Microsoft, Yahoo, Twitter, and Facebook — have already integrated STARTTLS. In the wake of the NSA surveillance disclosures by contractor Edward Snowden, Facebook led a very public charge to get more sites to use STARTTLS to keep the feds from looking at your emails.

So there’s nothing new here; DoD is simply catching up to a basic encryption technology that’s been around for a decade and a half — long enough now that the vast majority of emails you send and receive communicate with another STARTTLS-equipped server. It has some weaknesses, and it ain’t PGP encryption, but it’s a good start.

What the hell took the military so long?

Well, you probably already know from experience that no Pentagon-level IT policy changes overnight. But more than that, keeping mail.mil STARTTLS-free has also given the military a lot more freedom to snoop through your emails — a freedom DISA was probably reluctant to give up. In a letter to Wyden in April, DISA deputy director Maj. Gen. Sarah Zabel said the agency’s software regularly sweeps incoming soldier email for phishing scams, viruses, and the like.

“DISA currently rejects over 85% of all DoD email traffic coming from the Internet on a daily basis due to malicious behavior,” Zabel wrote. “We also inspect for advanced, persistent threats using detection methods developed using national level intelligence. Many of these detection methods would be rendered ineffective if STARTTLS were enabled.”

In fact, top civil liberties groups like the ACLU have long called for government agencies to use encryption not just to protect their sensitive info, but to help establish a broad pro-encryption consensus in America: If the government gets to encrypt its data, then why shouldn’t free American citizens get the same right? Such a norm might not sit well with government agencies, like the NSA, CIA, and FBI, who rely on signals surveillance to further intelligence and investigative aims.

Beyond that, if the military has to triage its IT systems for info security, it’s probably going to tackle unclassified email servers last, after focusing on secure and closed systems like SIPRNET, the National Military Command Center, and Link 16 tactical data transmission networks.

So now my stuff’s going to be encrypted, but it could be easier to hack?

Well, that was DISA’s initial suggestion: Using STARTTLS could make it harder for the Pentagon to catch and neutralize viruses in your emails. But its decision to migrate everyone’s mail.mil accounts to a new STARTTLS gateway by July 2018 suggests whatever kinks the application threw in DISA’s surveillance have now been worked out.

In the meantime, the service is still adamant that you shouldn’t be passing any sensitive info or clicking any weird links in your nonsecure mail.mil account in the first place, so, you know, keep not doing that.

Any other tips?

Yeah: Download less porn. Seriously. Even if it’s virus-free, that much can’t be healthy, man.

Also, remember the cardinal rule of opsec:

Imgur

WATCH MORE:

"It's kind of like the equivalent of dropping a soda can into canyon and putting on a blindfold and going and finding it, because you can't just look down and see it," diver Jeff Goodreau said of finding the wreck.

The USS Eagle 56 was only five miles off the coast of Maine when it exploded.

The World War I-era patrol boat split in half, then slipped beneath the surface of the North Atlantic. The Eagle 56 had been carrying a crew of 62. Rescuers pulled 13 survivors from the water that day. It was April 23, 1945, just two weeks before the surrender of Nazi Germany.

The U.S. Navy classified the disaster as an accident, attributing the sinking to a blast in the boiler room. In 2001, that ruling was changed to reflect the sinking as a deliberate act of war, perpetuated by German submarine U-853, a u-boat belonging to Nazi Germany's Kriegsmarine.

Still, despite the Navy's effort to clarify the circumstances surrounding the sinking, the Eagle 56 lingered as a mystery. The ship had sunk relatively close to shore, but efforts to locate the wreck were futile for decades. No one could find the Eagle 56, a small patrol ship that had come so close to making it back home.

Then, a group of friends and amateur divers decided to try to find the wreck in 2014. After years of fruitless dives and intensive research, New England-based Nomad Exploration Team successfully located the Eagle 56 in June 2018.

Business Insider spoke to two crew members — meat truck driver Jeff Goodreau and Massachusetts Department of Corrections officer Donald Ferrara — about their discovery.

Read More Show Less
(CIA photo)

Before the 5th Special Forces Group's Operational Detachment Alpha 595, before 160th Special Operations Aviation Regiment's MH-47E Chinooks, and before the Air Force combat controllers, there were a handful of CIA officers and a buttload of cash.

Read More Show Less

The last time the world saw Marine veteran Austin Tice, he had been taken prisoner by armed men. It was unclear whether his captors were jihadists or allies of Syrian dictator Bashar al Assad who were disguised as Islamic radicals.

Blindfolded and nearly out of breath, Tice spoke in Arabic before breaking into English:"Oh Jesus. Oh Jesus."

That was from a video posted on YouTube on Sept. 26, 2012, several weeks after Tice went missing near Damascus, Syria, while working as a freelance journalist for McClatchy and the Washington Post.

Now that Tice has been held in captivity for more than seven years, reporters who have regular access to President Donald Trump need to start asking him how he is going to bring Tice home.

Read More Show Less

"Shoots like a carbine, holsters like a pistol." That's the pitch behind the new Flux Defense system designed to transform the Army's brand new sidearm into a personal defense weapon.

Read More Show Less

Sometimes a joke just doesn't work.

For example, the Defense Visual Information Distribution Service tweeted and subsequently deleted a Gilbert Gottfried-esque misfire about the "Storm Area 51" movement.

On Friday DVIDSHUB tweeted a picture of a B-2 bomber on the flight line with a formation of airmen in front of it along with the caption: "The last thing #Millenials will see if they attempt the #area51raid today."

Read More Show Less