Cybersecurity

Pentagon purges HTML from .mil emails

Shutterstock image (by wavebreakmedia): digital lock superimposed upon a data center.

The Pentagon is tightening the screws on its campaign to improve email security. A department-wide policy will soon be in effect to render Web links unclickable in emails to .mil addresses, Richard Hale, DOD deputy CIO for cybersecurity, told FCW. The move adds an extra layer of security to anti-phishing measures already in place at the Pentagon.

The new policy, which was coordinated between Hale’s  office and U.S. Cyber Command, has been rolled out gradually and is already in place for much of the .mil domain, Hale said. For at least some users, outside emails are being flagged in the subject line as coming from a "Non-DOD Source."

Hale told FCW that after reviewing a series of anti-phishing measures already in place, officials decided that a more stringent approach was needed. "For years we have had an email policy that says we will not render HTML email," he said, but certain email clients still include active links in their emails.

The solution, Hale said, was to, "deactivate the links more actively in the mail system before it gets to an end user by adding a little extra into the link that says, 'Caution,'" E-mail users can still paste the link into a Web browser, he noted, "but we don't want that link to be active in [an] email and have someone click on it before they've thought through" the security implications."

The rollout of the extra anti-phishing measure is part of series of initiatives begun in September by a Pentagon cyber office known as Joint Force Headquarters DOD Information Networks, a subordinate command to Cyber Command.

"JFHQ DODIN provided direction to all DOD components to implement initiatives to further harden the DOD information environment, which included improving end-point security system standards," a Cyber Command spokesperson said in a statement. "Along with these initiatives, efforts to harden the DODIN’s defenses are always ongoing."

Officials like Deputy Secretary Robert Work have said that a great majority of intrusions into Pentagon networks are the result of the kind of human error that is exploited in phishing attacks, in which seemingly trustworthy e-mail links are used as attack vectors to hijack user computers, install malware or steal credentials.

DOD CIO Terry Halvorsen has therefore made clamping down on phishing a priority during his tenure. In March, Halvorsen issued a memo warning about potential phishing attacks on defense personnel through third-party social media accounts.

"Phishing continues to be successful because attackers do more research, evolve their tactics and seek out easy prey," that memo states. "We need to arm ourselves and our families with the defensive skills and knowledge to protect them from being victimized by a phishing email, computer or phone scam."

The new anti-phishing policy will have consequences for marketers and media (including FCW) trying to reach audiences behind the dot-mil screen. FCW and its sister publications already offer plain-text versions of their email newsletters, and have taken additional steps to make those messages user-friendly for newly restricted DOD recipients.

"Countering phishing is one of our big current problems and we are trying everything we can to both counter phishing in the technology part of our infrastructure and educate our users on what safe behavior is," Hale told FCW.

About the Author

Sean Lyngaas is an FCW staff writer covering defense, cybersecurity and intelligence issues. Prior to joining FCW, he was a reporter and editor at Smart Grid Today, where he covered everything from cyber vulnerabilities in the U.S. electric grid to the national energy policies of Britain and Mexico. His reporting on a range of global issues has appeared in publications such as The Atlantic, The Economist, The Washington Diplomat and The Washington Post.

Lyngaas is an active member of the National Press Club, where he served as chairman of the Young Members Committee. He earned his M.A. in international affairs from The Fletcher School of Law and Diplomacy at Tufts University, and his B.A. in public policy from Duke University.

Click here for previous articles by Lyngaas, or connect with him on Twitter: @snlyngaas.


Rising Stars

Meet 21 early-career leaders who are doing great things in federal IT.

Featured

Reader comments

Tue, Jun 28, 2016

what are the best practices other than sending in Plain Text for .mil addresses

Wed, Dec 9, 2015

As a DoD employee, the addition of the "non-DoD source" phrase to the subject of emails is a HUGE PITA. Now, if a govt employee initiates an email, a contractor replies, the subject-sorting ability of the email program is broken. People who are dumb enough to fall for phishing attempts will fall for them no matter work. Now, the rest of us have another IA related headache.

Tue, Nov 17, 2015 Mark

This is the message that the Army has been putting in our e-mails to .mil users: This email was sent from a non-Department of Defense email account, and contained active links. All links are disabled, and require you to copy and paste the address to a Web browser. Please verify the identity of the sender, and confirm authenticity of all links contained within the message. And, they've been doing it for over a month now.

Tue, Nov 17, 2015

Why not just buy a COTS solution like FireEye that detonates bad links for you. Teaching humans best practices is great but wishful thinking on a strategy to protect and prevent. Good luck with this... Hope is not a strategy.

Sun, Nov 15, 2015 HH

A very good idea. But a simple HTML stripping won't work because some mail clients don't provide an underlying text version. But reducing HTML mail could result in lowered transmission and storage costs. Back to the olden days!

Show All Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group