Pentagon purges HTML from .mil emails

The Pentagon is tightening the screws on its campaign to improve email security. A department-wide policy will soon be in effect to render Web links unclickable in emails to .mil addresses, Richard Hale, DOD deputy CIO for cybersecurity, told FCW. The move adds an extra layer of security to anti-phishing measures already in place at the Pentagon.

The new policy, which was coordinated between Hale’s  office and U.S. Cyber Command, has been rolled out gradually and is already in place for much of the .mil domain, Hale said. For at least some users, outside emails are being flagged in the subject line as coming from a "Non-DOD Source."

Hale told FCW that after reviewing a series of anti-phishing measures already in place, officials decided that a more stringent approach was needed. "For years we have had an email policy that says we will not render HTML email," he said, but certain email clients still include active links in their emails.

The solution, Hale said, was to, "deactivate the links more actively in the mail system before it gets to an end user by adding a little extra into the link that says, 'Caution,'" E-mail users can still paste the link into a Web browser, he noted, "but we don't want that link to be active in [an] email and have someone click on it before they've thought through" the security implications."

The rollout of the extra anti-phishing measure is part of series of initiatives begun in September by a Pentagon cyber office known as Joint Force Headquarters DOD Information Networks, a subordinate command to Cyber Command.

"JFHQ DODIN provided direction to all DOD components to implement initiatives to further harden the DOD information environment, which included improving end-point security system standards," a Cyber Command spokesperson said in a statement. "Along with these initiatives, efforts to harden the DODIN’s defenses are always ongoing."

Officials like Deputy Secretary Robert Work have said that a great majority of intrusions into Pentagon networks are the result of the kind of human error that is exploited in phishing attacks, in which seemingly trustworthy e-mail links are used as attack vectors to hijack user computers, install malware or steal credentials.

DOD CIO Terry Halvorsen has therefore made clamping down on phishing a priority during his tenure. In March, Halvorsen issued a memo warning about potential phishing attacks on defense personnel through third-party social media accounts.

"Phishing continues to be successful because attackers do more research, evolve their tactics and seek out easy prey," that memo states. "We need to arm ourselves and our families with the defensive skills and knowledge to protect them from being victimized by a phishing email, computer or phone scam."

The new anti-phishing policy will have consequences for marketers and media (including FCW) trying to reach audiences behind the dot-mil screen. FCW and its sister publications already offer plain-text versions of their email newsletters, and have taken additional steps to make those messages user-friendly for newly restricted DOD recipients.

"Countering phishing is one of our big current problems and we are trying everything we can to both counter phishing in the technology part of our infrastructure and educate our users on what safe behavior is," Hale told FCW.