The Defense Department is charged with protecting the nation from military threats. However, it is now turning its attention to a mission closer to home: protecting its own websites.
DOD CIO Dana Deasy has indicated that the Pentagon will be taking several steps between now and the end of 2018 to bolster the cybersecurity defenses of its public-facing websites, according to a letter Deasy sent late last month to Sen. Ron Wyden of Oregon. The letter was a response to one that Wyden sent in May detailing how some DOD websites, including that of the CIO’s office, either do not secure connections with encryption or prove their authenticity only with a certificate issued by the DOD Root Certificate Authority, which public browsers do not trust by default.
In the earlier letter, Wyden urged the DOD to take concrete action to enhance its website security and to provide an action plan for doing so.
Deasy now says that the DOD will fix issues related to encryption and certificates by the end of the year. Some aspects of the plan will take longer than that, but the Pentagon now has a timeline for completing the security enhancements.
“The Department is working hard to ensure DoD inspires trust among citizens and partners in its digital interactions across our missions, business, and entitlements roles,” Deasy says in the letter to Wyden. Deasy notes that the DOD has spent the past two to three years beefing up web and email security measures and has refreshed its infrastructure and changed policy to do so.
Indeed, since 2016, the Pentagon and various branches of the armed forces have worked with white hat hackers to identify vulnerabilities on public-facing websites in “bug bounty” programs. Since then, more than 3,000 vulnerabilities have been resolved in government systems. Just this week, the DOD and HackerOne, the leading hacker-powered security platform, announced the launch of the department’s sixth bug bounty program, Hack the Marine Corps.
Deasy’s letter indicates that the DOD is taking website security seriously and has elevated it to a higher priority level within the department.
DOD Sets Targets for Boosting Website Security
DOD is working to implement the measures ordered by the Department of Homeland Security in its October “Binding Operational Directive,” Deasy said, which directed agencies to apply security standards for email and web traffic.
The directive noted that plain Hypertext Transfer Protocol connections can be easily monitored, modified and impersonated, and that switching to HTTPS remedies each of those weaknesses. Additionally, HTTP Strict Transport Security (HSTS) ensures that browsers always use an https:// connection to a site that has sent the policy, and removes the ability for users to click through certificate-related warnings.
In 2015, a directive from the Office of Management and Budget required all existing federal websites and web services to be accessible through a secure connection (HTTPS-only, with HSTS). In 2017, the .gov registry began automatically preloading new federal .gov domains as HSTS-only in modern browsers.
Although HSTS can assure the use of HTTPS, Deasy notes, “it can have negative impacts such as denial of service on subdomains or improperly prepared root domains,” and once DOD commits to using HSTS preload for its websites, there is no quick “rollback” option: a preloaded domain is baked into browser releases, so any subdomain that still cannot serve HTTPS becomes unreachable. The department must do more testing on the technology, but in the interim it will direct components to prepare to use HSTS for .mil domains and work to address any issues the move creates regarding the DOD’s defensive capabilities.
Meanwhile, DOD will direct that all of its public-facing websites use HTTPS, regardless of the HSTS preload state, and authorize the use of HSTS on websites that are ready, Deasy says. Further, all HTTP requests will redirect to HTTPS. DOD will work with DHS on the HSTS rollout and issue a plan by the end of the year.
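The two checks a component would run before enabling HSTS, as an added example that is not part of the letter or the article: parse the Strict-Transport-Security header a site sends, test it against the preload-list eligibility rules (one-year max-age, includeSubDomains, preload, HTTP-to-HTTPS redirect), and list the subdomains that would become unreachable once includeSubDomains is in force. The header values and the `example.mil` hostnames are constructed for illustration.

```python
"""Check an HSTS policy for preload readiness and for the subdomain
denial-of-service risk the letter describes. Sample inputs are constructed."""

ONE_YEAR = 31536000  # preload submission requires max-age of at least one year


def parse_hsts(header):
    """Return HSTS directives as a dict keyed by lower-cased directive name."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def check_preload_readiness(header, redirects_http_to_https=True):
    """Return a list of findings; an empty list means the policy meets
    the preload requirements (assumed from the public preload rules)."""
    d = parse_hsts(header)
    findings = []
    if "max-age" not in d or not d["max-age"].isdigit():
        findings.append("missing or non-numeric max-age")
    elif int(d["max-age"]) < ONE_YEAR:
        findings.append("max-age below one year")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing")
    if "preload" not in d:
        findings.append("preload directive missing")
    if not redirects_http_to_https:
        findings.append("HTTP does not redirect to HTTPS")
    return findings


def subdomains_at_risk(header, subdomain_serves_https):
    """Given {hostname: bool} describing which subdomains can serve HTTPS,
    return the ones that would go dark once includeSubDomains applies."""
    d = parse_hsts(header)
    if "includesubdomains" not in d:
        return []  # policy applies to the root host only; no subdomain impact
    return sorted(h for h, ok in subdomain_serves_https.items() if not ok)


if __name__ == "__main__":
    policy = "max-age=31536000; includeSubDomains; preload"
    hosts = {"www.example.mil": True, "legacy.example.mil": False}
    print(check_preload_readiness(policy), subdomains_at_risk(policy, hosts))
```

The second function is the test a root-domain owner wants before committing, because, as the letter notes, there is no quick rollback once a domain is preloaded.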
In another area of website security, the DOD will shift its websites away from certificates issued by its own certificate authority to publicly trusted certificates. By the end of August, this will happen for sites operated by the Defense Media Agency, which runs many of the Pentagon’s public information resources.
By the end of the year, Deasy expects the DOD to move to publicly trusted root and issuing certificate authorities, and to support certificate transparency services so that issued certificates are publicly logged.