New Pentagon CIO Dana Deasy has laid out a plan to make public-facing Defense Department websites more secure for visitors by the end of 2018.
DOD has been working to bring trust certificates and encryption across its public domains up to speed with industry standards for the past two to three years, Deasy wrote in a July 20 letter to Sen. Ron Wyden, D-Ore. He hopes to be mostly there by the end of the calendar year.
“The Department is working hard to ensure DoD inspires trust among citizens and partners in its digital interactions across our missions, business, and entitlements roles,” Deasy wrote.
Wyden requested such a plan of action in a May letter criticizing DOD’s public website and email security, specifically the lack of HTTPS encryption, which ensures secure connections and prevents man-in-the-middle attacks. Without the proper trust certificates and encryption, users of many DOD websites are greeted with a frightening message that their connection isn’t private and “Attackers might be trying to steal your information.”
“Many mainstream web browsers do not consider these DOD certificates trustworthy and issue scary security warnings that users are forced to navigate before accessing the website’s information,” Wyden wrote then. “These challenges do not only impact civilians; service members accessing DOD pages from home regularly encounter security warnings and must click through such errors when accessing public DOD resources.”
In August, according to Deasy, the Joint Force Headquarters-Department of Defense Information Network (JFHQ-DoDIN) — the U.S. Cyber Command component responsible for securing the department’s thousands upon thousands of networks — will issue an order moving for the entire defense enterprise to follow the Department of Homeland Security’s binding operational directive for civilian agencies to improve website and email security.
While DOD components should be able to comply with that order by 2018’s close, Deasy said a full implementation of HSTS — the security standard by which a website forces a browser to use HTTPS — will take some more time for testing. But the Pentagon, by the end of the year, will issue a plan for rolling it out, the CIO said.
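The HSTS policy Deasy refers to is carried in a single response header that the browser remembers. As an added example, not code from the article or the Department, here is a small Python checker that parses a Strict-Transport-Security header and classifies a site's posture; the sample headers are constructed, and the one-year max-age threshold is the browser preload list's published minimum.

```python
"""Parse and classify a Strict-Transport-Security (HSTS) header.

Added example with constructed sample headers; the one-year preload
threshold is taken from the browser preload list requirements.
"""
import re

PRELOAD_MIN_MAX_AGE = 31536000  # one year in seconds


def parse_hsts(header_value):
    """Return the header's directives as a dict, or None if it is invalid.

    Directive names are case-insensitive; value-less directives map to True.
    RFC 6797 requires max-age, so a header without one is ignored by browsers.
    """
    if header_value is None:
        return None
    directives = {}
    for part in header_value.split(";"):
        name, _, value = part.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        value = value.strip().strip('"')
        directives[name] = value if value else True
    max_age = directives.get("max-age")
    if not isinstance(max_age, str) or not re.fullmatch(r"\d+", max_age):
        return None
    directives["max-age"] = int(max_age)
    return directives


def assess_hsts(headers):
    """Classify a response's HSTS posture from its header mapping.

    Returns 'missing', 'invalid', 'disabled', 'enforced' or 'preload-ready'.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    raw = lowered.get("strict-transport-security")
    if raw is None:
        return "missing"          # browser will happily keep using plain HTTP
    policy = parse_hsts(raw)
    if policy is None:
        return "invalid"          # header present but ignored by browsers
    if policy["max-age"] == 0:
        return "disabled"         # max-age=0 tells the browser to forget the policy
    if (policy["max-age"] >= PRELOAD_MIN_MAX_AGE
            and policy.get("includesubdomains") is True
            and policy.get("preload") is True):
        return "preload-ready"    # eligible for submission to the preload list
    return "enforced"             # HTTPS forced, but only after the first visit


# Constructed sample responses, one per posture, for a quick local run.
SAMPLE_RESPONSES = {
    "no-hsts": {"Content-Type": "text/html"},
    "broken": {"Strict-Transport-Security": "includeSubDomains"},
    "short": {"Strict-Transport-Security": "max-age=300"},
    "full": {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"},
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        print(f"{label:8s} -> {assess_hsts(hdrs)}")
```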
“DoD takes pride in being a leader in cyberspace and supports the need to protect information, both for the warfighter as well as the general public,” Deasy wrote.
Wyden told CyberScoop in a statement that “the Pentagon deserves credit for moving toward these commonsense cybersecurity improvements for their websites and email. The men and women of the American military, and anyone who visits a Defense Department website, will be better-protected from spammers, scam artists and spies once these changes go into effect.”