Sen. Ron Wyden, D-Ore., is calling for the Defense Department to bring the security of its public websites into the 21st century.
Many Defense Department public websites still don’t use HTTPS encryption — the web protocol that ensures secure connections and prevents man-in-the-middle attacks — and Wyden wants new DOD CIO Dana Deasy to make it a priority in the next two months to bring those web pages up to speed.
In a letter to Deasy on Tuesday, Wyden writes that a “small number” of DOD websites, such as the Army, Air Force and NSA homepages by default use trusted certificates and HTTPS encryption. But many others, like the CIO’s own website, don’t employ HTTPS or issue basic certificates.
“Many mainstream web browsers do not consider these DOD certificates trustworthy and issue scary security warnings that users are forced to navigate before accessing the website’s information,” Wyden writes. “These challenges do not only impact civilians; service members accessing DOD pages from home regularly encounter security warnings and must click through such errors when accessing public DOD resources.”
The senator says that DOD is lagging on this issue. A 2015 memo from the Office of Management and Budget set a requirement that all websites only be available through HTTPS and HSTS by the end of 2016. HSTS is a policy whereby a website forces a browser to use the secure HTTPS protocol, and not the less secure HTTP. A 2017 Department of Homeland Security directive reiterated the OMB requirement.
Wyden says that the timing is critical for the Pentagon to secure its websites because, starting in July, the Google Chrome Browser will warn users that any HTTP connection is “not secure.”
“These warnings will erode the public’s trust in the Department and its ability to defend against sophisticated cyber threats. Moreover, the DoD’s refusal to implement cybersecurity best practices actively degrades the public’s security by teaching users to treat critical security warnings as irrelevant,” Wyden writes.
He wants Deasy to issue an “action plan” by July 20, directing all Pentagon agencies and offices to implement the internet security orders from OMB and DHS. In addition to that, Wyden says DOD agencies and offices should deploy “certificates trusted by major web browsers” for all public-facing websites and services and assess the use of “shorter-lived, machine-generated certificates” that are often available for free.
Read more about Wyden’s letter on CyberScoop.