As if trying to buy a flying fleet of F-35s wasn't enough, now the Department of Defense is being asked to secure its Websites.
In a letter [PDF] sent by US Senator Ron Wyden (D-OR) to the DoD's CIO Dana Deasy, Wyden points out that HTTPS and HSTS (which instructs browsers to use the HTTPS site even when the unencrypted version is requested) are required of all American federal civilian agency websites under a 2015 Office of Management and Budget (OMB) directive.
The letter asks Deasy to respond by July 20, providing former ACLU principal technologist Christopher Soghoian as the contact in Wyden's office.
The OMB wanted the transition to be complete by December 2016, but much of the US government missed the deadline and in 2017 the Department of Homeland Security backed up the OMB with a directive that all civilian agencies get their cyber hygiene right.
The order didn't, however, impose any special obligations on the non-civilian defense agencies, and Wyden is frustrated that those agencies are taking their own sweet time. So far, the letter states, only “a small number of DoD websites” (including the Army, Air Force, and NSA) are encrypted.
The DoD is also self-signing certificates, something once fiercely defended as a right by Internet utopians, but which now looks anachronistic at best.
“Unfortunately, many other sites, including the Navy, Marines, and your own office's website at dodcio.defense.gov, either do not secure connections with encryption or only prove their authenticity with a certificate issued by the DoD Root Authority”.
Because the DoD Root Authority isn't a CA listed as trusted by (for example) the Chrome browser, visitors get security warnings. (The Register notes that the Navy will accept a plain HTTP connection to www.navy.mil, for example, and that if the user forces HTTPS, they get a certificate error because the certificate is associated with Akamai; Deasy's own site also presents an Akamai certificate, for a248.e.akamai.net.)
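An added example (not part of the article, and not DoD or Register tooling) that scores a captured probe result against the three expectations the letter cites: plain HTTP redirected to HTTPS, an HSTS header, and a certificate that public root stores trust and that actually names the host. The Observation fields, the one-year HSTS threshold and the sample modelled on the www.navy.mil description above are constructed here, not taken from the article.

```python
from collections import namedtuple

ONE_YEAR = 31536000  # assumed minimum HSTS max-age; the article states no threshold

# One probe result per hostname, captured out of band (this script does no network I/O):
# http_status/http_location: plain http:// response code and Location header (None if absent);
# https_ok: TLS handshake completed; cert_names: DNS names in the leaf cert's subjectAltName;
# chain_trusted: chain validates against a public root store; hsts_header: HSTS value or None.
Observation = namedtuple("Observation", "host http_status http_location https_ok cert_names chain_trusted hsts_header")

def parse_hsts(value):
    """Parse a Strict-Transport-Security header into (max_age, include_subdomains); None if max-age is missing."""
    max_age, include_sub = None, False
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return (max_age, include_sub) if max_age is not None else None

def name_matches(host, pattern):
    """Browser-style hostname check: exact match, or a single-label wildcard in the leftmost position only."""
    host, pattern = host.lower().rstrip("."), pattern.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern

def audit(obs):
    """Return the gaps between one observation and the HTTPS / HSTS / trusted-certificate expectations."""
    findings = []
    redirected = obs.http_status in (301, 302, 307, 308) and (obs.http_location or "").startswith("https://")
    if not redirected:
        findings.append("plain HTTP served without redirect to HTTPS")
    if not obs.https_ok:
        return findings + ["no HTTPS service"]
    if not obs.chain_trusted:
        findings.append("certificate chain not trusted by public root stores (browser warning)")
    if not any(name_matches(obs.host, n) for n in obs.cert_names):
        findings.append("certificate does not cover %s (browser warning)" % obs.host)
    hsts = parse_hsts(obs.hsts_header) if obs.hsts_header else None
    if hsts is None:
        findings.append("no valid Strict-Transport-Security header")
    elif hsts[0] < ONE_YEAR:
        findings.append("HSTS max-age below one year")
    return findings

# Constructed observation modelled on the article's description of www.navy.mil (not a real capture)
SAMPLE_NAVY = Observation("www.navy.mil", 200, None, True, ("a248.e.akamai.net",), True, None)
```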
Wyden continues that “the DoD's refusal to implement cybersecurity best practices actively degrades the public's security by teaching users to treat critical security warnings as irrelevant”.
The letter urges Deasy to bring DoD sites into line with the OMB and DHS directives; use recognised CAs for its certificates; and consider Let's Encrypt certificates. ®