All Department of Defense Public facing web and email services to be moved to HTTPS
The US Department of Defense has issued a directive to move all publicly accessible DoD web services from plain HTTP to HTTPS with HSTS (HTTP Strict Transport Security) by the end of this year.
The concern was raised by Senator Ron Wyden (D-Oregon) in a letter sent in May this year to the DoD Chief Information Officer, Dana Deasy, asking that DoD websites serve HTTPS with browser-trusted certificates.
Current issues with DoD public-facing web and email services
Wyden raised several issues with the current state of many of the DoD's publicly accessible websites.
He specifically pointed out that most DoD websites did not serve HTTPS with a properly trusted certificate. Only a small number of DoD sites, such as the Army, Air Force and National Security Agency homepages, served HTTPS by default with certificates trusted by all major web browsers.
Wyden noted that a number of websites from the Navy, the Marines and even one of the DoD's own websites lacked such certificates. These sites still relied on certificates issued by the DoD Root Certificate Authority to prove their authenticity, a root that mainstream browsers do not trust by default.
Popular web browsers therefore show security warnings for sites using DoD certificates and force users to click through them. This creates a negative impression among civilians and service members alike, who must repeatedly dismiss these warnings to reach the DoD's public web pages.
Wyden mentioned in his letter to Deasy that Google will start warning visitors to non-HTTPS websites that they are not secure. He emphasized that this would seriously damage public trust in the DoD's ability to take proper security measures against cyber attacks and other security threats.
Wyden was also concerned that repeated browser warnings would desensitize the public, who would come to treat them as irrelevant pop-ups to click through on the way to sites lacking trusted certificates. The lack of properly trusted certificates also increases the risk of these sites and their users being targeted by cyber criminals and foreign government hackers.
Wyden urged the DoD to implement the following measures:
- Enable HTTPS with HSTS on all public web services.
- Obtain and deploy HTTPS certificates trusted by major web browsers for all web services accessible to the general public.
Measures to be implemented by the DoD by the end of this year
In reply to Wyden's letter, Dana Deasy stated that the Department of Defense (DoD) had already been working on the issues raised for several years, and that implementing these capabilities had included an infrastructure refresh and policy adjustments over the past two to three years.
Deasy said that a Joint Force Headquarters-DoD Information Network (JTF-DoDIN) task order is the culmination of that preparation and mission analysis. The task order implements the cyber security measures contained in Binding Operational Directive (BOD) 18-01, issued by the Department of Homeland Security. Deasy stated that the implementation of HTTPS with HSTS is targeted for completion by 31 December 2018.
The DoD's plan of action to secure its public-facing web and email services is already in motion and targets the following goals:
- The DoD is issuing a directive to deploy commercial, publicly trusted certificates on all of its public-facing sites and services by October 31, 2018, and will complete work on issuing a Federal/DoD public-trust PKI.
- The DoD will direct that STARTTLS and DMARC be implemented on all DoD mail servers and will contract a commercial PKI for issuing SSL certificates. The STARTTLS and DMARC roll-out started in 2017 and is scheduled to finish by December 2018.
- The DoD will direct all public-facing websites to use HTTPS and authorize HSTS on DoD websites that are ready for it, including redirecting all HTTP requests to HTTPS by December 31, 2018.
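The following is an added example of how an operator could verify the three controls listed above (HTTP-to-HTTPS redirect, HSTS on the HTTPS response, and an enforcing DMARC record) against captured responses; it is not DoD code or part of the task order. The one-year max-age threshold, the `agency.example` hostnames and the sample responses are constructed assumptions.

```python
from typing import Dict, List, Tuple
ONE_YEAR = 31_536_000  # seconds; a one-year max-age is an assumed bar, not from the article

def parse_directives(value: str) -> Dict[str, str]:
    """Split 'k=v; flag; k2=v2' (HSTS and DMARC share this shape) into a dict, keys lower-cased."""
    out: Dict[str, str] = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            out[key.strip().lower()] = val.strip().strip('"')
    return out

def check_web(http_resp: Tuple[int, Dict[str, str]], https_resp: Tuple[int, Dict[str, str]],
              min_age: int = ONE_YEAR) -> List[str]:
    """Findings (empty = OK) for a plain-HTTP and an HTTPS response from one host. HSTS is
    judged only on the HTTPS response: browsers ignore it over plain HTTP (RFC 6797)."""
    status, hdrs = http_resp[0], {k.lower(): v for k, v in http_resp[1].items()}
    findings: List[str] = []
    loc = hdrs.get("location", "").lower()
    if status not in (301, 302, 307, 308) or not loc.startswith("https://"):
        findings.append("no redirect to HTTPS")
    hsts = {k.lower(): v for k, v in https_resp[1].items()}.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS header missing")
    else:
        d = parse_directives(hsts)
        age = d.get("max-age", "")
        if not age.isdigit() or int(age) < min_age:
            findings.append(f"HSTS max-age below {min_age}")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")
    return findings

def check_dmarc(txt: str) -> Tuple[str, List[str]]:
    """Return (policy, findings) for a DMARC TXT record like 'v=DMARC1; p=reject; rua=...'."""
    tags = parse_directives(txt)
    findings: List[str] = []
    if tags.get("v") != "DMARC1":
        findings.append("not a DMARC record")
    policy = tags.get("p", "none")  # p=none only monitors; it rejects nothing
    if policy not in ("quarantine", "reject"):
        findings.append(f"policy '{policy}' does not enforce")
    if "rua" not in tags:
        findings.append("no aggregate report address (rua)")
    return policy, findings

# Constructed samples (not real hosts): a compliant site and an enforcing DMARC record.
SAMPLE_HTTP = (301, {"Location": "https://www.agency.example/"})
SAMPLE_HTTPS = (200, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"})
SAMPLE_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@agency.example"
```

Feed it the status and headers from a real HTTP and HTTPS fetch of the same host (for example via `urllib`) and the DMARC TXT record from DNS; an empty findings list means the host meets the checks above.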