DOD Won’t Automatically Encrypt External Emails Until 2018

Making the protection automatic would conflict with other protections against malware attacks.

The Pentagon expects to be fully migrated by mid-2018 to an updated email gateway that will ramp up security protections, including automatically encrypting emails between Defense Department accounts and other organizations, according to a DOD official’s correspondence.

DOD computers currently use the protection, called STARTTLS, on a case-by-case basis but not as a default, according to a Wednesday letter from Maj. Gen. Sarah Zabel, outgoing vice director of the Defense Information Systems Agency, to Sen. Ron Wyden, D-Ore. 

STARTTLS is essentially a way of encrypting emails that would otherwise be unencrypted as they transit between two computers.

Because of DOD’s aging technology, making STARTTLS protection automatic on external emails would prevent DOD from performing other security checks, Zabel wrote in an earlier letter to Wyden in April.

Those protections include monitoring incoming emails for malware used by adversary nation states and for “zero day” threats known by the government but not disclosed to the general public.

The email gateway upgrade that should be in place by July 2018 will allow DOD to both encrypt external emails by default and perform those checks, Zabel said.

The correspondence was previously reported by Gizmodo.

DISA expects to award a contract for the gateway transition later this year, according to a 2016 briefing to industry.

The Pentagon is a notorious target for sophisticated phishing attacks and other digital assaults. DISA currently rejects over 85 percent of external emails coming into the Pentagon each day because the agency believes they carry malicious code, Zabel told Wyden.

Emails within DOD and with particular DOD partners are encrypted using a Public Key Infrastructure encryption system, Zabel said. The department uses STARTTLS encryption for external emails in cases where “specific business and mission requirements establish the need for encrypted communications,” she said.

Wyden initially queried DOD about STARTTLS in March, noting the protection is used by the White House, Senate, House of Representatives and numerous government agencies and private companies. 

Zabel is slated to leave DISA to head up information technology acquisition process development for the Air Force.