Skip to main content
banner image
venafi logo

Senator Asks: Are All Doors Open at the DoD?

Senator Asks: Are All Doors Open at the DoD?

DoD lacking HTTPS
June 1, 2018 | Robyn Weisman

Recently, the federal government’s focus on encryption has been mainly about gaining access to it through backdoors. But in spite of that focus, some agencies may have left the front door open. In an open letter to Dana Deasy, the new CIO of the U.S. Department of Defense, U.S. Sen. Ron Wyden, D-Ore., urges "immediate action to require the adoption of cybersecurity best practices on all publicly accessible Department of Defense (DoD) web services.”

Sen. Wyden’s letter was a recap of things you wish that you didn’t know, kind of like when I learned that U.S. nuclear missiles were still run on floppy disks. Only a few DoD websites—the Army, Air Force and the National Security Agency— “implement HTTPS by default and use certificates trusted by major web browsers.” The rest, (including: The Navy, The Marines and CIO Deasy’s office website) lack a secure HTTPS connection.

Moreover, they are proving their authenticity using certificates issued by the DoD’s own certificate authority, which Google Chrome (the browser favored by more than half of all North Americans, regardless of device) and other browsers do not trust. In other words, come July, when Chrome starts to evaluate the trustworthiness of certificates in order to warn users about the  sites with weak security, the aforementioned sites are likely to be flagged as unsafe. It’s no surprise that Sen. Wyden asks Deasy for an action plan by July 20.

Problem Is Everywhere

Today, Derek Hawkins, national cybersecurity reporter for The Washington Post, writes in his Cybersecurity 202 newsletter that more than three-quarters of federal agencies do not have cybersecurity programs in place that can protect against cyber intrusions in their networks, according to a new report from the White House Office of Management and Budget.

As disturbing as this news is, this problem is not confined to federal agencies. Nick Hunter, senior manager of threat intelligence at Venafi, says this problem extends far beyond the DoD and other government agencies. “The reality is that many private organizations have not implemented HTTPS or have but are not aware that their implementations are using weak encryption configurations. It’s also true that for many of these organizations, including many major brands, don’t understand that the ramifications of insecure encrypted communications and privacy can be profound,” he says.

This situation, both at the DoD and elsewhere, is mind-boggling. On this blog, we’ve harangued you about the importance of securing web transactions with HTTPS. As Scott Carter writes in a recent post:

SSL/TLS certificates are critical to the security of web transactions, such as online banking and e-commerce. These certificates create an encrypted connection between a web browser and web server. If cyber criminals gain access to these critical machine identities, they can eavesdrop on encrypted traffic or impersonate a trusted system in a phishing attack.

Closing All Doors

It’s disturbing that the DoD and so many critical government agencies could be making it easier for cybercriminals and nation-state attackers to break into agency networks. At the same time, however, HTTPS in itself isn’t a cure-all to this problem. After all, threat actors increasingly are leveraging HTTPS to camouflage attacks. Guest blogger Jack Walker points out:

Hackers now use HTTPS encryption to cover their tracks and get past firewalls, sandboxing technologies and behavior analytics tools. And, ultimately, it is a great and easy way to get malware onto the network without ringing any alarm bells, … and this is because defensive measures once thought effective are no longer properly doing their job. Firewalls, anti-malware solutions and IDS tools will often let HTTPS-traffic straight through, with even modern sandboxing technologies and behavioral analytics not configured to detect and neutralize HTTPS attacks.

In other words, grabbing a certificate so that your website has a green padlock isn’t enough. You need a comprehensive machine identity protection program that provides enterprise-wide visibility and automated control of every machine identity to be truly protected.

Is this the situation you’re currently facing? If so, we understand why you might be holding off on a Band-Aid HTTPS patch because you’re thinking about how to put a good machine identity protection solution in place. If that’s the case, then contact us. We’ve helped plenty of organizations, including government agencies, with their machine identity protection challenges and would welcome the opportunity to help you!

Like this blog? We think you will love this.
hands of a puppet master, pulling strings
Featured Blog

Reductor Malware Cleverly Manipulates TLS

Read More
Subscribe to our Weekly Blog Updates!

Join thousands of other security professionals

Get top blogs delivered to your inbox every week

See Popular Tags

You might also like

CIO Study: Certificate-Related Outages Continue to Plague Organizations
White Paper

CIO Study: Certificate-Related Outages Continue to Plague Organizations

Forrester Consulting Whitepaper: Securing the Enterprise with Machine Identity Protection
Industry Research

Forrester Consulting Whitepaper: Securing the Enterprise with Machine Identity Protection

Machine Identity Protection for Dummies
eBook

Machine Identity Protection for Dummies

About the author

Robyn Weisman
Robyn Weisman

Robyn is a Senior Content Writer at Venafi. She helps enterprise IT vendors pinpoint their marketing challenges and develop content marketing strategies. She worked for several well-known technology trade publications for over 15 years, and has a Master's Degree in Screenwriting from USC.

Read Posts by Author
get-started-overlay close-overlay cross icon
get-started-overlay close-overlay cross icon
Venafi Risk assessment Form Image

Sign up for Venafi Cloud


Venafi Cloud manages and protects certificates



* Please fill in this field Please enter valid email address
* Please fill in this field Password must be
At least 8 characters long
At least one digit
At last one lowercase letter
At least one uppercase letter
At least one special character
(@%+^!#$?:,(){}[]~`-_)
* Please fill in this field
* Please fill in this field
* Please fill in this field
*

End User License Agreement needs to be viewed and accepted



Already have an account? Login Here

×
get-started-overlay close-overlay cross icon

How can we help you?

Thank you!

Venafi will reach out to you within 24 hours. If you need an immediate answer please use our chat to get a live person.

In the meantime, please explore more of our solutions

Explore Solutions

learn more

Email Us a Question

learn more

Chat With Us

learn more
Chat