Do you ever get the idea that China’s ability to breach United States networks is due less to its skill than to its adversary’s incompetence? After the breach of the Office of Personnel Management’s (OPM) network it was revealed that government networks are woefully out of date. In fact, China was focusing its efforts on non-military federal agencies. But even though other federal agencies’ network security is lackluster, we were told time and again that the Department of Defense (DoD) is held to a higher standard. That wasn’t true either:
The United States Department of Defense is still issuing SHA-1 signed certificates for use by military agencies, despite this practice being banned by NIST for security reasons nearly two years ago. These certificates are used to protect sensitive communication across the public internet, keeping the transmitted information secret from eavesdroppers and impersonators. The security level provided by these DoD certificates is now below the standard Google considers acceptable for consumer use on the web.
Few things amuse me more than when one federal agency, in this case the DoD, fails to abide by the recommendations issued by another federal agency, in this case the National Institute of Standards and Technology (NIST). The NIST guidance in question is SP 800-131A, which disallowed SHA-1 for generating digital signatures after 2013; the concern is that a SHA-1 collision lets an attacker obtain a forged certificate carrying a signature the CA actually produced. This shouldn’t be surprising, though: the DoD’s e-mail servers don’t even support STARTTLS, so any e-mail traveling between their servers and the outside world is sent in the clear. If the DoD can’t even take a basic measure like that, why would anybody assume it would use secure certificates?
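The quoted article’s claim is that the DoD’s certificates are still signed with SHA-1. The check a practitioner would run is to read the signatureAlgorithm field out of the certificate itself rather than take anyone’s word for it. The following is an added example, not code from the original post or from any DoD or NIST tool: a standard-library-only DER walker that pulls the outer AlgorithmIdentifier from an X.509 certificate and flags SHA-1. The OID table is an assumption limited to the common RSA, DSA and ECDSA variants, and the sample certificates it builds are constructed stand-ins, not real certificates.

```python
"""Added example: report the signature algorithm of a DER-encoded X.509
certificate using only the Python standard library, flagging SHA-1.
The sample certificates built below are constructed, not real ones."""

# Signature-algorithm OIDs that rest on SHA-1 (assumption: only the common
# RSA, DSA and ECDSA variants are listed).
SHA1_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10040.4.3": "dsa-with-sha1",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
ACCEPTABLE_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}


def read_tlv(data, offset=0):
    """Decode one DER tag-length-value at offset; return (tag, value, end)."""
    if offset + 2 > len(data):
        raise ValueError("truncated DER: missing tag or length")
    tag, first = data[offset], data[offset + 1]
    offset += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long form: 0x8N then N length octets
        n = first & 0x7F
        if n == 0 or n > 4 or offset + n > len(data):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    end = offset + length
    if end > len(data):
        raise ValueError("truncated DER: value runs past end of input")
    return tag, data[offset:end], end


def decode_oid(content):
    """Turn OID content octets into dotted-decimal text, e.g. 1.2.840.113549."""
    if not content:
        raise ValueError("empty OID")
    first = content[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    acc, pending = 0, False
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        pending = bool(b & 0x80)          # continuation bit: more octets follow
        if not pending:
            arcs.append(acc)
            acc = 0
    if pending:
        raise ValueError("truncated OID sub-identifier")
    return ".".join(str(a) for a in arcs)


def certificate_signature_algorithm(der_bytes):
    """Dotted OID of the outer signatureAlgorithm.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters OPTIONAL }"""
    tag, cert, end = read_tlv(der_bytes)
    if tag != 0x30 or end != len(der_bytes):
        raise ValueError("input is not a single DER SEQUENCE")
    tag, _tbs, off = read_tlv(cert)            # tbsCertificate (skipped)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, alg, _ = read_tlv(cert, off)          # signatureAlgorithm
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid, _ = read_tlv(alg)                # algorithm OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(oid)


def classify(der_bytes):
    """Return (oid, name, uses_sha1) for a DER certificate."""
    oid = certificate_signature_algorithm(der_bytes)
    if oid in SHA1_SIGNATURE_OIDS:
        return oid, SHA1_SIGNATURE_OIDS[oid], True
    return oid, ACCEPTABLE_OIDS.get(oid, "unknown"), False


# --- helpers that build constructed sample certificates for the demo -------

def der(tag, content):
    """Encode one DER TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    """Inverse of decode_oid: dotted-decimal text to OID content octets."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                        # high groups carry the 0x80 bit
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_sample_certificate(sig_oid):
    """Constructed sample: shaped like a Certificate, with a dummy
    tbsCertificate and an all-zero signature. Not a real certificate."""
    tbs = der(0x30, der(0x02, b"\x02"))                            # dummy INTEGER
    alg = der(0x30, der(0x06, encode_oid(sig_oid)) + der(0x05, b""))  # NULL params
    sig = der(0x03, b"\x00" + bytes(256))                          # BIT STRING
    return der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        found, name, weak = classify(make_sample_certificate(oid))
        print(f"{found:<24} {name:<24} {'SHA-1: reject' if weak else 'ok'}")
```

To run it against a real certificate, convert PEM to DER with the standard library’s `ssl.PEM_cert_to_DER_cert()` and pass the result to `classify()`. Two caveats apply: only the signatures on the leaf and intermediate certificates matter, since a self-signed trust anchor is trusted by identity rather than by its signature; and RFC 5280 requires the outer signatureAlgorithm to match the `signature` field inside tbsCertificate, which this walker does not cross-check.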
We keep hearing about the coming cyberwar. When it finally comes, the United States is going to be taken out in the initial volley. Every bit of news we hear indicates that the federal government’s computer security capabilities are nonexistent.