The US military's email addresses have been caught up in a typo that has sent millions of emails meant for Pentagon personnel to Mali instead of the intended recipients. The misdirected emails contained sensitive information such as travel itineraries, tax returns, passwords, and medical data, which could be used to mount targeted cyber-attacks or to track the movements of Pentagon personnel. This article explores the security risks to US national security officials that can arise from an innocent typo, how the emails were misdirected, and what the US military is doing to prevent further leaks.
The emails were meant for the owners of ".MIL" email accounts, which is the internet domain owned by the US military. However, due to a typo, they were instead sent to the .ML domain, which manages email accounts in the West African country of Mali. The similarity between the two domains caused confusion and resulted in sensitive information being sent to the wrong location.
Misdirected emails have been arriving by the hundreds per day; most are spam, but some contain sensitive information. One email contained hotel room numbers for the Army chief of staff, Gen. James McConville, and his entourage on a trip they took in May to Indonesia. The leak poses a significant national security risk because adversaries can generate useful intelligence even from unclassified information.
Johannes "Joost" Zuurbier, a Dutch internet entrepreneur, received the emails because his company was contracted to manage the .ML domain. Since 2013, Zuurbier said he has raised the issue with various US officials, including the US Embassy in Mali earlier this year. His contract to manage the .ML domain expired last week, prompting him to raise awareness of the issue in the media. He collected almost 117,000 misdirected emails since January and warned the US in July, "This risk is real and could be exploited by adversaries of the US."
The personal information in the emails could be used to conduct targeted cyberattacks or to track the movements of Pentagon personnel. Although there is no evidence that this happened in this case, the leak reveals the security risks to US national security officials that can arise from an innocent typo. The Pentagon has no control over whether third parties mistype defense personnel's email addresses. The problem is significant: it is one thing when the misdirected mail lands with a domain administrator who is trying, even unsuccessfully, to raise the concern, and quite another when it lands with a foreign government that sees the mistake as an advantage it can use.
The Department of Defense (DoD) is aware of this issue and says it takes all unauthorized disclosures of Controlled National Security Information or Controlled Unclassified Information seriously. As a precaution, the Pentagon has blocked its email accounts from sending to .ml addresses: emails sent directly from the .mil domain to Malian addresses are stopped before they leave the .mil domain. The Pentagon has also implemented policy, training, and technical controls to ensure that emails from the .mil domain are not delivered to incorrect domains. The Department continues to provide direction and training to DoD personnel, although it is not possible to implement technical controls that prevent the use of personal email accounts for government business.
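The outbound control described above, blocking mail that leaves the .mil domain addressed to a .ml recipient, can be expressed as a simple recipient-domain policy. The following is an added example for illustration, not DoD code; the `CONFUSABLE_TLDS` mapping and the sample addresses are constructed assumptions, and only the .mil to .ml pair comes from the article.

```python
"""Outbound recipient-domain guard, modelled on the control the article
describes: mail from a .mil sender addressed to a .ml recipient is refused
before it leaves the sending domain.  Added example, not DoD code."""
from email.utils import getaddresses

# Assumption: each protected TLD maps to the near-miss TLDs that should be
# refused.  The article documents only the .mil -> .ml confusion.
CONFUSABLE_TLDS = {"mil": {"ml"}}


def recipient_domains(header_value: str) -> list:
    """Parse a To:/Cc: header (RFC 5322 address list) into lower-case domains."""
    domains = []
    for _name, addr in getaddresses([header_value]):
        if "@" in addr:
            domains.append(addr.rsplit("@", 1)[1].lower().rstrip("."))
    return domains


def check_outbound(sender: str, to_header: str):
    """Return (allowed, blocked_domains) for one outbound message.

    Only mail whose sender sits under a protected TLD is inspected; every
    recipient whose TLD is a known confusable of the sender's TLD is blocked.
    Mail from other senders, and mail to unrelated domains, passes through.
    """
    sender_tld = sender.rsplit("@", 1)[1].lower().rstrip(".").rsplit(".", 1)[-1]
    confusables = CONFUSABLE_TLDS.get(sender_tld, set())
    blocked = [d for d in recipient_domains(to_header)
               if d.rsplit(".", 1)[-1] in confusables]
    return (not blocked, blocked)


if __name__ == "__main__":
    # Constructed sample headers; none of these are real mailboxes.
    sender = "analyst@example.army.mil"
    to_hdr = "Col Smith <smith@example.army.ml>, liaison@partner.example.com"
    allowed, blocked = check_outbound(sender, to_hdr)
    print(allowed, blocked)  # False ['example.army.ml']
```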
The US government cannot stop outside users from mistyping addresses intended for the government, but some of those making the typos were US government employees. The Department of Defense needs to enforce strict guidelines so that its personnel use official email addresses for official business and avoid using personal email accounts for that purpose. It should also introduce mandatory training and education to increase personnel's awareness of the risks of conducting government business from personal email accounts.