NOTE: This article may include commentary reflecting the author’s position.
Sensitive information including passwords, diplomatic documents, travel itineraries, tax returns, and more have been inadvertently sent to one of Russia’s allies.
The Financial Times was the first to break the story on Monday that millions of U.S. military emails have been misdirected because people mistype the .MIL suffix used by all U.S. military email addresses and instead type .MI, which is the country identifier for Mali.
It’s a simple mistake that anyone could make, and for now, it hasn’t been weaponized against the U.S. but that could change very soon.
According to the Financial Times report, the problem was first identified in 2013 by Johannes Zuurbier, a Dutch internet entrepreneur who was contracted to handle Mali’s country domain, but his contract is set to expire and control of the domain will revert to the government of Mali.
Zuurbier has been collecting misdirected emails since January in an effort to persuade the US to take the issue seriously. He holds close to 117,000 misdirected messages — almost 1,000 arrived on Wednesday alone. In a letter he sent to the US in early July, Zuurbier wrote: “This risk is real and could be exploited by adversaries of the US.”
Control of the .ML domain will revert on Monday from Zuurbier to Mali’s government, which is closely allied with Russia. When Zuurbier’s 10-year management contract expires, Malian authorities will be able to gather the misdirected emails. The Malian government did not respond to requests for comment.
Zuurbier, managing director of Amsterdam-based Mali Dili, has approached US officials repeatedly, including through a defence attaché in Mali, a senior adviser to the US national cyber security service, and even White House officials.
Much of the email flow is spam and none is marked as classified. But some messages contain highly sensitive data on serving US military personnel, contractors and their families.
Their contents include X-rays and medical data, identity document information, crew lists for ships, staff lists at bases, maps of installations, photos of bases, naval inspection reports, contracts, criminal complaints against personnel, internal investigations into bullying, official travel itineraries, bookings, and tax and financial records.
Source: Financial Times (Archived)
Zuurbier said that after he began the contract with Mali, he quickly began receiving a number of requests for domains that didn’t exist — army.ml and navy.ml. This set off alarm bells for Zuurbier, who suspected that this was actually email, so he set up a system to catch the correspondence. He was quickly overwhelmed and stopped collecting the messages.
He sought legal advice and then repeatedly attempted to alert the US authorities. He also gave his wife a copy of the legal advice “just in case the black helicopters landed in my backyard” Zuurbier told the Financial Times.
So, what has the Department of Defense done to fix this problem?
Lt. Cmdr Tim Gorman, a Pentagon spokesman, said the DoD “is aware of this issue and takes all unauthorised disclosures of controlled national security information or controlled unclassified information seriously.” He added that emails sent from the .MIL domain that are inadvertently sent to Malian domains “are blocked before they leave the .mil domain and the sender is notified that they must validate the email addresses of the intended recipients”.
Of course, this doesn’t affect emails sent from non-military email addresses.
While none of the emails sent appear to have labeled classified, some of the information included in the emails are still sensitive and could put individuals at risk if they fall into the wrong hands.
One misdirected email this year included the travel plans for General James McConville, the chief of staff of the US army, and his delegation for a then-forthcoming visit to Indonesia in May.
The email included a full list of room numbers, the itinerary for McConville and 20 others, as well as details of the collection of McConville’s room key at the Grand Hyatt Jakarta, where he received a VIP upgrade to a grand suite.
Source: Financial Times (Archived)
There is also the real issue of scale — so much information over a such a long period of time is a problem in itself.
“If you have this kind of sustained access, you can generate intelligence even just from unclassified information,” said Mike Rogers, a retired American admiral who used to run the National Security Agency and the US Army’s Cyber Command.
“It’s one thing when you are dealing with a domain administrator who is trying, even unsuccessfully, to articulate the concern,” Rogers said. “It’s another when it’s a foreign government that … sees it as an advantage that they can use.”
With Biden’s decision last week to activate Reserves to “augment the active Armed Forces of the United States for the effective conduct of Operation Atlantic Resolve in and around the United States European Command’s area of responsibility,” any intelligence going to allies of Russia is a problem.
Psalms of War: Prayers That Literally Kick Ass is a collection, from the book of Psalms, regarding how David rolled in prayer. I bet you haven’t heard these read, prayed, or sung in church against our formidable enemies — and therein lies the Church’s problem. We’re not using the spiritual weapons God gave us to waylay the powers of darkness. It might be time to dust them off and offer ‘em up if you’re truly concerned about the state of Christ’s Church and of our nation.
Also included in this book, Psalms of War, are reproductions of the author’s original art from his Biblical Badass Series of oil paintings.
This is a great gift for the prayer warriors. Real. Raw. Relevant.