A simple, single-letter typo has caused perhaps as many as several million email messages sent by members of the US Military to be inappropriately delivered to the African country of Mali, an ally of Russia in which contractors from the infamous Russian military contractor, Wagner Group, have been assisting Mali’s armed forces.
It appears that for as long as a decade, various users of military email systems sent messages to email addresses using the top-level domain “.ML,” the domain for Mali, instead of the U.S. military’s proper “.MIL” domain name – resulting in what is effectively a major leak of sensitive information.
Among the leaked data were briefings on domestic US terrorism marked “For Official Use Only,” a global counter-terrorism assessment document with the words “Not Releasable to the Public or Foreign Governments” on its cover, crew lists for ships, and maps and photos of military bases.
Until today, the .ML top-level domain had been administered on behalf of the government of Mali by a European company, Mali Dili; today, the government of Mali assumed direct control. The CEO of Mali Dili, Dutch national Johannes Zuurbier, says that he has been warning the US government about the typo problem for about a decade, but that despite his warnings nobody took action to adequately address it.
There are at least four major lessons that we can all learn from this incident:
1. Don’t assume that because security technology is available to address a particular danger, and an organization utilizes such technology, that the organization is actually secure against that particular danger.
The technology to prevent errors of the “ML” vs “MIL” type has been around for many years. Data Loss Prevention (DLP) technology, for example, can easily be configured either to prompt users making such an error to correct the relevant delivery address, or to block such messages from being transmitted altogether. Considering how many messages on the military’s email system are supposed to be addressed to the .MIL domain versus how many are supposed to be delivered to the .ML domain, such a rule should obviously have been in place. In fact, in all likelihood, the military had systems to prevent such mis-transmissions – but something went amiss; perhaps emails sent by government contractors and/or traveling military personnel were not properly routed (for example, via VPN) through the necessary DLP systems, or the rule only checked messages, not their addressing. An investigation will likely reveal much more about what actually went wrong.
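As an added example (not code from the original article, and not the configuration of any particular DLP product), here is the core of such a rule in Python: it parses an outbound message, flags every recipient whose top-level domain is one edit away from a protected one (so army.ml is flagged as a probable typo for army.mil), and then either warns the sender or blocks the message outright when the subject or body carries a handling marking. The protected-TLD list, the markings that escalate to a block, and the three sample messages are assumptions constructed here for illustration.

```python
"""Outbound-mail lookalike-domain check of the kind a DLP rule implements.

Added example; not code from the original article or from any DLP product.
Assumed (not stated in the article): the protected TLD list, the handling
markings that escalate a warning to a block, and the sample messages, which
are constructed here for illustration.
"""
from dataclasses import dataclass
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

PROTECTED_TLDS = {"mil"}                 # the suffix our users mean to type
ALLOWED_TLDS: set[str] = set()           # near-miss TLDs we legitimately mail, e.g. {"il"}
BLOCK_MARKINGS = ("FOR OFFICIAL USE ONLY", "FOUO", "NOT RELEASABLE")


def single_edits(word: str) -> set[str]:
    """Strings one deletion, substitution or transposition away from word
    (lowercase letters only). Covers 'mil' -> 'ml', 'mi', 'il', 'mli', ..."""
    letters = "abcdefghijklmnopqrstuvwxyz"
    out: set[str] = set()
    for i in range(len(word)):
        out.add(word[:i] + word[i + 1:])                               # deletion
        for c in letters:
            out.add(word[:i] + c + word[i + 1:])                       # substitution
        if i + 1 < len(word):
            out.add(word[:i] + word[i + 1] + word[i] + word[i + 2:])   # transposition
    out.discard(word)
    return out


# lookalike TLD -> the protected TLD it was probably meant to be
LOOKALIKE_TLDS = {tld: p for p in PROTECTED_TLDS for tld in single_edits(p)}


@dataclass
class Verdict:
    action: str                      # "allow" | "warn" | "block"
    flagged: list[tuple[str, str]]   # (address as typed, probable intended domain)
    reason: str


def lookalike_recipients(msg: Message) -> list[tuple[str, str]]:
    """Every To/Cc/Bcc recipient whose TLD is a near miss of a protected TLD
    and is not explicitly allowed, paired with the domain probably intended."""
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    flagged = []
    for _name, addr in getaddresses(headers):
        if "@" not in addr:
            continue
        domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
        tld = domain.rsplit(".", 1)[-1]
        if tld in LOOKALIKE_TLDS and tld not in ALLOWED_TLDS:
            intended = domain[: -len(tld)] + LOOKALIKE_TLDS[tld]
            flagged.append((addr, intended))
    return flagged


def message_text(msg: Message) -> str:
    """Subject plus every text/plain part, upper-cased for marking matches."""
    parts = [msg.get("Subject", "")]
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            parts.append(part.get_payload(decode=True).decode(errors="replace"))
    return "\n".join(parts).upper()


def check_message(raw: str) -> Verdict:
    """Decide whether an outbound message may leave as addressed."""
    msg = message_from_string(raw)
    flagged = lookalike_recipients(msg)
    if not flagged:
        return Verdict("allow", [], "no lookalike recipient domains")
    if any(marking in message_text(msg) for marking in BLOCK_MARKINGS):
        return Verdict("block", flagged, "marked content addressed to a lookalike domain")
    return Verdict("warn", flagged, "confirm the recipient domain before sending")


# Constructed sample messages (not real traffic).
SAMPLE_TYPO_MARKED = """From: analyst@example.mil
To: Jane Doe <jane.doe@army.ml>, ops@navy.mil
Subject: FOUO: weekly briefing

Attached briefing is marked For Official Use Only.
"""

SAMPLE_TYPO_UNMARKED = """From: analyst@example.mil
To: jane.doe@army.ml
Subject: lunch

Noon at the usual place?
"""

SAMPLE_OK = """From: analyst@example.mil
To: jane.doe@army.mil
Cc: liaison@example.gov
Subject: FOUO: weekly briefing

Same content, correctly addressed.
"""

if __name__ == "__main__":
    for raw in (SAMPLE_TYPO_MARKED, SAMPLE_TYPO_UNMARKED, SAMPLE_OK):
        v = check_message(raw)
        print(v.action.upper(), v.reason, v.flagged)
```

Two practical caveats. First, generating lookalikes by edit distance also catches legitimate destinations (a deletion turns .mil into .il, Israel’s domain), which is why the rule warns rather than blocks unless the content is marked, and why ALLOWED_TLDS exists for near-miss domains an organization really does correspond with. Second, a check like this only helps if every outbound path actually traverses it: a rule enforced on the headquarters mail gateway does nothing for a contractor or a traveling officer whose mail client talks to a different server, which is exactly the gap the paragraph above speculates about.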
2. Classified data must remain offline
The present leak did expose sensitive information, which, according to the Financial Times, included, in addition to the aforementioned items, diplomatic documents, tax returns, travel details of top officers, and even passwords (why passwords were being sent by email at all is a separate question that demands attention). But, thankfully, because classified data cannot legally be transmitted using regular email, the simple typo that misdirected a huge number of emails is not believed to have led to the compromise of even a single piece of classified information.
The current incident, therefore, reminds us of the importance of keeping our most sensitive information – such as classified data – on systems NOT connected to the internet. It also reminds us why we should not belittle the danger created when then Secretary of State Clinton used a private email server to communicate classified material. Facetiously remarking “But Her Emails” may express legitimate frustration with the failures of various other politicians, but it is truly an unwise remark: classified data on a private email server could easily have been delivered to the wrong parties because of a typo, and nobody might ever know one way or the other.
3. If your security plan relies on people not to make mistakes, you are going to ultimately experience a security nightmare.
Mistakes happen. People are fallible. Even military officers. If your security plan relies on people to never make mistakes, you are going to ultimately experience a security nightmare.
4. Don’t wait until an opportunity is gone to exploit it
At any point in the past decade, while the .ML domain was administered by Zuurbier, the United States federal government could have purchased .ml domains mimicking its own – e.g., army.ml, navy.ml, etc. It could even, for intelligence purposes, have purchased domains mimicking those of other parties (such as entities based in the Netherlands, whose .NL domain is likewise one letter away from .ML), and configured mail handling on those domains to warn any users who sent messages to them from a military system. Now that the government of Mali is administering the .ML domain, that type of action may no longer be possible.