Pentagon CIO tells agencies, industry to put a stop to email typos that could disclose sensitive info
Department of Defense Chief Information Officer John Sherman is calling on other U.S. government agencies, the defense industrial base and international partners to take steps to prevent typos that could accidentally divulge sensitive military information to unintended email recipients.
In a May 23 memo with the subject line, “Unauthorized Disclosure Due to Typographical Errors,” which was recently cleared for public release, the Pentagon CIO highlighted an issue that was in the news last year and appears to be an ongoing problem.
“The Department of Defense (DoD) has been encountering typographical errors that mistake the .ml domain for the .mil domain. Such errors could result in the misdirection of emails intended for a DoD (.mil) recipient to an unintended recipient on Mali’s sovereign ‘.ml’ domain. More important, such unintended misdirection of email could result in unauthorized disclosure of Controlled Unclassified Information. While this type of unauthorized disclosure is different from intentional and illegal disclosure of classified materials, the Department still takes very seriously all kinds of unauthorized disclosures of Classified National Security Information or Controlled Unclassified Information,” Sherman wrote.
“The DoD therefore requests that all U.S. departments and agencies, international allies and partners, and members of the defense industrial base exercise vigilance and take policy and technical measures to prevent typographical errors that could result in unauthorized disclosures. For its part, the Department implemented technical controls to block emails originating from the DoD network to the entire .ml domain, while retaining the ability to allow, by exception, legitimate emails to the .ml domain,” he added.
Last summer, the Financial Times reported that “millions” of emails intended for Defense Department employees ended up in the wrong place because of the domain mix-up.
At a July 17, 2023, press briefing, Pentagon Deputy Press Secretary Sabrina Singh was asked about what the department was doing to mitigate the problem.
“We’re aware of these unauthorized disclosures of controlled national security information,” she said. “We’ve implemented policy and training mechanisms and put them in place. And in terms of what we have here on the DOD systems is that when you send an email from a DOD email address, and you send it to a .ml email address, it will bounce back. So, a DOD email address will not be able to send to that email address.”
However, that move didn’t completely fix the problem across the board.
“We can’t control how other domains and how other websites send information. So, if an email was sent from a personal Gmail or Yahoo account that did likely go through to the .ml account, all we can do is account for our DOD assets, and ours remain intact,” Singh said during the briefing.
Sherman’s recent memo is aimed at getting other organizations to also put in place more effective controls.
“We value your partnership in support of the Department’s missions and thank you for your continued efforts to safeguard our military and national information,” he wrote.
Sherman is set to depart from his role as Pentagon CIO at the end of the month to serve as the next dean of the Bush School of Government and Public Service at Texas A&M University, his alma mater.
David McKeown, the deputy CIO for cybersecurity and chief information security officer, is listed as the department’s point of contact for the typo issue outlined in Sherman’s memo.
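The kind of outbound control the memo and the briefing describe (bounce mail addressed to any .ml recipient unless an exception covers it) can be expressed as a recipient check at the sending organization's mail gateway. The following is an added example, not DoD's implementation; the function names, the exception lists and every sample address are assumptions made for illustration.

```python
from email.utils import getaddresses

BLOCKED_TLD = "ml"  # Mali's ccTLD, one keystroke away from .mil

def split_address(addr):
    """Return (local, domain) with the domain lowercased and any trailing
    root dot removed, or None if addr is not of the form local@domain."""
    local, sep, domain = addr.strip().rpartition("@")
    domain = domain.rstrip(".").lower()
    if not (sep and local and domain):
        return None
    return local, domain

def is_blocked(addr, allowed_addresses=(), allowed_domains=()):
    """True if addr must be bounced: its TLD is .ml and no exception covers it.
    Unparseable addresses are bounced too (fail closed)."""
    parts = split_address(addr)
    if parts is None:
        return True
    local, domain = parts
    # Compare the last DNS label, so ".html" or "ml.example.com" never match.
    if domain.rsplit(".", 1)[-1] != BLOCKED_TLD:
        return False
    if f"{local}@{domain}".lower() in {a.lower() for a in allowed_addresses}:
        return False
    # Domain exceptions match exactly; subdomains need their own entry.
    return domain not in {d.lower() for d in allowed_domains}

def screen_outbound(header_values, allowed_addresses=(), allowed_domains=()):
    """Split the recipients found in To/Cc/Bcc header values into
    (deliver, bounce) lists of bare addresses."""
    deliver, bounce = [], []
    for _name, addr in getaddresses(header_values):
        blocked = is_blocked(addr, allowed_addresses, allowed_domains)
        (bounce if blocked else deliver).append(addr)
    return deliver, bounce

if __name__ == "__main__":
    # Constructed sample headers; every address here is made up.
    to = ['"J. Doe" <j.doe@unit.example.mil>, ops@Unit.Example.ML']
    cc = ["liaison@partner.example.ml, press@news.example.com"]
    deliver, bounce = screen_outbound(
        to + cc, allowed_addresses={"liaison@partner.example.ml"})
    print("deliver:", deliver)
    print("bounce: ", bounce)
```

Matching on the final DNS label after case and trailing-dot normalization is what keeps the rule from being sidestepped by `ML` or `example.ml.` while leaving unrelated domains alone.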