It’s no secret that FBI Director James Comey is somewhat clueless about encryption — to the point that he doesn’t even realize that stronger encryption will actually better protect Americans. But it seems to go beyond that. Apparently he’s so clueless about encryption that he doesn’t realize that it will help protect FBI agents. Lorenzo Franceschi-Bicchierai has a great story over at Vice Motherboard concerning key parts of our government that should understand the importance of keeping emails secret, that have failed to take the most basic steps in securing email communications. And the FBI is one of the agencies that has not done so. Ditto with the CIA. Or most branches of the military (the Air Force — which used to run the US cybersecurity efforts — is the one exception).
Specifically, the article focuses on the use of STARTTLS, which is used to encrypt emails in transit between service providers (it’s not nearly as secure as doing full end-to-end encryption of the messages like PGP — in which case the email providers can’t read your email — but it’s a key tool for at least protecting your messages in transit between those providers). Most email systems use STARTTLS these days. Gmail has offered it since it launched over a decade ago. And for STARTTLS to work, both sides of the email provider chain need to be using it. Google has published stats on how much of the emails sent via Gmail are able to be sent with STARTTLS for a little while now and it keeps going up, such that these days, it’s pretty rare for email providers not to offer STARTTLS — with 80% of outbound mail and 61% of inbound mail using it. Yet the US military, the CIA and the FBI don’t use it (the NSA does, because they’re no dummies about encryption). Google and others in the tech industry have been begging email providers to use STARTTLS for a while, but apparently the US government, including agencies that you’d figure would want to protect secrets, apparently still hasn’t figured this out.
When Franceschi-Bicchierai asked the Defense Department why most of the military doesn’t support it, he got a nonsensical answer:
In a statement emailed to Motherboard, a spokesperson for the Defense Information Systems Agency (DISA), the Pentagon’s branch that oversees email and other technologies, said the DISA’s DOD Enterprise Email (DEE) does not support STARTTLS.
“STARTTLS is an extension for the Post Office Protocol 3 and Internet Message Access protocols, which rely on username and password for system access,” the spokesperson wrote. “To remain compliant with DOD PKI policy, DEE does not support the use of username and password to grant access, and does not leverage either protocol.”
The spokesperson did not respond to several follow-ups, asking to clarify the statement. Michael Adams, an information security expert who served more than two decades in the US Special Operations Command, said that DISA’s explanation is “an unacceptable and technically inept answer,” and criticized the Pentagon for not taking security seriously and implementing STARTTLS.
“I can’t think of a single technical reason why they wouldn’t use it,” he told Motherboard in a phone interview. “It’s absurd.”
That opening sentence of the statement from the DOD reads like someone who is just discovering the technical details of email. It’s stating something that is (1) meaningless to the question and (2) stated in a manner different than any knowledgeable person would say things. Someone who deals with this stuff would just say POP3 and IMAP rather than spell them out — and again, that’s totally unrelated to the question of STARTTLS. So is the use of PKI (public key infrastructure) for emails.
In the past, I’d mainly assumed that when the FBI spoke out against encryption, it was mainly a smokescreen to try to get more backdoors to make its own life easier. But could it actually be that the FBI (and the CIA and the DOD) don’t even realize how important encryption is to protect their own information?