Senator presses DOD to secure agency’s publicly accessible web pages

Sen. Ron Wyden (D-Ore.) on Tuesday pressed the chief information officer at the Department of Defense (DOD) to immediately adopt cybersecurity best practices for all of the agency’s publicly accessible web services.

“[T]he Navy, Marines, and your own office’s website at dodcio.defense.gov, either do not secure connections with encryption or only prove their authenticity using a certificate issued by the DoD Root Certificate Authority,” Wyden wrote in a letter to Dana Deasy. {mosads} 

He noted that popular web browsers are sending alerts notifying users that “many” of the DOD web pages are not trustworthy.

“Many mainstream web browsers do not consider these DoD certificates trustworthy and issue scary security warnings that users are forced to navigate before accessing the website’s information,” he wrote to Deasy.

“The DoD cannot continue these insecure practices,” Wyden continued, noting that failing to heed these warnings “will erode the public’s trust in the Department and its ability to defend against against sophisticated cyber threats.”

Wyden highlighted how the Office of Management and Budget (OMB) issued a directive in 2015 requiring federal agencies to take steps to secure their websites and other web services as part of an effort to protect against cyberattacks.

Agencies were required to enable HTTPS encryption and include application programming interfaces, among other changes, by a 2016 deadline. He noted that the Department of Homeland Security then issued a directive reiterating these requirements a year later.

Wyden urged in his letter that they follow the guidelines followed in the OMB directive as well as other steps to boost security for web services. He asked that DOD provide him with a plan of action by July 20.