Monday, September 21, 2015

CIA, FBI And Much Of US Military Aren't Doing The Most Basic Things To Encrypt Email

It's no secret that FBI Director James Comey is somewhat clueless about encryption -- to the point that he doesn't even realize that stronger encryption will actually better protect Americans. But it seems to go beyond that. Apparently he's so clueless about encryption that he doesn't realize that it will help protect FBI agents. Lorenzo Franceschi-Bicchierai has a great story over at Vice Motherboard concerning key parts of our government that should understand the importance of keeping emails secret, that have failed to take the most basic steps in securing email communications. And the FBI is one of the agencies that has not done so. Ditto with the CIA. Or most branches of the military (the Air Force -- which used to run the US cybersecurity efforts -- is the one exception).

Specifically, the article focuses on the use of STARTTLS, which is used to encrypt emails in transit between service providers (it's not nearly as secure as doing full end-to-end encryption of the messages like PGP -- in which case the email providers can't read your email -- but it's a key tool for at least protecting your messages in transit between those providers). Most email systems use STARTTLS these days. Gmail has offered it since it launched over a decade ago. And for STARTTLS to work, both sides of the email provider chain need to be using it. Google has published stats on how much of the emails sent via Gmail are able to be sent with STARTTLS for a little while now and it keeps going up, such that these days, it's pretty rare for email providers not to offer STARTTLS -- with 80% of outbound mail and 61% of inbound mail using it. Yet the US military, the CIA and the FBI don't use it (the NSA does, because they're no dummies about encryption). Google and others in the tech industry have been begging email providers to use STARTTLS for a while, but apparently the US government, including agencies that you'd figure would want to protect secrets, apparently still hasn't figured this out.

No comments:

Post a Comment