It’s Raining Emails from the DOD Cloud

For the last two weeks, emails from US Special Operations Command (USSOCOM) have been seeping out into the public internet. Only this week did the Department of Defense (DOD) secure the server in question. No, this wasn’t the product of some sophisticated hack intent on leaking government emails. The reality is much more banal, but every bit as troubling. The email server—hosted on Microsoft’s Azure government cloud—was misconfigured. Someone failed to create a password for the server.

The good news is that the emails appear to be from USSOCOM’s civilian network, an indication that no classified data has leaked. The bad news is that anyone armed with an internet connection and the right IP address could access the emails, many of which contained sensitive personal information (including a security clearance questionnaire). Although the misconfigured server appears to have had little impact on national security, the incident serves as a canary in the coal mine for three larger cybersecurity issues.

First, the misconfigured server signals that the Defense Department is severely behind the curve on implementing Biden’s executive order on Zero Trust Architecture for federal cybersecurity. The administration’s directive intends to remove implicit trust from inside government networks, i.e., never assume that users or devices have legitimate permissions to interact in a networked environment. An important aspect of this “zero trust” approach is continuous verification—the constant monitoring and authentication of users, devices, applications, data flows, and network infrastructure itself. Using passwords is the bare minimum; the DOD server incident fails even this test.

Second, the server vulnerability is a reminder that contractors make great attack vectors for targeting federal networks. Instead of probing government networks directly, hackers have increasingly infiltrated contractor products and services in government supply chains. For instance, as part of the 2014 Office of Personnel Management (OPM) breach—where Chinese agents stole personal information on millions of federal employees—hackers also targeted USIS and KeyPoint, two contractors with access to OPM servers. Fast-forward to the SolarWinds hack in 2020: Russians infiltrated a single corporate software product to gain downstream network access across roughly a dozen federal agencies. Given this trend, the DOD is lucky that threat actors did not try to penetrate USSOCOM’s networks via the unsecured Microsoft server.

The final takeaway is that humans remain the weakest link in the cybersecurity loop. USSOCOM’s data exposure boils down to subpar job performance. Currently, it is unclear whether the fault lies with DOD personnel or one of Microsoft’s employees. Regardless, it is a keen reminder that cybersecurity is more than just hardware and software protections. For better or worse, human users configure and reconfigure network security through their interactions with the physical and digital elements of cyberspace.

Technology can help minimize human errors that pose cybersecurity challenges, but technology alone is not the solution. We don’t want some version of Skynet running our federal networks without people in the loop. Instead, as US adversaries become more sophisticated in their cyber operations, federal agencies and their contractors must institute better training and accountability standards. Failing to meet the barest minimum of security standards—securing access through password protection—is unacceptable. The Department of Defense and its contractors must do better if we want to avoid handing hostile powers the keys to our digital kingdom.

The post It’s Raining Emails from the DOD Cloud appeared first on American Enterprise Institute – AEI.