U.S. military personnel have reportedly been sending sensitive government and military information to the person managing Mali’s internet domain for years, all because officials keep forgetting to type the “I” at the end of their outbound address.
The Financial Times broke the story about a steady flow of emails being sent to the “.ML” domain, which links to the West African country of Mali. Officials are supposed to type “.MIL” as the official military signifier.
Though none of those emails were considered classified, some contained rather need-to-know material. One of the emails shown in the FT report reveals sensitive information like the travel itinerary of James McConville, the currently serving U.S. Army chief of staff, from earlier this year. Other emails reportedly include identifying information, crew and staff lists on bases and ships, internal investigations, and financial information.
Another email forwarded by an FBI agent included information on an organization designated by the U.S. as a terrorist group. All in all, the U.S. has misdirected 117,000 messages to the .ML domain.
All that data was being sent to Johannes Zuurbier, whose company Mali Dili runs Mali’s .ML domain. That domain is being reverted to Mali’s control as of Monday, when the company’s contract expires. His company runs domain services for several other countries like Gabon and Equatorial Guinea, and he has operated Mali’s email since 2013. In the decade since, he told FT, he’s sometimes received thousands of requests in a single day to domains like army.ml and navy.ml.
When users send an email to an improper address, the email service first looks for the domain server, which then rejects the request if the specific address does not exist. The user usually receives an error message in their email. The domain host can see those messages, because its servers are pinged whenever a message is sent to an improper address.
The thing is, Zuurbier has been trying to contact U.S. officials about the issue for years through both formal and informal channels. He even claimed he went through Dutch diplomats and sought to notify the U.S. through cyber security and White House officials.
In response to Gizmodo’s inquiry, a U.S. Department of Defense spokesperson said, “The Department of Defense (DoD) is aware of this issue and takes all unauthorized disclosures of Controlled National Security Information or Controlled Unclassified Information seriously. DoD has implemented policy, training, and technical controls to ensure that emails from the ‘.mil’ domain are not delivered to incorrect domains.”
The spokesperson also added that their emails are “blocked before they leave the .mil domain and the sender is notified that they must validate the email addresses of the intended recipients.” However, DoD is not technically able to block its personnel from accidentally steering emails to the .ML domain.
It wasn’t just U.S. officials flubbing the domain spelling. The Dutch army uses “army.nl” as its domain, and Zuurbier said he’s received several Dutch emails as well. Australia’s Department of Defence also sent some emails to the wrong army.mil address.
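A sketch of the kind of outbound check the spokesperson describes, in which mail to a near-miss domain is held and the sender is asked to validate the recipient. This is an added example, not code from the article or from DoD's actual controls; the protected-domain list, the function names, and the sample addresses are assumptions built from the domains the article names.

```python
"""Hold outbound mail whose recipient domain is a near-miss of a protected one."""

# Assumption: constructed list based on the domains named in the article.
PROTECTED_DOMAINS = {"army.mil", "navy.mil", "army.nl"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute), one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalikes(domain: str, max_distance: int = 1) -> list:
    """Protected domains that `domain` is a near-miss of (empty if none)."""
    domain = domain.lower().rstrip(".")
    # A protected domain, or a subdomain of one, is a legitimate destination.
    if any(domain == p or domain.endswith("." + p) for p in PROTECTED_DOMAINS):
        return []
    hits = []
    for protected in sorted(PROTECTED_DOMAINS):
        # Compare only the trailing labels, so hq.navy.ml is checked as navy.ml.
        tail = ".".join(domain.split(".")[-(protected.count(".") + 1):])
        if edit_distance(tail, protected) <= max_distance:
            hits.append(protected)
    return hits


def screen_recipients(recipients):
    """Return (deliver, held); held maps each address to the reason it was stopped."""
    deliver, held = [], {}
    for addr in recipients:
        local, at, domain = addr.strip().rpartition("@")
        if not (local and at and domain):
            held[addr] = ["malformed address"]
        elif near := lookalikes(domain):
            held[addr] = near  # sender must confirm before release
        else:
            deliver.append(addr)
    return deliver, held


# Constructed sample recipients, not taken from the article.
SAMPLE = ["jane.doe@army.mil", "j.smith@army.ml", "ops@hq.navy.ml",
          "contact@example.org", "staff@army.nl"]
```

Note that `army.ml` is one edit away from both `army.mil` and `army.nl`, which matches the article's point that U.S. and Dutch senders make the same mistake.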
The U.S. has been noted for its terrible lack of computer literacy in the past. It took the U.S. intelligence community until 2015 to encrypt emails, and it wasn’t until 2017 that the Department of Homeland Defence forced partner agencies to use basic encryption standards. You just have to turn back the clock a year to see when the U.S. Air Force barely survived a reply-all apocalypse. Just last week, Microsoft reported hackers may have breached government email accounts, potentially leaking some of that information to China.