The Pentagon's Stunning Negligence With Sensitive Email

Pentagon Secretary Lloyd Austin (Source: Air Force Staff Sgt. Jack Sanders, DOD, and in the public domain)

The following is an exclusive for paid subscribers of The Dissenter. Exclusive content is accessible to all readers during July. If you appreciate what you read, become a subscriber with this 60-day free trial.

The Pentagon often makes a big deal out of “insider threats,” when leaks from low-level United States military personnel occur. However, it would appear that there is a bigger threat to the security of classified information: cyber carelessness.

As Financial Times first reported, for a decade U.S. officials have emailed diplomatic documents, tax returns, passwords, and travel details for high-ranking military officers to the wrong address.

The emails have mistakenly been sent to the .ml domain instead of the .mil domain. The .ml domain is for Mali. (Mali is currently considered a Russia ally.)

Johannes Zuurbier, a Dutch internet entrepreneur who has managed Mali’s country domain, has accumulated over 100,000 messages. There were more than 1,000 messages sent to .ml by mistake in the last week.

Since 2013, Zuurbier has warned U.S. officials of the problem.

A travel itinerary for General James McConville, who is the U.S. Army’s chief of staff, was sent prior to his trip to Indonesia in May.

CNN noted, “One email in Zuurbier’s stash is from an FBI agent and intended for a US Navy official, asking for personal information to process a Navy visitor to an FBI facility. The FBI agent uses the .ml domain.”

On June 17, control of the .ml domain reverted to the Mali government. The government is controlled by Colonel Assimi Goïta, the leader of a junta that seized power in a coup in 2020.

Goita, according to journalist Nick Turse, “worked with U.S. Special Operations forces for years, participating in Flintlock training exercises and attending a Joint Special Operations University seminar at MacDill Air Force Base in Florida.”

But this is not the first stunning example of negligence to be reported this year.

In February, it was widely reported that the Pentagon had “inadvertently leaked thousands of sensitive military emails via a misconfigured email server on the Microsoft Azure government cloud.”

According to independent security researcher Anurag Sen, the exposed email server leaked three terabytes of U.S. Special Operations Command (USSOCOM) internal emails for two weeks. The military’s internal mailbox system was accessible without a password to anyone with a web browser, internet access, and knowledge of the IP address.

When someone low-level, like Jack Teixeira, leaks documents to the public, that almost always sparks scandals. Senators and representatives in Congress will demand that rules and procedures are fine-tuned. However, unauthorized disclosures of information online or to the press seem to be more rare than careless actions by U.S. officials who possess security clearances.

The lack of a response to cyber negligence indicates that the problem with leaks is not that leaks risk harm to military personnel or security officials. Rather, unauthorized disclosures upset custodians of the military industrial-complex so deeply because they threaten to expose the inner workings of the system to scrutiny—even if the person doing the leaking had no intention of blowing the whistle.