RON WYDEN
OREGON

COMMITTEES:
COMMITTEE ON FINANCE (RANKING MEMBER)
COMMITTEE ON THE BUDGET
COMMITTEE ON ENERGY AND NATURAL RESOURCES
SELECT COMMITTEE ON INTELLIGENCE

UNITED STATES SENATE
221 DIRKSEN SENATE OFFICE BUILDING
WASHINGTON, DC 20510-3703
(202) 224-5244

May 22, 2018

Dana Deasy
Chief Information Officer
U.S. Department of Defense
1300 Defense Pentagon
Washington, DC 20301-1300

Dear Mr. Deasy:

I write to ask that you take immediate action to require the adoption of cybersecurity best practices on all publicly accessible Department of Defense web services.

In 2015, the Office of Management and Budget (OMB) issued memo M-15-13, requiring that all federal agencies take steps to secure their websites and other web services, including interfaces for automated, programmatic interaction (APIs), from cyberattacks. The OMB memo gave agencies until the end of 2016 to enable HTTPS and to enforce its use with HTTP Strict Transport Security (HSTS), which ensures web browsers will not use insecure protocols when connecting to HSTS-enabled websites. In 2017, the Department of Homeland Security (DHS) issued Binding Operational Directive (BOD) 18-01, reiterating the OMB requirements and requiring civilian agencies to adopt additional forms of basic cyber hygiene.

A small number of websites, including the Army, Air Force, and National Security Agency homepages, currently implement HTTPS by default and use certificates trusted by major web browsers. Unfortunately, many other sites, including the Navy, Marines, and your own office's website at dodcio.defense.gov, either do not secure connections with HTTPS or only prove their authenticity using a certificate issued by the DoD Root Certificate Authority. Many mainstream web browsers do not consider these certificates trustworthy and issue scary security warnings that users are forced to navigate before accessing the website's information.
These challenges do not only impact civilians; servicemembers accessing pages from home regularly encounter security warnings and must click through such errors when accessing public resources. The DoD cannot continue these insecure practices. Starting in July, the Google Chrome browser will begin warning visitors to sites that do not use HTTPS that the requested site is not secure. These warnings will erode the public's trust in the Department and its ability to defend against sophisticated cyber threats. Moreover, the DoD's refusal to implement cybersecurity best practices actively degrades the public's security by teaching users to treat critical security warnings as irrelevant. Normalizing these warnings increases the risk of cybercrime and foreign-government hacking, as users, both military and civilian, incorporate these dangerous practices reinforced by the DoD into their daily habits.

DOD has prided itself on cybersecurity leadership and now is the time to again demonstrate that leadership. I urge you to direct all DOD agencies and offices to take the following three concrete steps to improve the cybersecurity of their publicly accessible web services:

• Adhere to all the guidelines specified in OMB memo M-15-13 and DHS Binding Operational Directive 18-01, including:
  - Enable HTTPS with HSTS on all public web services;
  - Facilitate the adoption of HSTS by delivering a list of all public domains, including .mil addresses, to DHS, as required by DHS Binding Operational Directive 18-01;
• Obtain and deploy certificates trusted by major web browsers for all web services accessible to the general public; and

• Evaluate the use of shorter-lived, machine-generated certificates, such as those available at no cost from organizations like Let's Encrypt.

Please provide me an action plan by July 20, 2018, describing your progress implementing these steps and detailing an estimated date by which all publicly accessible web services will implement these cybersecurity best practices. If you have any questions regarding this request, please contact Chris Soghoian in my office.

Sincerely,

Ron Wyden
United States Senator
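The following is an added example, not part of the letter and not code from any DoD system, illustrating in Python the two mechanisms the letter asks for: HSTS, described above as ensuring browsers will not use insecure protocols for HSTS-enabled sites, and browser-trusted certificates. It parses a Strict-Transport-Security header following RFC 6797, checks the parsed policy against a baseline that is this example's own assumption (one-year max-age, includeSubDomains, preload; the letter states no thresholds), and keeps a toy known-HSTS-host cache that upgrades http:// requests the way a browser does. Because a browser ignores an HSTS header delivered over plain HTTP or behind a certificate it does not trust, the cache models that rule too, which is why a site using an untrusted CA never gains the protection. All host names and header values are constructed.

```python
"""Toy model of HTTP Strict Transport Security (HSTS) handling (RFC 6797).

Constructed example: header parsing, a policy-strength check, and a
browser-style known-HSTS-host cache that only honours policies received
over HTTPS with a trusted certificate.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit, urlunsplit

# Assumed "strong policy" baseline for this example (not from the letter):
# one-year max-age, subdomains covered, preload requested.
MIN_MAX_AGE = 31536000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(header: str) -> Optional[HstsPolicy]:
    """Parse an STS header value; return None when RFC 6797 says to ignore it.

    Directives are ';'-separated and case-insensitive; max-age is required
    and may be quoted; a directive may appear only once; unknown directives
    are ignored.
    """
    seen = set()
    max_age = None
    include_subdomains = False
    preload = False
    for raw in header.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        name, _, value = raw.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in seen:
            return None          # duplicate directive: header is invalid
        seen.add(name)
        if name == "max-age":
            if not value.isdigit():
                return None      # max-age must be a non-negative integer
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None              # max-age is mandatory
    return HstsPolicy(max_age, include_subdomains, preload)


def policy_findings(policy: Optional[HstsPolicy]) -> list:
    """List the weaknesses of a parsed policy; an empty list means it meets the baseline."""
    if policy is None:
        return ["no valid Strict-Transport-Security header"]
    findings = []
    if policy.max_age < MIN_MAX_AGE:
        findings.append(f"max-age {policy.max_age} is below {MIN_MAX_AGE} (one year)")
    if not policy.include_subdomains:
        findings.append("includeSubDomains not set")
    if not policy.preload:
        findings.append("preload not set")
    return findings


class HstsCache:
    """Known-HSTS-host store modelled on browser behaviour (RFC 6797 section 8)."""

    def __init__(self, now: int = 0):
        self.now = now              # injected clock (seconds) so expiry is testable
        self._hosts = {}            # host -> (expires_at, include_subdomains)

    def record(self, host: str, header: str, *, over_https: bool, cert_trusted: bool) -> bool:
        """Store a policy; return False when a browser would ignore the header.

        STS headers received over plain HTTP, or over TLS with certificate
        errors, MUST be ignored: a site behind an untrusted CA never becomes
        a known HSTS host.
        """
        if not over_https or not cert_trusted:
            return False
        policy = parse_hsts(header)
        if policy is None:
            return False
        host = host.lower()
        if policy.max_age == 0:
            self._hosts.pop(host, None)     # max-age=0 removes the host
            return True
        self._hosts[host] = (self.now + policy.max_age, policy.include_subdomains)
        return True

    def is_known_host(self, host: str) -> bool:
        """Exact match, or a parent domain whose policy set includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at <= self.now:
                continue                    # expired entry no longer applies
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Upgrade http:// to https:// for known hosts; port 80 becomes 443, others are kept."""
        parts = urlsplit(url)
        if parts.scheme == "http" and self.is_known_host(parts.hostname or ""):
            netloc = parts.hostname
            if parts.port and parts.port != 80:
                netloc = f"{parts.hostname}:{parts.port}"
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
        return url
```

Running `policy_findings(parse_hsts(header))` over the headers a fleet of public sites returns is a quick way to inventory which hosts meet the baseline; `HstsCache.record` with `cert_trusted=False` shows why the certificate and HSTS recommendations above are linked rather than independent.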