For years, US military personnel have allegedly been sending critical government and military information to the person in charge of Mali’s internet domain, all because authorities keep leaving out the letter “I” in the domain at the end of their outbound address. The Financial Times first reported on a regular influx of emails being sent to the “.ML” domain, which is associated with the West African country of Mali. Officials should be typing “.MIL,” the official military domain suffix.
Although none of the emails were classified, some of them contained sensitive information. One of the emails revealed in the FT story included sensitive material, such as the travel itinerary of James McConville, the current chief of staff of the United States military, from earlier this year. Other emails allegedly include identifying information, base and ship crew and employee lists, internal investigations, and financial information. Another email forwarded by an FBI agent contained information on a terrorist organization recognized by the United States. In total, the United States has redirected 117,000 communications to the .ML domain.
Johannes Zuurbier struggles to contact US officials about domain issue
All of the information was transmitted to Johannes Zuurbier, whose company Mali Dili manages Mali’s .ML domain. After the company’s contract expired on Monday, control of that name was returned to Mali. His company provides domain services to countries such as Gabon and Equatorial Guinea, and he has managed Mali’s email since 2013. In the decade since, he’s received hundreds of requests to names like army.ml and navy.ml in a single day, he told FT.
When a user sends an email to an invalid address, the email service looks for the domain server first and then rejects the request if the specific address does not exist. In most cases, the user receives an error message in their email. It is possible for the domain host to see those messages, as they’re pinged when a message is sent to an improper address. The problem is that Zuurbier has been attempting to contact US officials about the situation for years, via both formal and informal routes. He even claimed to have gone through Dutch ambassadors and attempted to warn the United States via cyber security and White House authorities.
Department of Defense unable to prevent email forwarding mistakes
In response to Gizmodo’s inquiry, a U.S. Department of Defense spokesperson said, “The Department of Defense (DoD) is aware of this issue and takes all unauthorized disclosures of Controlled National Security Information or Controlled Unclassified Information seriously. DoD has implemented policy, training, and technical controls to ensure that emails from the ‘.mil’ domain are not delivered to incorrect domains.”
According to the spokesperson, their emails are “blocked before they leave the .mil domain, and the sender is notified that they must validate the email addresses of the intended recipients.” However, the Department of Defense is not technically capable of preventing its workers from unintentionally forwarding emails to the .ML domain. It wasn’t simply US officials who spelled the domain incorrectly. The Dutch army’s domain is “army.nl,” and Zuurbier has received several Dutch emails as well. The Australian Department of Defence likewise sent emails to the incorrect army.mil address.
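A check of the kind the spokesperson describes, holding a message when a recipient domain is one typo away from a trusted one, can be sketched as follows. This is an added example, not DoD's actual control or code from the FT or Gizmodo reporting; the trusted-domain list, function names and sample addresses are constructed assumptions.

```python
# Added illustration (not DoD's actual control): hold outbound mail whose
# recipient domain is a near-miss of a trusted domain, such as army.ml
# typed for army.mil. All names and sample data here are assumptions.

TRUSTED_DOMAINS = {"army.mil", "navy.mil"}  # constructed sample allowlist


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment: insert, delete, substitute, transpose."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent swap, e.g. "iml"
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def check_recipient(address: str, max_distance: int = 1):
    """Return ("allow", None) or ("hold", trusted_domain_it_resembles)."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return ("allow", None)  # exact domain or one of its subdomains
    labels = domain.split(".")
    for trusted in sorted(TRUSTED_DOMAINS):
        # Compare only the rightmost labels so mail.army.ml is still caught.
        tail = ".".join(labels[-(trusted.count(".") + 1):])
        if edit_distance(tail, trusted) <= max_distance:
            return ("hold", trusted)
    return ("allow", None)  # unrelated external domain; other policy applies


def screen(recipients):
    """Map each held address to the trusted domain it was probably meant for."""
    held = {}
    for addr in recipients:
        verdict, intended = check_recipient(addr)
        if verdict == "hold":
            held[addr] = intended
    return held


if __name__ == "__main__":
    sample = ["clerk@army.mil", "clerk@army.ml", "ops@mail.navy.ml",
              "liaison@army.nl", "vendor@example.com"]  # constructed addresses
    print(screen(sample))
```

A held message would be returned to the sender for confirmation rather than dropped, so a legitimate recipient that happens to resemble a trusted domain can still be reached.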
US criticized for computer literacy, encryption delay, email security breaches
In the past, the United States has been criticized for its woeful lack of computer literacy. It took until 2015 for the US intelligence community to encrypt emails, and it wasn’t until 2017 that the Department of Homeland Security required partner agencies to implement basic encryption standards. You only have to go back a year to see when the United States Air Force almost survived a reply-all disaster. Microsoft recently claimed that hackers may have infiltrated government email accounts, potentially revealing some of the information to China.