In this post, Joseph Peterson questions if new .navy, .army and .airforce domain names could be a security issue for the U.S. military.
This little article of mine may make me some enemies at Rightside, the registry behind the recently released TLDs .ARMY, .AIRFORCE, and .NAVY. However, I have no ax to grind. Far from being opposed to the new TLD initiative per se, I personally invest in nTLD domains on occasion; and I see strong commercial potential in some of Rightside’s offerings. In this case, I simply want to voice a concern that goes beyond domain industry politics. And it’s just that — a tentative concern rather than a definite conclusion.
I should explain that my perspective on these 3 military TLDs comes from nearly a decade spent in the U.S. Navy. My military career did not involve me in policy decisions or even IT; so my experience is only indirectly relevant. Yet, for any submarine officer, information assurance was paramount. Classroom notes were shredded into dust. Armed guards ensured we didn’t bring cell phones in or classified papers out. Safes could only be opened in pairs. The military needs its boundaries airtight.
So what does this have to do with .NAVY, .ARMY, and .AIRFORCE? Well, nobody in the domain industry needs me to explain how much more important the internet is today than it was 20 years ago. Just like everybody else, the U.S. military operates a fleet of its own official websites. Many of them are public, although you’re unlikely to have visited them. Others require login and are meant to be secure. In other words, the military has an online perimeter to patrol. With these 3 new TLDs, that military border will likely be compromised. It is already blurred.
Unlike .MIL and .GOV websites, which the Department of Defense (DoD) can regulate, .NAVY, .ARMY, and .AIRFORCE domains can be registered by anybody and used for unsanctioned activities. That’s free speech, and that ought to be perfectly fine.
But what about phishing? What if someone clones a military website to gain passwords and infiltrate a secure site or network? Many new TLDs give phishermen an edge. They’re a large supply of shorter plausible representations of your bank, your credit card, or your employer.
The U.S. military is especially vulnerable. Take the Navy, for instance. Most of its sites are built on subdomains like public.Navy.mil. Shortening this to public.Navy by dropping the .MIL could easily go unnoticed or (if noticed) look equally official. In general, military personnel are too busy to pay attention to URLs. Internet awareness matters very little in that line of work. So unless the U.S. military emphatically distances itself from .NAVY / .AIRFORCE / .ARMY as part of an ongoing training program, military personnel will fall for impostors.
Does this matter? Prior to general availability, each of the 3 new TLDs had fewer than 50 registered domains; and it’s unclear how many will be registered, by whom, and for what mixture of purposes, tomorrow or 10 years from now. Also, I can’t really comment about the nature or extent of the military’s online risk. Phishing could expose personal information at the very least. At worst, it could access classified material.
During World War II, the Navy had a saying: “Loose Lips Sink Ships”. The suggestion that spies are all around and listening in probably strikes most of you as paranoid or antiquated. Nevertheless, military-versus-military espionage is part of a government’s day-to-day activity. Even after the Cold War, rival militaries vie with each other for tactical and technological supremacy. During peacetime, a relentless battle continues to discover what the other guy is up to and how they do things. Spies within the military have been prosecuted as recently as 2013. Submarines, satellites, and aerial drones are all instruments partly designed for espionage. These days, so are hackers.
Cyber warfare isn’t just about installing viruses to destroy Iranian centrifuges or government-sponsored Chinese hackers. Much of it is low tech and makes use of run-of-the-mill online resources. For instance, Facebook has proven to leak ships’ movements like a sieve, despite admonitions to sailors not to disclose deployment dates. Social media can be a security problem for the military, and so can the domain industry.
Motive exists. Does opportunity? Could a phishing expedition using .NAVY gain information on, say, submarine systems, tactics, or nuclear missiles? Maybe not today. But phishing could interfere with military personnel in smaller ways — for instance, diverting pay away from bank accounts.
Crucially, nobody knows how the U.S. military might choose to use URLs built on .MIL or .GOV domains in the future. The world relies on the internet more and more year after year; so I’d expect the military to follow suit. Regardless of how .MIL and .GOV sites are deployed, any military website can now be impersonated more easily with a .ARMY / .AIRFORCE / .NAVY knockoff. That means ongoing elevated risk.
Although I do see the appeal of .ARMY, .AIRFORCE, and .NAVY for personal or civilian use, I keep returning to one basic idea: A blurred boundary is harder to police. For the military, much more than for your bank account, secure access matters. The stakes are high.
Do the benefits of free speech — of allowing private citizens to register their own .ARMY — outweigh potential risks to the actual Army? I personally think the U.S. military missed the boat when it chose to allow these domains to be scattered on the wind. The right hand doesn’t know what the left hand is doing. If the issue was neglected, that is hardly surprising, given what pressing concerns the DoD has had on its plate. Who in the U.S. military could afford to pay attention to the domain industry and hypothetical web-based chinks in the DoD’s armor while mired in multiple, actual overseas wars?
Back in 2012, Politico ran an article with the provocative headline: “U.S. cries foul over .army, .navy and .airforce”. Did it really, or was that nothing more than anti-nTLD propaganda? That article referenced a formality, in which the registry was alerted to the fact that “The string is confusingly similar to the name of a specific agency”. Beyond that, I don’t know if the government raised much of a fuss or seriously evaluated the repercussions. Truly, if the U.S.A. (which still oversees ICANN) had wanted to take possession of .ARMY / .NAVY / .AIRFORCE, then it could have overpowered ICANN and Demand Media (now Rightside) with a flick of its little finger.
Perhaps discussions between Demand Media and someone within the DoD took place, and perhaps the government was satisfied to relinquish control of its 3 armed services as dots. But I would recommend that the United States government re-evaluate that risky long-term decision. The military may find that it’s worthwhile to buy out Rightside’s 3 military TLDs in order to safeguard them for official military purposes and protect its own personnel and classified information against phishing.
The time for a buyout is now — before widespread private ownership, before civilian development, and before security breaches. Frankly, Rightside might do well to sell off its 3 assets to the best-funded organization on the planet. Certainly, the DoD could put .ARMY, .AIRFORCE, and .NAVY to good use, streamlining its clunky, acronym-filled URLs.
Once again, these are just my own private and tentative musings. I’m quite aware that no flag officers from the Pentagon are reading DomainNameWire. And equally aware that nobody at ICANN or Rightside asked for my opinion. This is one guy’s gut reaction rather than an involved study. Time may prove me wrong, and I might change my mind tomorrow.
Robbie says
I see no commercial value in any of these extensions, to be honest they have no right even being issued.
couponpages says
This is crazy! Why on earth would they make those TLDs open to the public? There is absolutely ZERO reason for them to even exist, when .MIL and .GOV allow consumers to clearly know when something is “Official”.
I’ve always hated when a business uses official-sounding names to make them seem important. This has bugged me even before the Internet.
Andrew Allemann says
One thing to note here is that many countries have armies, navies, etc. The Australian government objected to .navy on the grounds of a local law forbidding its use by anyone other than the official navy. (Then again, Australia objected to basically every new TLD.)
Joseph Peterson says
Yes, it’s true that Australia, the UK, and even Canada have armies and navies.
That said, in this world of ours, there is a de facto international hierarchy:
http://en.wikipedia.org/wiki/List_of_countries_by_military_expenditures
37% of global military spending is by the USA, followed by China (11%) and Russia (5%). The UK and Australia are pretty far down the list. Canada drops off the bottom. Plus, much of the military apparatus of U.S. allies is an American hand-me-down or (sometimes) handout.
I’m no fan of U.S. foreign policy, but I’m a realist. And it’s pretty clear which English-speaking nation dominates the planet militarily and whose armed services are put in harm’s way most regularly. That’s not jingoism.
There’s also an established tradition of U.S. priority or favoritism when it comes to TLDs. After all, .COM skews toward U.S. companies (even if multinational), while Australia and the UK have had to content themselves with 3rd-level-domain ccTLD substitutes: .CO.UK and .COM.AU. There’s a similar hierarchy implied by .ORG.UK. Within the U.S., .US is almost nowhere to be found.
Certain things are not egalitarian at all, and military power is top of that unequal list. I’m not defending that, but it is a feature of this world. And ICANN remains under U.S. stewardship.
Given the U.S. government’s interests here and their ability to secure those interests, I think they made a mistake.
Joseph Peterson says
The rationale makes some sense, whether or not these TLDs would be strong sellers. Various civilian groups — companies and nonprofits — maintain strong connections to the armed forces. Many use words like “Army” or “Navy” to identify themselves, even though they’re not part of the military as such.
One example would be the Military Officers Association of America (MOAA.org), which is a lobbying group composed of veterans. Another example might be Navy Federal Credit Union (NavyFederal.org). Plenty of uniform suppliers are built on .COM. They’ll be targeted by cyber squatters any moment now.
There is a legitimate civilian interest in registering domains containing “Army”, “Navy”, or “AirForce” keywords. So I’m sure that Rightside and most others in the domain industry would regard .ARMY / .NAVY / .AIRFORCE as comparable to other nTLDs such as .LAWYER or .PLUMBING.
But I question whether those benefits outweigh the risks.
Jon says
A huge issue separate from phishing is email impostors. If US Army uses say John.Smith@us.army.mil and some general gets email from John.Smith@us.army, he will often assume the email is genuine. A lot of secrets will be revealed. A lot of fun times ahead.
I personally also think that email impostors issue will kill .attorney, .lawyer, .law, .health, .healthcare, and everything else that is very sensitive. It is simply too easy to use new legal TLDs to get attorney-client privileged information. If I am involved in a juicy lawsuit and I know my lawyer’s email is John.Smith@leeslaw.com and get an email from John.Smith@lees.law, the impostor will get all the confidential information from me. Then lawsuits will start flying against GoDaddy and everyone else involved in new TLDs.
Joseph Peterson says
Very true. I guess I lumped email impostors together with phishing.
Dan says
The only use I can really imagine for these TLDs would be military contractors and perhaps personnel blogs.
However, there is one key thing here which bugs me: the reasons you gave are not new and, as with lots of these things, this is a very U.S.-centric view.
Why should the U.S. Govt get these TLDs and not the UK Army or the German Army? If the Internet is truly global why does the U.S. always get first dibs?
Secondly, the issue of confusion between “public.army.gov” and “public.army” is exactly the same as other nations might have with “army.gov” Vs. “army.gov.uk” for example.
Now I’m sure there’s probably been at least some cases of confusion between a “.gov” and “.gov.CCTLD” so either it’s a non-issue or it’s already an existing concern and proper security training is simply a requirement of the modern age.
I do find the idea that military people don’t have time to worry about making sure the portal they’re sticking in credentials which provide access to sensitive materials is valid, everyone who deals with anything remotely sensitive should be trained and understand the security precautions to be confident that they are accessing the legitimate source.
Joseph Peterson says
@Dan,
The world isn’t equal. Never in the world’s history have the militaries of all nations been equally large or active. In today’s world, the U.S. military is certainly dominant. Given its size, activity, and prominence, it faces far more risks than the UK or Australian or German military. More wars. More active duty personnel. More self-appointed world governance. Like it or not, the UK and Germany are no longer empires, whereas the U.S.A. is.
In any case, the UK, Australian, and German militaries have long-standing cooperative relationships with the U.S. military. America has bases in Germany, after all. These countries share training programs, technology, information, and resources. So I doubt the UK or Australian military would be squabbling with the U.S. military if the latter owned .NAVY or .ARMY. Germany doesn’t even speak English; so why would they care?
It’s also true that Americans are more naïve when it comes to TLDs than people in countries where ccTLDs coexist with gTLDs. So the risk of confusion for American military personnel is actually greater than the risk for a British soldier who habitually distinguishes between .CO.UK and .COM.
If dot Brand proponents are correct, then consumers will begin seeing familiar companies as TLDs. If a U.S. soldier goes to .APPLE for his iPod, then he may assume that he can rely on .ARMY to conduct official army business.
That tendency to make assumptions based on new keyword TLDs would be new.
Mayer says
Agreed that these are a security risk and should not be available. The entire gtld program is foolish and this is just one tiny aspect of an overall ill-conceived plan.
Acro says
Tell that to ICANN’s Fadi Chehade, he has dreams of a global Internet away from US control.
But I saw no dot .Marines, surely a mistake? 😉
jane says
Your concerns over .airforce/.army/.navy are irrelevant, or to be more precise, are already a pre-existing issue under currently available TLDs.
What if someone spoofs an official military/government website by dropping the .gov portion?
So instead of…
OFFICIAL.ARMY.GOV
…the phisher uses…
SPOOFOFOFFICIAL.ARMY
…may I point out subdomains such as…
SPOOFOFOFFICIAL.ARMY.GOV.WHATEVER.TLD
…most likely already are in use in such attacks.
The key is in training people to look at the full url, in this case, where the / would appear.
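An added example, not part of the article or of any comment here: a Python check that a mail gateway or web proxy could run to flag the two patterns discussed on this page, a host that drops the official .MIL/.GOV suffix (public.Navy for public.Navy.mil) and an official name embedded under another domain. It goes slightly beyond those cases by also labelling any other host under a TLD that matches an official name. The allowlist is constructed from host names quoted on this page, and `host_of` and `classify` are hypothetical names.

```python
from urllib.parse import urlsplit

# Assumption taken from the article: only .mil and .gov names are officially controlled.
OFFICIAL_SUFFIXES = {"mil", "gov"}
# Constructed allowlist, built from host names quoted on this page as illustrations.
OFFICIAL_HOSTS = ["public.navy.mil", "us.army.mil", "official.army.gov"]


def host_of(value):
    """Extract the lowercase host from a URL, an e-mail address or a bare host."""
    value = value.strip()
    if "://" in value:
        host = urlsplit(value).hostname or ""
    else:
        host = value.split("/", 1)[0].rsplit("@", 1)[-1].split(":", 1)[0]
    return host.lower().rstrip(".")


def classify(value, official_hosts=OFFICIAL_HOSTS):
    """Label a host relative to the allowlist of official names."""
    host = host_of(value)
    labels = host.split(".")
    if len(labels) >= 2 and labels[-1] in OFFICIAL_SUFFIXES:
        return "official-suffix"
    verdict = "unrelated"
    for official in official_hosts:
        stem = official.rsplit(".", 1)[0]             # public.navy.mil -> public.navy
        base = ".".join(official.split(".")[-2:])     # public.navy.mil -> navy.mil
        if host == stem or host.endswith("." + stem):
            return "suffix-dropped"                   # public.navy, us.army
        if "." + base + "." in "." + host + ".":
            return "official-name-embedded"           # x.army.gov.whatever.tld
        if labels[-1] == stem.rsplit(".", 1)[-1]:
            verdict = "lookalike-tld"                 # any other host under .navy/.army
    return verdict
```

Any verdict other than `official-suffix` or `unrelated` is a candidate for a warning banner or a block at the gateway.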
Kassey says
Excellent piece! Email impostors and phishing are real risks, because spies can exploit the weakest point in any security system — the human being. Many people are simply lazy and don’t really check the website or email they are looking at. Remember that according to surveys the most popular passwords people use are “password” and “123456”.