Pentagon emails go astray, all the way to Mali

Millions of sensitive internal emails written by military staff employed by the Pentagon have been sent to the West African government of Mali, an ally of Russia, because of a basic typing error. The Pentagon email used by all the military ends with the suffix “.mil”. But by leaving out the ‘i’ by mistake, the emails have been going to “.ml” which is the domain used by Mali, a country that has been suffering from civil war and terrorism since 2012. None of the misdirected emails have included classified intelligence. But sensitive information has ranged from the travel itinerary of General James McConville, the US army chief of staff, prior to a trip to Indonesia earlier this year, personnel medical and tax records, maps of installations and photos of bases. Johannes Zuurbier, a Dutch internet specialist who was contracted by Mali to manage the .ml domain, told the Financial Times he first came across the flow of email traffic from the Pentagon ten years ago, and sounded warnings. However, with no sign of the wrongly directed emails coming to an end, he began collecting examples and wrote to the Pentagon this month. He said his contract with the Mali government was due to finish and warned: “This risk is real and could be exploited by adversaries of the US.” A Pentagon official said wrongly addressed emails were “blocked” before they left the .mil domain. But Zuurbier said that since January he had collected nearly 117,000 misdirected emails from the Pentagon, with about 1,000 arriving in Mali on one day alone. “If you have this kind of sustained access, you can generate intelligence even just from unclassified information," Admiral Mike Rogers, former head of the US National Security Agency (NSA), told the paper. Zuurbier said he tried many ways to let the Pentagon know what was happening, including appealing to the Dutch authorities to contact the US. Worried about the implications of the wrongly addressed emails he took legal advice. He gave a copy of the advice he received to his wife “just in case the black helicopters landed in my backyard”, he told the FT. “The department of defence [DoD] is aware of the issue and takes all unauthorised disclosures of controlled national security information seriously,” a spokesman for the office of the Secretary of Defence, said. “DoD has implemented policy, training and technical controls to ensure that emails from the .mil domain are not delivered to incorrect domains,” he said.