The Washington Post Sunday

Pentagon ends mystery program outsourcing control of IP addresses

By Craig Timberg, craig.timberg@washpost.com. Alice Crites and Paul Sonne contributed to this report.

A Pentagon program that delegated management of a huge swath of the Internet to a Florida company in January — just minutes before President Donald Trump left office — has ended as mysteriously as it began, with the Defense Department this week retaking control of 175 million IP addresses.

The program had drawn scrutiny because of its unusual timing, starting amid a politically charged changeover of federal power, and because of its enormous scale. At its peak, the company, Global Resource Systems, controlled almost 6 percent of a section of the Internet called IPv4. The IP addresses had been under Pentagon control for decades but left unused, despite being potentially worth billions of dollars on the open market.

Adding to the mystery, company registration records showed Global Resource Systems at the time was only a few months old, having been established in September 2020, and had no publicly reported federal contracts, no obvious public-facing website and no sign on the shared office space it listed as its physical address in Plantation, Fla. The company also did not respond to requests for comment, and the Pentagon did not announce the program or publicly acknowledge its existence until The Washington Post reported on it in April.

And now it’s done. Kind of.

On Tuesday, the Pentagon made a technical announcement — visible mainly to network administrators around the world — saying it was resuming control of the 175 million IP addresses and directing the traffic to its own servers.

On Friday, the Pentagon told The Post that the pilot program, which it previously had characterized as a cybersecurity measure designed to detect unspecified “vulnerabilities” and “prevent unauthorized use of DoD IP address space,” was over. Parts of the Internet once managed by Global Resource Systems, the Pentagon said, now were being overseen by the Department of Defense Information Network, known by the acronym DODIN and part of U.S. Cyber Command, based at Fort Meade.

The IP addresses had never been sold or leased to the company, merely put under its control for the pilot program, created by an elite Pentagon unit known as the Defense Digital Service, which reports directly to the secretary of defense and bills itself as a “SWAT team of nerds” that solves emergency problems and conducts experimental work for the military.

“The Defense Digital Service established a plan to launch the cybersecurity pilot and then transition control of the initiative to DoD partners,” Russell Goemaere, a spokesman for the Defense Department, said in a statement to The Post. “Following the DDS pilot, shifting DoD Internet Protocol (IP) advertisement to DoD’s traditional operations and mature network security processes, maintains consistency across the DODIN. This allows for active management of the IP space and ensure the Department has the operational maneuver space necessary to maintain and improve DODIN resiliency.”

But the Pentagon statement shed little new light on exactly what the pilot program was doing or why it now has ended. It’s clear, though, that its mission has been extended even as it comes more formally under Pentagon control.

On the unusual timing of the start of the pilot program — which began the transfer of control of IP addresses at 11:57 a.m. on Inauguration Day, three minutes before President Biden took office — Goemaere added, “The decision to launch and the scheduling of the DDS pilot effort was agnostic of administration change. The effort was planned and initiated in the Fall of 2020. It was launched in mid-January 2021 when the required infrastructure was in place. Given the opportunity, maintaining low visibility was also desirable in order to observe traffic in its current state, allowing us to identify potential vulnerabilities and assess and mitigate potential cyber threats.”

Global Resource Systems did not return a request for comment Friday.

The unusual nature of the program has been tracked by several people in the networking world, including Doug Madory, director of Internet analysis for Kentik, a network monitoring company.

In April, Madory, a former Air Force officer, had come to believe the program was intended to collect intelligence. By announcing control of such a large section of the Internet — especially one the Pentagon had left mothballed for years — it probably was possible to reroute information flowing across the Internet to military networks for examination and analysis.

Madory said Friday that routine networking errors can make such operations fruitful.

“There are a lot of networks that inadvertently leak out vulnerabilities,” he said. “I’m sure they’ve been scooping that noise up for the past few months.”

Such tactics, he added, can allow cyberspies to discover weaknesses in the networks of adversaries or potentially detect evidence of how adversaries are surveilling your own networks, to help inform the creation of better defenses.

Madory shared one more tantalizing fact: His analysis shows that traffic flowing through the Internet addresses once controlled by Global Resource Systems is still leading to the same place as it has for most of the year — a computer router in Ashburn, Va., a major hub of Internet connections for government agencies and private companies — despite the official resumption of Pentagon control.
