Basic Encryption: Boeing & Northrop Grumman lag behind competitors, rest of internet

Seven weeks ago Motherboard reporter Lorenzo Franceschi-Bicchierai penned The World’s Biggest Military Contractors Don’t Encrypt Their Websites. Lorenzo’s good read probably caused some red faces at Raytheon, Lockheed Martin, Boeing, and Northrop Grumman. The reason is simple: the lack of HTTPS on your site signals that you are lagging behind the security curve. This is unfortunate if you are a company with billions in cybersecurity contracts.

Lorenzo’s piece clearly had an impact. As I write this, it looks like the websites of Raytheon and Lockheed Martin have HTTPS-by-default enabled. Nice work CISOs and your teams! 

Boeing and Northrop Grumman still lagging as of late November 2017

Unfortunately not all of the companies followed suit.

Boeing and Northrop Grumman Websites Lagging Behind Competitors

As I write this, Boeing and Northrop Grumman still do not have HTTPS encryption enabled by default. This is pretty remarkable for companies that regularly ask for billions in taxpayer money. Even the often-lagging US Government adopted an HTTPS-only standard for federal websites back in 2015 (OMB memorandum M-15-13). Yet companies like Northrop Grumman actively market themselves, and their products, as at the forefront of cybersecurity.

Boeing has had several wakeup calls about cybersecurity in recent weeks. A must-read story by Raphael Satter of the Associated Press highlighted that Russian hackers had targeted Boeing employees, among other defense contractors. Then, last week, the Department of Homeland Security announced that it had remotely hacked a Boeing 757 at an airport. A more subtle wakeup call on cybersecurity issues may be found by visiting the boeing.com website in a Chrome browser: you will get a “Not Secure” notification next to the URL.

Boeing Website in November 2017: still not using encryption

This is Google’s helpful reminder to web users about the privacy of their personal data when visiting sites served over HTTP (i.e. without encryption); as of Chrome 62, the warning appears on any HTTP page where you type into a form field, and on every HTTP page in Incognito mode. It is also one of Google’s not-so-subtle nudges to website operators (like treating HTTPS as a ranking signal in search results) that HTTPS-by-default is essential to a safe internet.

Northrop Grumman has a $2 billion cybersecurity business, and pitches itself as a trusted partner to government in both offensive and defensive capabilities. Somehow, the company has still not gotten around to enabling HTTPS encryption on its own website.

The combination of northropgrumman.com and Google Chrome is unintentionally funny today

I wonder how the many fine employees who work in cybersecurity at Boeing and Northrop Grumman feel about their employers lagging so far behind basic cybersecurity good practices? I suspect some are secretly embarrassed.

HTTPS: A Cheap Signal That Your Company Gets It

Although there has been a tremendous push towards serving all websites using encryption, HTTPS is still not universal. Ask any expert in cybersecurity: for the past couple of years, lack of HTTPS has been a major red flag on any site selling anything cyber-related. At this point, lack of HTTPS on any website selling anything is a reason to browse the heck out of there. HTTPS on a website, on the other hand, is a great indicator that your company is keeping up with basic norms and good practices on the internet.

If you work at a company that has not enabled HTTPS, take a look at Google’s argument for enabling it, then ask your IT staff what the roadmap is for HTTPS implementation. "HTTPS-by-default" means two concrete things you can check: a request to http://yoursite/ must answer with a redirect to https://yoursite/, and the HTTPS response should carry a Strict-Transport-Security header so returning browsers never try plain HTTP again.
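The following checker is an added example and is not code from the original post. It parses raw HTTP/1.1 responses (so it runs offline on the constructed samples embedded below, which use the hypothetical host www.example.com and are not captured from boeing.com or northropgrumman.com) and reports whether a site redirects plain HTTP to HTTPS and whether its HSTS policy is present and sane. The `live_check` helper runs the same assessment against a real host using only the standard library.

```python
"""Check whether a site is HTTPS-by-default from its HTTP responses.

Added example, not code from the original post. Works on raw HTTP/1.1
response text so it runs offline; the sample responses below are
constructed for illustration, not captured from any real site.
"""
import http.client
from urllib.parse import urlparse

REDIRECT_CODES = {301, 302, 303, 307, 308}
ONE_YEAR = 31536000  # seconds; a commonly recommended HSTS max-age

# Constructed sample responses for the hypothetical host www.example.com.
SAMPLE_GOOD_HTTP = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://www.example.com/\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_GOOD_HTTPS = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Type: text/html\r\n\r\n<html>ok</html>"
)
SAMPLE_LAGGING_HTTP = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>ok</html>"
SAMPLE_LAGGING_HTTPS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>ok</html>"


def parse_response(raw):
    """Split raw HTTP/1.1 response text into (status_code, lowercase header dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into its directives."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.strip().lower()] = val.strip().strip('"')
    max_age = directives.get("max-age", "")
    return {
        "max_age": int(max_age) if max_age.isdigit() else 0,
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def assess(host, http_resp, https_resp):
    """Judge HTTPS-by-default from the plain-HTTP and HTTPS responses to GET /.

    http_resp / https_resp are (status, headers) tuples as returned by parse_response().
    """
    findings = []
    status, headers = http_resp
    target = urlparse(headers.get("location", ""))
    target_host = target.hostname or ""
    same_site = target_host == host or target_host.endswith("." + host)
    redirects = status in REDIRECT_CODES and target.scheme == "https" and same_site
    if not redirects:
        findings.append("http://%s/ is served in the clear instead of redirecting to https" % host)

    hsts_value = https_resp[1].get("strict-transport-security")
    hsts = parse_hsts(hsts_value) if hsts_value is not None else None
    if hsts is None:
        findings.append("no Strict-Transport-Security header: browsers will keep trying http first")
    elif hsts["max_age"] == 0:
        findings.append("HSTS max-age=0 disables the policy")
    elif hsts["max_age"] < ONE_YEAR:
        findings.append("HSTS max-age is shorter than one year")

    return {
        "redirects_to_https": redirects,
        "https_by_default": redirects and hsts is not None and hsts["max_age"] > 0,
        "hsts": hsts,
        "findings": findings,
    }


def live_check(host, timeout=10):
    """Fetch GET / over plain HTTP and over HTTPS, then assess the live answers."""
    def fetch(conn_cls):
        conn = conn_cls(host, timeout=timeout)
        conn.request("GET", "/", headers={"User-Agent": "https-default-check"})
        resp = conn.getresponse()
        headers = {k.lower(): v for k, v in resp.getheaders()}
        conn.close()
        return resp.status, headers
    return assess(host, fetch(http.client.HTTPConnection), fetch(http.client.HTTPSConnection))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(live_check(sys.argv[1]))  # e.g. python check.py www.example.com
    else:
        for http_raw, https_raw in ((SAMPLE_GOOD_HTTP, SAMPLE_GOOD_HTTPS),
                                    (SAMPLE_LAGGING_HTTP, SAMPLE_LAGGING_HTTPS)):
            print(assess("www.example.com", parse_response(http_raw), parse_response(https_raw)))
```

The redirect test deliberately accepts a hop from the bare domain to a www subdomain (a common setup) but rejects a redirect to a different site or back to http. A short HSTS max-age is reported as a finding rather than a failure, since the policy still protects returning visitors; a missing header or max-age=0 means the browser will try plain HTTP on every fresh visit.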

While you are at it, take a peek at these simple digital security steps for everyone.