Why millions of the Pentagon's dormant internet addresses suddenly sprang to life

By HAMZA SHABAN | The Washington Post | Published: April 27, 2021

During the final minutes of the Trump presidency, an obscure company in South Florida announced to the world's computer networks that it would begin managing a massive swath of the internet owned by the U.S. military.

In the months since, the company has claimed control of nearly 175 million IP addresses. Such huge chunks of traditional internet real estate, amounting to almost 6% of usable addresses in the original addressing scheme of the web, would be worth billions of dollars on the open market.

With no public explanation of what had taken place, the dramatic shift in IP address space allotment sparked impassioned speculation among network administrators and the internet industry. That interest only increased when the Pentagon, after weeks of inquiries from The Washington Post, finally offered an explanation.

Here's what you need to know about the Pentagon's unusual move.

Q: What made the internet handover so noteworthy?

A: The change in control of the addresses came just three minutes before Donald Trump left the presidency - at 11:57 a.m. Jan. 20, just before President Joe Biden assumed office under the Constitution. There was no press statement remarking on the change, just a notification through internet channels that previously dormant Pentagon addresses were now available to accept traffic. The mystery was heightened by the company that had assumed control of the addresses, a previously little-known entity, Global Resource Systems LLC. The transaction struck internet networking experts as highly unusual. The scale of the IP address handover was historic, and the absence of a clear explanation fueled speculation: Had the addresses been sold? Until Friday, the Pentagon had declined to provide answers.

Q: What is an IP address, and why does the Pentagon have so many?

A: An internet protocol address is a unique series of numbers that identifies a connection on the internet. It's how the internet knows to find your device and connect it to the items you've requested online. The Defense Department's Advanced Research Projects Agency, a research arm of the Pentagon, funded the work that formed the basis of the internet and long has had a huge allocation of addresses.

Q: How did people find out that the unused addresses were now accepting traffic?

A: The announcement that Global Resource Systems would begin operating the Pentagon addresses took place on the messaging system that tells internet companies how to route traffic across the world. Through what's known as the Border Gateway Protocol (BGP), messages began to arrive telling network administrators that long-dormant IP addresses assigned to the Pentagon could now accept traffic. Within three months, the number of IP addresses Global Resource Systems controlled totaled 175 million. But there was no other public word about the change until a Washington Post story Saturday.

Q: What do we know about Global Resource Systems LLC?

A: Global Resource Systems now manages more of the internet than other, far better-known companies, including AT&T, China Telecom and Verizon. But the company was founded only in September and has no publicly reported federal contracts and no obvious public-facing website. Its offices, according to public records, are in a shared workspace in an office building in Plantation, Fla., outside Fort Lauderdale. Its name does not appear on the building's lobby directory. Defense Department officials have declined to answer questions about why they are using such a little-known company to carry out such a major effort.

Q: How does the Pentagon explain the massive handover?

A: Brett Goldstein, the director of a Pentagon unit called the Defense Digital Service, said that his team had authorized the activation of the IP addresses as a "pilot effort" to improve cybersecurity. The Defense Digital Service reports directly to the secretary of defense and is tasked with solving emergency problems for the Defense Department and developing technology for the military. Goldstein's statement said, "This pilot will assess, evaluate and prevent unauthorized use of DoD IP address space. Additionally, this pilot may identify potential vulnerabilities." Goldstein's statement went on to describe the initiative as one of the Defense Department's "many efforts focused on continually improving our cyber posture and defense in response to advanced persistent threats" - internet security jargon usually applied to state-sponsored hackers. "We are partnering throughout DoD to ensure potential vulnerabilities are mitigated," he said.

Q: Does that explanation make sense?

A: Dormant IP addresses can be hijacked and used for nefarious purposes, from disseminating spam to intercepting large amounts of data intended for elsewhere, and the pilot program could allow the Defense Department to determine if those activities are taking place using its addresses. A person familiar with the pilot effort, who agreed to speak on the condition of anonymity because the program isn't public, said it is important for the Defense Department to have "visibility and transparency" into its various cyber resources, including IP addresses, and manage the addresses properly so they will be available if and when the Pentagon wants to use them.

But the newly activated addresses also are attracting large amounts of internet traffic that an organization as large as the Pentagon could collect and analyze for intelligence purposes, said Doug Madory, director of internet analysis for Kentik, a network monitoring company, who was among those trying to decipher what was happening. The data could provide information about how malicious actors operate on the Web, offering the Pentagon a glimpse of exploitable weaknesses in computer systems. Analysts could also glean insight from the internet traffic, learning what other entities are scanning for online and what devices they are using to retrieve data, Madory said. Accidental misconfigurations that could be exploited or fixed could also be among the data, he said.