Department of Defense USA

A secretive Pentagon program that started on Trump’s last day in office just ended. The mystery has not.

Control of a remarkable 6 percent of the Internet was handed over to a Florida company as part of a cybersecurity pilot project. Now the Pentagon has taken all 175 million IP address spaces back.

Pentagon program that delegated management of a huge swath of the Internet to a Florida company in January — just minutes before President Trump left office — has ended as mysteriously as it began, with the Defense Department this week retaking control of 175 million IP addresses.

The program had drawn scrutiny because of its unusual timing, starting amid a politically charged changeover of federal power, and because of its enormous scale. At its peak, the company, Global Resource Systems, controlled almost 6 percent of a section of the Internet called IPv4. The IP addresses had been under Pentagon control for decades but left unused, despite being potentially worth billions of dollars on the open market.

Adding to the mystery, company registration records showed Global Resource Systems at the time was only a few months old, having been established in September 2020, and had no publicly reported federal contracts, no obvious public-facing website and no sign on the shared office space it listed as its physical address in Plantation, Fla. The company also did not respond to requests for comment, and the Pentagon did not announce the program or publicly acknowledge its existence until The Washington Post reported on it in April.

And now it’s done. Kind of.

On Tuesday, the Pentagon made a technical announcement — visible mainly to network administrators around the world — saying it was resuming control of the 175 million IP addresses and directing the traffic to its own servers.

On Friday the Pentagon told The Post that the pilot program, which it previously had characterized as a cybersecurity measure designed to detect unspecified “vulnerabilities” and “prevent unauthorized use of DoD IP address space,” was over. Parts of the Internet once managed by Global Resource Systems, the Pentagon said, now were being overseen by the Department of Defense Information Network, known by the acronym DODIN and part of U.S. Cyber Command, based at Fort Meade.

[Minutes before Trump left office, millions of the Pentagon’s dormant IP addresses sprang to life]

The IP addresses had never been sold or leased to the company, merely put under its control for the pilot program, created by an elite Pentagon unit known as the Defense Digital Service, which reports directly to the secretary of defense and bills itself as a “SWAT team of nerds” that solves emergency problems and conducts experimental work for the military.

“The Defense Digital Service established a plan to launch the cybersecurity pilot and then transition control of the initiative to DoD partners,” Russell Goemaere, a spokesman for the Defense Department, said in a statement to The Post. “Following the DDS pilot, shifting DoD Internet Protocol (IP) advertisement to DoD’s traditional operations and mature network security processes, maintains consistency across the DODIN. This allows for active management of the IP space and ensure the Department has the operational maneuver space necessary to maintain and improve DODIN resiliency.”

But the Pentagon statement shed little new light on exactly what the pilot program was doing or why it now has ended. It’s clear, though, that its mission has been extended even as it comes more formally under Pentagon control.

On the unusual timing of the start of the pilot program — which began the transfer of control of IP addresses at 11:57 a.m. on Inauguration Day, three minutes before President Biden took office — Goemaere added, “The decision to launch and the scheduling of the DDS pilot effort was agnostic of administration change. The effort was planned and initiated in the Fall of 2020. It was launched in mid-January 2021 when the required infrastructure was in place. Given the opportunity, maintaining low visibility was also desirable in order to observe traffic in its current state, allowing us to identify potential vulnerabilities and assess and mitigate potential cyber threats.”

Global Resource Systems did not return a request for comment Friday.

The unusual nature of the program has been tracked by several people in the networking world, including Doug Madory, director of Internet analysis for Kentik, a network monitoring company.

In April, Madory, a former Air Force officer, had come to believe the program was intended to collect intelligence. By announcing control of such a large section of the Internet — especially one the Pentagon had left mothballed for years — it likely was possible to reroute information flowing across the Internet to military networks for examination and analysis.

[Internet protocol from 1989 leaves data vulnerable to hijackers]

Madory said Friday that routine networking errors can make such operations fruitful.

“There are a lot of networks that inadvertently leak out vulnerabilities,” he said. “I’m sure they’ve been scooping that noise up for the past few months.”

Such tactics, he added, can allow cyberspies to discover weaknesses in the networks of adversaries or potentially detect evidence of how adversaries are surveilling your own networks, to help inform the creation of better defenses.

Madory shared one more tantalizing fact: His analysis of traffic flowing through the Internet addresses once controlled by Global Resource Systems are still leading to the same place as they have for most of the year — a computer routerin Ashburn, Va., a major hub of Internet connections for government agencies and private companies — despite the official resumption of Pentagon control.

Alice Crites and Paul Sonne contributed to this report.

By Craig Timberg Craig Timberg is a national technology reporter for The Washington Post. Since joining The Post in 1998, he has been a reporter, editor and foreign correspondent, and he contributed to The Post’s Pulitzer Prize-winning coverage of the National Security Agency.  Twitter