BOSTON -- On the day President Joe Biden was sworn into office, a shadowy company residing at a shared workspace above a Florida bank announced to the world's computer networks that it was now managing a colossal, previously idle chunk of the internet owned by the U.S. Department of Defense.
The company, Global Resource Systems LLC, kept adding to its zone of control. Soon it had claimed 56 million IP addresses -- which are unique addresses that identify individual devices on the internet and allow information to be sent between devices -- owned by the Pentagon. Three months later, the total was nearly 175 million. That's almost 6% of a coveted traditional section of internet real estate where such large chunks are worth billions of dollars on the open market.
The entities controlling the largest swaths of the internet generally are telecommunications giants whose names are familiar: AT&T, China Telecom and Verizon. But now at the top of the list is Global Resource Systems.
After weeks of wonder by the networking community, the Pentagon on Friday has now provided a very terse explanation for what it's doing. But it has not answered many basic questions.
The change is the handiwork of an elite Pentagon unit known as the Defense Digital Service, which reports directly to the secretary of defense. The Defense Digital Service bills itself as a "SWAT team of nerds" tasked with solving emergency problems for the department and conducting experimental work to make big technological leaps for the military.
Created in 2015, the Defense Digital Service operates a Silicon Valley-like office within the Pentagon. It has carried out a range of special projects in recent years, from developing a biometric app to help service members identify friendly and enemy forces on the battlefield to ensuring the encryption of emails Pentagon staff were exchanging about coronavirus vaccines with external parties.
Brett Goldstein, the Defense Digital Service's director, said in a statement that his unit had authorized a "pilot effort" publicizing the IP space owned by the Pentagon.
"This pilot will assess, evaluate and prevent unauthorized use of DoD IP address space," Goldstein said. "Additionally, this pilot may identify potential vulnerabilities."
Defense Digital Service also hopes to "identify potential vulnerabilities" as part of efforts to defend against cyber-intrusions by global adversaries, who are consistently infiltrating U.S. networks, sometimes operating from unused internet address blocks.
The specifics of what the effort is trying to achieve remain unclear. The Defense Department declined to answer a number of questions about the project, and Pentagon officials declined to say why Goldstein's unit had used a little-known Florida company to carry out the pilot effort rather than have the Defense Department itself "announce" the addresses -- a far more routine approach.
What is clear, however, is the Global Resource Systems announcement that it is managing the millions of IP addresses, which subsequently directed a fire hose of internet traffic toward these Defense Department addresses.
Doug Madory, director of Internet analysis for Kentik, a network monitoring company, said his monitoring showed the broad movements of internet traffic began immediately after the IP addresses were announced Jan. 20. On that day, messages began to arrive telling network administrators that the once-dormant IP addresses assigned to the Pentagon could now accept traffic, but it should be routed to Global Resource Systems.
Incorporated in Delaware and registered by a Beverly Hills lawyer, Global Resource Systems LLC now manages more internet space than China Telecom, AT&T or Comcast.
"It is massive. That is the biggest thing in the history of the internet," Madory said, of the company's 175 million addresses -- about 1/25th the size of the current internet.
Madory said such large amounts of data could provide several benefits for those in a position to collect and analyze it for threat intelligence and other purposes. He published a blog post on the mystery Saturday morning.
The data may provide information about how malicious actors operate online and could reveal exploitable weaknesses in computer systems. In addition, several Chinese companies use network numbering systems that resemble the U.S. military's IP addresses in their internal systems, Madory said. By announcing the address space through Global Resource Systems, that could cause some of that information to be routed to systems controlled by the U.S. military.
The data could also include accidental misconfigurations that could be exploited or fixed, Madory said.
"If you have a very large amount of traffic, and someone knows how to go through it, you'll find stuff," Madory added.
Dormant IP addresses can be hijacked and used for nefarious purposes, from disseminating spam to hacking into a computer system and downloading data, and the pilot program could allow the Defense Department to uncover if those activities are taking place using its addresses.
A person familiar with the pilot effort, who agreed to speak on the condition of anonymity because the program isn't public, said it is important for the Defense Department to have "visibility and transparency" into its various cyber resources, including IP addresses, and manage the addresses properly so they will be available if and when the Pentagon wants to use them.
"If you can't see it, you can't defend it," the person said.
CALLS UNRETURNED
However, what a Pentagon spokesman could not explain Saturday is why the Defense Department chose Global Resource Systems LLC, a company with no record of government contracts, to manage the address space.
"As to why the DoD would have done that, I'm a little mystified," said Paul Vixie, an internet pioneer credited with designing its naming system and the CEO of Farsight Security.
Global Resource Systems did not return phone calls or emails. It has no web presence, though it has the domain grscorp.com. As listed in records, the company's address in Plantation, Fla., outside Fort Lauderdale, is a shared workspace in an office building that doesn't show Global Resource Systems on its lobby directory. A receptionist at the shared workspace said Friday that she could provide no information about the company and asked a reporter to leave. Records show the company has not obtained a business license in Plantation.
The only name associated with it on the Florida business registry coincides with that of a man listed as recently as 2018 in Nevada corporate records as a managing member of a cybersecurity/internet surveillance equipment company called Packet Forensics. The company had nearly $40 million in publicly disclosed federal contracts over the past decade, with the FBI and the Pentagon's Defense Advanced Research Projects Agency among its customers.
That man, Raymond Saulino, is also listed as a principal in a company called Tidewater Laskin Associates, which was incorporated in 2018 and obtained an FCC license in April 2020. It shares the same Virginia Beach, Va., address -- a UPS store -- in corporate records as Packet Forensics. The two have different mailbox numbers. Calls to the number listed on the Tidewater Laskin FCC filing are answered by an automated service that offers four different options but doesn't connect callers with a single one, recycling all calls to the initial voice recording.
Saulino did not return phone calls seeking comment, and a longtime colleague at Packet Forensics, Rodney Joffe, said he believed Saulino was retired. Joffe, a cybersecurity luminary, declined further comment. Joffe is chief technical officer at Neustar Inc., which provides internet intelligence and services for major industries, including telecommunications and defense.
In 2011, Packet Forensics and Saulino, its spokesman, were featured in a Wired story because the company was selling an appliance to government agencies and law enforcement that let them spy on people's web browsing using forged security certificates.
The company continues to sell "lawful intercept" equipment, according to its website. One of its current contracts with the Defense Advanced Research Projects Agency is for "harnessing autonomy for countering cyber-adversary systems." A contract description says it is investigating "technologies for conducting safe, nondisruptive, and effective active defense operations in cyberspace." Contract language from 2019 says the program would "investigate the feasibility of creating safe and reliable autonomous software agencies that can effectively counter malicious botnet implants and similar large-scale malware."
Deepening the mystery is Global Resource Systems' name. It is identical to that of a firm that independent internet fraud researcher Ron Guilmette says was sending out email spam using the very same internet routing identifier. It shut down more than a decade ago. All that differs is the type of company. This one's a limited liability corporation. The other was a corporation. Both used the same street address in Plantation, a suburb of Fort Lauderdale.
"It's deeply suspicious," said Guilmette, who unsuccessfully sued the previous incarnation of Global Resource Systems in 2006 for unfair business practices. Guilmette considers such masquerading, known as slip-streaming, a ham-handed tactic in this situation. "If they wanted to be more serious about hiding this they could have not used Ray Saulino and this suspicious name."
Guilmette and Madory were alerted to the mystery when network operators began inquiring about it on an email list in mid-March. But almost everyone involved didn't want to talk about it. Mike Leber, who owns Hurricane Electric, the internet backbone company handling the address blocks' traffic, didn't return emails or phone messages.
Despite an internet address crunch, the Pentagon -- which created the internet -- has shown no interest in selling any of its address space, and a Defense Department spokesman, Russell Goemaere, said Saturday that none of the newly announced space has been sold.
Information for this article was contributed by Frank Bajak and Terry Spencer of The Associated Press; and by Craig Timberg, Paul Sonne, Lori Rozsa and Alice Crites of The Washington Post.