DHS orders feds to adopt DMARC email security
The Department of Homeland Security is using new powers to order federal agencies to adopt a form of email security that guards against spam and phishing.
A DHS Binding Operational Directive announced Monday in New York City by Assistant Secretary for Cybersecurity and Communications Jeanette Manfra gives federal agencies 90 days to begin to implement Domain-based Message Authentication, Reporting and Conformance (DMARC) for their email systems.
By Jan. 2018, all federal agencies will be required to implement DMARC across all government email domains. Additionally, by Feb. 2018, those same agencies will have to employ Hypertext Transfer Protocol Secure (HTTPS) for all .gov websites, which ensures enhanced website certifications.
Manfra clarified that individual agencies will continue to be responsible for their own cybersecurity policies, but will receive more capabilities and directions from DHS to help make email and website communications more secure.
“This directive is our way of showing that the federal government is a participant in the Internet, and we take our responsibility seriously,” said Manfra at a roundtable on the directive, noting how crucial it is for U.S. citizens to trust that an email from a government agency is legitimate.
To communicate and enforce this directive, DHS has partnered with cyber risk nonprofit Global Cyber Alliance and officials from the New York City government, with particular investment from the Manhattan District Attorney’s office.
“It’s a real sign that DHS and the federal government are stepping up and leading by example,” said Phil Reitinger, CEO of the Global Cyber Alliance.
“We needed a preventative, not a prosecutorial approach, to cybersecurity,” said Cyrus Vance, Jr., Manhattan District Attorney, noting that the DA’s office has had to do significant forensic analyses on devices, and couldn’t wait for other agencies to develop cybersecurity protocols.
The Manhattan DA’s office was one of the founding members of the Global Cyber Alliance.
DMARC is the industry standard measure to prevent hackers from spoofing emails — making their messages appear as if they’re sent by someone else. Spoofing is the basis of phishing, a hacking technique used in both crime and espionage, in which an email appearing to a come from a trusted friend or company provides an infected attachment or directs readers to a website where login and password credentials can be stolen.
In a recent survey, 135 federal email domains had DMARC deployed, out of a total of 1315 .gov domains. But fewer than half of those have it actually activated.
When an organization adopts DMARC, it can set the domain policy to p=none, which effectively leaves it switched off, or it can set p=quarantine or p=reject. In these modes, email purporting to come from the domain which isn’t in fact authorized, goes to spam or isn’t delivered at all for p=reject. This stops most email phishing and spoofing.
One issue is that most organizations have third-party services like marketing mailers that send email on their behalf. These messages can be sent to spam folders or even left completely undelivered if DMARC is not properly configured and set into p=quarantine or reject.
The directive announced Monday gives agencies a year before having to set p=reject.
The Global Cyber Alliance, which has adopted the motto of “Do Something, Measure It” stresses that an individual cannot protect oneself with protecting one’s neighbor. The government, and other organizations, contain and employ huge numbers of third party vendors, creating a supply chain rife with insecure neighbors, all using email accounts to share sensitive information.
According to the directive, even if individuals are using third party vendors like MailChimp to send out email campaigns, both the individual and the third party vendor will be required to employ DMARC verification protocols.
Manfra confirmed that email services contracted by the government will fall under this umbrella, and that DHS “hopes that this directive will encourage government agencies to use their purchasing power to make a difference in this arena.”
With questioned about scalability, Shehzad Mirza, the Director of Operations for the Global Cyber Alliance, noted that DMARC’s protocols can be applied to several other platforms that rely on email domains, such as websites, although most social media platforms are not an immediate target for similar protocols.
Manfra added that internal teams will continually scan government email networks to ensure compliance with the DMARC directive, in addition to red team activity aimed at high value assets, or segments of government networks for which a data compromise would result in significant consequences.
The move comes fewer than two months after DHS started collecting information about federal adoption of DMARC, a decade-old technology standard.
Currently, both large companies and cybersecurity vendors lag in DMARC adoption.
Still, the directive represents a strong voice of authority on email security from DHS, especially with the plethora of illegitimate online actors posing as government organizations, as well as the recent wide scale communications from government agencies like FEMA.
Nicole Softness contributed to this article.