DHS will scan agencies for DMARC, other hygiene measures
The Department of Homeland Security is now collecting data about federal agencies’ use of an industry-standard cybersecurity measure that blocks forged emails.
The collection is seen as a first step to encouraging wider adoption within the U.S. government, according to official correspondence.
In a letter to Sen. Ron Wyden, D-Ore., DHS official Christopher Krebs says the department, “is actively assessing the state of email security and authentication technologies … across the federal government,” to include Domain-based Message Authentication, Reporting and Conformance (DMARC).
DMARC is the industry standard measure to prevent hackers from spoofing emails — making their messages appear as if they’re sent by someone else. Spoofing is the basis of phishing, a major form of both crime and espionage, in which an email appearing to a come from a trusted third party directs readers to a website where login and password credentials can be stolen.
Krebs says DHS’s 24-hour cyber watch center, the National Cybersecurity and Communications Integration Center (NCCIC), “will soon be scanning federal agencies as part of its cyber hygiene service to incentivize the adoption of these technologies.” NCCIC already recommends the use of email authentication techniques like DMARC, Krebs says and “As we gain a better understanding of existing practices across the federal … government, DHS will consider additional options for promoting its implementation.”
The letter comes in response to last month’s call from Wyden for DMARC to be adopted and switched on across the federal government. As of Aug. 1, only 135 federal email domains out of 1315 — just 10 percent — had some form of the DMARC protocol deployed, according to the non-profit Global Cyber Alliance. And most of those sites did not have it switched on yet.
Wyden’s office called the letter’s announcement “a positive step.”
A federal agency can create a DMARC record in a matter of minutes, but once the policy is deployed, it has to be switched on. All the largest internet email providers like Google, Microsoft and Yahoo have it turned on for their users. If both sender and receiver have the policy switched on, email attempting to spoof the sender’s address will be delivered to recipient’s spam folder, or — if DMARC is switched to its highest setting — will not be delivered at all.
If DMARC is not switched on — as with more than half of the federal agencies that have it deployed — the domain owner will still get notified of spoofing attempts.
DHS “is also working to establish a central collection point for DMARC reports” that will give officials there “better situational awareness into phishing campaigns and the abuse of government [email] domains,” Krebs says. He adds that, because DMARC reports are open-source, “NCCIC welcomes all parties to contribute to the effort.”
The letter was applauded by observers as a sign of progress towards greater adoption of basic cyber hygiene measures like DMARC.
“We welcome DHS’s call for ‘all parties to contribute’ to its e-mail security efforts,” said Phil Reitinger, CEO of the Global Cyber Alliance. “We are happy to see that DHS fully recognizes the value that DMARC offers. We applaud the leadership role that DHS has taken in this matter and are hopeful that this process leads to the full implementation of DMARC across the federal government.”
“Preventing emails that impersonate federal agencies is a critical cybersecurity risk, so it is wonderful to see DHS respond so quickly and positively to this important subject raised by Sen. Wyden,” said Patrick Peterson, founder and executive chairman of Agari, an email security firm and one of the founders of the DMARC standard.
