Fed contractors aren’t using DMARC, new study finds
Just one of the 50 biggest federal IT contractors has adopted an important email security measure to guard against phishing, according to a new study.
The Global Cyber Alliance's (GCA) survey of the who's who of Beltway contractors, including Lockheed Martin, Booz Allen Hamilton, and AT&T, found that all but one, analytics firm Engility, failed to use the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol to block phishing attempts.
Only one other contractor, the engineering firm and consultancy Tetra Tech, was implementing the second-highest DMARC control, in which phishing emails are quarantined. Meanwhile, more than half the contractors had yet to implement any DMARC policy whatsoever, according to the study.
Phishing is one of hackers’ favorite tools for breaching a network, and the federal government has been trying to defend against it for years. DMARC fights phishing by creating a public record for checking whether an email sender is authorized to transmit a message on behalf of a domain.
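The record DMARC publishes is a DNS TXT entry at `_dmarc.<domain>` whose `p=` tag tells receivers what to do with mail that fails authentication, and it is that tag that separates the tiers in the study above (blocking, quarantining, or no policy). The following is an added example, not part of the article or of GCA's methodology: it parses constructed sample records and sorts each domain into one of those tiers, using tier names chosen here for illustration.

```python
# Constructed sample _dmarc TXT records for illustration; none belongs to a
# company named in the article. None means no TXT record was published.
SAMPLE_RECORDS = {
    "contractor-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@contractor-a.example",
    "contractor-b.example": "v=DMARC1; p=quarantine; pct=100; rua=mailto:agg@contractor-b.example",
    "contractor-c.example": "v=DMARC1; p=none; rua=mailto:agg@contractor-c.example",
    "contractor-d.example": "v=DMARC1; p=reject; pct=10",
    "contractor-e.example": "v=spf1 include:_spf.example -all",  # SPF, not DMARC
    "contractor-f.example": None,  # no _dmarc TXT record at all
}

def parse_dmarc(record):
    """Split a DMARC TXT record into tag/value pairs; None if it is not a DMARC record."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    # RFC 7489 requires v=DMARC1 as the first tag and a p= tag
    if not record.strip().lower().startswith("v=dmarc1") or "p" not in tags:
        return None
    return tags

def classify(record):
    """Map a record to an enforcement tier: 'reject' (failing mail blocked),
    'quarantine', 'monitor' (p=none, reports only) or 'none' (no DMARC policy)."""
    tags = parse_dmarc(record)
    if tags is None:
        return "none"
    policy = tags["p"].lower()
    if policy not in ("reject", "quarantine", "none"):
        return "none"
    pct = tags.get("pct", "100")
    # pct<100 applies the policy only to a sample of failing mail; the rest
    # falls to the next weaker action, so count the domain at that weaker tier
    if pct.isdigit() and int(pct) < 100:
        policy = {"reject": "quarantine", "quarantine": "none", "none": "none"}[policy]
    return "monitor" if policy == "none" else policy

def summarize(records):
    """Count domains per tier, the way a survey of many contractors would tally them."""
    counts = {"reject": 0, "quarantine": 0, "monitor": 0, "none": 0}
    for record in records.values():
        counts[classify(record)] += 1
    return counts

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:25} {classify(record)}")
    print(summarize(SAMPLE_RECORDS))
```

Only a `reject` (or, more weakly, `quarantine`) policy actually stops spoofed mail; `p=none` merely asks receivers to send reports, which is why the study counts it as no protection.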
A Department of Homeland Security directive gave federal agencies until Jan. 15 to implement DMARC, and some agencies struggled to meet that deadline. Moreover, an agency is only as secure as its weakest link, and hackers have targeted contractors to collect sensitive U.S. government information. A 2014 investigation by the Senate Armed Services Committee, for example, concluded that Chinese hackers had breached contractors to the U.S. Transportation Command 20 times over the course of a year, but that the command was aware of just two of those incursions.
“Government contractors should recognize that threat actors don’t quit when they see an obstacle, they’ll simply look for another weak link,” GCA President Philip Reitinger said in a statement.
“Country leaders in the U.S. and U.K. are implementing DMARC because they understand the threat and the impact a well-designed phishing scam could have on a critical agency,” Reitinger continued. “The leading U.S. contractors, receiving billions of dollars and responsible for much of our country’s federal IT infrastructure, should take similar steps to secure the government and its citizens.”
GCA has been sounding the alarm on lax DMARC implementation wherever it sees it. The nonprofit said in early April that only one of the 26 domains managed by the Executive Office of the President had used DMARC to block phishing attempts.