The White House’s delay in implementing an important email security protocol leaves its domain names vulnerable to being used in a large-scale phishing attack, according to a new study.
Only one of the 26 email domains managed by the Executive Office of the President (EOP) uses the Domain-based Message, Authentication, Reporting and Conformance (DMARC) protocol to block phishing attempts, the nonprofit Global Cyber Alliance said. Eighteen of those domains haven’t started deploying DMARC.
A Department of Homeland Security directive gave federal agencies until Jan. 15 to implement DMARC, which creates a public record for checking whether an email sender is authorized to transmit a message on behalf of a domain. Spokespeople for DHS and the National Security Council did not respond to questions on whether the directive applies to the EOP. The White House has previously claimed it was exempt from a governmentwide-reporting requirement under an IT security law.
Email domains managed by the Executive Office of the President, including WhiteHouse.gov, OMB.gov, and USTR.gov, “are crown jewels that criminals and foreign adversaries covet,” Philip Reitinger, the alliance’s president, said in a statement.
Although agencies have made progress implementing DMARC, more than a month after the DHS deadlines passed, an analysis by software vendor Easy Solutions found that over 40 percent of 311 government domains still lacked a DMARC record.
The federal government has been waging a years-long war on phishing that is far from over. In July and August 2015, a spear-phishing, or more targeted, attack that U.S. officials blamed on Russian hackers disabled the Joint Chiefs of Staff’s unclassified email system for more than two weeks.
A steady stream of generic, email-based attacks continues. The Pentagon blocks 36 million malicious emails a day, a defense official said in January.
“We hope the White House utilizes [the alliance’s] research as a call to action to join their government peers in taking this critical, commonsense step,” Patrick Peterson, founder of Agari, an email security firm that has also published research on DMARC, told CyberScoop.
An NSC spokesperson did not reply to questions on the study’s findings by the time of publication.