DHS Imposes Email Security Measures on Federal Agencies
Directive Requires Adoption of DMARC Anti-Spoofing System
A new directive from the U.S. Department of Homeland Security elevates federal agencies' email security to a standard widely adopted by commercial email providers, including Google, Yahoo and Microsoft.
DHS on Monday issued Binding Operational Directive 18-01 with the aim of bolstering email and web security by deploying the email security protocol DMARC, or Domain-based Message Authentication, Reporting and Conformance, and taking other steps.
Federal agencies can ensure the integrity and confidentiality of internet-delivered data, minimize spam and better protect users who might otherwise fall victim to a phishing email that appears to come from a government-owned system by implementing security standards that have been widely adopted in industry, the directive says.
How DMARC Works
DMARC is designed to fit into an organization's existing inbound email authentication process by helping email receivers determine if the purported message aligns with what the receiver knows about the sender, according to Dmarc.org. If not, DMARC includes guidance on how to handle the non-aligned messages.
DMARC builds on two existing mechanisms: DomainKeys Identified Mail, or DKIM, and Sender Policy Framework, or SPF. It allows the administrative owner of a domain to publish a policy stating whether DKIM, SPF or both are employed when sending email from that domain, and how the receiver should deal with failures. DMARC also provides a mechanism for reporting the actions performed under those policies.
DMARC doesn't protect email, but rather the people who use it, says Phil Reitinger, chief executive of the cybersecurity advocacy group Global Cyber Alliance. "Once federal agencies fully deploy DMARC, citizens cannot be phished by a criminal posing as a government employee," says Reitinger, a former top cybersecurity policymaker at DHS. "The federal government is stepping up and setting an example that the private sector should follow. If the U.S. government can deploy DMARC across more than 1,300 domains, then we should expect the same of the companies on which we depend."
Email: No. 1 Attack Vector
Email security weaknesses have plagued federal government agencies for years.
"Our No. 1 attack vector was through email, either targeted, spear phishing email or just regular spam-type of email," IT security consultant Charles Armstrong, the former CIO at DHS's U.S. Customs and Border Protection agency, said in an interview earlier this year with Information Security Media Group.
Speaking at a Global Cyber Alliance roundtable on Monday, DHS Assistant Secretary for Cybersecurity and Communications Jeanette Manfra said implementing DMARC isn't complicated. "Cybersecurity can be a very daunting discipline to take on, and it's important to take discrete, tangible steps that will have very scalable broad impact across the global eco-system," Manfra said. "Both the government and our citizens that depend upon interaction with the government deserve a trusted relationship."
More than 4.8 billion inboxes - 76 percent of all inboxes worldwide - employ DMARC, up from 2.7 billion in 2015, according to the Global Security Alliance.
Federal agencies have 30 days to develop a plan of action to comply with the directive. Under the directive, besides implementing DMARC, agencies within 90 days must configure internet-facing systems to offer STARTTLS, which is a way to take an existing insecure connection and upgrade it to a secure connection using SSL/TLS, cryptographic protocols that provide communication security over a computer network.
Within 120 days, federal agencies will be required to employ HTTPS, or Hypertext Transfer Protocol Secure, for all websites to furnish more secure connections between citizens and government agencies. They also must use other protocols along with HTTPS to help ensure that communications with the federal government are secure.