DHS Email Mandate: DMARC Authentication Required for Federal Agencies
The U.S. Department of Homeland Security (DHS) has instructed federal agencies, through what the agency calls a Binding Operational Directive, to use the Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol for all email sent from domains using the .gov suffix, and to secure the websites on those domains.
DMARC is an email authentication protocol that prevents spammers and phishers from using an organization's name and email domain to conduct attacks. Lower-level, monitor-only DMARC deployments warn an organization that its email domain is being spoofed but don't block the spoofed messages from being delivered.
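The distinction the article draws, between a DMARC record that only reports spoofing and one that actually blocks it, comes down to a few tags in the domain's DNS TXT record. The following is an added example, not code from the article, DHS or the GCA: it parses a DMARC record and reports whether the policy is monitor-only (`p=none`), partially enforced (`pct` below 100), or fully enforcing (`p=quarantine` or `p=reject` at 100 percent), and whether aggregate reports are requested. The records and the `example.gov` addresses are constructed placeholders, not any agency's real configuration.

```python
"""Added example: classify DMARC TXT records as monitor-only or enforcing.

Not code from the article or from DHS/GCA. Domain names and mailbox
addresses below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample records; example.gov is a placeholder, not a real agency.
SAMPLE_RECORDS = {
    "monitor_only": "v=DMARC1; p=none; rua=mailto:dmarc-rua@example.gov",
    "partial": "v=DMARC1; p=quarantine; pct=20; rua=mailto:dmarc-rua@example.gov",
    "enforcing": ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                  "rua=mailto:dmarc-rua@example.gov; ruf=mailto:dmarc-ruf@example.gov"),
    "no_policy_tag": "v=DMARC1; rua=mailto:dmarc-rua@example.gov",
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    # RFC 7489 requires 'v=DMARC1' to be the first tag of the record.
    if not record.strip().lower().startswith("v=dmarc1"):
        raise ValueError("record does not start with v=DMARC1")
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        name, value = part.split("=", 1)
        tags[name.strip().lower()] = value.strip()
    return tags


@dataclass
class Assessment:
    policy: str          # effective policy receivers apply: none / quarantine / reject
    pct: int             # share of failing messages the policy is applied to
    enforcing: bool      # True only if spoofed mail is actually quarantined or rejected
    reporting: bool      # True if aggregate reports (rua) are requested
    findings: List[str]  # human-readable weaknesses found in the record


def assess(record: str) -> Assessment:
    """Classify a DMARC record the way a domain owner auditing it would."""
    tags = parse_dmarc(record)
    findings: List[str] = []
    policy = tags.get("p", "").lower()
    reporting = tags.get("rua", "").lower().startswith("mailto:")

    if policy not in ("none", "quarantine", "reject"):
        # RFC 7489 section 6.6.3: a missing or invalid 'p' is treated as p=none when a
        # usable 'rua' is present; otherwise receivers apply no DMARC processing at all.
        findings.append("missing or invalid 'p' tag; receivers fall back to p=none or ignore the record")
        policy = "none"

    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() and 0 <= int(pct_raw) <= 100 else 100

    if policy == "none":
        findings.append("monitor-only: spoofed mail is reported but still delivered")
    elif pct < 100:
        findings.append(f"only {pct}% of failing mail is subject to p={policy}")
    if not reporting:
        findings.append("no 'rua' tag: the domain owner receives no aggregate reports of spoofing")

    # Subdomain policy defaults to 'p' when 'sp' is absent.
    sp = tags.get("sp", policy).lower()
    if sp == "none" and policy != "none":
        findings.append("sp=none leaves subdomains unprotected although the organizational domain enforces")

    enforcing = policy in ("quarantine", "reject") and pct == 100
    return Assessment(policy, pct, enforcing, reporting, findings)


if __name__ == "__main__":
    for label, rec in SAMPLE_RECORDS.items():
        a = assess(rec)
        print(f"{label:14} p={a.policy:10} pct={a.pct:3} enforcing={a.enforcing} reporting={a.reporting}")
        for finding in a.findings:
            print("   -", finding)
```

Running the script prints one line per sample record. Only the `enforcing` record comes back with no findings; the `monitor_only` record is the "lower level implementation" the article describes, where reports arrive but spoofed mail is still delivered, and `partial` shows how a `pct` below 100 quietly weakens an otherwise strong policy.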
Here the DHS is talking about the full package. The directive is significant because DMARC adoption rates among enterprises and government agencies are far lower than one might expect, given that an estimated 85 percent of consumer email inboxes in the U.S. (including Gmail, Yahoo and Microsoft) and some 2.5 billion email inboxes worldwide already run the security protocol.
Certain requirements of the order, which was endorsed by the Global Cyber Alliance (GCA) at a hosted discussion in New York City, must be implemented within the next 90 days and others within 120 days, DHS officials said. By the 90-day deadline, all federal agencies will be required to deploy DMARC to prevent cyber crooks from using federal agency email domains as a launching pad for attacks. Within 120 days, the orders get a bit more stringent: The Hypertext Transfer Protocol Secure (HTTPS) must be implemented for all websites to secure connections between users and government agencies. In addition, other protocols, not yet specified, must be used to guarantee data exchanges by users and the federal government are similarly secure.
Those are tall orders: the U.S. government has more than 1,300 domains. But Phil Reitinger, who helms the GCA, the coalition begun in 2015 by New York County District Attorney Cyrus Vance, the Center for Internet Security and the City of London Police, said that the federal government is setting an example for the private sector to follow.
“Once federal agencies fully deploy DMARC, citizens cannot be phished by a criminal posing as a government employee,” he said. People should “expect the same of the companies on which we depend,” he said.
Recent studies reveal DMARC's underuse among enterprises. In a GCA-conducted survey of 268 companies at the Black Hat conference in July, only 27 percent had deployed DMARC. More worrisome still, of the 72 Black Hat attendees using DMARC, only six, just two percent of those asked, have fully deployed it, the study showed. The Black Hat results are not an anomaly: only 15 percent of the 587 email domains scanned among companies exhibiting at February's RSA Conference use DMARC.
The federal government typically refrains from taking the lead on cybersecurity issues, so on balance the DHS announcement, while a bit out of character, particularly with its clarion call to the business community, is welcome in more ways than simply mandating a technology platform.
Industry experts attending the event included Vance; Jeanette Manfra, Assistant Secretary, Office of Cybersecurity and Communications; Deborah Snyder, New York State Chief Information Security Officer; Brian Heemsoth, Senior Director of Global Security Innovation for Aetna; Aimee Larsen Kirkpatrick, Global Cyber Alliance Global Communications Officer; and Shehzad Mirza, Global Cyber Alliance Director of Operations.