Federal agencies are making their email systems more secure, just in the nick of time.
As of Dec. 18, nearly half of all federal website domains had adopted new security measures to protect against spoofed email traffic. Adoption of the new measures surged by more than a third to 47 percent during a 30-day span across November and December, according to data from cybersecurity firm Agari. The increase came ahead of a deadline — which passed on Jan. 15 — set by the Department of Homeland Security to adopt the new email security tool.
According to Agari’s research report, “U.S. Federal Government DMARC Adoption,” federal domain adoption of Domain-based Message Authentication, Reporting and Conformance, or DMARC, increased 13 percentage points in 30 days, from 34 percent on Nov. 18, 2017 to 47 percent on Dec. 18, 2017. There are 1,106 federal .gov domains, FCW notes.
In October, DHS issued a “Binding Operational Directive” on cybersecurity, which covered both email and web security measures. The goal of the directive, DHS says, is to get agencies to use standards that have been widely adopted in industry, and thus “ensure the integrity and confidentiality of internet-delivered data, minimize spam and better protect users who might otherwise fall victim to a phishing email that appears to come from a government-owned system.”
DHS Pushes New Email Security Protocol
At issue is DHS’s directive to agencies to adopt an email protection protocol called DMARC. The protocol, an industry standard, is an email authentication policy and reporting protocol that’s designed to prevent email spoofing — when malicious actors make it appear like the email is coming from someone else — which is the foundation of phishing. An initiative of the Trusted Domain Project, DMARC was finalized in 2015 by contributors, including Google, Yahoo, Mail.Ru, JPMorgan Chase and Symantec.
As FCW reports: “DMARC is designed to alert email senders of attempts to spoof or impersonate a web domain and to block spoofed emails from recipients before they are delivered. The protocol works in conjunction with a digital watermark supplied by the official domain owner.”
DMARC “builds on the widely deployed SPF and DKIM protocols, adding linkage to the author (From:) domain name, published policies for recipient handling of authentication failures and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email,” notes DMARC.org.
DHS notes that setting a DMARC policy of “reject” gives agencies the “strongest protection against spoofed email, ensuring that unauthenticated messages are rejected at the mail server, even before delivery.”
Additionally, DHS notes that DMARC “reports provide a mechanism for an agency to be made aware of the source of an apparent forgery, information that they wouldn’t normally receive otherwise. Multiple recipients can be defined for the receipt of DMARC reports.”
DHS gave agencies until Jan. 15 to ensure that second-level agency domains have valid SPF/DMARC records, with at minimum a DMARC policy of “p=none” and at least one address defined as a recipient of aggregate and/or failure reports.
DMARC Helps Protect Federal Domains
“DMARC has proven to be an effective solution to secure our federal domains, but more work is needed to protect all federal domains. The time to act is now — deadlines to comply with BOD 18-01 are imminent,” Jeanette Manfra, assistant secretary for the office of cybersecurity and communications at DHS, said in a Jan. 2 statement distributed by Agari. “Cybersecurity is a critical component of our homeland security policy, but it is also a shared responsibility. It is crucial for U.S. citizens to trust that an email from a government agency is legitimate.”
Presumably, federal adoption of DMARC increased between the last date Agari provided data for (Dec. 18) and the DHS deadline (Jan. 15). “While still low, the set of government domains now has a significantly better adoption level than the commercial sector, where two-thirds (67 percent) of the domains have not published any DMARC policy,” the Agari report’s authors say, according to FCW.
By the middle of October, agencies must set a DMARC policy of “reject” for all second-level domains and mail-sending hosts. Agari notes in its statement that, of the billions of emails sent across the more than 400 federal government domains it secures, 96 percent of the emails are protected by the strongest DMARC policy (p=reject) nearly a year ahead of the deadline.
As a result, Agari says, the federal domains protected by DMARC at p=reject, including the U.S. Senate, Departments of Veterans Affairs and Health and Human Services, and the U.S. Post Office, have seen attempted fraud send rates decrease to less than 2 percent in December.
DHS also told agencies to adopt another email security protocol called STARTTLS, which, as FastMail notes, is “a way to take an existing insecure connection and upgrade it to a secure connection” using transport layer security (TLS) and its predecessor, secure sockets layer (SSL).
As DHS notes, when STARTTLS is enabled by a receiving mail server, the protocol signals to a sending mail server that the capability to encrypt an email in transit is present. Though it does not force the use of encryption, enabling STARTTLS makes passive man-in-the-middle attacks more difficult. As of Jan. 15, agencies were required to configure all internet-facing mail servers to offer STARTTLS.
Even though only roughly half of all federal domains had adopted DMARC by Dec. 18, Agari executives say there is positive news in the figures. CyberScoop reports that, according to Agari, 23 agencies “have achieved 100 percent DMARC adoption across all their email domains. This includes the Federal Trade Commission with 23 domains and the Consumer Product Safety Commission with 10.”