DMARC: States Should Follow Federal Directive to Enhance Email and Web Security

The Department of Homeland Security (DHS) has mandated that all federal executive branch agencies implement Domain-based Message Authentication, Reporting and Conformance (DMARC) to improve email security. In the same directive, DHS also mandated better Web security protections be put into place. I believe state and local governments should follow the lead of their federal counterparts and make implementing DMARC a priority. Here’s why.

by / October 20, 2017
Credit: Shutterstock/Rawpixel.com

When an email arrives in your inbox, how do you really know the sender? When information is accessed across the Internet, are you sure that the data has not been seen by others who were not authorized? How can we minimize spam, better protect users and ensure the integrity and confidentiality of the Web data we send and receive?

Bottom line, what practical steps can help ensure the trustworthy processes involved with the delivery of emails and Web-delivered data?

These questions have been around for decades, but new, mandated actions are now being taken to strengthen the security surrounding two of the original, and most prevalent, activities online — namely sending and receiving email and surfing the Web.  

New Federal Government Security Directive

In the past week, Elaine C. Duke, the acting secretary over the U.S. Department of Homeland Security (DHS), released Binding Operational Directive (BOD-18-01), to improve operational security for federal agencies.

The directive requires agencies to take immediate action and submit their plan to implement Domain-based Message Authentication, Reporting and Conformance (DMARC) for better email authentication. The goal is to drastically reduce email spoofing. According to the directive, “Setting a DMARC policy of “reject” provides the strongest protection against spoofed email, ensuring that unauthenticated messages are rejected at the mail server, even before delivery. Additionally, reports provide a mechanism for an agency to be made aware of the source an apparent forgery, information that they would not normally receive otherwise.”

The directive also requires agencies to submit their plans to implement better Web security by using Hypertext Transfer Protocol Secure (HTTPS) and HTTP Strict Transport Security (HSTS). The directive explains these mandates by stating that these actions remove “weak cryptologic protocols and ciphers.” In addition, “seven of the ten most common vulnerabilities seen across federal agency networks ... would be addressed through complying with these required actions.”

According to a recent Agari report on federal agencies:

     - Federal agencies are vulnerable to phishing and email fraud, with over 82 percent of their domains lacking DMARC entirely.

     - 9.3% of Federal domain have a none (Monitor) policy. This policy monitors for authentication abuse, but does not prevent it. When combined with the number of domains without any DMARC policy, Agari can conclude that over 90 percent of federal agency domains are vulnerable to digital deception.

     - NIST recommends using DMARC authentication tools to provide protection against phishing (SP 800-177, Trustworthy Email, Section 4.6).

More Details On DMARC & HTTPS

You can learn all about the background of DMARC at: https://dmarc.org/ — including the history and resources available

Last year, the United Kingdom (U.K.) took very similar steps regarding the use of DMARC and HTTPS. Here’s an excerpt from that announcement:

“Patrick Peterson, founding member of DMARC and executive chairman at email security firm Agari, welcomed the move.

‘Email is the number one entry point for data breaches, and the use of DMARC email authentication protocol for all .gov email domains will greatly reduce the risk of breaches and cyber-attacks,’ he argued.

‘This includes targeted email attacks such as Business Email Compromise (BEC) and spear phishing, which target governmental staff by impersonating senior officials, and phishing attacks that target members of the public by spoofing the .gov brand.’

The move will certainly go some way to improving the government’s cybersecurity posture, but it will have to do more about accidental data loss if it wants to really prevent breaches.”

Side note: This is another reason for us to monitor global cyberdevelopments, especially in the areas of what foreign governments are doing with cybersecurity.

According to The Hill.com back in July, several congressional leaders urged action by DHS.

“Sen. Ron Wyden (D-Ore.) made the request in a letter to a top official at the National Protection and Programs Directorate (NPPD), the DHS office in charge of securing cyber and physical infrastructure.”

Earlier this past week, Infosecurity magazine reported on the benefits of DMARC:

“A DMARC policy thwarts cyber-criminals who hack into user accounts and then scrape the address books; they then use a different server to spoof messages from the hacked user to his or her own contacts. They do this for spam and fraud purposes, for phishing and to spread malware. DMARC combats this by allowing a sender to indicate that its emails are protected, and authenticates that messages are coming from the domain that they purport to be coming from. In practice, it means that it will be more difficult for nation-state actors or fraudsters to impersonate federal employees.

HTTPS meanwhile provides encrypted communications between a user and a server, preventing communications from being intercepted or eavesdropped upon.”

CNN reported that the U.S. government is making federal communications more secure through this DHS move:

“A few agencies already enable DMARC, including the Federal Trade Commission and Social Security Administration.

Last summer an "email prankster" sent a number of fake emails to White House officials purporting to be from Jared Kushner, senior adviser to the president. The new email security won't prevent those types of emails — anyone can make a fake Gmail or Outlook account — but it prevents someone from sending an email looking like it came from an official White House email address.

The DHS also hopes that the move will compel businesses and organizations to adopt stronger email security. According to a report from the Global Cyber Alliance, even top security firms don't implement the DMARC protocol. But it is supported by 85% of consumer inboxes, including Google and Yahoo which use it to protect users from fraudulent emails.”

What About DMARC Use in State and Local Governments?

So with the federal government now making the move to enforce these DMARC and HTTPS, should state and local governments do the same?

Many private-sector technology providers as well as Fortune 500 companies already use these technologies, such as Google, which is putting all of its top-level domains (TLDs) on their forced HTTPS list.

“As part of its push for wider adoption of HTTPS, Google has now starting to enable HTTP Strict Transport Security (HSTS) for a "large number" of its TLDs.

The HSTS policy ensures that web browsers only use an HTTPS encrypted connection to sites that support HTTPS. All major browsers switch to, for example, https://gmail.com even if the user types in the http address. HSTS aims to prevent downgrade attacks, such as POODLE, which weaken or strip out encryption. …”

Some state governments are already adopting DMARC for the same reasons that the federal government is making this move. SC Magazine reported this week that New York is adopting DMARC.

“New York State CISO Deborah Snyder said the state is adopting DMARC as well, making it a policy at the state level. Employing the protocol can make it easier for New York ‘to get understanding of where threats are coming from.’”

I think this is the right move by New York, and I urge other states (and local governments and private-sector companies) to follow this DHS example and take the same steps that DHS is mandating for federal agencies.

No, adding DMARC will not solve all phishing problems, but it will certainly improve your situation. And yes, you still need good cyber training and other protections to stop online scams.  

Let me be clear: This is NOT currently a mandate for state and local governments at this time, but it will eventually become the defacto-standard to do business with the federal government soon. I expect that most governments will move in this direction within the next few years. However, planning for this implementation should begin immediately.

Final Thoughts

My main advice for state and local government IT leaders is this: Why not implement DMARC and HTTPS now — just as the federal government is mandating? The security benefits are immense, and these steps will likely become marks of legal “due diligence” in the near future.

For non-technical leaders reading this article, I have a few recommendations. First, make sure that implementations of these security features are mandatory and apply across all of your email systems and domains. Second, it takes time to plan and implement the plan that DHS has mandated, so allow your team enough time to get these technologies in place — just as the feds are doing.

Finally, take policy action now with a timeline. This is a great move by DHS. This is also a (fairly rare) moment when practical steps are being taken by DHS in a federal governmentwide manner to improve cybersecurity. Don’t miss this opportunity to do the same within your enterprise.

Bottom line: My advice is to get DMARC and HTTPS-only website access (with HSTS), as described in the DHS memo, implemented within your state or local government or private sector company — and soon.

You’ll be glad you did.