Email is the front door for more than 90 percent of all successful cyber attacks, and the days of misspelled words or offers from Nigerian bankers are giving way to more sophisticated phishing attempts that carry ransomware and zero-day malware.
The theft of the records of 21.5 million current and former federal officials from the Office of Personnel Management happened through email. The IRS annually alerts the public about email scams. And with the recent hurricanes impacting several states and territories, agencies are telling the public to be on the lookout for con artists.
These are just a few examples from the ever-growing body of evidence that led the Homeland Security Department to issue its sixth Binding Operational Directive today, the second in just over a month, requiring agencies to apply email and website security protocols over the next four months.
DHS is giving agencies 30 days to come up with a plan to implement the Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol and the STARTTLS protocol, which signals to a sending mail server that the capability to encrypt an email in transit is present.
Then agencies will have 90 days to implement the initial capability of DMARC on all second-level agency domains, and ensure all Internet-facing mail servers offer STARTTLS.
“What I really like about DMARC is it’s not complicated. Cybersecurity can be a very daunting discipline to take on, and it’s important to take discrete, tangible steps that will have very scalable broad impact across the global ecosystem,” said Jeanette Manfra, the assistant secretary in the DHS Office of Cybersecurity and Communications, at the Global Security Alliance event in New York City today. “Both the government and our citizens that depend upon interaction with the government deserve a trusted relationship.”
The use of DMARC and STARTTLS is a big step toward creating that trusted relationship because it acts as a “watermark” on the sender’s email.
Manfra said both the sender and receiver must authenticate the email through DMARC and two underlying protocols called Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM).
“The policies that the mail provider has in place will determine what happens to the email. DMARC does not block email, but if the authentication match doesn’t happen it will flag it, and the policy will quarantine or reject it,” she said.
More and more Internet service providers are using DMARC. The Global Security Alliance says more than 4.8 billion inboxes—76 percent worldwide—use DMARC today, which is up from 2.7 billion inboxes in 2015.
Once the government implements the protocol, agencies will be able to complete authentication with members of the general public who use Google’s Gmail or Yahoo’s email service, or any number of private sector providers.
The directive comes after Sen. Ron Wyden (D-Ore.) wrote a letter to DHS asking it to issue a BOD requiring the use of DMARC.
In addition to DMARC, DHS is requiring agencies to complete the implementation of the web security standards HTTPS (HTTP Secure) and HTTP Strict Transport Security (HSTS).
“Federal agencies must make more progress on HTTPS and HSTS deployment, including by removing support for known-weak cryptographic protocols and ciphers,” DHS stated in the BOD. “According to DHS’s Cyber Hygiene scanning data, 7 of the 10 most common vulnerabilities seen across federal agency networks at the issuance of this directive would be addressed through complying with the required actions in this directive related to Web security.”
DHS gave agencies 120 days to fully implement HTTPS and HSTS.
The Office of Management and Budget in June 2015 gave agencies until December 2016 to implement HTTPS. The latest data from Sept. 28 on the CIO Council website shows 78 percent of all websites use HTTPS and STARTTLS.
“This is to ensure that anyone engaging with the federal government via a federal website or web services is able to have a more secure connection,” Manfra said.
Manfra said the move to DMARC also shouldn’t surprise agency chief information officers or chief information security officers.
DHS started working with some agencies to use DMARC earlier this spring, but wanted to use the power of the directive to push the use of the protocol along more quickly.