We can likely all agree that governmental cyber security is an important issue. While the Attorney General has created a task force to deal with election hacking, there have been plenty of digital security fails in the past year. And the FCC doesn't seem to care too much about data privacy, either. Now, according to a report from security firm Global Cyber Alliance (GCA), more than 95 percent of the email domains managed by the Executive Office of the President (EOP) -- including WhiteHouse.gov -- could be used in a phishing attack due to lax security protocol. The top defense against email phishing and spoofing, says the report, is Domain-based Message Authentication, Reporting & Conformance (DMARC).
Homeland Security is ordering federal agencies to deploy basic web and email security features in an effort to boost cybersecurity across government. Up until now, Homeland Security had been pushing businesses and enterprise customers to enable HTTPS web encryption across the board, which helps secure data in transit and also ensures that nobody can alter the contents of the website you're visiting. The agency has also pushed DMARC, an email validation system used to verify the identity of an email sender, which helps to protect against inbound spoofed emails and phishing attacks. Now, Homeland Security has set its sights on government agencies, which have for years fallen behind. The agency has issued a binding operational directive, giving all federal agencies three months to roll out DMARC across their networks.
Last year, the UK blocked 80 million spoofed emails from entering government domains, thanks to wide deployment of the DMARC email authentication protocol. "That's how you stop people clicking on the link, because they never get the crap in the first place. Simple things done at scale can have a difference," said Dr Ian Levy, technical director of the UK's National Cyber Security Centre (NCSC) in October. At that time, 879 of the 3025 gov.uk domains, or around 29 percent, were protected by DMARC, he said. According to Stephen Gillies, who runs security advisory at Caret and Stick, DMARC's goal is "to bring some trust back to the From: field in email headers".
After suffering several security breaches over the past few years, the US government will finally require federal agencies to implement basic email security measures. According to Reuters, Homeland Security's deputy undersecretary for cybersecurity Jeanette Manfra has revealed at an event in New York that the agency will soon require other federal agencies to adopt DMARC and STARTTLS. DMARC helps detect and block spoofed emails to prevent impersonation of government officials. STARTTLS prevents emails from being intercepted en route to the recipient. Both are at least a decade old and have already been widely adopted by email providers like Google and Microsoft.