“I write to ask you to take immediate steps to ensure that hackers cannot send emails that impersonate federal agencies,” states Ron Wyden, United States Senator and member of the Senate Select Committee on Intelligence, in a letter sent last Tuesday, July 18th, to the Department of Homeland Security. “The threat posed by criminals and foreign governments impersonating U.S. government agencies is real.”
While the years-long partisan gridlock Washington has experienced may be threatening US national security in the long run, there is nothing stopping individual legislators from urging federal agencies to adopt the right priorities. With cybersecurity threats proliferating and victimizing private businesses, non-profit organizations and government agencies of all stripes, responding to email threats is the most important step many can take to address the current threat environment. The numbers make the case: currently 91% of cyberattacks start with simple phishing emails, while email security spending is expected to make up less than 8% of security spending in 2017.
Thus, as part of his letter to DHS, Sen. Wyden encouraged all government agencies to adopt DMARC (Domain-based Message Authentication, Reporting and Conformance) to stop attackers from impersonating federal officials via email, primarily to siphon funds from US government agencies. It’s estimated that only 2 percent of the US government’s 1300 domains, like FTC.gov and FDIC.gov, currently use DMARC to block spoofed emails. DMARC adoption could present an important improvement for government cyber security.
DMARC Effective Against Imposter Emails
In 2016, the IRS reported a 400 percent increase in attempts by criminals to impersonate the agency through phishing, according to the Wyden letter. These attempts are similar in many respects to what is called Business Email Compromise (BEC), also known as CEO Fraud.
In these emails, imposters mask their identity by falsifying the "from" address, relying on the obscurity of their "reply-to" domains, or using other tactics to request immediate fund transfers under the apparent identity of high-authority individuals within the companies they target. According to reports, one unidentified US company lost nearly $100 million to a single attack like this, while the FBI reports that BEC is costing US businesses more than $2.3 billion per year.
The DMARC Standard
The DMARC standard was established by major internet companies like Yahoo, AOL, Comcast, Google, Microsoft, Bank of America and more, specifically to stop attacks like this, which were affecting mail senders and receivers alike as broad-based phishing scams targeted email users on a massive scale. However, DMARC has not spread as fast as the attacks it would stop, and both agencies and businesses that fail to implement it will continue to risk falling victim to attack. 75 percent of imposter emails spoof their reply-to address to fool victims, a tactic against which DMARC would most often block a message unless the sender organization has authorized the exception.
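To make concrete what DMARC actually checks against the spoofing described above (a falsified "from" address with an attacker-controlled reply-to), here is an added example of a minimal DMARC evaluator. It is not code from the original article or from any DMARC vendor; the record syntax and alignment rules follow RFC 7489, and every domain, mailbox and message below is constructed for the demonstration. One caveat worth keeping in mind: DMARC evaluates the domain in the visible From header against the domains that SPF and DKIM authenticated. A Reply-To pointing elsewhere is not itself inspected, so DMARC stops the message only when the From domain is spoofed and fails alignment.

```python
"""Added example (not from the original article): a minimal DMARC evaluator.

DMARC adds one check on top of SPF and DKIM: the domain in the RFC5322.From
header must *align* with the domain that SPF or DKIM actually authenticated,
and the domain owner's published policy (p=) tells a receiver what to do when
it does not. Record syntax and alignment rules follow RFC 7489; the sample
record, domains and messages are constructed for this demo.
"""
import re
from typing import Optional


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record ("v=DMARC1; p=reject; adkim=s; ...") into a
    dict, filling in RFC 7489 defaults for the tags this evaluator uses."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= tag")
    tags.setdefault("adkim", "r")  # DKIM alignment mode, relaxed by default
    tags.setdefault("aspf", "r")   # SPF alignment mode, relaxed by default
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated here as the last two labels.
    (Real receivers consult the Public Suffix List; this shortcut is for the demo.)"""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: strict ("s") requires an exact match, relaxed
    ("r") requires only the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(record: dict, from_domain: str,
                   spf_domain: Optional[str], spf_pass: bool,
                   dkim_domain: Optional[str], dkim_pass: bool) -> str:
    """Return the disposition a receiver applies: "pass" when at least one
    authenticated identifier aligns, otherwise the policy action from p=."""
    spf_ok = spf_pass and aligned(from_domain, spf_domain, record["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return record["p"]


def header_from_domain(raw_message: str) -> str:
    """Pull the domain out of the From: header of a raw message. This is the
    only identifier DMARC evaluates; Reply-To is deliberately ignored."""
    match = re.search(r"^From:.*?@([\w.-]+)", raw_message,
                      re.MULTILINE | re.IGNORECASE)
    if not match:
        raise ValueError("no From: header")
    return match.group(1)


# Constructed record for a hypothetical agency domain: reject on failure,
# relaxed alignment, aggregate reports to a placeholder mailbox.
AGENCY_RECORD = parse_dmarc_record(
    "v=DMARC1; p=reject; rua=mailto:dmarc-reports@agency.example")

# Constructed message 1: legitimate mail, DKIM-signed by the agency domain.
LEGIT = "From: Director <director@agency.example>\r\nSubject: Budget\r\n\r\nhi"
# Constructed message 2: spoofed From header plus an attacker reply-to. SPF
# passes only for the attacker's own envelope domain, which does not align.
SPOOFED = ("From: Director <director@agency.example>\r\n"
           "Reply-To: x@other.example\r\n\r\nwire funds")


def demo() -> dict:
    """Evaluate both constructed messages against the agency's policy."""
    return {
        "legit": evaluate_dmarc(
            AGENCY_RECORD, header_from_domain(LEGIT),
            spf_domain="mail.agency.example", spf_pass=True,
            dkim_domain="agency.example", dkim_pass=True),
        "spoofed": evaluate_dmarc(
            AGENCY_RECORD, header_from_domain(SPOOFED),
            spf_domain="other.example", spf_pass=True,
            dkim_domain=None, dkim_pass=False),
    }


if __name__ == "__main__":
    for name, disposition in demo().items():
        print(f"{name}: {disposition}")
```

The spoofed message passes SPF, which is exactly why SPF alone is not enough: the envelope sender is the attacker's own domain, so SPF is happy, but that domain does not align with the forged From header and the agency's p=reject policy tells the receiver to drop it. Changing the record to p=none shows the monitoring-only deployment many organizations stop at, where the same forgery is merely reported.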
Learn More About DMARC: Discover our DMARC Record Explainer and our Critique of DMARC
Why A Federal Agency DMARC Requirement Is a Good Thing
While legislators spend most of their time wrenching and wrestling over large pieces of legislation that can have massive effects on society but rarely, if ever, get passed, on occasion small requirements and subtle new laws can lead to a massive benefit for governments and their people. A requirement for every federal agency to implement a DMARC policy would certainly meet this standard.
The need for tangible legislation on this matter is ever more apparent when considering that though many US federal agencies like NIST, the FTC and others deploy DMARC, the Department of Homeland Security itself does not – a dangerous fact explicitly pointed out by Sen. Wyden’s letter. While a single senator’s letter may help create awareness, compelling an agency like DHS, with a total budget authority exceeding $65 billion annually, to adopt a standard like DMARC will in all likelihood require a legislative mandate.
The fact that Sen. Wyden, a senior member of the Senate Select Intelligence Committee with regular DHS contact, felt compelled to write an open letter pointing out the DHS’s lack of a DMARC policy should alone prove a significant black eye for the agency and its cybersecurity efforts. While this further proves that legislation may be required to compel federal agencies to properly implement DMARC, Sen. Wyden’s letter provides more fuel for the fire by pointing out that the United Kingdom’s tax agency reduced their purported phishing email volume by more than 300 million, solely through its implementation of DMARC in 2016.
While tax scams and business email compromise are a concern, the possibility of sensitive information being lost by DHS due to a preventable spoof is a critical matter of national security. Considering the US government’s efforts to prosecute activist leakers like Edward Snowden and Chelsea Manning, the absence of a comprehensive DMARC policy may prove to be the height of hypocrisy, and further dangerous fecklessness in responding to cybersecurity threats.