In a letter sent Tuesday to the Department of Homeland Security, Sen. Ron Wyden (D-OR) called on federal agencies to implement stricter email controls that would prevent hackers from impersonating the email addresses of federal agencies.
Wyden called for the use of an email protocol called Domain-based Message Authentication, Reporting and Conformance (DMARC). The protocol can be used to filter or block spoofed emails that use a real domain in the sender address but are actually sent by a third party such as an attacker.
“I write to ask you to take immediate steps to ensure that hackers cannot send emails that impersonate federal agencies,” Wyden wrote. “The threat posed by criminals and foreign governments impersonating U.S. government agencies is real.”
It’s estimated that only two percent of the government’s 1,300 domains, such as FTC.gov and FDIC.gov, use DMARC to block spoofed emails, according to Global Cyber Alliance, an organization that promotes DMARC as an industry standard.
DMARC wards off email spoofing, which is central to most phishing attacks. The premise behind DMARC is that the receiving mail server checks each message against both the DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) validation systems, and requires the domain that passed those checks to match the domain in the message’s From header. A message that satisfies the checks is passed through to the recipient; otherwise the policy published by the domain owner determines whether it is quarantined or blocked.
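The decision described above, as an added example that is not part of the article: a minimal Python model of DMARC evaluation. It assumes relaxed identifier alignment (the default in RFC 7489), a crude organizational-domain reduction instead of the Public Suffix List, and constructed records and domain names (`agency.example`, `attacker.example`). It shows the difference between a monitoring-only policy (`p=none`) and a blocking one (`p=reject`) for the same spoofed message.

```python
# Added example (not from the article): a minimal model of the DMARC decision.
# A message passes DMARC when SPF or DKIM passes AND the authenticated domain
# aligns with the RFC5322.From domain; otherwise the domain owner's published
# policy (p=) decides what the receiver does with it.

def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; rua=mailto:x' into tags."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags

def org_domain(domain: str) -> str:
    """Crude organizational-domain reduction (last two labels); real receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Relaxed alignment ('r') matches organizational domains; strict ('s') needs an exact match."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(record: str, from_domain: str,
                      spf_result: str, spf_domain: str,
                      dkim_result: str, dkim_domain: str) -> str:
    """Return 'pass', or the policy action ('none', 'quarantine', 'reject') for a failing message."""
    tags = parse_dmarc_record(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return tags["p"]  # p=none only reports; p=quarantine / p=reject actually stop spoofs

# Constructed records (hypothetical domains): monitoring-only versus blocking policy.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@agency.example"
BLOCKING = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@agency.example"

if __name__ == "__main__":
    # A spoof: SPF passed only for the attacker's own sending domain, no DKIM signature.
    for rec in (MONITOR_ONLY, BLOCKING):
        print(dmarc_disposition(rec, "agency.example", "pass", "attacker.example", "none", ""))
```

With `p=none` the spoof is delivered and merely reported, which is the "not deployed in a blocking capacity" situation the article describes; with `p=reject` the same message is refused.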
In 2016, the Internal Revenue Service reported a 400 percent increase in attempts by criminals to impersonate the agency through phishing, Wyden said. In the letter, Wyden cited a phishing campaign whose emails purported to come from the Defense Security Service, part of the U.S. Department of Defense.
“Most government agencies have not deployed DMARC in a blocking capacity,” said Philip Reitinger, president and CEO of Global Cyber Alliance. “The federal government is not alone. There is a lot of work to be done across government and industry.”
In his letter (PDF), Wyden notes that the British government recently implemented the DMARC protocol and has already seen it shore up its email security.
“Government-wide implementation of DMARC has had a huge impact in the United Kingdom. In 2016, the U.K. required all government agencies to enable DMARC. As a result, the U.K.’s tax agency has stated that it reduced the number of phishing emails purporting to come from that agency by a staggering 300 million messages in one year,” he wrote.
Wyden is calling for the DHS to add DMARC scanning of federal agency systems to its existing Cyber Hygiene program. He is also calling for the General Services Administration to create a central repository for DMARC reports across all government agencies, in order to shine a brighter light on who is attempting to impersonate U.S. government agencies.
Last year, Google adopted the DMARC protocol for its web-based email. The move followed similar initiatives from Yahoo and AOL; Yahoo moved its mail services to DMARC in November 2015.
Phishing remains a constant and viable threat, not only from cybercriminals interested in fraud and financial crime, but also in targeted attacks by criminal and nation-state attackers.