DHS issues binding directive to increase agency email security


DHS Assistant Secretary for Cybersecurity Jeanette Manfra, speaking at an event in New York, said the department would issue a binding directive requiring federal agencies to implement two email security measures, known as DMARC and STARTTLS, meant to guard against email spoofing and phishing attacks.

The Trump administration is now pushing federal agencies to finally adopt basic security protocols created to protect government emails against spoofing and phishing attacks. About half of the websites online use HTTPS, but about one-quarter of all federal government sites still don't.

Jeanette Manfra, the assistant secretary for DHS' Office of Cybersecurity and Communications, .

STARTTLS is an extension to the mail transfer protocol that lets two mail servers upgrade their connection to an encrypted one, so that messages cannot be read while in transit; it is opportunistic, so it protects a message only when both servers support it. DMARC is an email authentication policy that builds on two decade-old technologies, SPF and DKIM: it tells receiving servers to check that the domain in a message's visible From: header is authenticated by one of them, and what to do with messages that fail. That is designed to detect email spoofing and in turn reduce successful phishing attempts. In May, hackers reportedly used spoofed emails pretending to be from members of the Pentagon; DMARC can help prevent that kind of attack. As the leading civilian cybersecurity authority, Homeland Security is charged with ensuring that federal agencies adhere to best security practices, and it is authorized to issue binding directives enforcing the new policies.

While the Trump administration will be widely praised for the decision, which comes on the heels of President Donald Trump declaring October to be "Cybersecurity Awareness Month", Senator Ron Wyden, Democrat of Oregon, deserves much of the credit. He has also called on the government to require STARTTLS, which encrypts mail in transit between servers, for government email. The new requirements are "discrete steps that have scalable, broad impact" that will improve federal government cybersecurity, Manfra said.

How do you know if that email from the IRS is really from the federal agency? That is the question DMARC is meant to answer. STARTTLS addresses a different risk: it protects email traveling between servers, making it harder for a third party to intercept.

A few agencies already enable DMARC, including the Federal Trade Commission and Social Security Administration. With a DMARC policy published, an agency can instruct receiving mail servers to send messages that fail authentication to spam, or to reject them outright. The new email security won't stop every phishing email - anyone can make a fake Gmail or Outlook account and write whatever they like in it - but it prevents someone from sending an email that looks as if it came from an official White House email address. He said he hoped the decision would compel private sector companies to upgrade their own email security quickly. According to a report from the Global Cyber Alliance, even top security firms often don't implement the DMARC protocol.
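The DMARC check described above, and the quarantine-or-reject choice an agency makes in its policy, as an added example that is not from the article, DHS, or any agency: a minimal model of what a receiving mail server does when it combines SPF and DKIM results with the sending domain's published DMARC record. The domains (`agency.example`, `attacker.example`, and the others), the DNS records, and the messages are all constructed for illustration; the organizational-domain logic is simplified to the last two labels, where real receivers consult the Public Suffix List.

```python
# Added example (not from the article or DHS): a minimal model of how a
# receiving mail server evaluates DMARC, which combines SPF and DKIM
# results with the policy the sending domain publishes in DNS.
# All domains, DNS records and messages below are constructed for
# illustration; "agency.example" and "attacker.example" are hypothetical.
from dataclasses import dataclass

# Constructed stand-in for DNS: DMARC TXT records published at _dmarc.<domain>.
DNS_TXT = {
    "_dmarc.agency.example": "v=DMARC1; p=reject; rua=mailto:dmarc@agency.example",
    "_dmarc.monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
}


def parse_dmarc_record(txt):
    """Parse 'v=DMARC1; p=...; ...' into a dict of tags, filling alignment defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")  # relaxed alignment unless the record says strict
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain):
    """Simplification: keep the last two labels. Real receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


@dataclass
class AuthenticatedMessage:
    from_domain: str    # domain in the visible From: header, what the user sees
    spf_result: str     # "pass", "fail" or "none"
    spf_domain: str     # MAIL FROM (envelope) domain that SPF was checked against
    dkim_result: str    # "pass", "fail" or "none"
    dkim_domain: str    # d= tag of the DKIM-Signature that verified, or "" if none


def lookup_dmarc(from_domain):
    """Return the parsed DMARC record for the From: domain, falling back to its org domain."""
    for name in (from_domain, organizational_domain(from_domain)):
        txt = DNS_TXT.get(f"_dmarc.{name.lower()}")
        if txt:
            return parse_dmarc_record(txt)
    return None


def dmarc_disposition(msg):
    """Return 'pass', 'none', 'quarantine', 'reject', or 'no-policy'."""
    record = lookup_dmarc(msg.from_domain)
    if record is None:
        return "no-policy"   # domain publishes nothing, so the receiver takes no DMARC action
    spf_ok = msg.spf_result == "pass" and aligned(msg.from_domain, msg.spf_domain, record["aspf"])
    dkim_ok = msg.dkim_result == "pass" and aligned(msg.from_domain, msg.dkim_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return record["p"]   # "none" only reports; "quarantine" (spam) or "reject" acts on the message


# Constructed scenarios.
LEGIT = AuthenticatedMessage("agency.example", "pass", "agency.example", "pass", "agency.example")
# The attacker's own domain passes SPF, but it does not align with the spoofed From: domain.
SPOOF = AuthenticatedMessage("agency.example", "pass", "attacker.example", "none", "")
# The same spoof against a domain that only monitors: DMARC reports it but lets it through.
SPOOF_MONITOR = AuthenticatedMessage("monitor.example", "pass", "attacker.example", "none", "")
# Forwarded mail: SPF breaks on forwarding, but a surviving DKIM signature still passes.
FORWARDED = AuthenticatedMessage("agency.example", "fail", "forwarder.example", "pass", "agency.example")
# A domain with no DMARC record at all: nothing for the receiver to enforce.
UNPROTECTED = AuthenticatedMessage("nodmarc.example", "pass", "attacker.example", "none", "")

if __name__ == "__main__":
    for name, m in [("legit", LEGIT), ("spoof", SPOOF), ("spoof_monitor", SPOOF_MONITOR),
                    ("forwarded", FORWARDED), ("unprotected", UNPROTECTED)]:
        print(f"{name:14s} From: {m.from_domain:16s} -> {dmarc_disposition(m)}")
```

The spoof case is the one the directive targets: the attacker controls a domain that legitimately passes SPF, but because it does not align with the From: domain the user sees, a `p=reject` policy tells the receiver to drop the message. The same message against a domain at `p=none` is merely reported, which is why moving from monitoring to enforcement matters, and the forwarded case shows why publishing DKIM alongside SPF avoids rejecting legitimate mail.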

"Cybersecurity can be a complex and sometimes overwhelming area for people to think about", Manfra said.