A senator who's been pushing US government agencies to adopt better cybersecurity hygiene is calling out the Department of Homeland Security for not using a standard technology that would protect people who receive emails from DHS from fraud, spam, and phishing attempts.
The technology in question is known as DMARC (Domain-based Message Authentication, Reporting and Conformance) and essentially allows recipients to automatically verify the identity of the sender. In other words, DMARC protects against spoofed emails. DHS does not currently use DMARC, according to an online testing tool.
Sen. Ron Wyden (D-Oregon) sent DHS a letter on Tuesday asking the agency to take "immediate steps to ensure hackers cannot send emails that impersonate federal agencies," by implementing DMARC and pushing other agencies to do the same.
"This country faces serious cybersecurity threats, which some in the government use to justify increased surveillance," Wyden told Motherboard in an emailed statement. "This anti-phishing technology is a no-brainer that increases cybersecurity without sacrificing liberty. I strongly believe that the government should be doing everything it can to adopt common sense cybersecurity technologies like DMARC, and encouraging the private sector to do the same."
Wyden is asking DHS to scan all federal agencies' systems to determine whether they use DMARC, to set up a system to receive automatic DMARC reports from agencies, and to force other agencies to enable DMARC. In 2016, the UK forced government agencies to use DMARC, a move that blocked 300 million phishing emails purporting to come from British tax authorities.
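The check an online DMARC testing tool performs, and the scan Wyden is asking DHS to run across agencies, comes down to reading a domain's DMARC DNS record and grading its policy. The following is an added example, not code from Motherboard, DHS or any tool named in the article; it works offline on constructed sample records (a live check would fetch the TXT record published at `_dmarc.<domain>`, which these strings stand in for).

```python
# Constructed sample records for offline use (not real DHS or agency records).
SAMPLE_RECORDS = {
    "no-record.example": None,
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=25",
    "strict.example": "v=DMARC1; p=reject; sp=reject; rua=mailto:agg@strict.example",
}

def parse_dmarc(record):
    """Split a 'tag=value; tag=value' TXT record (the string a checking tool
    fetches from _dmarc.<domain>) into a dict; None if it is not DMARC."""
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            return None  # malformed tag, e.g. 'p' with no '=value'
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags

def assess(record):
    """Grade a record by what a receiving server does with a spoofed message.
    Returns (status, notes); status is missing, invalid, monitor or enforcing."""
    tags = parse_dmarc(record)
    if tags is None:
        return "missing", ["no DMARC record: spoofed mail is accepted unchallenged"]
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", [f"missing or unknown policy p={policy!r}"]
    notes = []
    pct = int(tags.get("pct", "100"))  # share of failing mail the policy covers
    if policy == "none":
        status = "monitor"
        notes.append("p=none only reports; spoofed mail is still delivered")
    else:
        status = "enforcing"
        if pct < 100:
            notes.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        notes.append("no rua= address: aggregate reports are not collected")
    return status, notes
```

Running `assess` over each entry in `SAMPLE_RECORDS` shows the spread the senator's scan would surface: a domain with no record, one only monitoring, one enforcing on a fraction of mail, and one fully enforcing with reports collected.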
The DHS did not immediately respond to a request for comment.
Oren Falkowitz, the co-founder of security company Area 1 and an ex-NSA hacker, said that in this day and age DMARC is considered basic cybersecurity hygiene.
"It's like if you were looking at a database and it didn't have a password," Falkowitz told Motherboard in a phone interview.
Chris Eng, vice president of research at security firm Veracode, noted that the DHS is outsourcing to Microsoft some of its email infrastructure, such as its mail exchange or MX.
"They are outsourcing a lot of the email security hygiene to Microsoft, which is not a bad thing," Eng said in an email.
Wyden has recently focused his efforts on pushing for the adoption of better cybersecurity standards across the US government. Earlier this year, Wyden asked the Pentagon's IT department why it wasn't using encryption for its emails. Three months later, the Defense Information Systems Agency, or DISA, the Pentagon's branch that oversees email, promised to change that within the next year.