Federal Researchers Developing New Spoof-Proof Email Security System

About a month after the Office of Personnel Management notified employees about a recent hack, the federal government is ramping up research and development of secure email systems. 

The National Institute of Standards and Technology is designing a “security platform” to authenticate mail servers using crytographic keys. The platform would let individual users encrypt emails.

The system aims to “provide Internet users confidence that entities to which they believe they are connecting are the entities to which they are actually connecting," according to a NIST draft report on the topic. A subpar system, the draft said, could result in "unauthorized parties being able to read or modify supposedly secure information, or to use email as a vector for inserting malware into the system," among other consequences. The draft report is open for comment until Aug. 14, 2015. 

NIST soon plans to issue Federal Register notices to vendors developing individual parts of the end-to-end system, Curt Barker, a NIST adviser, told Nextgov. 

Though he declined to share the names of specific companies, he said NIST has identified vendors for the "office automation environment," and "server-based electronic mail security products," among other components. Barker said he hopes those notices are issued in the next couple weeks, so NIST and the vendors can start collaborating on a system that can be demonstrated to federal agencies and to private sector organizations. 

Those vendors will be asked to participate in a "collaborative relationship" with NIST, without being directly compensated, he said. 

The group is "taking commercial, 'off the shelf' components and composing solutions using those components so that we can demonstrate to the potential users and . . . cybersecurity technology providers, 'Yes, this is practical and scalable,'" Barker said. 

Though many of the components of this new email security system are on the market individually today, "it really hasn’t been composed into a demonstrable and scalable product at this stage," according to Barker. 

The goal of the project, he said, is to build an email encryption system and then demonstrate to users that "they can integrate the security platform into an existing system," even if they plan to get the components from other vendors. 

And though NIST has been working on this project for about a year, Barker said, recent reports of federal data breaches have "upped the sense of urgency on a couple of our projects."

(Image via runLenarun/ Shutterstock.com)