Even without full compliance, DHS happy with email hygiene mandate

Despite reports from researchers criticizing the rate at which the government is adopting domain and email security protocols, the government is happy with agencies' progress.

At a Jan. 16 event, a Department of Homeland Security official said the department was encouraged by how many federal agencies have complied with a directive to start implementing Domain-based Message authentication, Reporting and Conformance (DMARC) protocols, which allow for improved detection and management of spoofed emails. 

Last year, DHS issued binding operational directive 18-01, instituting a series of deadlines for federal agencies to implement new email and website security standards. By Jan. 1, 90 days after the order was issued, agencies are expected to have configured all second-level domains with DMARC records and set those policies to "monitor," meaning they will take no action on suspicious emails that do not have a valid Sender Policy Framework or DomainKeys Identified Mail signal.

Jeanette Manfra, assistant secretary for cybersecurity and communications at the Department of Homeland Security, said binding operational directives are "a relatively new authority" and acknowledged that DHS is still learning how to enforce compliance.

It says [BOD's are] binding. I'm not exactly sure what sort of enforcement mechanism I have in place to make it binding," said Manfra, adding "We don't have the authority to slap some fine on, and we're not going to kick some federal agency off the Internet."

Cybersecurity firm Agari recently released a pair of surveys on how federal agencies were meeting adoption timelines for BOD-18-01. The first of those deadlines, Jan. 15, mandated that all federal domains start deploying early stages of DMARC protection and set the stage for more stringent email authentication requirements for the next deadline, set for October 2018.

Just 63 percent of domains reported meeting this deadline, but Agari notes that number still represents a huge leap from the 18 percent who reported the same when the BOD was initially rolled out. Another firm, Proofpoint, released research that found a lower federal DMARC compliance rate of 47.1 percent at the Jan. 15 deadline. It also found that 15 percent of domains have already met requirements for the October 2018 deadline. (Both Agari and Proofpoint offer DMARC-related contracting services to the federal government.)

Manfra said that just "shining a light" of these vulnerabilities can lead to significant improvements in federal cybersecurity, even if they do not achieve 100 percent compliance. She also said DHS expected to see 90 percent compliance with the Jan. 15 mandate by the end of January and 96 percent compliance with the second timeline by October 2018.

Agari founder Pat Peterson said the modern Internet architecture was built in the 1980s without authentication or security measures because the concept of a nation state-directed cyberattack was unheard of at the time.

"There's not a single Internet citizen who doesn't use email every day, and so they did a good job in terms of creating a functional medium," said Peterson. "But guess what?...There was not threat model in 1982 for the nation-state attacker going after the United States federal government and trusting citizenry."

Manfra built on those thoughts in her keynote, saying the Internet and networks "are designed based off of interoperability and trust, and the adversary uses that against us."

The move to issue BOD 18-01 actually came out of a conversation DHS had with the private and non-profit entities like the Cyber Threat Alliance, who told Manfra and White House cybersecurity coordinator Rob Joyce that adoption of DMARC security protections was a relatively simple action that the federal government could take to dramatically reduce its threat profile. Its wide use in the private sector meant it was only a matter of federal agencies emphasizing the tool.