DoD Shoring Up Website and Email Defenses

The Department of Defense is getting on board with some critical website and email protections that have been mandated across civilian Federal government agencies, even if it is lagging somewhat behind other departments in applying encryption and anti-phishing measures.

DoD is implementing steps such as using the HTTPS (Hypertext Transport Protocol Secure) protocol on public-facing websites and the Domain-based Message Authentication, Reporting and Conformance (DMARC) anti-phishing protocol for email. HTTPS helps ensure private interactions with websites; DMARC helps avoid phishing emails by confirming the authenticity of the sender.

DoD CIO Dana Deasy outlined the agency’s steps in a July 20 letter to Sen. Ron Wyden, D-Ore., who in May had written to Deasy, then newly installed as CIO, urging that DoD adopt the cybersecurity best practices being mandated for the rest of the Federal government.

“The Department has already been working for several years on the web and email security measures identified in the inquiry,” Deasy wrote, saying that DOD plans to have all but one of the cybersecurity measures fully in place by Dec. 31.

Like DoD, the Federal government overall has been working to add some online protections that have proven to be effective in both the private and public sectors. In 2015, the Office of Management and Budget issued a directive—memo M-15-13—requiring that all publicly accessible Federal websites and web services provide a secure connection by using HTTPS. Recognizable at the start of a URL, HTTPS verifies the identity of a website or web service, and encrypts nearly all interactions with a website, ensuring privacy and data integrity, and protecting users against the eavesdropping, information theft, and tracking that can more easily take place with the basic HTTP protocol.

DHS upped the ante in October 2017 with Binding Operational Directive (BOD) 18-01, calling for agencies to also use HTTP Strict Transport Security (HSTS), which ensures that browsers always use HTTP connections, and prevents users from clicking through security certificate-related warnings. According to Deasy’s letter to Wyden, HSTS is the one measure DoD doesn’t expect to complete by Dec. 31; Deasy said a plan for rolling out HSTS will be released at a later date.

For email, the directive called for applying DMARC and STARTTLS, which makes an unsecure connection into a secure connection using Secure Sockets Layer and Transport Layer Security (SSL/TLS). DMARC enhances Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), which “watermark” emails, and together can confirm an email’s origin. Several industry heavyweights, such as Facebook, Google, Microsoft, and PayPal have reported steep reductions in fraud and phishing since installing DMARC.

Although the Department of Homeland Security’s directive states that it doesn’t apply to designated national security systems, or certain systems operated by DoD or the intelligence community, DoD has decided to adopt those cybersecurity best practices. But like the rest of the Federal government, progress has been gradual.

As of Aug. 1, 66 percent of Federal web services (including those in DoD) were compliant with M-15-13 and BOD 18-01, according to the General Services Administration’s Pulse website, despite an original Dec. 31, 2016 deadline. For DoD—which isn’t officially answerable to DHS and the Office of Management and Budget—compliance for both directives was only at 3 percent, although the department was at 54 percent in enforcing use of HTTPS. With HSTS, which Deasy acknowledged would be bringing up the rear, compliance was at 4 percent.

For DMARC specifically, a first-quarter study by ValiMail found that 68 percent of Federal agencies had complied, which may have been short of the Jan. 15, 2018 target for full compliance, but it was still better than the pace set by other sectors, including tech, banking, and healthcare.

Recent