Sen. Ron Wyden, D-Ore., wants to understand what the Department of Homeland Security (DHS) has learned from Domain-based Message Authentication, Reporting, and Conformance (DMARC) reports about cyber criminals using email to impersonate Federal agencies.
In an August 2 letter to Christopher Krebs, under secretary, National Protection and Programs Directorate at DHS, Wyden asks how DHS is turning DMARC reports from Federal agencies into “actionable cyber intelligence” and poses a few follow-up questions for Krebs. He asked for answers by the end of the month.
Last October, DHS issued Binding Operational Directive (BOD) 18-01, which required civilian Federal agencies to implement cybersecurity best practices, including DMARC. DMARC is an email authentication protocol that verifies the authenticity of an email’s sender to prevent spoofing and phishing. These email exploits remain some of the most common attack vectors used by hackers targeting Federal systems, which prompted the DHS directive requiring agencies to adopt the protocol.
When used by the Federal government, DMARC prevents email spoofing by sending reports to DHS whenever a specious email that is spoofing a Federal agency is sent. Since January of this year, civilian agencies have been required to enable automatic DMARC reporting to DHS, meaning that DHS has, as Wyden describes in his letter, “an unparalleled government-wide perspective on efforts by malicious actors to impersonate Federal agencies.” On October 16 of this year, agencies will also be required to enable a more restrictive DMARC mode, which will cause emails impersonating civilian agencies to be automatically rejected by many large email providers, including Google and Yahoo.
While Wyden praised the work done so far on stopping spoofing, he noted that DMARC reports are only the first step. He stressed that the collected data must be properly analyzed so DHS can “understand the scope of the threat” and “determine how best to protect Federal agencies from impersonation.”
DHS has received DMARC reports for six months, prompting Wyden to ask what steps DHS has taken to analyze the data and turn it into actionable information. Wyden asks Krebs to respond to five questions by the end of August:
- “Which civilian agencies have yet to enable the automatic transmission of DMARC reports to DHS?
- How is DHS analyzing DMARC reports? Please describe any challenges, if any, the agency has encountered in analyzing this data.
- What actionable cyber intelligence has DHS distilled from these reports?
- How has DHS analysis enabled agencies to authenticate their email infrastructure and move towards a DMARC ‘reject’ policy, as they are required to do by October 16, 2018?
- Does DHS provide DMARC analytics capabilities to state, local, tribal, and territorial governments? If not, why not?”