Sen. Ron Wyden has asked the Department of Homeland Security how it is turning the implementation of an important email security protocol at federal civilian agencies into “actionable cyber intelligence” to guard against hackers.
In a Aug. 2 letter, Wyden, D-Ore., asks the department how it is analyzing reports that civilian agencies are required to send DHS about attempts by hackers and spammers to spoof federal email accounts. The senator also wants to know if there are agencies that aren’t sending those reports.
“[R]equiring agencies to transmit email impersonation threat data to DHS is only the first step,” states Wyden’s letter to Chris Krebs, DHS’s undersecretary of the National Protection and Programs Directorate. “DHS must then collate and analyze those reports in order to understand the scope of the threat and to determine how best to protect federal agencies from impersonation.”
The anti-phishing email protocol, known as Domain-based Message, Authentication, Reporting and Conformance (DMARC), requires a public record for checking whether an email sender is authorized to transmit a message on behalf of a domain. It is an industry standard and experts consider it an effective way to repel the unrelenting wave of phishing attempts that the federal government faces every day.
A DHS directive gave civilian agencies until mid-January to adopt the minimum level of DMARC. While some agencies struggled to meet that deadline, a recent study shows they are catching up and on track to meet an October deadline for implementing the highest form of DMARC, which completely blocks spoofed emails from being sent.
The DHS policy also required agencies to automatically send the department reports on fraudulent emails. That reporting gave DHS “an unparalleled, government-wide perspective on efforts by malicious actors to impersonate federal agencies,” Wyden wrote.
The Oregon senator wants to know if the reports have helped agencies implement that top DMARC measure to reject emails. He also asks Krebs if the department is sharing DMARC analytics with state, local, tribal, and territorial governments.
Wyden requests a response by Aug. 31.