The Trump administration is now pushing federal agencies to finally adopt basic security protocols designed to protect government emails against spoofing and phishing attacks.
Photo: Department of Homeland Security
Reuters reported on Monday that a senior cybersecurity official at the Department of Homeland Security (DHS) has confirmed that the agency will issue a "binding directive" which requires the implementation of long overdue security measures. Within the next 90 days, civilian agencies will be required to adopt both DMARC and STARTTLS, two easy-to-implement technologies already widely used in the private sector.
STARTTLS is a basic encryption protocol designed to prevent the interception of email messages in transit, whereas DMARC is an email authentication system that combines two decade-old technologies (SPF and DKIM) designed to detect email spoofing and in turn minimise successful phishing attempts.
While the US intelligence community has already widely adopted such measures — which only happened after significant prodding — the fact that most government agencies have not has long been a point of admonition among security experts. The agency responsible for managing the Pentagon's email systems announced just this summer that it intended to adopt STARTTLS, which has been around for about 15 years.
But civilian agencies — such as the Departments of Education, Commerce, and Energy — had yet to make such an announcement. As the leading civilian cybersecurity authority, Homeland Security is charged with ensuring that federal agencies adhere to best security practices, and it is authorised to issue binding directives enforcing the new policies.
According to Reuters, the order to begin implementing STARTTLS and DMARC is expected to come down later today.
While the Trump administration will be widely praised for the decision, which comes on the heels of President Donald Trump declaring October to be "Cybersecurity Awareness Month," Senator Ron Wyden, Democrat of Oregon, deserves much of the credit.
Wyden wrote to DHS to push for DMARC adoption in July. Prior to that, he had publicly questioned the Department of Defence over why STARTTLS was not in use; the decision to adopt it followed shortly thereafter.
"I've been pushing federal agencies to take cybersecurity seriously, and today's new policy is a good, basic step," Wyden said in a statement. "STARTTLS encryption and anti-phishing technologies like DMARC are two cheap, effective ways to secure email from being intercepted or impersonated by bad guys.
Added Wyden: "It's my hope that other government agencies recognise the clear security benefits of strong encryption, and that private sector companies move quickly to upgrade their own email security."