DHS Demands That Federal Agencies Start Using Email Security Protocols

In an attempt to make email more secure, the U.S. Department of Homeland Security just announced it will now require federal agencies to adhere to two security protocols: DMARC and STARTTLS. These measures should make it harder for hackers to intercept emails or impersonate government officials via email.

In particular, DMARC—which stands for Domain-based Message Authentication, Reporting and Conformance—can detect spoofed emails and stop them from being sent when it’s clear someone is trying to impersonate a federal agency. The point of DMARC is to make it harder for hackers to implement email phishing scams, because they can now only use unprotected domain names.

On the other hand, STARTTLS is an encryption protocol that protects email as it travels from one server to another, making it harder for hackers to intercept it. Together, STARTTLS and DMARC can help reduce the odds of individuals getting emails that look like they were legitimately sent from the White House—but were really sent by hackers who are phishing through email.

Government agencies are required to start using these two email protocols within 90 days. However, some private companies have been using them for years. For example, Uber, Apple, Facebook, LinkedIn, and Amazon already use DMARC.

So it’s kind of surprising that use of these security protocols is just now required of government agencies. In fact, less than 10 percent of federal domains use DMARC, with the Social Security Administration and the Federal Trade Commission being two of them. Even the agency in charge of the Pentagon’s email just recently began using STARTTLS a few months ago.

The small number of federal agencies using the right email security protocols was worrisome enough that one Democratic Senator—Ron Wyden—sent a letter to the Department of Homeland Security. In the letter, he asked the government to require federal agencies to start using DMARC so they could avoid allowing phishing scams to continue unchecked. He pointed out that the technology does exist, yet it’s mostly private companies using it, not federal agencies.

Considering the fact that the IRS alone saw a 400 percent increase in cyber criminals impersonating the agency in an attempt to get money from email recipients, the required use of better email security protocols is long overdue. Hopefully the directive will help reduce the number of phishing emails that hackers have been sending to people over the years while pretending to be government agencies.

Photo Credit: HaticiSosyal Flickr via Compfight cc

SaveSave

Author
Recent Posts

Shelly Kramer

Shelly Kramer is a Principal Analyst and Founding Partner at Futurum Research. A serial entrepreneur with a technology centric focus, she has worked alongside some of the world’s largest brands to embrace disruption and spur innovation, understand and address the realities of the connected customer, and help navigate the process of digital transformation. She brings 20 years' experience as a brand strategist to her work at Futurum, and has deep experience helping global companies with marketing challenges, GTM strategies, messaging development, and driving strategy and digital transformation for B2B brands across multiple verticals. Shelly's coverage areas include Collaboration/CX/SaaS, platforms, ESG, and Cybersecurity, as well as topics and trends related to the Future of Work, the transformation of the workplace and how people and technology are driving that transformation. A transplanted New Yorker, she has learned to love life in the Midwest, and has firsthand experience that some of the most innovative minds and most successful companies in the world also happen to live in “flyover country.”