For all the focus on GDPR, there is a U.S.-based security mandate that was scheduled to go into effect in January. To better protect federal agencies from cyberattacks, the Department of Homeland Security (DHS) required the implementation of Domain-based Message Authentication, Reporting and Conformance (DMARC) for email systems. As a CISCO blog post on the DMARC topic reported back in the fall:
DHS has officially recognized what we have known all along, email is the number one threat vector and federal agencies are at risk for phishing, business email compromise and ransomware. . . . . According to the 2017 Midyear Cisco Cybersecurity Report, $5.3 billion was stolen due to business email compromise fraud between October 2013 and December 2016, an average of $1.7 billion per year. Implementing an email security solution with DMARC can help mitigate this risk.
At the same time, agencies were also required to use HTTPS to promote encrypted communications.
So, January 2018 is in the books. How are these agencies doing in terms of meeting these fairly simple protocols?
According to Tara Seals at InfoSecurity, DMARC adoption surged coming up to the January 15 deadline, with a 38 percent increase in a 30-day period, based on research by Agari. Seals also wrote:
Agari research also shows the effectiveness of the DMARC security control across federal agencies. Of the billions of emails sent across the more than 400 federal government domains secured by Agari, 96 percent of the emails are protected by the strongest DMARC policy (p=reject), including those in the US Senate, Veterans Affairs, Health and Human Services and the US Post Office. All of these have seen attempted fraud send rates decrease to less than 2 percent in December.
However good the adoption rate was, more than half of federal agencies had not made the changes with less than two weeks to go. Easy Solution investigated more than 300 agencies in February to see where things stood after the mandate deadline. The results weren’t promising. More than 100 agencies have done nothing, and eight in 10 agencies overall did the bare minimum. The Easy Solution blog also reported this:
Surprisingly, and somewhat disconcertingly, some agencies that fall into the Economic and Health sectors shook out near the bottom of the pack. Most egregious is the fact that the Office of Personnel Management (OPM), which suffered a rather catastrophic breach in 2015 to the tune of 21.5 million stolen records failed to achieve even the bare minimum of p=none.
I know that asking government agencies to do something in 90 days may be pushing the envelope of expectations, but honestly, this is a pretty minor adoption – one that Congress had to push for before anything was done. No wonder it’s doubtful we’ll ever see GDPR-style regulations passed across the U.S.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba