Skip to main content

News

  • AddRemove
Media Coverage

US Agencies Sprint to Implement DMARC Ahead of Jan. 15 Deadline

5 January 2018
Legaltech News

U.S. government agencies are scrambling to implement Domain-based Message Authentication, Reporting, and Conformance (DMARC), a security protocol that can authenticate or reject the identity of email senders, ahead of a Jan. 15 deadline. The effort is part of a Department of Homeland Security (DHS) mandate issued last October requiring agencies using a .gov domain address to adopt two security protocols for web and email traffic.

The DMARC protocol is a way to cut down on email “spoofing,” where malicious users cloak their phishing attacks in an email address made to look like it’s from known or authorized server.

Spoofing, a common type of phishing attack, is of particular concern for government agencies. Marcus Christian, partner at Mayer Brown, explained that spoofing attacks using .gov domain names can often convince recipients to divulge personal information because of the sense of authority invoked by government association.

“For many people who receive emails from people who look like they’re coming from government agencies, there’s a certain official nature it takes on, so people let their guard down,” he said.

DHS issued its binding following a request from Sen. Ron Wyden, D-Oregon, last July citing an increase in phishing attacks impersonating government agencies and the success of governmentwide DMARC implementation in the U.K.

Agencies have been working overtime to implement the protocol. Phishing security company Agari on Tuesday released a report noting that DMARC adoption among government agencies grew 13 percent between November and December last year.

Even so, government agencies and established security protocols aren’t exactly a step ahead of cyberattackers. Last December, a German security researcher identified a set of vulnerabilities in email client applications that allows users to bypass anti-spoofing security protocols like DMARC.

Even without these vulnerabilities, DMARC is not a fail-safe method of ensuring hackers aren’t imitating government agencies in phishing attacks. Christian explained that the protocol certainly helps email servers recognize when they’re receiving falsified messages, but certainly not all. “Those emails would be caught more often. It’s a way to screen out some of those emails,” he said.

“When one is looking at this, one should think this is a step forward, but it’s not a panacea,” Christian said. “I think of this as one more approach to trying to combat cybercrime. In the broader scheme, it takes vigilance and persistence,” he later added.

Although government agencies routinely find themselves playing catch-up to the private sector in technology adoption, DMARC is one arena where they seem to be leading the way. Though many in the private sector use other security measures to avoiding phishing and spoofing attacks, a Federal Trade Commission Office of Technology Research and Investigation (OTech) study released last March found that only one-third use DMARC, and only 10 percent use it to its most secure setting (rejecting unauthenticated emails).

Christian noted, however, that government agencies should continue to look ahead to other safety measures they might be able to take against cybercriminals. “This DMARC approach, this isn’t something that was invented last week or last year; this is something that’s been around for more than a decade. As we come up with new approaches, it’s important not only think about this thing but the next thing. The criminals are always thinking of ways to circumvent defenses,” he said.

*****

Reprinted with permission from the January 5, 2018 edition of The American Lawyer © 2018 ALM Properties, Inc. All rights reserved. Further duplication without permission is prohibited.

The Build a Report feature requires the use of cookies to function properly. Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently. If you do not accept cookies, this function will not work. For more information please see our Privacy Policy

You have no pages selected. Please select pages to email then resubmit.