A senator who’s been pushing US government agencies to adopt better cybersecurity hygiene is calling out the Department of Homeland Security for not using a standard technology that would protect people who receive emails from DHS from fraud, spam, and phishing attempts.
The technology in question is known as DMARC (Domain-based Message Authentication, Reporting and Conformance) and essentially allows recipients to automatically verify the identity of the sender. In other words, DMARC protects against spoofed emails. DHS does not currently use DMARC, according to an online testing tool.
Sen. Ron Wyden (D-Oregon) sent DHS a letter on Tuesday asking the agency to take “immediate steps to ensure hackers cannot send emails that impersonate federal agencies,” by implementing DMARC and pushing other agencies to do the same.
“This country faces serious cybersecurity threats, which some in the government use to justify increased surveillance,” Wyden told Motherboard in an emailed statement. “This anti-phishing technology is a no-brainer that increases cybersecurity without sacrificing liberty. I strongly believe that the government should be doing everything it can to adopt common sense cybersecurity technologies like DMARC, and encouraging the private sector to do the same.”
Wyden is asking DHS to scan all federal agencies’ systems to determine whether they use DMARC, to set up a system to receive automatic DMARC reports from agencies, and to force other agencies to enable DMARC. In 2016, the UK forced government agencies to use DMARC, a move that blocked 300 million phishing emails purporting to come from British tax authorities.
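As an added illustration (not taken from Wyden's letter, DHS, or this article's sources), the Python below shows the kind of check such a scan performs on the DMARC policy a domain publishes as a DNS TXT record at `_dmarc.<domain>`, including whether it names an address for the automatic reports. The domain names and records are constructed samples, and the status labels are this example's own.

```python
# Added example: offline audit of DMARC TXT records (tag syntax per RFC 7489).
# SAMPLE_TXT is constructed data standing in for the TXT answers at _dmarc.<domain>.
SAMPLE_TXT = {
    "agency-a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example"],
    "agency-b.example": ["v=DMARC1; p=none"],
    "agency-c.example": ["v=spf1 -all"],  # a TXT record, but not a DMARC one
    "agency-d.example": ["v=DMARC1; p=quarantine; pct=50; rua=mailto:r@agency-d.example"],
    "agency-e.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],  # two records
}

def parse_dmarc(txt):
    """Return the tag dict of a DMARC record, or None if txt is not one."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    pairs = [tuple(s.strip() for s in p.partition("=")[::2]) for p in parts]
    # The version tag must come first and must read exactly v=DMARC1.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        return None
    tags = {}
    for name, value in pairs:
        tags.setdefault(name, value)  # keep the first occurrence of each tag
    return tags

def audit(records):
    """Classify one domain as (status, sends_aggregate_reports)."""
    found = [t for t in map(parse_dmarc, records) if t is not None]
    if not found:
        return ("missing", False)
    if len(found) > 1:
        return ("invalid", False)  # several DMARC records: receivers apply none
    tags = found[0]
    policy = tags.get("p", "").lower()
    pct = tags.get("pct", "100")
    # Simplification in this example: a missing or unknown p counts as invalid.
    if policy not in ("none", "quarantine", "reject") or not pct.isdigit() or int(pct) > 100:
        return ("invalid", False)
    reports = tags.get("rua", "").lower().startswith("mailto:")
    if policy == "none":
        return ("monitor-only", reports)  # spoofed mail is reported, not blocked
    return ("enforced" if int(pct) == 100 else "partial", reports)

def scan(txt_by_domain):
    """Audit every domain in a {domain: [txt, ...]} mapping."""
    return {domain: audit(records) for domain, records in txt_by_domain.items()}

if __name__ == "__main__":
    for domain, (status, reports) in scan(SAMPLE_TXT).items():
        print(f"{domain:20} {status:13} aggregate reports: {reports}")
```

Only a `quarantine` or `reject` policy applied to all mail tells receivers to act on spoofed messages; a domain with `p=none` publishes DMARC but still lets forged mail through.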
The DHS did not immediately respond to a request for comment.