The U.K. has seen a marked drop in phishing email purportedly coming from its tax agency after adopting DMARC.
The U.K. has seen a marked drop in phishing email purportedly coming from its tax agency after adopting DMARC.

Sen. Ron Wyden, D-Ore., Tuesday urged the deputy undersecretary of cybersecurity at the Department of Homeland Security (DHS) to mandate federal agencies adopt the Domain-based Message Authentication, Reporting & Conformance (DMARC) standard to prevent hackers from sending emails that impersonate federal agencies.

The standard, which is not yet widely adopted by the federal government, including DHS, “would make it significantly harder for fraudsters and foreign governments to impersonate” agencies, Wyden wrote in a letter to Jeanette Manfra.

"The FBI reports that impersonation attacks are rising in frequency and cost the U.S. billions each year,” ValiMail CEO Alexander García-Tobar said in comments to SC Media. “It's time for all U.S. commercial and government organizations to do their part and lock down their domains, enforce industry standards like DMARC, and prevent their own brands from being used to attack anyone on the Internet, including employees, customers, partners and innocent bystanders."

Noting the clear threat to the U.S. by emails supposedly coming from .gov domains, Wyden said that the National Institute of Standards & Technology (NIST) and the Federal Trade Commission (FTC) “strongly recommend” the standard, which has been configured “in the most strict ‘reject' mode” by the Social Security Administration, the FTC and the Federal Deposit Insurance Corporation (FDIC) “so that email service providers can automatically reject phishing emails impersonating their agency.”

Wyden pointed to the impact government-wide DMARC adoption in the U.K. where it has led to a reduction in “phishing email purporting to come from” the country's tax agency “by a staggering 300 million messages in one year.” The U.K's National Cyber Security Centre (NCSC), he said, “also created a central system to receive and process DMARC reports from all government agencies,” which gives it “cross-government visibility into efforts by adversaries to impersonate any of the more than 100 U.K. government domains currently feeding reports into the system.”

The senator laid out three steps that DHS should take immediately to adopt DMARC – adding the standard to its efforts to scan agency systems for vulnerabilities under its Cyber Hygiene program, partner with the General Services Administration (GSA) to create a central system similar to the NCSC's and through a Binding Operational Directive require “executive branch agencies to enable DMARC with a reject or quarantine policy.” He also directed DHS to mandate that agencies send their DMARC reports to the centralized reporting system so the agency can have visibility into efforts to impersonate them.

“DMARC is a proven tool that can protect U.S. citizens and government agencies,” stressed Phil Reitinger, president and CEO of the Global Cyber Alliance. “Sen. Wyden is absolutely correct that DMARC should be implemented by federal agencies. Cybersecurity is vital to the national security of the U.S. and DMARC is a necessary front-line defense that should be implemented by public- and private-sector organizations.  I believe leaders in the U.S. government understand this and are working toward that goal.”