Trump administration imposing new email security protocols for agencies

WASHINGTON (Reuters) - The Trump administration on Monday will order federal agencies to adopt common email security standards in an effort to better protect against hackers, a senior Department of Homeland Security official said.

Jeanette Manfra, Acting Deputy Undersecretary for Cybersecurity at the DHS, testifies about Russian interference in U.S. elections to the Senate Intelligence Committee in Washington, U.S., June 21, 2017. REUTERS/Joshua Roberts

DHS Assistant Secretary for Cybersecurity Jeanette Manfra, speaking at an event in New York, said the agency would issue a binding directive to require implementation of two cyber security measures, known as DMARC and STARTTLS, intended to guard against email spoofing and phishing attacks.

The new requirements are “discrete steps that have scalable, broad impact” that will improve federal government cyber security, Manfra said.

DMARC, or domain-based message authentication, reporting and conformance, is a decade-old popular technical standard that helps detect and block email impersonation, such as when a hacker might try to pose as a government official or agency.

STARTTLS is a form of encryption technology that protects email traveling between servers, making it more difficult for a third party to intercept.

Civilian agencies will have 90 days to implement the new security measures, Manfra said.

Many agencies already use DMARC and STARTTLS but recent reviews have found the protocols are not used universally across government.

Foreign governments and other hackers have pilfered millions of personal records and other sensitive data from the U.S. government in recent years. The Trump administration has made upgrading government agencies’ much-maligned network security a top cyber priority.

Democratic Senator Ron Wyden, who earlier this year pushed federal agencies to adopt the security standards more widely, said in a statement the moves were “two cheap, effective ways to secure email from being intercepted or impersonated by bad guys.”

He said he hoped the decision would compel private sector companies to upgrade their own email security quickly.

An August report from the Global Cyber Alliance, an international non-profit, found that federal government adoption of DMARC had been rising in recent months but that less than 10 percent of domains had the protocol fully implemented.

Usage of DMARC is much higher on the consumer level with 85 percent of inboxes, including those hosted by Alphabet's Google (GOOGL.O) or Microsoft (MSFT.O), supporting the standard, according to the Global Cyber Alliance.

Reporting by Dustin Volz; Editing by Chizu Nomiyama and Bill Trott