Dem senator wants govt-wide use of email tool to thwart impersonating hackers

A Democratic senator is pressing the Department of Homeland Security (DHS) to mandate the government-wide use of an email authentication tool “to ensure that hackers cannot send emails that impersonate federal agencies.”

Sen. Ron Wyden (D-Ore.) made the request in a letter to a top official at the National Protection and Programs Directorate (NPPD), the DHS office in charge of securing cyber and physical infrastructure.

“I write to ask you to take immediate steps to ensure that hackers cannot send emails that impersonate federal agencies,” Wyden wrote Tuesday to Jeanette Manfra, the DHS official. “The threat posed by criminals and foreign governments impersonating U.S. government agencies is real.” 

{mosads}Rob Joyce, President Trump’s cybersecurity coordinator, was also copied on the letter.

Specifically, Wyden asked DHS to require agencies to use a tool called the Domain-based Message Authentication, Reporting and Conformance (DMARC), a standard developed by the industry that lets organizations send impersonating emails to a spam folder or have them rejected by victims’ email providers. 

The department could use its authority under the Federal Information Security Modernization Act (FISMA), passed in 2014 to mandate the adoption of DMARC across executive branch agencies, Wyden said.

Wyden also recommended that DHS require agencies to submit DMARC reports to track “any efforts by criminals and foreign governments to impersonate U.S. government agencies.”

The authentication standard is recommended by the National Institute for Standards and Technology, a nonregulatory federal agency that develops a widely-lauded cybersecurity framework for government agencies. 

Some federal bodies, including the Federal Trade Commission (FTC), use DMARC. The FTC has also recommended businesses enable DMARC to stop phishing scams. 

Britain has implemented DMARC government-wide.

“Industry-standard technologies exist, and are already used throughout the private sector and even by a few federal agencies, which, if enabled, would make it significantly harder for fraudsters and foreign governments to impersonate federal agencies,” Wyden wrote Tuesday. 

The Democratic senator has previously pressed agencies on their use of the email authentication tool, knocking the IRS in April for using DMARC on the least restrictive setting.

Last year, the IRS reported a 400 percent increase in the number of phishing scams and malware incidents during the 2016 tax season.