Securing government email is a critical step for U.S. cybersecurity

The Department of Homeland Security issued a binding operational directive (BOD 18-01) in October, requiring all federal agencies to implement several key measures to increase the security of their email and their websites.

The website security requirements help the government catch up to what most commercial websites are already doing: Use HTTPS. If you’ve seen the little “lock” icon in the corner of your browser, that means the website you’re visiting is using HTTPS — it lets you know that you’ve got a secure connection. Soon, most government websites will offer that security, just as most commercial websites do today.

The email part of the DHS directive catapults the U.S. government into a leadership position. It requires agencies to implement email authentication, through a set of standards (especially Domain-based Message Authentication, Reporting and Conformance, or DMARC) that help email servers and email clients verify the authenticity of emails they receive. It also requires agencies to use STARTTLS with their mail servers, which is essentially HTTPS for email communications.

Leadership from the government

Authentication through DMARC is the more significant of these two email requirements, and if the U.S. government implements it in 2018, it will be well ahead of most businesses, which have not yet begun to realize the benefits of authenticated email.

Email authentication means that whenever you receive an email, you can trust that it really does come from the organization whose domain name appears in the From field. Think of it as a certified, validated return address.
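To make the DMARC mechanism described above concrete, here is an added example (not code from the original article) of how a receiving mail server evaluates a domain's DMARC record against a message: it checks whether an SPF or DKIM result is "aligned" with the From domain and, if not, applies the published policy. The records and message results are constructed samples, and the organizational-domain rule is simplified to "last two labels" instead of the Public Suffix List a real implementation would use.

```python
# Constructed sample records for a hypothetical domain "agency.example".
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@agency.example"
ENFORCED = "v=DMARC1; p=reject; rua=mailto:dmarc@agency.example"


def parse_dmarc_record(txt):
    """Parse a DMARC TXT record ('v=DMARC1; p=...; ...') into a tag dict."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")  # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")   # relaxed SPF alignment by default
    return tags


def org_domain(domain):
    # Simplification (assumption): organizational domain = last two labels.
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict mode needs an exact match; relaxed accepts the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_pass, disposition) for one message.

    spf_domain is the envelope-sender (MAIL FROM) domain SPF was checked against;
    dkim_domain is the d= value of the verified DKIM signature.
    """
    tags = parse_dmarc_record(record)
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return True, "none"          # authenticated: deliver normally
    return False, tags.get("p", "none")  # unauthenticated: apply published policy


if __name__ == "__main__":
    # A forged From: header, sent from an unrelated server that passes SPF for itself.
    forged = ("agency.example", "pass", "mail.example.net", "none", "")
    print(dmarc_evaluate(MONITOR_ONLY, *forged))  # (False, 'none') -> still delivered
    print(dmarc_evaluate(ENFORCED, *forged))      # (False, 'reject')
```

Moving a domain from `p=none` to `p=reject` is what turns DMARC from a reporting tool into actual protection against the forged From field.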

Unfortunately, most emails today are not subject to authentication -- and hackers know it. Emails with fake “from” addresses, also called email impersonation attacks or phishing attacks, are by far the biggest vectors hackers use to initiate cyberattacks.

It’s as simple as putting “USCIS.gov” in the From: line of an email message, and Joe Cyberpunk can make it look like his email is an urgent message from the U.S. Customs & Immigration Service.

You might think few people would fall for such a scam, but they do -- all the time. Studies have shown that 56 percent of people click on links in email messages from unknown senders, even after they’ve been taught about the risks. And these are stats for unknown senders, not senders posing as a known government agency, such as the IRS — which phishers frequently impersonate.