
Protocols to Ensure Web and Email Security for Government Domains

With fake news an ever more present issue in the media today, government agencies took measures to address it by developing a program to block fake or spoofed emails from being sent from government domain email addresses. The Department of Homeland Security launched this initiative in October 2017 by announcing that all federal agencies had exactly one year to implement the email authentication and reporting protocol program.

The program, known as Domain-based Message Authentication, Reporting, and Conformance (DMARC), was created to prevent and monitor fake emails sent from a government domain as well as to ensure web browser safety. It does this by focusing on two specific areas, email and web security, which were identified as the two areas of concern at high risk of fraud.

Email security is maintained by implementing programs that prevent outside attacks while an email is in transit and that “watermark” emails to ensure their authenticity before they are sent. When someone receives an email that does not pass the authenticity test, the domain owner is immediately notified, a step that could not be taken before DMARC. The DMARC protocol additionally addresses web security by strongly reinforcing a policy made in 2015 covering Hypertext Transfer Protocol Secure (HTTPS) and HTTP Strict Transport Security (HSTS). The former verifies the identity of a web service while also encrypting all information sent between the user and the website, and the latter simply ensures that browsers always use an HTTPS connection.

Although the DHS required all government agencies to implement the DMARC programs within a year, this was not fully accomplished. An article published by The Hill a year after the program’s release found that 60.5 percent of federal domains were compliant with the order and 74 percent published DMARC records. While this is a good number and definitely a step in the right direction, 26 percent of government domains still did not meet the deadline provided by the DHS. Ideally, within the next year the rest of the government agencies will implement this security step to avoid fake emails and ensure that their web browsers are safe from unwanted spoofs.
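The following Python example is added here and is not part of the original article or any agency tooling. It classifies a domain's DMARC record and HSTS header, showing why a published DMARC record is not by itself an enforced one. The `*.example.gov` names, the bar used for "enforcing" (`p=reject` for all mail plus a `rua` reporting address) and the one-year HSTS minimum are assumptions of this example.

```python
# Added example (not from the article). Inputs are constructed samples;
# the *.example.gov names and the one-year HSTS threshold are assumptions.

def parse_tags(text):
    """Split 'name=value; name=value' into a dict with lower-cased names."""
    tags = {}
    for part in text.split(";"):
        name, _, value = part.partition("=")
        if name.strip():
            tags[name.strip().lower()] = value.strip()
    return tags

def dmarc_status(txt):
    """Classify the TXT value found at _dmarc.<domain> (None if absent)."""
    if not txt:
        return "no record"
    name, _, version = txt.split(";")[0].partition("=")
    # RFC 7489: v=DMARC1 must be the first tag, matched exactly.
    if (name.strip().lower(), version.strip()) != ("v", "DMARC1"):
        return "invalid"
    tags = parse_tags(txt)
    policy = tags.get("p", "").lower()
    # Simplification: a record without a recognised p is reported as invalid.
    if policy not in ("none", "quarantine", "reject"):
        return "invalid"
    reports = tags.get("rua", "").lower().startswith("mailto:")
    # Assumed bar for "enforcing": reject all failing mail and notify the owner.
    if policy == "reject" and tags.get("pct", "100") == "100" and reports:
        return "enforcing"
    return "published only"

def hsts_ok(header, min_age=31536000):
    """True if a Strict-Transport-Security value lasts at least min_age seconds."""
    if not header:
        return False
    age = parse_tags(header).get("max-age", "").strip('"')
    return age.isascii() and age.isdigit() and int(age) >= min_age

SAMPLES = {  # constructed: domain -> (DMARC TXT value, HSTS header value)
    "a.example.gov": ("v=DMARC1; p=reject; rua=mailto:r@a.example.gov",
                      "max-age=31536000; includeSubDomains; preload"),
    "b.example.gov": ("v=DMARC1; p=none; rua=mailto:r@b.example.gov", "max-age=300"),
    "c.example.gov": ("v=DMARC1; p=reject", None),
    "d.example.gov": (None, 'max-age="63072000"'),
}

if __name__ == "__main__":
    for domain, (txt, hsts) in SAMPLES.items():
        print(f"{domain}: DMARC {dmarc_status(txt)}, HSTS ok: {hsts_ok(hsts)}")
```

In practice the TXT value would come from a DNS lookup of `_dmarc.<domain>` and the header from the site's HTTPS response.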
