Should DHS do more with DMARC data?

A 2017 cybersecurity directive is providing DHS with a flood of data on hackers attempting to penetrate federal systems through fake emails, but thus far the agency has not articulated a plan for using the information.


The federal government is nearing an Oct. 16 deadline to comply with a Department of Homeland Security directive on email and website security. One U.S. Senator believes that date should mark the beginning -- not the end -- of the department's work with the trove of data that the order has produced.

Last year, DHS issued a binding operational directive requiring federal agencies to implement a series of tools to protect public-facing federal websites and email from spoofing. One of those tools, Domain-based Message Authentication, Reporting and Conformance (DMARC), allows agencies to better identify and reject fraudulent emails designed to look like they are coming from legitimate government addresses.

That directive gave agencies one year to implement the highest level of DMARC protections and establish a channel for sending regular reports to DHS.

In an Aug. 2 letter, Sen. Ron Wyden (D-Ore.) asked the National Protection and Programs Directorate (NPPD) what, if anything, it plans to do with all the data agencies are sending its way.

"I would like to understand what steps DHS has taken to analyze this information and turn it into actionable cyber intelligence," Wyden wrote.

In an Aug. 31 letter obtained by FCW, NPPD Undersecretary Christopher Krebs told Wyden the department has not yet developed a plan to make use of agency DMARC reporting.

"Currently, DHS has not implemented analysis of the DMARC reports," wrote Krebs. "As agencies implement and submit their reports to DHS, we are collecting data in a common format for future analysis."

DHS isn't required to analyze the data, but Wyden, who was calling for DHS to implement enhanced DMARC protections before the directive was developed, believes it's the next logical step in safeguarding federal networks.

"I am disappointed to see that DHS has yet to analyze any of the reports generated when hackers attempt to send emails impersonating federal agencies," said Wyden in a statement to FCW. "These reports are a source of useful information that DHS should be using to go after hackers and prevent future attacks. Instead, the reports are sitting unread."

He pointed to the National Cyber Security Centre in the U.K. as a model for DHS to follow. After the NCSC instituted similar policies across the government in 2016, it set up a central system to receive and synthesize agency DMARC reporting to gain better insight into the frequency and tactics behind malicious email attacks on government networks.

In February 2018, the British agency released a report detailing some of the insights gleaned from its data analysis, finding that it identified "a number of complications -- both technical and driven by adversary behavior -- around implementing DMARC at a national level."

For example, U.K. agencies initially faced tens of millions of spoofed email attacks every month. While analyzing the data, NCSC noticed that the frequency of spoofed email attacks dropped considerably since they began collecting the data, indicating just how quickly hackers were dropping the tactic in response to hardened government defenses.
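The directive's two requirements described above, a published policy at the strictest level and a reporting channel, produce DMARC aggregate (RUA) reports in a standard XML layout; the kind of analysis the NCSC performed starts by reading those reports and counting, per sending source, how many messages failed authentication. The following is an added example, not code from FCW, DHS or the NCSC; the report is constructed, and the domain and IP addresses are documentation placeholders.

```python
# Added example: summarise a DMARC aggregate (RUA) report by source IP.
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample report using the standard aggregate-report layout.
SAMPLE_REPORT = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>example-mailbox-provider</org_name>
    <report_id>constructed-001</report_id>
  </report_metadata>
  <policy_published>
    <domain>agency.example.gov</domain>
    <p>reject</p>
  </policy_published>
  <record><row><source_ip>192.0.2.10</source_ip><count>3</count>
    <policy_evaluated><disposition>none</disposition>
      <dkim>pass</dkim><spf>pass</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>1500</count>
    <policy_evaluated><disposition>reject</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
  <record><row><source_ip>198.51.100.7</source_ip><count>250</count>
    <policy_evaluated><disposition>reject</disposition>
      <dkim>fail</dkim><spf>fail</spf></policy_evaluated></row></record>
</feedback>
"""


def summarize_rua(xml_text):
    """Return (published policy, {source_ip: messages that failed DMARC})."""
    root = ET.fromstring(xml_text)
    # 'p' is the published policy; 'reject' is the strictest setting.
    policy = root.findtext("policy_published/p")
    failures = Counter()
    for rec in root.findall("record"):
        row = rec.find("row")
        ip = row.findtext("source_ip")
        count = int(row.findtext("count"))
        ev = row.find("policy_evaluated")
        # A message passes DMARC if either aligned DKIM or aligned SPF passed.
        passed = ev.findtext("dkim") == "pass" or ev.findtext("spf") == "pass"
        if not passed:
            failures[ip] += count
    return policy, dict(failures)


if __name__ == "__main__":
    print(summarize_rua(SAMPLE_REPORT))
```

Run across a month of reports from every agency domain, the per-source failure counts are the raw material for the frequency trend the NCSC observed.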

Wyden believes those kinds of insights can help the U.S. government more quickly respond to shifts in adversary tactics and prioritize or reallocate cybersecurity resources. He expressed disappointment that DHS has not yet moved to do the same.

First, though, DHS must actually get agencies to send in their data.

In Krebs' letter to Wyden, he wrote that "64 percent of agencies are over 80 percent compliant" in enabling automatic transmission of DMARC reports to DHS. A department spokesperson clarified to FCW that as of Aug. 31, 63 of the 99 agencies being tracked had at least 80 percent of their domains sending DMARC reports to DHS. That number had risen to 71 as of Sept. 11. Overall, 56 agencies are 100 percent compliant with sending DMARC reports, meaning 44 percent are not finished with a little more than a month to go before the Oct. 16 deadline.

Following a Sept. 11 speech, Matthew Travis, deputy undersecretary of NPPD, told FCW that DHS is currently focusing all of its energy on getting agencies to fully comply with Directive 18-01. The final months before the Oct. 16 deadline will be "a rush to the finish line" for some departments, but Travis said that officials are actively thinking about how to make better use of DMARC reporting.

In June, the department had discussions with members of the Global Cyber Alliance to figure out "how we can do more with [DMARC data] and how we can promote greater adoption of it," including for government contractors, he said. "We're thinking about it, that's as far as I can talk about at this point," said Travis. "It is a priority and we're looking at a number of ways for how we can do it."