Humble email systems remain a vector for cyberattacks on state and local governments, as a recent attack on Missouri’s state government showed.
At the state and local level there are thousands of domains that could benefit from the protection email authentication provides — three times as many as the number of federal domains. However, almost no state and local governments are using the authentication standards that could improve email protections, especially against phishing attacks.
As it stands now, less than 1 percent of state and local government domains (and none of the U.S. states’ primary .gov and .us domains) are correctly protected against impersonation by using the leading email authentication standard, Domain-based Message Authentication, Reporting, and Conformance, known as DMARC, according to a report from Valimail, which sells online authentication tools.
“We think you need to authenticate all forms of email,” says Alexander García-Tobar, the CEO and co-founder of Valimail. He notes that email was built to be open, which lends itself to abuse, since anyone can attack anyone else. DMARC helps government agencies stop both inbound and outbound email attacks, García-Tobar adds.
According to García-Tobar, one-third of all state and local governments get hit with cyberattacks on an hourly basis, and half are targeted on a daily basis.
“We believe that, as an owner of a domain for state and federal agency, you have an obligation to safeguard information you have about users,” he says. “It is impossible for the states, municipalities and local utilities to be able to comply with PII or GDPR guidelines if you haven’t even locked down your email.”
Adopting DMARC not only enhances security but improves trust with residents and private sector companies that deal with the state or local government, according to García-Tobar.
What Is DMARC and How Can It Help State and Local Governments?
DMARC, an industry standard, is an email authentication policy and reporting protocol that is designed to prevent email spoofing — when malicious actors impersonate legitimate email senders to bait internal employees or fool those outside an organization — which is the foundation of phishing. An initiative of the Trusted Domain Project, DMARC was finalized in 2015 by contributors, including Google, Yahoo, Mail.Ru, JPMorgan Chase and Symantec.
DMARC “builds on the widely deployed SPF and DKIM protocols, adding linkage to the author (From:) domain name, published policies for recipient handling of authentication failures and reporting from receivers to senders, to improve and monitor protection of the domain from fraudulent email,” notes DMARC.org. According to the U.S. Department of Homeland Security, setting a DMARC policy of “reject” gives agencies the “strongest protection against spoofed email, ensuring that unauthenticated messages are rejected at the mail server, even before delivery.”
Additionally, DHS notes that DMARC “reports provide a mechanism for an agency to be made aware of the source of an apparent forgery, information that they wouldn’t normally receive otherwise. Multiple recipients can be defined for the receipt of DMARC reports.” According to the Valimail report, of the 4,273 domains it analyzed, only 220 (5.1 percent) had DMARC records. Of the groups it tracked in its quarterly reports, this is among the lowest adoption rates the firm has seen, the next closest being global media companies at 15 percent.
Of those state and local domains that had deployed DMARC, 63 had records that were invalid due to syntax errors or other misconfiguration, and 132 had correctly configured DMARC records but lacked enforcement (anti-spoofing protection) because they were set to a monitoring-only policy. Meanwhile, 25 were set to an enforcement policy (reject or quarantine), protecting those domains from impersonation.
Ultimately, that means that just 0.6 percent of state and local government domains had correctly deployed DMARC.
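To make the three buckets in the report concrete, here is an added example (not code from the article or from Valimail) that classifies DMARC TXT records as invalid, monitoring-only (p=none) or enforcement (p=quarantine or p=reject), and pulls out the rua= addresses that receive the reports mentioned above. It checks only the basic tag syntax, not every rule of the DMARC specification, and the sample records and example.gov domain are constructed for illustration.

```python
from collections import Counter

POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(record):
    """Return the tag dict for a DMARC TXT record, or raise ValueError."""
    tags = {}
    for chunk in record.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        if "=" not in chunk:
            raise ValueError(f"malformed tag {chunk!r}")
        name, _, value = chunk.partition("=")
        name = name.strip().lower()
        if name in tags:
            raise ValueError(f"duplicate tag {name!r}")
        tags[name] = value.strip()
    # v=DMARC1 must be the first tag and p= is required
    if not tags or next(iter(tags)) != "v" or tags["v"] != "DMARC1":
        raise ValueError("record must begin with v=DMARC1")
    if tags.get("p", "").lower() not in POLICIES:
        raise ValueError(f"missing or unknown policy {tags.get('p')!r}")
    # rua= lists the mailto: URIs that receive aggregate reports
    tags["rua"] = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    return tags

def classify(record):
    """'invalid' (unusable syntax), 'monitoring' (p=none) or 'enforcement'."""
    try:
        tags = parse_dmarc(record)
    except ValueError:
        return "invalid"
    return "monitoring" if tags["p"].lower() == "none" else "enforcement"

def summarize(records):
    """Count records per class, as the report did for the domains it scanned."""
    return Counter(classify(r) for r in records)

# Constructed sample records; example.gov here is a placeholder domain
SAMPLES = [
    "v=DMARC1; p=reject; rua=mailto:dmarc@example.gov",
    "v=DMARC1; p=quarantine; rua=mailto:a@example.gov,mailto:b@example.gov",
    "v=DMARC1; p=none; rua=mailto:dmarc@example.gov",
    "v=DMARC1; p=none",
    "v=DMARC1 p=reject",    # missing ';' so v= reads as 'DMARC1 p=reject'
    "p=reject; v=DMARC1",   # v= must be the first tag
    "v=DMARC1; p=block",    # not a DMARC policy value
]
```

Running summarize(SAMPLES) gives two enforcement, two monitoring-only and three invalid records; only the first two would count as "correctly deployed" in the article's sense.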
How Public-Sector Officials Can Enhance Email Security
There are several reasons why state and local government adoption of DMARC may be low, especially compared to the federal government, where Valimail says DMARC is now deployed on 80 percent of federal domains.
For one, there has been no mandate that state and local government adopt DMARC, unlike in the federal government, where agencies were required to do so in October 2017.
García-Tobar says there is also a lack of awareness among state and local government CIOs and CISOs regarding the threats from email and how easy it is to spoof emails. They assume that someone is securing their emails, but that is not possible unless domains are authenticated.
“Once we do a complimentary domain analysis, we show that a third or half of emails that have their domain or are sent from their domain as them are criminal,” García-Tobar says.
Agencies also face a lack of resources. “I don’t think people understand that there is an easy way to do this,” García-Tobar says, noting that 60 percent of agencies attempt to deploy DMARC on their own and find it impossible.
Another reason adoption is low is the risk of blocking “good” emails while trying to stop “bad” ones from getting through, according to García-Tobar.
DMARC helps agencies stop email attacks and prevents malicious actors from impersonating official domains. The result is that “people now trust your emails,” García-Tobar says. That’s especially important for agencies like tax collection agencies that need residents and businesses to trust their communications so that they respond to notices and submit tax returns, for example.
Agency IT leaders can work with a variety of vendors to test whether their domains are covered by DMARC as well as how much of their email traffic is fraudulent. That then helps IT leaders prioritize which domains need to be locked down and secured first. Those are usually the ones that deal with personally identifiable information, García-Tobar says.
Once DMARC is deployed, it instructs receiving mail gateways anywhere in the world to send reports back to the owner of the domain, or to anyone the owner authorizes. Those reports then show what is happening on the domain — that valid emails are getting through and malicious ones are being blocked, García-Tobar says.
“Email is the No. 1 way you can expose PII,” he says. “We think it’s a responsibility to get this done.”