Oct 16, 2018

Many government agencies miss email security deadline

Photo: Mike Clarke / AFP via Getty Images

A year ago, the Department of Homeland Security gave nearly all civil federal agencies 12 months to adopt an email security standard that prevents email fraud. In data as recent as Monday, 2 sets of researchers show that between a quarter and a half of those agencies' web domains failed to meet the Tuesday deadline.

Why it matters: Email was not designed to check whether a message claiming to be from an email address actually came from that address, and that's a big gap. Just imagine how much chaos an attacker could cause by sending fraudulent emails messages from "evacuation-warnings@EPA.gov." When properly set up, DMARC plugs that security hole.

Details: DMARC (formally Domain-based Message Authentication, Reporting and Conformance) lets email programs check if a server sent a message. If not, DMARC can instruct it to reject the message, send the message to spam or do nothing out of the ordinary.

  • "It's a common sense security measure, and it makes no sense to allow criminals to send fake emails," said Patrick Peterson, executive chairman and founder of email security firm Agari.

Homeland Security gave agencies until Tuesday to implement the reject option.

  • Intelligence and defense agencies were exempt and, according to a study by the security advocacy group the Global Cyber Alliance and Agari, almost entirely did not comply.

By the numbers: Of 1315 federal web domains checked Monday morning, email security company ValiMail determined only 57% had met the federal mandate. In the more formal study by the Global Cyber Alliance and Agari, a different sample of 1144 sites found that 74% had complied. That leaves between 26% and 43% that have not.

  • Agari found more distinct sites that met the mandate and VailMail found more distinct sites that didn't. Based on those findings, at least 851 comply with the mandate and at least 564 did not.

Some extremely big-name agencies fall far short on DMARC, according to the Global Cyber Alliance / Agari study.

  • 13 out of 25 —more than half — of the tested domains run by the Executive Office of The President (colloquially known as the White House) had not implemented DMARC. Another 3 of the domains implemented DMARC without setting it to reject email.
  • Just under half of the Department of Commerce domains (25 out of 52) had not implemented DMARC.
  • Amtrak's lone domain had not implemented it, either.

ValiMail CEO Alex Garcia-Tobar notes that the results of his group’s work are encouraging and disappointing at the same time.

  • "The government has made amazing progress — going from 4% last year to over 50% this year. I've never seen them work this quickly on a security project," he said.
  • On the other hand, the unimplemented systems could be a real problem, Garcia-Tobar said. "Anything less than 100%, agencies are wide open to impersonation."

Don't forget: Not all compliant domains are created equal. Valimail found the compliance rate was, for example, much higher in domains that did not send out emails than in the ones that did.

  • "It’s much harder to put rules in place for domains that send emails than ones that don't," said Garcia-Tobar.

Go deeper

Coronavirus dashboard

Illustration: Aïda Amer/Axios

  1. Global: Total confirmed cases as of 7 p.m. ET: 932,605 — Total deaths: 46,809 — Total recoveries: 193,177Map.
  2. U.S.: Total confirmed cases as of 7 p.m. ET: 213,372 — Total deaths: 4,757 — Total recoveries: 8,474Map.
  3. Business updates: Very small businesses are bearing the brunt of the coronavirus job crisis.
  4. World update: Spain’s confirmed cases surpassed 100,000, and the nation saw its biggest daily death toll so far. More than 500 people were reported dead within the last 24 hours in the U.K., per Johns Hopkins.
  5. State updates: Florida and Pennsylvania are the latest states to issue stay-at-home orders — Michigan has more than 9,000 confirmed cases, an increase of 1,200 and 78 new deaths in 24 hours.
  6. Stock market updates: Stocks closed more than 4% lower on Wednesday, continuing a volatile stretch for the stock market amid the coronavirus outbreak.
  7. What should I do? Answers about the virus from Axios expertsWhat to know about social distancingQ&A: Minimizing your coronavirus risk.
  8. Other resources: CDC on how to avoid the virus, what to do if you get it.

Subscribe to Mike Allen's Axios AM to follow our coronavirus coverage each morning from your inbox.

World coronavirus updates: Spain's health care system overloaded

Data: The Center for Systems Science and Engineering at Johns Hopkins, the CDC, and China's Health Ministry. Note: China numbers are for the mainland only and U.S. numbers include repatriated citizens and confirmed plus presumptive cases from the CDC

Two planes with protective equipment arrived to restock Spain’s overloaded public health system on Wednesday as confirmed cases surpassed 100,000 and the nation saw its biggest death toll so far, Reuters reports.

The big picture: COVID-19 cases surged past 900,000 and the global death toll surpassed 45,000 early Wednesday, per Johns Hopkins data. Italy has reported more than 12,000 deaths.

Go deeperArrowUpdated 3 hours ago - Health

FBI sees record number of gun background checks amid coronavirus

Guns on display at a store in Manassas, Va. Photo: Yasin Ozturk / Anadolu Agency via Getty

The FBI processed a record 3.7 million gun background checks in March — more than any month previously reported, according to the agency's latest data.

Driving the news: The spike's timing suggests it may be driven at least in part by the coronavirus.