Reston, VA – The Online Trust Alliance (OTA), an Internet Society initiative, today released analysis that shows top government agencies are increasingly adopting the best practices to help prevent their emails and websites from being spoofed or impersonated following a recent U.S. Department of Homeland Security (DHS) directive. However, 62 percent have not implemented key email protection, Domain-based Message and Reporting Conformance (DMARC), placing US citizens at risk. OTA’s researchers found: 1) government agency use of DMARC nearly doubled between May and the end of Oct., 2) nearly all of the top government agencies are using “HTTPs everywhere” and 3) slightly more than half of the government agencies analyzed have implemented Transport Layer Security (TLS).
On Oct. 16, 2017, DHS issued the directive mandating government sites adopt three major technology standards. These are DMARC to prevent phishers from successfully impersonating agency emails, HTTPs everywhere to ensure that an entire web session is encrypted, and TLS for email which adds message level encryption and helps maintain the privacy of emails in transit between mail servers. This directive builds on an earlier one for agencies to adopt technology meant to prevent website fraud called Domain Name System Security Extensions (DNSSEC). According to OTA, 93 percent of the top government agencies have adopted DNSSEC.
“OTA has been working with the U.S. government to enhance security practices since 2010, and we thoroughly applaud the virtual overnight improvement following DHS’ recent directive,” said Jeff Wilbur, director of the OTA Initiative at the Internet Society “However it remains discouraging to find that less than 40 percent of top agencies have started their DMARC adoption, and even worse that only 14 percent are enforcing protection of their email using DMARC.”
The table below summarizes the DMARC, TLS and HTTPs everywhere adoption rates by top U.S. federal government agencies in OTA’s 2016 and 2017 Online Trust Audit, and a recent update on Oct. 30. DMARC allows senders of email to specify a policy to receivers regarding how to handle email that fails authentication – the policy can be “none,” “quarantine” (i.e., place it in the equivalent of a spam/junk folder) or “reject.” Most notable in the table below is the nearly doubling of sites with valid DMARC records between May and October 2017, and the rise in domains with a “reject/quarantine” policy. The top federal sites are also approaching 100-percent adoption of HTTPs everywhere. OTA also found that only five percent of analyzed government agencies have adopted the DMARC reject policy, TLS for email and HTTPs everywhere combined.
| DMARC | TLS for Email | HTTPs Everywhere | ||
|---|---|---|---|---|
| Record | Reject/Quarantine | |||
| May 2016 | 20% | 9% | 54% | 50% |
| May 2017 | 20% | 11% | 46% | 91% |
| Oct 2017 | 38% | 14% | 52% | 95% |
This growth in DMARC adoption is due in part to the collective efforts of several organizations and OTA members including Agari, dmarcian, the Global Cyber Alliance and ValiMail.
“Since the formation of OTA, we have worked closely with the White House and numerous agencies, driving the development and adoption of best practices and technologies to improve the resiliency of the Internet and help stop consumers from being victimized” said Craig Spiezle, OTA founder and chairman emeritus. “OTA and its members look forward to continued work with DHS and others to enhance the protection of our digital society and economy from the rising levels of cybercrime.”
OTA’s work with the U.S. government to prevent email and website spoofing formally began in 2010 when it worked with the White House on initiatives to help address the mounting levels of email spoofing and phishing. This work led to a grant from DHS in 2011 to develop Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) training material for a broad set of government agencies. Email authentication such as SPF, DKIM and DMARC, and site security practices such as HTTPs everywhere, DNSSEC and use of Extended Validation certificates have been advocated and tracked for several years in OTA’s Online Trust Audit. The Audit is recognized as benchmark research evaluating responsible online privacy and data security practices of more than 1,000 consumer-facing organizations across the public and private sectors.
OTA has a number of resources government organizations can use to meet this DHS mandate, which can be found on the following pages:
OTA’s federal agency list was curated with input from various agencies and stakeholders including the White House, FBI, DHS, FTC and the Commerce Department, looking at cabinet level agencies, sites and domains that have been targeted in the past, sites with breaches and top ranked sites for traffic. OTA will continue to monitor progress against this directive and encourages all organizations to consider adopting these well-proven best practices.
About OTA:
The Online Trust Alliance is an initiative within the Internet Society (ISOC), a global non-profit with the mission to promote the open development, evolution, and use of the Internet for the benefit of all people throughout the world. OTA’s mission is to enhance online trust, user empowerment and innovation through convening multi-stakeholder initiatives, developing and promoting best practices, ethical privacy practices and data stewardship.
Formed 25-years ago, ISOC focuses on the pillars of expanding access and promoting online trust. ISOC facilitates open development of standards, protocols, administration, and the technical infrastructure of the Internet, 2) Serves as a focal point for cooperative efforts to promote the Internet as a positive tool to benefit all people throughout the world and 3) Provides management and coordination for on-strategy initiatives and outreach efforts in humanitarian, educational, societal, and other contexts.