Three-quarters of the federal government uses encryption. Homeland Security says that isn’t enough.
Homeland Security is ordering federal agencies to deploy basic web and email security features in an effort to boost cybersecurity across government.
Up until now, Homeland Security had been pushing businesses and enterprise customers to enable HTTPS web encryption across the board, which helps secure data in transit but also ensures that nobody can alter the contents of the website you’re visiting. The agency has also pushed DMARC, an email validation system used to verify the identity of an email sender, which helps to protect against inbound spoofed emails and phishing attacks.
Now, Homeland Security has set its sights on government agencies, which have for years fallen behind.
The agency has issued a binding operational directive, giving all federal agencies three months to roll out DMARC across their networks. Enabling that email policy will prevent spammers from impersonating federal email addresses to send spoofed email.
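As an added illustration that is not part of the article, the following Python checker parses a DMARC TXT record and reports whether it would actually block spoofed mail: a record with p=none only requests monitoring reports, while p=quarantine or p=reject with pct=100 is what turns the policy into an enforced one. The sample records and the agency.example mailbox are constructed for the example.

```python
"""Parse a DMARC record and report whether it enforces anti-spoofing.

Assumption: the record text is supplied as a string (in practice it is
read from the _dmarc.<domain> DNS TXT record). The records below are
constructed samples, not real agency records.
"""
from dataclasses import dataclass, field

ENFORCING = {"quarantine", "reject"}


@dataclass
class DmarcPolicy:
    policy: str            # p= tag: none, quarantine or reject
    subdomain_policy: str  # sp= tag; defaults to the p= value
    pct: int               # share of failing mail the policy applies to
    reports_to: list = field(default_factory=list)  # rua= report URIs
    problems: list = field(default_factory=list)    # validation findings

    @property
    def enforcing(self) -> bool:
        """True only if spoofed mail would be quarantined or rejected."""
        return self.policy in ENFORCING and self.pct == 100 and not self.problems


def parse_dmarc(record: str) -> DmarcPolicy:
    """Split 'tag=value; tag=value' pairs and validate the ones that matter."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    problems = []
    if tags.get("v") != "DMARC1":
        problems.append("missing or wrong v=DMARC1 tag")
    policy = tags.get("p", "").lower()
    if policy not in {"none"} | ENFORCING:
        problems.append(f"invalid or missing p= tag: {policy!r}")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        problems.append("pct= is not an integer")
    subdomain_policy = tags.get("sp", policy).lower()
    reports_to = [u.strip() for u in tags.get("rua", "").split(",") if u.strip()]
    return DmarcPolicy(policy, subdomain_policy, pct, reports_to, problems)


# Constructed sample records covering the common rollout stages.
SAMPLE_RECORDS = {
    "monitor-only": "v=DMARC1; p=none; rua=mailto:dmarc-reports@agency.example",
    "partial": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc-reports@agency.example",
    "enforcing": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@agency.example",
    "malformed": "p=reject",
}
```

Running `parse_dmarc` over the samples shows that only the "enforcing" record would stop a spoofed message; the others either monitor, apply to a fraction of mail, or fail validation.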
The agency is also requiring all federal agencies to deploy HTTPS within the next four months.
If you thought the government already had that policy, you’re not wrong.
In 2015, the Obama administration issued a directive that all federal government sites should be HTTPS by default by the end of 2016. More than two years later, about one-quarter of all federal sites still don’t support basic website encryption.
Perhaps ironically, only 70 percent of all Homeland Security domains support HTTPS. Even fewer enforce the encryption by default.
The agency hopes that the remaining non-encrypted sites can get up to speed by early next year.
The order also asks that government agencies use other kinds of encryption, such as STARTTLS, a protocol that sends email over an encrypted channel when it’s available, on their email servers.
News of the announcement was lauded by one privacy-minded senator, who’s been on a crusade to get federal agencies up to speed on security.
Wyden called today’s move a “good, basic step” in a statement to ZDNet.
“STARTTLS encryption and anti-phishing technologies like DMARC are two cheap, effective ways to secure email from being intercepted or impersonated by bad guys,” he said. “It’s my hope that other government agencies recognize the clear security benefits of strong encryption, and that private sector companies move quickly to upgrade their own email security.”