Yesterday, at an event in Washington DC, the Cybersecurity Tech Accord took a decisive step to enhance the security of email communication, one of the most vulnerable areas in cybersecurity and one of the most targeted by cyber criminals worldwide. Building on existing efforts by like-minded organizations, governments and businesses, we endorsed Domain-based Message Authentication, Reporting & Conformance (DMARC), an email authentication policy and reporting protocol that helps prevent impersonation attacks via email. We did so in partnership with the Global Cyber Alliance (GCA), an international non-profit organization that has made eradicating global cyber risk its mission.
For the past two years, GCA has focused on the risk of phishing and strongly supported DMARC adoption to empower public and private organizations to defend against malicious emails. The GCA implementation guide has helped many businesses create a DMARC policy to protect their brand. The Cybersecurity Tech Accord signatories will support GCA in promoting the adoption of the DMARC protocol on a broad scale and commit to implementing the solution across our own operations, following through on our promise to protect users and customers from evolving cyber threats. As a first step, the Cybersecurity Tech Accord signatories will, under the GCA’s guidance, implement internal education measures around email security.
Email remains one of the primary communications channels for private individuals, organizations and government institutions, and it has become a preferred attack method for impersonation and fraud. Data on email threats in the first half of 2018 showed that approximately 6.4 billion emails sent worldwide each day are fake, with the United States as the main source and healthcare and government as the most impacted sectors. Phishing emails are the entry weapon of choice for many cyber criminals and have become more sophisticated over time.
DMARC is the first and only widely deployed technology that helps protect both customers and a domain owner's brand. Designed on the basis of real-world experience by some of the world’s largest email senders and receivers, DMARC builds on a system in which senders and receivers collaborate: it improves the mail authentication practices of senders and enables receivers to reject unauthenticated messages. DMARC allows:
Domain owners to
- Signal that they are using email authentication (SPF, DKIM).
- Provide an email address to gather feedback about messages using their domain – legitimate or not.
- Specify a policy to apply to messages that fail authentication (report, quarantine, reject).
Email receivers to
- Be certain a given sending domain is using email authentication.
- Consistently evaluate SPF and DKIM along with what the end user sees in their inbox.
- Determine the domain owner’s preference (report, quarantine or reject) for messages that do not pass authentication checks.
- Provide the domain owner with feedback about messages using their domain.
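The list above is the whole mechanism in outline: the domain owner publishes a DNS record carrying a policy and a feedback address, and the receiver checks that a passing SPF or DKIM result is *aligned* with the domain the end user sees in the From header before applying that policy. The following Python model shows those steps end to end. It is an added example, not code from the Cybersecurity Tech Accord, GCA or any mail server; the DMARC record, the domain names and the two sample messages are constructed, and the DNS lookup is assumed to have already happened (the record is embedded as a string). The "report" option in the list corresponds to the `p=none` value of the published record, which is why the example uses that spelling.

```python
"""Minimal model of DMARC evaluation on the receiving side (added example).

Assumptions: the _dmarc TXT record has already been fetched from DNS and is
embedded here as a constructed string; SPF and DKIM have already been checked
and their results are passed in. Organizational-domain lookup is simplified
to "last two labels"; real implementations consult the Public Suffix List.
"""

from dataclasses import dataclass

# Constructed record, as a domain owner would publish at _dmarc.example.com.
DMARC_TXT = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s"


def parse_dmarc_record(txt: str) -> dict:
    """Turn 'tag=value; tag=value' into a dict, defaulting relaxed alignment."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (missing v=DMARC1)")
    # p= is mandatory; 'none' is the report-only mode described on the page.
    if tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("missing or invalid p= policy")
    tags.setdefault("adkim", "r")  # DKIM alignment: r=relaxed, s=strict
    tags.setdefault("aspf", "r")   # SPF alignment: r=relaxed, s=strict
    return tags


def organizational_domain(domain: str) -> str:
    """Simplified organizational domain (last two labels)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed accepts the same org domain."""
    from_domain, auth_domain = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return from_domain == auth_domain
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str   # domain of the RFC5322.From header, what the user sees
    spf_pass: bool
    spf_domain: str    # RFC5321.MailFrom domain that SPF was evaluated on
    dkim_pass: bool
    dkim_domain: str   # d= of the DKIM signature that verified (if any)


def evaluate_dmarc(record: dict, r: AuthResults) -> tuple:
    """Return (dmarc_result, receiver_action).

    DMARC passes if SPF or DKIM passes AND that identifier aligns with the
    From domain. On failure the domain owner's p= policy decides the action.
    """
    spf_ok = r.spf_pass and aligned(r.from_domain, r.spf_domain, record["aspf"])
    dkim_ok = r.dkim_pass and aligned(r.from_domain, r.dkim_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    action = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return "fail", action[record["p"]]


def feedback_address(record: dict) -> str:
    """Where aggregate reports (rua=) go; empty if the owner published none."""
    return record.get("rua", "")


# Constructed sample messages.
# 1) Legitimate mail: DKIM signed with d=example.com, matching the From domain.
LEGIT = AuthResults("example.com", spf_pass=False, spf_domain="bounce.mailer.net",
                    dkim_pass=True, dkim_domain="example.com")
# 2) Impersonation: the sender's own domain passes SPF, but it does not align
#    with the spoofed From domain, so DMARC fails and the p=reject policy applies.
SPOOF = AuthResults("example.com", spf_pass=True, spf_domain="lookalike-example.net",
                    dkim_pass=False, dkim_domain="")

if __name__ == "__main__":
    rec = parse_dmarc_record(DMARC_TXT)
    print("reports to:", feedback_address(rec))
    print("legit  ->", evaluate_dmarc(rec, LEGIT))   # ('pass', 'deliver')
    print("spoof  ->", evaluate_dmarc(rec, SPOOF))   # ('fail', 'reject')
```

The second sample is the case the page's list is built around: SPF on its own passes because the impersonator controls a domain whose record authorizes their server, yet the receiver still rejects the message because that domain is not the one shown to the user. Changing the record to `p=none` keeps the same "fail" verdict but delivers the message and only reports it, which is the report-only first stage that the GCA implementation guide walks organizations through before moving to quarantine or reject.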
However, DMARC adoption has been slower than its founders would have expected. Lately, efforts have been undertaken at government and industry level to see this protocol implemented more consistently. In October 2017, the US Department of Homeland Security issued a directive that requires all federal agencies to implement DMARC for every domain they own. The UK government had already taken concrete steps in this direction in 2016, when the Government Digital Service (GDS), part of the UK’s Cabinet Office, required other government departments to adopt DMARC to protect their online services. Adoption remains slow despite research from GCA, published today, showing that the 1,046 organizations that have used GCA’s DMARC tools have saved $19 million since the start of 2018.
The Cybersecurity Tech Accord welcomes these developments but believes that it is vital for DMARC adoption to accelerate across sectors, with businesses and governments taking a decisive step to enhance email security. Failing to address this issue exposes internet users everywhere to cyberattacks, and the internet more broadly to systemic cybersecurity challenges. That is why we are committed as a group to advancing our email security policies, and why we encourage other businesses to do the same, with the objective of a more secure internet ecosystem.