Homeland Security orders federal agencies to start encrypting sites, emails

Three-quarters of the federal government uses encryption. Homeland Security says that isn't enough.


Homeland Security is ordering federal agencies to deploy basic web and email security features in an effort to boost cybersecurity across government.

Up until now, Homeland Security had been pushing businesses and enterprise customers to enable HTTPS web encryption across the board, which helps secure data in transit but also ensures that nobody can alter the contents of the website you're visiting. The agency has also pushed DMARC, an email validation system used to verify the identity of an email sender, which helps to protect against inbound spoofed emails and phishing attacks.

Now Homeland Security has set its sights on government agencies, which have for years fallen behind.

The agency has issued a binding operational directive, giving all federal agencies three months to roll out DMARC across their networks. Enabling that email policy will prevent spammers from impersonating federal email addresses to send spoofed email.
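As an added illustration (not code from the article or from Homeland Security), the checker below parses a DMARC TXT record and reports whether it actually enforces a policy: a record with `p=none` only produces reports and does not stop spoofed mail, and `pct` below 100 applies the policy to only a fraction of failing messages. The record strings are constructed samples and no DNS lookup is performed.

```python
"""Assess whether a DMARC record enforces a policy or merely monitors.

Added example with constructed sample records; not from the article.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class DmarcAssessment:
    valid: bool              # record is syntactically a DMARC record
    policy: Optional[str]    # value of the p= tag, if present
    pct: int                 # share of failing mail the policy applies to
    enforcing: bool          # True only when all failing mail is rejected or quarantined
    reason: str


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" not in part:
            continue                      # skip empty or malformed fragments
        key, value = part.split("=", 1)   # values such as mailto: URIs may contain '='
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> DmarcAssessment:
    """Judge a DMARC record the way an auditor checking a directive would."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return DmarcAssessment(False, None, 0, False, "missing or wrong v=DMARC1 tag")
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return DmarcAssessment(False, None, 0, False, "missing or invalid p= tag")
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        return DmarcAssessment(False, policy, 0, False, "pct= is not an integer")
    if policy == "none":
        return DmarcAssessment(True, policy, pct, False,
                               "p=none only reports; spoofed mail is still delivered")
    if pct < 100:
        return DmarcAssessment(True, policy, pct, False,
                               f"only {pct}% of failing mail is subject to p={policy}")
    return DmarcAssessment(True, policy, pct, True,
                           f"p={policy} applied to 100% of failing mail")
```

Feeding it `v=DMARC1; p=none; rua=mailto:dmarc@example.gov` reports a valid but non-enforcing record, which is the case the directive is meant to move agencies past.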

The agency is also requiring all federal agencies to deploy HTTPS within the next four months.

If you thought the government already had that policy, you're not wrong.

In 2015, the Obama administration issued a directive that all federal government sites should be HTTPS by default by the end of 2016. More than two years later, about one-quarter of all federal sites still don't support basic website encryption.

Perhaps ironically, only 70 percent of all Homeland Security domains support HTTPS. Even fewer enforce the encryption by default.

The agency hopes that the remaining non-encrypted sites can get up to speed by early next year.

The order also asks that government agencies use other kinds of encryption on their email servers, such as STARTTLS, a protocol extension that upgrades a mail connection to an encrypted channel whenever the other server supports it.

News of the announcement was lauded by Sen. Ron Wyden, a privacy-minded senator who has been on a crusade to get federal agencies up to speed on security.

Wyden called today's move a "good, basic step" in a statement to ZDNet.

"STARTTLS encryption and anti-phishing technologies like DMARC are two cheap, effective ways to secure email from being intercepted or impersonated by bad guys," he said. "It's my hope that other government agencies recognize the clear security benefits of strong encryption, and that private sector companies move quickly to upgrade their own email security."

Contact me securely

Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755-8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5.
