Cybersecurity Czar Backs Wyden Call for Mandated Government Use of DMARC
President Donald Trump's cybersecurity coordinator Rob Joyce called a request from Sen. Ron Wyden, D-Ore., to require governmentwide use of an email authentication tool, a "great idea." Speaking with reporters after a USTelecom event Wednesday, Joyce said use of the Domain-based Message Authentication, Reporting and Conformance (DMARC) standard (see 1703030015) would better secure agency emails against fraudulent impersonation, and it's exemplifies measuring risk within government.
Sign up for a free preview to unlock the rest of this article
Timely, relevant coverage of court proceedings and agency rulings involving tariffs, classification, valuation, origin and antidumping and countervailing duties. Each day, Trade Law Daily subscribers receive a daily headline email, in-depth PDF edition and access to all relevant documents via our trade law source document library and website.
The Department of Homeland Security should "use its authority under the Federal Information Security Modernization Act to mandate that federal agencies adopt this cybersecurity technology, which will prevent fraudsters from being able to send emails that purport to come from .gov domains," Wyden wrote in a Tuesday letter copied to Joyce. He wants DHS to add DMARC scanning as part of its cyber hygiene program, issue a directive to require executive branch agencies to enable the tool and create a central system with the General Services Administration to receive DMARC reports.
Asked whether increased calls for accountability with heads of government agencies that suffer breaches meant their dismissal, Joyce said breaches will occur and the important thing to focus on is planning. "It's more that you're responsible and accountable for important practices than the binary decision" of whether an agency has been breached, he said. Regarding Secretary of State Rex Tillerson's reported decision to shutter the Office of the Coordinator for Cyber Issues, folding it into another office, Joyce said he is "confident" that the secretary "is not going to impair cybersecurity."
Eliminating the State Department's cyber office "would be folly," Computer & Communications Industry Association President Ed Black said. He said it's "disappointing" the department is dismantling the office "that coordinates with other countries on cyberattacks. This is a time to increase our digital defenses." Black lauded work of Christopher Painter, department cyber coordinator, who's reportedly leaving at month's end.
Joyce, who formerly led NSA’s hacking division, said government made progress since May's executive order aimed at strengthening federal networks and critical infrastructures and addressing rising threats from botnets and automated attacks (see 1612020050, 1612050044 and 1612060049). He told the event the EO is an "initial starting point" that is collecting information and data on risks with progress being made on deterrence and workforce development. "We're moving very fast in terms of government speed," he added, with the cyberthreat "growing" and more investment needed.
Venable attorney Ari Schwartz said during a panel discussion that it's difficult to know whether agencies are keeping pace. He said it's better than five years ago but not enough agencies and others are employing a risk management approach. He said that the EO does a good job of telling the government to get its house in order, something that wasn't the case. Christopher Boyer, AT&T vice president-global policy, said a cybersecurity challenge for industry and government will be finding experts, which depends a lot on an organization's resources.