
Weak White House email domain security 'poses a national security risk': Study


More than 95 percent of email domains overseen by the Executive Office of the President are at risk of being attacked by phishers and pose a “national security risk,” according to a new study.

Of the 26 email domains managed by the Executive Office of the President, the Global Cyber Alliance found that 18 have not started implementing the Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol, which prevents spammers from attacking email domains in all sectors.

The group said the highest level of DMARC rejects emails if they fail to meet authentication standards. Not implementing DMARC allows scammers and criminals to seize control of a domain, allowing them to access money and threaten national security.

Some of the domains listed in the study include those for the White House, Office of Management and Budget, and Office of the United States Trade Representative.

Of the remaining eight email domains, only Max.gov has implemented the highest level of DMARC to prevent harmful emails from entering inboxes, the study said. Seven have deployed the lowest level of DMARC, which only monitors emails, but does not take any measures to reject spoofed emails.

None of the other domains reached even the second highest level of DMARC, which sends emails that do not meet DMARC’s standards to an inbox’s spam folder.
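The three levels described above correspond to the `p=none`, `p=quarantine` and `p=reject` policy values in a domain's DMARC TXT record, published at `_dmarc.<domain>`. The following is an added example, not code from the study or the Global Cyber Alliance: it classifies already-fetched TXT strings into those levels, following the record-selection rules of RFC 7489. The domains and records in `SAMPLE` are constructed for illustration, and the function names are hypothetical.

```python
from collections import Counter

# Policy tag value -> the level described in the article.
LEVELS = {"none": "monitor only", "quarantine": "spam folder", "reject": "reject"}

def parse_dmarc(txt):
    """Return the tag dict of a DMARC TXT record, or None if it is not one."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    # RFC 7489: the first tag must be exactly v=DMARC1 (case-sensitive).
    if not parts or "".join(parts[0].split()) != "v=DMARC1":
        return None
    tags = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def classify(txt_records):
    """Map the TXT strings found at _dmarc.<domain> to (level, pct)."""
    records = [t for t in map(parse_dmarc, txt_records) if t is not None]
    if len(records) != 1:  # zero or several DMARC records: no policy applies
        return ("not deployed", None)
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy not in LEVELS:
        # Simplified RFC 7489 fallback: reporting address but no valid p acts as p=none.
        return ("monitor only", 100) if "rua" in tags else ("not deployed", None)
    pct = tags.get("pct", "100")
    pct = int(pct) if pct.isdigit() and int(pct) <= 100 else 100
    return (LEVELS[policy], pct)

# Constructed sample data (hypothetical domains, not results from the study).
SAMPLE = {
    "a.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@a.example"],
    "b.example": ["v=spf1 -all", "v=DMARC1; p=none; rua=mailto:dmarc@b.example"],
    "c.example": ["v=DMARC1; p=quarantine; pct=25"],
    "d.example": [],
    "e.example": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
}

def tally(domains):
    """Count domains per level, the way the study summarises its findings."""
    return Counter(classify(records)[0] for records in domains.values())

if __name__ == "__main__":
    for domain, records in SAMPLE.items():
        print(domain, classify(records))
    print(dict(tally(SAMPLE)))
```

A `pct` value below 100 means the stated policy is applied to only that share of failing mail, so a domain at `quarantine` or `reject` with a low `pct` is not yet fully enforcing.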

“Email domains managed by the EOP are crown jewels that criminals and foreign adversaries covet,” Philip Reitinger, president and CEO of the Global Cyber Alliance, said in a statement. “The lack of full DMARC deployment across nearly every EOP email address poses a national security risk that must be fixed.”

“The good news is that four new domains have implemented DMARC at the lowest level, which I hope indicates that DMARC deployment is moving forward,” he added. “The EOP domains that have recently deployed DMARC at its lowest setting include WhiteHouse.gov and EOP.gov, two of the most significant government domains. I hope that the government will move rapidly to block phishing attempts across all EOP domains.”

Last year, the Homeland Security Department ordered all federal agencies to implement DMARC. The directive, issued in October, required that all second-level agency domains have at least the lowest DMARC policy within 90 days, and that the highest DMARC policy be implemented within a year.

The Global Cyber Alliance is a nonprofit organization founded in 2015 by the Manhattan District Attorney’s Office, the City of London Police, and the Center for Internet Security and is designed to combat cyber risk.