Ed Tucker is not all that worried about Fancy Bears or Cuddly dogs. He's worried about emails.
Not just any emails. Phishing emails. The kind that impersonate Her Majesty's Revenue and Customs (HMRC), otherwise known as the UK's tax collection authority.
As head of cyber-security at HMRC, his job is to make sure 50 million UK taxpayers can communicate securely with the authority. The flood of phishing emails that those taxpayers receive, claiming to be from the authority, makes that a problem.
Tucker has spent the last three years implementing the email authentication protocol Domain-based Message Authentication, Reporting and Conformance (DMARC) across the HMRC with great success.
DMARC is an email authentication standard. The domain owner publishes a policy in DNS that states which mail servers are allowed to send messages on the organisation's behalf and what receivers should do with messages that fail the check. If an email passes the checks it is deemed legitimate and delivered. If it fails under a "reject" policy it is deemed fraudulent and is not delivered.
SC Media UK met up with Tucker at the HMRC offices on 100 Parliament Street in London to dig deeper into his herculean mission of implementing DMARC.
He is eager to talk about his drive to protect HMRC customers from phishing attacks: “People don't understand the scale of phishing globally. The bigger the brand, the more abuse that happens, due to the size of the customer base.”
Tucker said, “We wanted to give our customers a better experience. So we knew that had to stop.”
HMRC collects around half a trillion pounds on behalf of the British government, and Tucker said that he set off on the challenge with the mindset that HMRC must communicate with its customers safely: “If the [tax] email didn't come from hmrc.gov.uk, it shouldn't be getting into anyone's inbox.”
This is especially true during the tax return period, when many customers are busy using their online Personal Tax Account to submit their returns. This is phishing season for criminals trying to exploit taxpayers, notifying them of a rebate and advising them to click on some suspicious link to claim it.
“I've been a DMARC supporter for over three years now,” Tucker told SC, “and I was probably the first person across UK Government to start talking about DMARC. To finally land it on hmrc.gov.uk, our by far most abused domain, was a really beautiful moment. When we activated it, we really felt like we had achieved something.”
Tucker said that one of the biggest challenges in implementing the standard was figuring out how to carry out the work without disrupting HMRC's huge workforce.
“Getting DMARC into Reject mode on hmrc.gov.uk has been an absolute labour of love,” said Tucker.
With all the various facets of HMRC's email structure, it wasn't easy to understand exactly where genuine email was sent from. From there, rationalising the domains and subdomains also proved a challenge: “These two aspects were, for us, the major overhead. Once we'd done that, the easy bit at the end was changing the TXT record over from Monitor to Reject to finally prevent the spoofing of hmrc.gov.uk.”
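The two mechanics the article relies on, the published policy deciding which senders are legitimate and the switch from a monitor-only policy to reject, can be shown with a small DMARC evaluator. This is an added illustration, not HMRC's code and not a full RFC 7489 implementation; the two records, the `example.gov.uk` domain and the SPF/DKIM results fed in are constructed placeholders, and the organisational-domain lookup is a crude stand-in for the Public Suffix List.

```python
from typing import Optional

# Constructed example records (placeholders, not HMRC's real DNS data).
# "Monitor" mode: receivers report failures but still deliver the mail.
MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.gov.uk"
# "Reject" mode: receivers drop mail that fails authentication.
REJECT_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=r; pct=100; "
                 "rua=mailto:dmarc-reports@example.gov.uk")


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict, filling in RFC 7489 defaults.
    Sampling with pct<100 is parsed but not modelled here."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: missing v=DMARC1")
    if "p" not in tags:
        raise ValueError("DMARC record has no p= policy tag")
    tags.setdefault("sp", tags["p"])   # subdomain policy defaults to p
    tags.setdefault("adkim", "r")      # relaxed alignment unless adkim=s
    tags.setdefault("aspf", "r")
    tags.setdefault("pct", "100")
    return tags


def organizational_domain(domain: str) -> str:
    """Crude organisational-domain guess: last two labels, or three when the
    public suffix itself has two parts (gov.uk, co.uk, ...). A real receiver
    would consult the Public Suffix List instead of this hard-coded set."""
    labels = domain.lower().rstrip(".").split(".")
    two_part_suffixes = {"gov.uk", "co.uk", "org.uk", "ac.uk", "nhs.uk"}
    if len(labels) >= 3 and ".".join(labels[-2:]) in two_part_suffixes:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment between the visible From: domain and the domain
    that SPF or DKIM actually authenticated. Strict (s) needs an exact match,
    relaxed (r) only needs the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def evaluate(record: str, from_domain: str, spf_pass_domain: Optional[str],
             dkim_pass_domain: Optional[str]) -> dict:
    """Decide what a receiving server does with one message.
    spf_pass_domain:  the MAIL FROM domain if SPF passed, else None.
    dkim_pass_domain: the d= domain of a passing DKIM signature, else None."""
    policy = parse_dmarc(record)
    spf_ok = aligned(from_domain, spf_pass_domain, policy["aspf"])
    dkim_ok = aligned(from_domain, dkim_pass_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return {"dmarc": "pass", "disposition": "deliver"}
    # Authentication failed: p= applies to the organisational domain itself,
    # sp= to its subdomains.
    is_subdomain = from_domain.lower() != organizational_domain(from_domain)
    applied = policy["sp"] if is_subdomain else policy["p"]
    disposition = {"none": "deliver", "quarantine": "quarantine",
                   "reject": "reject"}[applied]
    return {"dmarc": "fail", "disposition": disposition, "policy_applied": applied}


if __name__ == "__main__":
    # A spoofed message with no valid SPF or DKIM: delivered under Monitor,
    # dropped under Reject.
    print(evaluate(MONITOR_RECORD, "example.gov.uk", None, None))
    print(evaluate(REJECT_RECORD, "example.gov.uk", None, None))
    # A genuine bulk sender on a subdomain passes via relaxed SPF alignment.
    print(evaluate(REJECT_RECORD, "example.gov.uk", "bulk.example.gov.uk", None))
```

The point the article makes about the "easy bit" is visible in the code: once every legitimate sender aligns (the `spf_ok or dkim_ok` branch), the only thing that changes between the two records is the `p=` value, which flips the failed-authentication branch from `deliver` to `reject`. Everything before that, knowing which servers send genuine mail and putting bulk senders on sensible subdomains, is what makes the flip safe.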
“We used a third party to help analyse the good and the bad emails and gather evidence of where everything was coming from. We knew it was a huge task.”
Tucker also said that a big part of the process was tidying up HMRC's domain structure: “When you understand where all your email gets sent from, ensuring which should be on subdomains, and generally implementing a better structure, it makes your domains cleaner. Getting all that work done first made the last bit really easy.”
Ultimately, “the bad guys backed off.” As a result of Tucker's work, the number of spam emails claiming to be from HMRC has reduced by 300 million this year. That is a significant decrease from the half a billion phishing emails sent to customers purporting to come from an ‘@hmrc.gov.uk’ email address in each of 2014 and 2015.
The other by-product of such a large reduction in phishing emails is that it “has allowed us to concentrate on focusing and investigating the things that matter: the process of determining what we need to investigate, where we look at mail headers, URLs and domains.”
“We have a great pre-existing relationship with Nominet too, so it's no issue for us to get domains taken down, and buy domains and park them so no one is able to maintain domains which are similar to our hmrc.gov.uk.”
Having won such a battle, he says, “People will never leave HMRC alone because we have 50 million customers.” But, added Tucker, “we can make those criminals' jobs as difficult as possible, and force them into using more spurious domains for this purpose, giving our customers a better chance to spot the phish. Sadly you'll never end phishing as it's too lucrative a business for the criminals. We just have to make things difficult and affect their ROI.”
Tucker recognises that the implementation of DMARC isn't a panacea, but he's proud that, for once, a security measure he implemented could be counted as an ‘enabler’.
In late 2016 Tucker won UK Security Professional of the Year, not just for his dedication to building security for HMRC, but for his massive contribution to shared best practice within the wider security world.
Tucker and his team were also highly commended in the Cyber Security Project of the Year for HMRC's Cyber Security Command Centres. HMRC's cyber-team was recognised for designing, building and launching the Command Centres, and for using integrated new technologies to further mitigate the threat to its digital services, transforming HMRC's ability to protect customers and systems.
Tucker isn't resting on his laurels though. “We're quite proud of what we've achieved, and we're now working with other government departments to help them carry out the same process,” said Tucker.
Tucker assured SC that “there are plenty of organisations that are also just as ripe for phishing.” HMRC was the first to do this, Tucker explained, “and because there were no manuals, we had to write our own and we're now sharing it with other departments such as the Department for Work and Pensions, the Ministry of Justice and the Foreign and Commonwealth Office.”
Tucker and HMRC were among the first organisations to work with the National Cyber Security Centre. As one of the first departments to apply the DMARC control, HMRC is now at the forefront of contributing to the delivery of the Active Cyber Defence Programme, an essential part of the government's National Cyber Security Strategy.
Tucker explained that he had been a long-term friend of the NCSC's technical director, Ian Levy, who pushed for the implementation of DMARC at HMRC to prove that it worked.
Tucker's next challenge is to figure out how to cut down on SMS phishing, which also targets HMRC customers.
Tucker is investigating how the sender identifier carried by SMS messages, the Transmission Path Originating Address (TPOA), could be controlled so that HMRC customers are not sent fake texts.
Tucker explained, “Unlike email, where I can apply controls to determine legitimate from fraudulent, SMS offers no controls to prevent spoofing of an organisation. It's all down to TPOA spoofing, where criminals can freely send fraudulent SMS messages claiming to be ‘HMRC’ and there is nothing technically I can do to stop them.”
“We really need the mobile industry to recognise this issue as it is rising significantly. We've set up a shortcode, 60599, so that customers can forward fraudulent texts to us, but in terms of prevention we need collaboration from the mobile industry. We can't allow SMS to become as abused as email.”
Looking to the future, Tucker thinks we should all be concentrating on the skills gap. He claims that many university courses simply aren't arming students with enough practical knowledge of how to solve real-world cyber-security issues, and that the security industry itself lacks enough experienced practitioners for them to truly learn from.
Tucker is a believer in educating the young about the risks the online world poses. He claims that children don't understand the risks posed by social media and that adults are simply turning their heads the other way when it comes to protecting their children.
Speaking emphatically, Tucker concluded: “We need to ensure our children are safe, as they are the workforce of the future. The Children's Commissioner has brought the issues to the fore and it is incumbent on all of us to do our part in solving the real cyber-skills gap.”

Tucker is currently working with leaders across child exploitation, online safety, education and social care to try to bridge that gap: “This is my next labour of love, not just as a security professional, but as a parent!”