GDS boosts government security with HTTPS/HSTS and DMARC

News by Roi Perez

The Cabinet Office's Government Digital Service has mandated that all UK government agencies should be using HTTPS and DMARC to increase their online defences.

As of Saturday 1 October, all government departments will be required to use the Domain-based Message Authentication, Reporting & Conformance (DMARC) protocol for all emails sent and received.

The new directive comes from the Cabinet Office's Government Digital Service (GDS) and is intended to detect and reduce malicious emails that spoof the domain to attack citizens and government staff.

In a blog post, GDS said that, “These updates are aimed at maintaining secure services and trust in digital government services. In relation to this, we'll soon be publishing new security content in the Service Manual to help service teams pass the Service Standard. Stay tuned!”

As well as this, all government services are being asked to run on the more secure HTTPS, and GDS mandates that all services use HTTP Strict Transport Security (HSTS). This header tells modern browsers that the service will only use secure connections, so information is always sent encrypted.
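As an added illustration, not code from GDS or from the article: a small Python check of the two settings the mandate covers, whether a domain's DMARC record carries an enforcing policy and whether a service's HSTS header meets the browser preload list's published minimums. The sample record and header are constructed.

```python
# Offline checks for the two controls the mandate covers: a domain's DMARC
# TXT record and a service's HSTS response header.

# Constructed sample inputs, not real government records.
SAMPLE_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.gov.uk; pct=100"
SAMPLE_HSTS = "max-age=31536000; includeSubDomains; preload"


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record ('tag=value; tag=value') into a dict of tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_assessment(record: str) -> str:
    """Return 'reject', 'quarantine', 'monitor-only' or 'invalid'.
    Only p=quarantine or p=reject stops spoofed mail at the receiver;
    p=none just produces reports, so it is flagged as monitor-only."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1" or "p" not in tags:
        return "invalid"
    policy = tags["p"].lower()
    return policy if policy in ("reject", "quarantine") else "monitor-only"


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security header value into its directives."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            directives[key.strip().lower()] = value.strip()
    return directives


def hsts_preload_ready(header: str) -> bool:
    """True when the header meets the preload list's minimums: max-age of at
    least one year (31536000 s), includeSubDomains and preload."""
    d = parse_hsts(header)
    max_age = d.get("max-age", "")
    return max_age.isdigit() and int(max_age) >= 31536000 \
        and "includesubdomains" in d and "preload" in d
```

A service that is reachable only over plain HTTP will fail the HSTS check outright, which is exactly the case GDS warns will stop working once the preload submission goes through.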

GDS said that: “In September, we plan to submit the domain to the browser manufacturers' HSTS preload list. This means that all modern browsers will only ever connect to government services via HTTPS. If your service is only available over unsecured connections, it will stop working in modern browsers once this happens. This may also affect testing environments hosted on”

Patrick Peterson, founding member of DMARC and founder and executive chairman at Agari, said: “Email is the number one entry point for data breaches, and the use of DMARC email authentication protocol for all .gov email domains will greatly reduce the risk of breaches and cyber-attacks. This includes targeted email attacks such as Business Email Compromise (BEC) and spear-phishing, which target governmental staff by impersonating senior officials, and phishing attacks that target members of the public by spoofing the .gov brand.”

According to a press release from DMARC, Her Majesty's Revenue & Customs (HMRC) head of cyber-security, Ed Tucker, has spoken at length about the agency's work implementing DMARC and DKIM.

This is presumably in response to a report in the Telegraph newspaper, which said that HMRC describes itself as the UK's most phished organisation. The report found that thousands of taxpayers have been targeted by fraudsters using fake emails to try to access people's online tax records.

According to the report, in 2015 there were 17,000 fraudulent or incorrect repayment claims to HM Revenue and Customs, potentially worth up to £100 million in total. HMRC said it has closed 22,210 fake websites since 2014.

Having worked with DMARC for the past few years, Tucker said HMRC has been able to “rebuild trust and retake the email channel.”

Peterson continued: “DMARC has a proven track record for success. Ciaran Martin, director-general cyber GCHQ, recently cited an example of DMARC stopping 58,000 daily malicious emails from an account named during its first trial, for example. A new generation of UK citizens expects a range of digital services which are more convenient, less costly and green. Email is a key underpinning of these digital services and this initiative ensures the government can operate efficiently and keep UK citizens safe.”
