Report: Insecure Contractor Emails Leave Government Vulnerable

Federal IT contractors aren’t using an email security tool that’s now mandated for agencies.

Out of 50 top government information technology contractors, 49 aren’t completely securing their email systems against spoofing and phishing attacks, according to a study released Wednesday.

Only one of those contractors, Engility, is rejecting spam and phishing emails that use its domains entirely. Another, Tetra Tech, is warning recipients those emails are questionable and possibly sending them to spam or quarantine folders, according to research from the Global Cyber Alliance, a cybersecurity advocacy organization.

Because contractors exchange frequent emails with federal employees, the lack of protection for contractor emails makes government more vulnerable to phishing attacks from nation-state and criminal hackers.

The tool, called DMARC, queries a sender’s email domain—irs.gov, for example—and asks whether a message from a given sender—say, darryl.strawberry@irs.gov—is legitimate. If the domain says the sender is illegitimate, DMARC can send the email to the recipient’s spam folder or decline to deliver it entirely.

The Homeland Security Department ordered federal agencies to install DMARC across all their domains beginning in October. Just about two-thirds of agencies had installed the tool as of February, however, according to a study by the email security company ValiMail.

The remaining 48 of the top 50 contractors in the Global Cyber Alliance study either had not installed DMARC, installed it incorrectly or configured it only to monitor phony emails, not to do anything about them.
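How a receiving mail server reads a domain's published DMARC record and turns it into the outcomes the article describes (no record, a broken record, monitor only, quarantine, reject) can be shown in a short script. The following Python is an added example, not code from the article or from the Global Cyber Alliance's study; the domain names and DNS TXT records in it are constructed placeholders rather than the real records of any company named above, and the bucket labels follow the article's wording rather than any formal scoring scheme.

```python
"""Classify DMARC TXT records into the buckets the article describes.

Added example, not part of the article or of the Global Cyber Alliance's
study. All domains and TXT records below are constructed placeholders.
"""

# Buckets: no record at all, a record that does not parse as DMARC,
# monitor-only (p=none), and the two enforcing policies.
NO_RECORD = "not installed"
INVALID = "installed incorrectly"
MONITOR_ONLY = "monitor only (p=none)"
QUARANTINE = "quarantine"
REJECT = "reject"

ENFORCING = {"quarantine": QUARANTINE, "reject": REJECT}


def parse_dmarc(record):
    """Split a DMARC TXT record into a dict of lowercase tag -> value.

    Returns None when a tag lacks '='. A record written without the
    separating semicolons collapses into one oversized 'v' value, which
    the caller then rejects because it is not exactly 'DMARC1'.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def classify(record):
    """Map a domain's DMARC TXT record (None if absent) to a bucket."""
    if record is None:
        return NO_RECORD
    tags = parse_dmarc(record)
    # RFC 7489: the record must begin with v=DMARC1 and carry a p= tag
    # whose value is none, quarantine or reject.
    if tags is None or tags.get("v") != "DMARC1":
        return INVALID
    policy = tags.get("p", "").lower()
    if policy != "none" and policy not in ENFORCING:
        return INVALID
    # pct= caps how much failing mail the policy applies to; an enforcing
    # policy with pct=0 enforces nothing, so it is effectively monitoring.
    pct = tags.get("pct", "100")
    if not pct.isdigit():
        return INVALID
    if policy == "none" or int(pct) == 0:
        return MONITOR_ONLY
    return ENFORCING[policy]


def disposition(record, aligned):
    """What a DMARC-checking receiver does with one inbound message.

    `aligned` is True when SPF or DKIM passed for an identifier aligned
    with the From: domain, the check the article paraphrases as asking the
    domain whether the sender is legitimate. Only failing messages are
    acted on, and only when the domain publishes an enforcing policy.
    """
    bucket = classify(record)
    if aligned or bucket not in (QUARANTINE, REJECT):
        return "deliver"
    return bucket


# Constructed sample data: placeholder domains, not any real company's DNS.
SAMPLE_RECORDS = {
    "reject.example": "v=DMARC1; p=reject; rua=mailto:dmarc@reject.example",
    "quarantine.example": "v=DMARC1; p=quarantine; pct=100",
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "fake-reject.example": "v=DMARC1; p=reject; pct=0",
    "typo.example": "v=DMARC1; p=rejct",
    "nosemicolon.example": "v=DMARC1 p=reject",
    "absent.example": None,
}


def tally(records):
    """Count domains per bucket, the kind of figure the study reports."""
    counts = {}
    for rec in records.values():
        bucket = classify(rec)
        counts[bucket] = counts.get(bucket, 0) + 1
    return counts


if __name__ == "__main__":
    for domain, rec in SAMPLE_RECORDS.items():
        print(f"{domain:22} {classify(rec)}")
    print(tally(SAMPLE_RECORDS))
```

The `pct=0` case is worth the extra branch: a record that reads `p=reject` but applies to zero percent of mail looks enforcing at a glance yet behaves exactly like `p=none`, which is one way a domain ends up in the "configured only to monitor" bucket without its owners realising it.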

The list of companies that have not installed top DMARC protection includes a who’s who of major government players such as Lockheed Martin, Boeing, Raytheon and CSRA.

The list is based on a tally from the publication Washington Technology, which is based, in turn, on the value of 2016 contracts on which the company is a prime contractor. That means the list excludes the value of companies’ subcontracting work.

DMARC must be in place on both the sending and the receiving email systems to work. If it is, the tool will both prevent federal employees from opening phishing emails from spoofed accounts and prevent digital miscreants from spoofing federal domains to trick people into opening malicious emails.

More than 80 percent of commercial email inboxes are protected by DMARC because it’s standard among major providers including Google, Yahoo and Microsoft. Therefore, installing DMARC on government and contractor systems makes it far more difficult to use those domains to target citizens’ personal accounts with phishing attacks or to use commercial email domains to target agencies and contractors.

“Government contractors should shore up their defenses and adopt DMARC to protect against being targeted and to protect their government clients, with whom they exchange email,” Global Cyber Alliance CEO Philip Reitinger said in a statement.

“We know that the vast majority of attacks start with a phishing email. DMARC should be an operational standard to reduce the risk,” said Reitinger, who was formerly a top cyber official at the Homeland Security Department.

The Global Cyber Alliance formed in 2015 as a partnership between the New York District Attorney’s Office, the Center for Internet Security, which runs a cyber threat sharing center for U.S. state and local governments, and the City of London Police to advance global cyber protections.

Those founding organizations currently provide all of the alliance’s funding. Future funding will come from other government entities, foundations and public-private partnerships, a spokesman said.

This story has been corrected to accurately describe Engility's DMARC policy.