DMARC inching its way onto Australian government domains
Domain-based Message Authentication, Reporting & Conformance (DMARC) is one of the simplest ways to prevent email spoofing, a technique used in phishing campaigns and business email compromise scams: it lets a receiving mail server verify whether an incoming email actually comes from the domain it claims to be sent from.
As of the end of 2018, only 5.5% of Australian government domains implemented DMARC, but that is set to change.
Thanks to Labor Senators asking seemingly every Australian government agency on the state of DMARC implementations, it is possible to have some idea how much progress has been made.
Of the responses made so far, the most important would be that of the Department of Parliamentary Services (DPS), which provides IT services to a number of other agencies.
On whether DMARC was “fully implemented”, DPS said it wasn’t complete yet, but it had money for the job.
“Implementation of DMARC is funded as part of DPS’ capital budget for 2020-21,” the department said.
Other agencies were more forthcoming, with ASC, formerly known as the Australian Submarine Corporation, stating that it had reached a stage where it honours the DMARC records of others, but had yet to publish its own DMARC DNS record.
Similarly, the Office of the Official Secretary to the Governor-General said its domains were in notification mode thanks to a recent Australian Cyber Security Centre (ACSC) assessment, and the actual implementation was by the “Office’s whole-of-government secure internet gateway provider”.
“The Office acts on advice from ACSC as part of its participation in their Cyber Uplift for Federal Government Systems program. ACSC have recommended that this is an effective mitigation against the threat of phishing emails,” it said.
Another set of agencies, such as the National Australia Day Council, swerved around answering any questions related to DMARC.
“Publicly reporting on individual agency’s compliance with the Essential 8/Top 4 or specific cyber mitigations in response to these questions on notice would provide a snapshot in time of the entire Federal Government’s cyber security maturity and as a result, may provide a heat map for vulnerabilities that malicious actors may exploit and thus increase an agency’s risk of cyber incidents,” the Council said.
A quick check shows the Council does have DMARC turned on.
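The “quick check” referred to above amounts to reading the TXT record published at `_dmarc.<domain>` and seeing which policy it declares. The following Python script is an added illustration, not code from the article or from any agency: it parses such a record and classifies it into the states the article distinguishes (no record published, notification/monitoring mode, partial enforcement, full enforcement). The domain names and records are constructed samples, and the default resolver reads them from a dictionary so the script runs offline; a real lookup would query the TXT record at `_dmarc.<domain>`.

```python
"""Assess the posture of a domain's DMARC record (offline, constructed samples)."""

# Constructed sample TXT records for hypothetical domains; none belong to a real agency.
SAMPLE_RECORDS = {
    "monitoring.example.gov.au": "v=DMARC1; p=none; rua=mailto:dmarc-agg@monitoring.example.gov.au",
    "strict.example.gov.au": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:agg@strict.example.gov.au",
    "partial.example.gov.au": "v=DMARC1; p=quarantine; pct=25; rua=mailto:agg@partial.example.gov.au",
    "broken.example.gov.au": "p=reject; rua=mailto:agg@broken.example.gov.au",  # missing v= tag
    "unpublished.example.gov.au": None,  # no TXT record at _dmarc.<domain>
}


def parse_dmarc(txt):
    """Split a DMARC TXT record into a lowercase tag -> value dict.

    Returns None when the text is not a syntactically valid DMARC record:
    RFC 7489 requires 'v=DMARC1' as the first tag and a 'p' (policy) tag.
    """
    if txt is None:
        return None
    tags = {}
    order = []
    for chunk in txt.split(";"):
        chunk = chunk.strip()
        if not chunk:
            continue
        if "=" not in chunk:
            return None
        key, value = chunk.split("=", 1)
        key = key.strip().lower()
        tags[key] = value.strip()
        order.append(key)
    if not order or order[0] != "v" or tags["v"].upper() != "DMARC1" or "p" not in tags:
        return None
    return tags


def assess(txt):
    """Classify a record's enforcement posture.

    'monitoring' is the notification-only state (p=none) the article mentions;
    'enforcing' means quarantine or reject applied to 100% of failing mail.
    """
    if txt is None:
        return {"status": "no-record", "enforcing": False, "reporting": False}
    tags = parse_dmarc(txt)
    if tags is None:
        return {"status": "invalid-record", "enforcing": False, "reporting": False}
    policy = tags["p"].lower()
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        pct = 0
    reporting = "rua" in tags  # aggregate reports requested
    if policy == "none":
        status = "monitoring"
    elif policy in ("quarantine", "reject") and pct >= 100:
        status = "enforcing"
    elif policy in ("quarantine", "reject"):
        status = "partial-enforcement"
    else:
        status = "invalid-record"
    return {
        "status": status,
        "policy": policy,
        "pct": pct,
        "enforcing": status == "enforcing",
        "reporting": reporting,
    }


def assess_domain(domain, resolver=SAMPLE_RECORDS.get):
    """Look up and assess the DMARC record for a domain.

    The default resolver reads the constructed samples; a real resolver would
    return the TXT record found at _dmarc.<domain>, or None if there is none.
    """
    return assess(resolver(domain))


if __name__ == "__main__":
    for name in SAMPLE_RECORDS:
        print(f"{name:32} {assess_domain(name)['status']}")
```

The distinction the script draws matters for the agencies quoted: a domain that only honours other domains' DMARC records, or that publishes `p=none`, gains reporting visibility but does not yet stop spoofed mail bearing its name.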
Agencies were much more evasive about what steps they had taken following Prime Minister Scott Morrison’s press conference in June, where he said Australia was under attack from state-based actors; they said that responding to the 16 questions on this topic would provide a vulnerability heat map.
One of the usually more secretive agencies, the Office of National Intelligence (ONI), did provide some detail in its response.
“The primary ONI IT systems are accredited to meet PSPF and ISM policy requirements for classified information systems. In addition, these IT systems meet the Australian Cyber Security Centre (ACSC) Essential 8 security controls to a high maturity level,” it said.
“Subsequent to the ACSC threat reporting of said cyber attack against government systems, and in accordance with the ACSC Cyber Uplift initiatives, ONI conducted a qualitative compliance assessment against the Essential 8 security controls.
“Further details of ONI’s information technology security cannot be provided in an unclassified forum, as it goes to matters of national security.”
ONI reused the last paragraph when avoiding answering whether it had a DMARC record.
Last week, the Department of Parliamentary Services dragged its Parlview tool into the modern age, when it finally dropped the use of Flash.
DPS told ZDNet the new version would reduce the playback delay between its HTML5 real-time stream and Parlview, add screen captions, and make searching more accurate.
Sayonara Flash Parlview, your playback-resetting and browser-crashing antics will not be missed.