The United Kingdom may have the most forward-looking policies and deployment plans of any major government. Last week, Chancellor of the Exchequer Philip Hammond announced a £1.9 billion national cyber security strategy that includes a broad series of measures and will continue a series of improvements in email security that the UK government has undertaken over the past several years.
“From speaking with businesses and government agencies in the UK, they’ve gone beyond questions of protecting their own domains, their own messages. They’re looking holistically at how to protect all UK citizens and businesses online, and how to make that a competitive advantage for the UK economy,” said Steve Jones, executive director of DMARC.org. Mr. Jones has just finished two weeks of events and meetings in Europe and the UK.
The Dutch government made early moves to recommend and require the use of DKIM and DMARC, and Dutch companies like XS4ALL and MailMerk have been early and strong proponents of email authentication. In Germany, the federal BSI and eco.de’s Certified Senders Alliance (CSA) have recommended DMARC and shown that DMARC reporting is compatible with German federal and state privacy laws (documented in German). The CSA is also requiring member firms to adopt strong authentication measures to continue membership in its programs.
But as important as those announcements have been, over the past several years the UK has built from effective trials, to clear policies, to broad deployment plans – and has a vision of improving email security across the nation.
Several years ago, Ed Tucker, head of cyber security at the UK’s Her Majesty’s Revenue and Customs (HMRC), warned that strong measures had to be taken to ensure that email was not rendered useless as a communications channel by spam and phishing. HMRC undertook a lengthy process to implement email authentication for what it has described as “one of the most phished brands in the world.” That process proved effective, and along the way produced the advice site CISO Central to promote the practices HMRC had developed as well as best practices gathered from around the world. These early measures led to massive reductions in email impersonating the tax and customs service.
The HMRC program provided valuable guidance and inspiration for the Government Digital Service (GDS), part of the United Kingdom’s Cabinet Office, which devised and announced a program to bring email authentication and strong web connection security to all UK government websites. In June 2016 the GDS announced that these standards would have to be met by October 1st of this year.
While this was occurring, the government’s communications intelligence and security organization, GCHQ, was working with other departments to make these practices a baseline for the UK government and industry. The National Cyber Security Centre (NCSC) has been formed to provide a coordinating body for these and other efforts. It has mandated the use of DKIM, SPF and DMARC by all government departments, and is producing a dashboard to support this program and ongoing verification.
These plans are reinforced by last week’s announcements, and NCSC will expand its programs to protect DNS and the lower-level routing information exchanged through the Border Gateway Protocol (BGP). In total, the goal is no less than to make the UK one of the “safest places in the world to do business.”