The U.S. government wants to make it harder for hackers to spoof government emails.
On Monday, the Department of Homeland Security directed federal agencies to implement better security protocols on government emails and websites.
Agencies will be required to use DMARC, or Domain-based Message Authentication, Reporting and Conformance, a technology that helps prevent email spoofing, that is, impersonating a government agency by forging the sender address on an email. DMARC builds on two older checks, SPF and DKIM: a domain owner publishes a policy in DNS telling receiving mail servers what to do with messages that claim to come from the domain but fail those checks. Further, every federal website must be accessible through a secure connection -- that is, HTTPS instead of HTTP.
"We really think these two very simple-to-enable steps can have a dramatic influence in reducing common vulnerabilities that are commonly exploited by actors," said Jeanette Manfra, the Assistant Secretary for Cybersecurity and Communications at DHS.
Hackers often forge the sender address on an email to fool someone into clicking a phishing link that appears to come from a trusted domain. DMARC can help prevent that: the receiving mail system checks that the domain in the message's From: header matches the domain validated by SPF or DKIM, and applies the domain owner's published policy (monitor, quarantine or reject) when it does not. Research shows that organizations using the protocol receive only about 23% as many email threats as those that don't, meaning spoofed emails are caught more often.
Agencies have 90 days to implement the new email protocols, initially with DMARC in monitoring mode (a reject policy is required within a year), and 120 days for the new web security standards. DHS issued the orders as Binding Operational Directive 18-01, which does not apply to certain national security systems.
Senator Ron Wyden, an Oregon Democrat, has pushed for stricter communications security. In July, Wyden sent a letter to Manfra asking DHS to mandate DMARC adoption across the federal government. He has also called on the government to require STARTTLS on government email. STARTTLS is not a new kind of encryption but an SMTP extension that lets two mail servers upgrade a plaintext connection to an encrypted TLS session, so messages cannot be read in transit; because the upgrade is opportunistic, it protects against passive eavesdropping but not against an attacker on the path who strips the STARTTLS offer. Monday's directive requires agencies to implement that, too.
"I've been pushing federal agencies to take cybersecurity seriously, and today's new policy is a good, basic step," Wyden said in a statement. "STARTTLS encryption and anti-phishing technologies like DMARC are two cheap, effective ways to secure email from being intercepted or impersonated by bad guys. It's my hope that other government agencies recognize the clear security benefits of strong encryption, and that private sector companies move quickly to upgrade their own email security."
A few agencies already publish a DMARC policy, including the Federal Trade Commission and the Social Security Administration.
Last summer an "email prankster" sent a number of fake emails to White House officials purporting to be from Jared Kushner, senior adviser to the president. The new email security won't prevent those types of emails -- anyone can create a Gmail or Outlook account with any display name, and DMARC checks only the domain in the From: address, not the name shown next to it -- but it does let receiving mail systems reject an email that claims to come from an official White House email address when the sender has not been authenticated for that domain.
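The checks described above, both what DMARC catches (a forged whitehouse.gov sender) and what it cannot (a real gmail.com account with a borrowed display name), as an added Python example that is not code from the article or from DHS. It models a receiving mail server applying a sender domain's policy; DNS lookups and SPF/DKIM verification are replaced by constructed inputs, and the record contents, addresses and verdicts are hypothetical stand-ins, not the real records of those domains.

```python
"""
Added example, not code from the article or from DHS: a minimal model of how a
receiving mail server applies a sender domain's DMARC policy. DNS lookups and
SPF/DKIM verification are replaced by constructed inputs; the domain names,
record contents and messages below are hypothetical stand-ins.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-ins for the TXT record a receiver would fetch at _dmarc.<domain>.
# The contents are hypothetical, not these domains' real published records.
DMARC_RECORDS = {
    "whitehouse.gov": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc-rua@whitehouse.gov",
    "example.gov": "v=DMARC1; p=none; sp=quarantine; rua=mailto:reports@example.gov",
    "gmail.com": "v=DMARC1; p=none",
}


def parse_dmarc(txt: str) -> Optional[dict]:
    """Parse a DMARC TXT record into its tags; None if it is not a valid DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return None
    tags.setdefault("adkim", "r")   # alignment modes default to relaxed
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain. Naive last-two-labels rule; real receivers use the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(header_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return header_domain.lower() == auth_domain.lower()
    return org_domain(header_domain) == org_domain(auth_domain)


def lookup_policy(domain: str, records: dict) -> Optional[dict]:
    """Policy for a From: domain, falling back to the org domain's 'sp' tag for subdomains."""
    policy = parse_dmarc(records.get(domain, ""))
    if policy:
        return policy
    org = org_domain(domain)
    if org != domain:
        policy = parse_dmarc(records.get(org, ""))
        if policy:
            policy = dict(policy)
            policy["p"] = policy.get("sp", policy["p"])   # subdomain policy, if published
            return policy
    return None


@dataclass
class Message:
    """What a receiver knows after SPF and DKIM checks (constructed; no real verification here)."""
    from_header: str               # RFC5322.From, the address the recipient sees
    mail_from_domain: str          # RFC5321.MailFrom domain that SPF was evaluated against
    spf_pass: bool
    dkim_domain: Optional[str]     # d= of a DKIM signature that verified, or None
    dkim_pass: bool


def from_domain(from_header: str) -> str:
    """Domain part of 'Display Name <user@domain>' or 'user@domain'."""
    addr = from_header.rsplit("<", 1)[-1].rstrip(">").strip()
    return addr.rsplit("@", 1)[-1].lower()


def evaluate_dmarc(msg: Message, records: dict = DMARC_RECORDS) -> Tuple[str, str]:
    """Return (dmarc_result, disposition): result is 'pass', 'fail' or 'none' (no policy)."""
    hdom = from_domain(msg.from_header)
    policy = lookup_policy(hdom, records)
    if policy is None:
        return ("none", "deliver")
    # DMARC passes if either authenticated identifier aligns with the From: domain.
    spf_ok = msg.spf_pass and aligned(hdom, msg.mail_from_domain, policy["aspf"])
    dkim_ok = msg.dkim_pass and msg.dkim_domain is not None and aligned(hdom, msg.dkim_domain, policy["adkim"])
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    disposition = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return ("fail", disposition.get(policy["p"], "deliver"))


# Constructed messages (hypothetical addresses and verdicts). In the first one SPF passes
# for the attacker's own envelope domain, which does not align with the forged From: domain.
SPOOFED_WHITEHOUSE = Message("Jared Kushner <jared@whitehouse.gov>", "bounce.attacker.example",
                             spf_pass=True, dkim_domain=None, dkim_pass=False)
LEGIT_WHITEHOUSE = Message("jared@whitehouse.gov", "mail.whitehouse.gov",
                           spf_pass=True, dkim_domain="whitehouse.gov", dkim_pass=True)
LOOKALIKE_GMAIL = Message("Jared Kushner <jared.kushner.eop@gmail.com>", "gmail.com",
                          spf_pass=True, dkim_domain="gmail.com", dkim_pass=True)
SPOOFED_MONITOR_ONLY = Message("director@example.gov", "bounce.attacker.example",
                               spf_pass=True, dkim_domain=None, dkim_pass=False)
SPOOFED_SUBDOMAIN = Message("alerts@notify.example.gov", "bounce.attacker.example",
                            spf_pass=True, dkim_domain=None, dkim_pass=False)


def demo() -> dict:
    """Evaluate each constructed message; returns {name: (result, disposition)}."""
    return {
        "spoofed whitehouse.gov": evaluate_dmarc(SPOOFED_WHITEHOUSE),
        "legitimate whitehouse.gov": evaluate_dmarc(LEGIT_WHITEHOUSE),
        "lookalike gmail.com": evaluate_dmarc(LOOKALIKE_GMAIL),
        "spoofed example.gov (p=none)": evaluate_dmarc(SPOOFED_MONITOR_ONLY),
        "spoofed notify.example.gov (sp=quarantine)": evaluate_dmarc(SPOOFED_SUBDOMAIN),
    }


if __name__ == "__main__":
    for name, (result, action) in demo().items():
        print(f"{name:45s} dmarc={result:4s} -> {action}")
```

The forged whitehouse.gov message is rejected even though SPF passed, because the passing domain is the attacker's own and does not align with the From: domain. The gmail.com lookalike passes cleanly: it really was sent through Google, and DMARC has no opinion about display names. The example.gov case shows why the directive's monitoring-only phase is only a first step: with p=none the forgery is reported but still delivered, while the subdomain case shows the separate sp tag taking over for alerts@notify.example.gov. The model omits the pct tag, aggregate reporting and the Public Suffix List rules a production receiver would apply.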
DHS also hopes the move will compel businesses and organizations to adopt stronger email security. According to a report from the Global Cyber Alliance, even top security firms don't publish DMARC policies for their own domains. On the receiving side, however, the protocol is already enforced by providers covering 85% of consumer inboxes, including Google and Yahoo, which use it to protect users from fraudulent emails.
"Cybersecurity can be a complex and sometimes overwhelming area for people to think about," Manfra said. "What we're trying to focus on at DHS is: What are tangible things that people can do, that enterprises and organizations can do, that will have these broad, scalable consequences to improve security of the internet as a whole?"