Let’s reclaim email, says HMRC cyber security head

Government and industry must tackle spam to reclaim email as a communications channel, says head of cyber security at HMRC

Government and industry must tackle spam to reclaim email as a communication channel, according to Edward Tucker, head of cyber security at HM Revenue & Customs.

“We are losing the ability to use email because spam degrades it as a communication channel,” he told Whitehall Media’s Govsec 2014 conference in London.

As a guide to the public service and wider organisations, HMRC is compiling a whitepaper on how to implement the controls it is putting in place to combat fraudulent email.

But the long-term plan is to reclaim email as a communication channel, said Tucker.

“The decision has yet to be finalised, but HMRC is looking at ways of using secure emails and links, which will have to be backed up with an innovative education to enable taxpayers to identify legitimate emails from HMRC,” he said.

In the interests of security, HMRC does not email taxpayers directly about any personal or business tax information, but Tucker said this is inconvenient because it could be an effective way of communicating.

The challenge, he said, is that spam is a component of most malware campaigns, with the UK being one of the most targeted countries in the world.

According to a recent study by security firm Proofpoint, the UK is targeted by three times as many phishing links to Trojans and exploit kits as the US, and five times as many as Germany.

To tackle the problem of fraudulent emails purporting to be from HMRC, the government department has adopted a blended approach of technical controls, active monitoring, takedown services and policies.

HMRC is in the process of implementing the three main technical controls available for ensuring fraudulent emails are eliminated by internet service providers (ISPs).

The three controls are the sender policy framework (SPF), DomainKeys Identified Mail (DKIM) and the domain-based message authentication, reporting and conformance (DMARC) specifications.

So far, SPF and DMARC have resulted in 94% to 100% of fraudulent emails being eliminated by ISPs, with the 6% failure rate due to some smaller ISPs not following all the rules.
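To make concrete how a receiving ISP uses the SPF and DMARC records described above, here is an added example (not HMRC's code and not its real DNS data): a simplified receiver-side check run against a constructed in-memory zone, with placeholder domains under `.test` and documentation IP ranges. It shows why the 6% gap matters: the whole mechanism depends on the receiver actually evaluating the published policy.

```python
"""Simplified receiver-side SPF and DMARC evaluation against constructed DNS records.

Added example: the zone, domains and IP addresses below are placeholders, not
HMRC's. Real DNS lookups are replaced by the ZONE dict so this runs offline.
Supports SPF ip4/ip6/include/all and DMARC p=, aspf= and adkim=, which is
enough to show how the controls decide a message's fate.
"""
import ipaddress

# Constructed TXT records standing in for a resolver (assumption).
ZONE = {
    "example-tax.test": "v=spf1 ip4:192.0.2.0/24 include:mailer.test -all",
    "mailer.test": "v=spf1 ip4:198.51.100.10 -all",
    "bulk-sender.test": "v=spf1 ip4:203.0.113.0/24 -all",
    "_dmarc.example-tax.test": "v=DMARC1; p=reject; aspf=s; adkim=s; "
                               "rua=mailto:dmarc-reports@example-tax.test",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_txt(name):
    """Stand-in for a DNS TXT query."""
    return ZONE.get(name.lower())


def spf_check(domain, sender_ip, depth=0):
    """Evaluate the SPF record of `domain` for a message arriving from `sender_ip`.

    Returns pass/fail/softfail/neutral/none/permerror, as a receiver would.
    """
    if depth > 10:                      # RFC 7208 limits lookups; avoid include loops
        return "permerror"
    record = lookup_txt(domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"                   # no SPF published: receiver cannot verify
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term == "all":
            matched = True
        elif term.startswith(("ip4:", "ip6:")):
            # membership is False automatically when IP and network versions differ
            matched = ip in ipaddress.ip_network(term[4:], strict=False)
        elif term.startswith("include:"):
            matched = spf_check(term[8:], sender_ip, depth + 1) == "pass"
        else:
            return "permerror"          # a/mx/exists/redirect not modelled here
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"


def parse_dmarc(domain):
    """Return the DMARC tags for `domain`, or None if no policy is published."""
    record = lookup_txt("_dmarc." + domain)
    if record is None or not record.startswith("v=DMARC1"):
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    return tags


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict requires equality, relaxed allows a subdomain
    (simplification: real relaxed mode compares organisational domains)."""
    auth, frm = auth_domain.lower(), from_domain.lower()
    if mode == "s":
        return auth == frm
    return auth == frm or auth.endswith("." + frm) or frm.endswith("." + auth)


def dmarc_disposition(header_from, mail_from, sender_ip, dkim_domain=None):
    """Decide what a DMARC-enforcing receiver does with a message.

    dkim_domain is the d= of a DKIM signature the receiver has already verified
    (None if there is none). Returns (spf_result, dmarc_pass, disposition).
    """
    policy = parse_dmarc(header_from)
    spf = spf_check(mail_from, sender_ip)
    if policy is None:
        return spf, None, "none"        # no DMARC: the receiver is left to its own heuristics
    spf_ok = spf == "pass" and aligned(mail_from, header_from, policy.get("aspf", "r"))
    dkim_ok = dkim_domain is not None and aligned(dkim_domain, header_from, policy.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    return spf, passed, "deliver" if passed else policy.get("p", "none")


if __name__ == "__main__":
    # Constructed scenarios: a genuine message, a bare spoof, and a spoof that passes
    # SPF for an unrelated envelope domain but fails DMARC alignment.
    print(dmarc_disposition("example-tax.test", "example-tax.test", "192.0.2.25"))
    print(dmarc_disposition("example-tax.test", "example-tax.test", "203.0.113.7"))
    print(dmarc_disposition("example-tax.test", "bulk-sender.test", "203.0.113.7"))
```

The third scenario is the one SPF alone cannot catch: the envelope sender passes SPF for its own domain, and only DMARC's alignment check ties the visible From header back to the published policy.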

Buying up all domain names that could be used for fraudulent purposes is the next key component of the HMRC’s strategy to identify any attempted abuse of the domain.

“Once we have acquired these domains, we park them and apply technical controls to ensure they cannot be used by anyone else to dupe taxpayers,” said Tucker.

HMRC also reviews all new domain name registrations to ensure that would-be fraudsters cannot set up new potentially misleading domains that are not yet owned and parked.

“This has proved to be a highly effective way of preventing abuse,” said Tucker.
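The registration review described above amounts to screening a feed of new domain names for look-alikes of the protected name. As an added illustration (not HMRC's tooling; the protected label, suffix list and sample registrations are constructed assumptions), the script below normalises common substitutions and flags names that equal, contain, or sit within one edit of the protected label.

```python
"""Screen a feed of new domain registrations for look-alikes of a protected label.

Added example, not HMRC's own process. PROTECTED, the suffix list and the
registration feed are constructed placeholders for illustration.
"""

PROTECTED = "hmrc"  # assumption: the second-level label is what we protect

# Tiny stand-in for the public suffix list (assumption).
PUBLIC_SUFFIXES = ("gov.uk", "co.uk", "org.uk", "test", "com", "net")

# Character substitutions commonly used to imitate a name; applied before comparing.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}


def registrable_label(domain):
    """Return the label directly under the public suffix, e.g. 'hmrc-refund' for
    'login.hmrc-refund.co.uk'."""
    d = domain.lower().strip(".")
    for suffix in sorted(PUBLIC_SUFFIXES, key=len, reverse=True):
        if d.endswith("." + suffix):
            return d[: -len(suffix) - 1].split(".")[-1]
    return d.split(".")[-2] if "." in d else d


def normalize(label):
    """Strip hyphens and undo common look-alike substitutions."""
    label = label.replace("-", "")
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def screen(domain, protected=PROTECTED, max_distance=1):
    """Classify one registration: exact-label, contains, lookalike or clear."""
    norm = normalize(registrable_label(domain))
    if norm == protected:
        return "exact-label"   # same label under another suffix, or disguised
    if protected in norm:
        return "contains"      # brand embedded in a longer label
    if edit_distance(norm, protected) <= max_distance:
        return "lookalike"     # typo or transposition away from the brand
    return "clear"


def screen_feed(domains):
    """Return only the registrations that merit review, with their classification."""
    results = {d: screen(d) for d in domains}
    return {d: verdict for d, verdict in results.items() if verdict != "clear"}


if __name__ == "__main__":
    # Constructed registration feed for demonstration.
    feed = ["hmrc-tax-refund.test", "hrmc.test", "hrnrc.test", "h-m-r-c.test",
            "weather-forecast.test"]
    for domain, verdict in screen_feed(feed).items():
        print(f"{domain:25} {verdict}")
```

In practice the suffix handling would use the full public suffix list and the substitution table would be broader, but the structure (normalise, then compare against the protected label) is the same.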

Next is active monitoring. “This helps implement SPF by identifying where legitimate email is being sent from and feed illegitimate email to takedown services,” said Tucker.

“But active monitoring is not something I would recommend you try to do on your own, rather than hand it over to a specialised service,” he said.

HMRC uses an internal and an external takedown service to ensure that emails and websites abusing the department’s domain name are eliminated.

Finally, HMRC has implemented a series of organisational policies to ensure that legitimate emails do not look like spam and are easy to identify as being legitimate.

In closing, Tucker reiterated that HMRC is looking to reclaim email as a communication channel, and will share its strategy in the whitepaper that is planned for publication later this year.

He called for cross-industry support in this goal. “We need to tackle this as an industry, not on a domain-by-domain basis,” said Tucker.
