The Department of Parliamentary Services is just weeks away from deploying domain-based message authentication, reporting and conformance (DMARC) on the aph.gov.au domain.
President of the Senate Slade Brockman told Senate estimates last week that DMARC would be introduced in early December to protect the email domain by “blocking emails generated by third-party distribution services”.
DPS has been working to introduce DMARC since receiving funding to do so last financial year, along with a number of other cyber security enhancements aimed at protecting the parliamentary computing network.
“These security changes mean that, from December 6 2021, emails generated by third parties using [an] aph.gov.au address will not be delivered,” Brockman said.
Brockman said DMARC is “critical to preventing cyber criminals impersonating our official site to send phishing emails to constituents and clients” and that it “would protect the aph.gov.au domain from being used for email spoofing, phishing attacks and cyber crimes”.
Parliamentarians who use third-party distribution services have already been told that they will need to create a new email domain to continue sending emails using the same platforms.
“There are a range of applications that ... essentially use our domain to send emails but are not authorised to do that activity, and as of December 6 they will be prohibited,” Brockman said.
“They are services that we don't manage or have any control over in the sense that we have no contractual arrangements with these vendors.”
Brockman said the “parliamentary network is one of the most highly targeted IT systems in the nation”, with parliamentarians an “attractive target for adversaries” attempting to exfiltrate data.
He cited two significant cyber attacks against the parliamentary computing network in recent years, without elaborating on the root cause of either.
The most high-profile attack against the parliamentary computing network took place in February 2019, when a limited amount of non-confidential data was stolen by a state-based actor.
The network was also targeted by an “unsophisticated brute-force” attack in March, leading DPS to lock down mobile devices for a week-long period.
“Email is the single most vulnerable pathway to compromise IT systems, and a compromise to the parliament network has significant ramifications for the… Commonwealth,” Brockman added.