This article originally appeared in CPO Magazine on December 8, 2017.
U.S. Federal Government is a behemoth that touches every aspect of American life – and today the touchpoints for services and information that each U.S. citizen requires to comply with federal rules and regulations are increasingly found on the Internet. However, the latest report on the state of federal websites indicates that they fail on some key indicators regarding web security. The Information Technology & Innovation Foundation’s (ITIF) Benchmarking U.S. Government Websites report showed that there was plenty of room for concern but it wasn’t all gloom and doom. For instance an analysis of federal websites Secure Sockets Layer (SSL) certificates (which ensure that all data being sent between the browser and server is encrypted), found that around three quarters were making use of the certificates, bettering the result of the previous year. But there were areas where the federal websites could certainly use improvement when it comes to security vulnerabilities.
Federal websites – The tip of the iceberg?
With an estimated 4,500 federal websites which allow access to critical services and general information, the problem is very real. It all comes down to the old saying about numbers used by statisticians. Mark Twain attributed a scathing critique of statistical methods to the British Prime Minister Benjamin Disraeli when he wrote “There are three kinds of lies: lies, damned lies, and statistics.” The problem might extend further than so called ‘federal’ websites and security issues that affect these sites may have a trickle-down effect.
The fact of the matter is that U.S. citizens depend on those federal websites to access critical government services and information. This latest report finds that 91 percent of the most popular agency websites are failing to perform well in at least one key performance metric with one of the most important being web security.
The analysts responsible for the report found that of the hundreds of websites under scrutiny more than one-third did not have security measures to prevent hackers from accessing visitors’ sensitive information or redirecting traffic to malicious phishing websites.
Now these are ‘federal’ sites – but like much else involving governments across the globe, definitions can be slippery. At the core of many of these sites are databases that gather and supposedly protect information that can run the gamut from medical records, government hiring practices and the results of job interviews to location information. Social security numbers and other very sensitive information are just the tip of the iceberg. But dig a little deeper and the definition of a ‘Federal Website’ may be misleading. It could be said that these sites are the leaders of the marching band of data custodianship – but local and state sites are built on the foundation of the federal approach to security. If federal government sites fall prey to hackers the entire house of cards is at risk.
Web security – Are federal websites a ticking bomb?
In one of two tests administered on the sites, the analysts used Qualys SSL Labs’ “SSL Server Test,” which analyzes a website’s Secure Sockets Layer (SSL) certificates. The news was good – 71 percent of the sites passed the test, up from 67 percent the previous year.
SSL certificates ensure that all data being sent between the browser and server is encrypted. Should the lack of such certificates worry experts in security issues and users of federal websites? Yes it should. Websites use an SSL certificate to authenticate the identity of web servers and ensures that you are connecting to the official website. Users sharing sensitive information have peace of mind as the information you provide is encrypted and transmitted securely to ensure that hackers cannot intercept communications from a user, such as sensitive credit card information or other personal data, or alter data between the browser and the server.
In the second test, analysts examined each site to determine whether it had enabled the Domain Name System Security (DNSSEC).
Using Verisign Labs’ “DNSSEC Debugger,” which is a web-based tool that determines whether a website has enabled the security feature, the analysts found 88 percent of the websites they tested enabled DNSSEC, down from 90 percent in the previous year.
The security measure stops DNS attacks such as cache poisoning, which hackers use to redirect users to other webpages under the DNS. This sort of attack allows hackers to set up spoofed pages that are identical to actual federal websites in order to gather sensitive information from visitors or infect their computers with malware.
These security features also prevent distributed denial of service (DDoS) attacks. In these attacks hackers flood a website with botnet traffic and overload the website for extended periods of time. This tactic has been around for years and is a favorite attack strategy of foreign players who wish to cripple government sites.
Are U.S. federal websites getting better?
Better is a loaded word. There has been an incremental improvement, but analysts remain less than impressed. Last year, the ITIF reviewed 297 of the most popular government websites and released a report that said, “many federal government websites were not fast, mobile friendly, secure, or accessible.”
That’s a scathing evaluation – and the latest report does not pour salve on the slap that the federal information authorities received only a year ago in the first ITIF report in 2016. The ITIF pulled no punches in its latest evaluation when it said that federal agencies have “made little progress at modernizing government websites.”
Who is to blame when it comes to federal web security?
SSL problems, sub-standard web security (albeit getting better) and a seemingly lackadaisical approach by federal authorities to web security. Surely someone must be in fear of losing their job?
Not so fast say experts.
Chris Olson, CEO of The Media Trust, provided the following comments: “The problem with federal – and many enterprise – websites is that no one individual is in charge of the entire website operation.
“Different teams set up the technical infrastructure and contribute content for different purposes like communication, citizen-support, recruiting and reporting. The code enabling these functions can be leveraged to execute malicious activity; a fact demonstrated by the compromise of dozens of government-related websites earlier this year. As website functionality evolves so should security requirements. Today’s dynamic internet environment requires a continuous security approach to detect real-time security and performance failures before they have detrimental effects on citizens.”
Try that approach when elections and budgetary pressures take their toll on both manpower and carefully thought out strategies every four years as American elections roll around. The fact that web service provider and security consultants may change at regular intervals is an enormous challenge.
Perhaps the last word should go to Galia Nurko, an ITIF research fellow who was one of the team members who put the latest report together:
“Government websites get millions of visitors each day. As more people go online for public services and as security threats continue to evolve, it is important for federal websites to be more convenient, accessible, and secure.
“This report shows a significant amount of work left to be done to modernize federal websites and ensure that, as technology advances, federal websites improve in turn.”
