SecurityWeek

Audits

Security of U.S. Government Sites Improved Only Slightly: Report

The security of websites owned by the United States government has improved only slightly in the past months, according to a report published on Monday by the Information Technology and Innovation Foundation (ITIF).

ITIF analyzed nearly 300 of the most visited U.S. government websites to see whether they are fast, secure, mobile friendly, and accessible to users with disabilities. On security, the study looked at whether each site uses HTTPS and DNSSEC, and whether it is affected by known vulnerabilities.

According to ITIF, of the government websites included in the top 100,000 of the Majestic Million ranking, 75% use HTTPS, which encrypts communications between the user's browser and the site. This is a 3% decrease from the data in the report the organization published in March. Overall, however, the percentage of government sites that have properly implemented SSL/TLS, as graded by the Qualys SSL Server Test ITIF used, has increased from 67% to 71%.

Of the 260 sites tested for both reports, 31% showed improvement in SSL deployment, while 14% were less secure.

SSL score of federal websites

The U.S. Department of Homeland Security (DHS) recently ordered all federal agencies, in Binding Operational Directive 18-01, to deploy web and email security technologies such as HTTPS (with HSTS), DMARC and STARTTLS within the next few months, and to disable SSLv2, SSLv3, 3DES and RC4 on their web and mail servers.

ITIF’s report shows that 8% of websites have not implemented HTTPS at all, but this is still an improvement compared to the 14% from the previous report. The Department of Defense (defense.gov) is one of the agencies that recently rolled out HTTPS, and the International Trade Administration (trade.gov) is among those that still lack the security feature.

SSL tests, conducted by ITIF using Qualys' SSL Server Test, also showed that some government websites still have serious TLS configuration weaknesses. For example, the Trade Representative (ustr.gov) and National Weather Service (weather.gov) sites are vulnerable to POODLE attacks, meaning they still accept SSL 3.0 with CBC-mode ciphers, and trade.gov and tsunami.gov (Tsunami Warning Centers) are susceptible to DROWN, which indicates that SSLv2 is still enabled on the server (or on another server sharing its RSA key). Both findings are fixed by configuration, by disabling the legacy protocol versions, rather than by patching application code.
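Why a scanner flags a site for POODLE or DROWN comes down to which protocol versions the server will still negotiate. The following is an added example, not code from ITIF, Qualys or the article: it builds an SSL 3.0 ClientHello and an SSL 2.0 CLIENT-HELLO from raw bytes, classifies the server's first reply, and applies the POODLE condition (SSL 3.0 negotiated with a CBC suite) and the SSLv2 condition behind DROWN. The suite lists are a small subset chosen for illustration, the `probe()` helper is hypothetical and needs network access, and the sample server responses are constructed so the rest runs offline.

```python
"""Probe for the two legacy protocol versions behind POODLE (SSL 3.0) and
DROWN (SSL 2.0). Added example, not ITIF's, Qualys' or the article's code.
Wire formats follow RFC 6101 (SSL 3.0) and the SSL 2.0 specification; the
server responses at the bottom are constructed, not captured from any site."""
import os
import socket
import struct

# CBC-mode suites: an SSLv3 ServerHello that picks one of these is the
# POODLE condition. Small subset of the IANA registry, keyed by suite id.
SSLV3_CBC_SUITES = {
    0x000A: "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
}
SSLV3_RC4_SUITES = {0x0004: "SSL_RSA_WITH_RC4_128_MD5", 0x0005: "SSL_RSA_WITH_RC4_128_SHA"}


def build_sslv3_client_hello(suites=tuple(SSLV3_CBC_SUITES) + tuple(SSLV3_RC4_SUITES)):
    """ClientHello whose record and handshake versions are both 0x0300, so a
    server that answers with a ServerHello has agreed to speak SSL 3.0."""
    cipher_bytes = b"".join(struct.pack("!H", s) for s in suites)
    body = (struct.pack("!H", 0x0300)            # client_version = SSL 3.0
            + os.urandom(32)                     # random
            + b"\x00"                            # session_id length 0
            + struct.pack("!H", len(cipher_bytes)) + cipher_bytes
            + b"\x01\x00")                       # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 24-bit length
    return b"\x16\x03\x00" + struct.pack("!H", len(handshake)) + handshake


def parse_sslv3_response(data):
    """Classify the first record a server sends back to the SSLv3-only hello.
    Returns ("server_hello", version, suite), ("alert", version, description)
    or ("other", version, None)."""
    if len(data) < 5:
        return ("other", None, None)
    content_type, version = data[0], struct.unpack("!H", data[1:3])[0]
    if content_type == 0x15 and len(data) >= 7:                      # alert: level, description
        return ("alert", version, data[6])
    if content_type == 0x16 and len(data) >= 46 and data[5] == 0x02:  # handshake, ServerHello
        # ServerHello: type(1) len(3) version(2) random(32) sid_len(1) sid cipher(2) comp(1)
        sid_len = data[43]
        if len(data) >= 46 + sid_len:
            suite = struct.unpack("!H", data[44 + sid_len:46 + sid_len])[0]
            return ("server_hello", struct.unpack("!H", data[9:11])[0], suite)
    return ("other", version, None)


def poodle_exposed(kind, version, suite):
    """POODLE needs SSL 3.0 *and* a CBC suite; RC4 under SSLv3 is weak but not POODLE."""
    return kind == "server_hello" and version == 0x0300 and suite in SSLV3_CBC_SUITES


def build_sslv2_client_hello():
    """SSL 2.0 CLIENT-HELLO: 2-byte record header with the high bit set, msg type 1."""
    specs = b"\x01\x00\x80" + b"\x07\x00\xc0"    # SSL_CK_RC4_128_WITH_MD5, SSL_CK_DES_192_EDE3_CBC_WITH_MD5
    challenge = os.urandom(16)
    msg = (b"\x01" + struct.pack("!H", 0x0002)
           + struct.pack("!HHH", len(specs), 0, len(challenge)) + specs + challenge)
    return struct.pack("!H", 0x8000 | len(msg)) + msg


def sslv2_server_hello(data):
    """True if data is an SSL 2.0 SERVER-HELLO (msg type 4) advertising at least
    one cipher spec, i.e. the server speaks SSLv2. DROWN also applies to *other*
    servers sharing this server's RSA key, which a single probe cannot see."""
    if len(data) < 13 or not data[0] & 0x80 or data[2] != 0x04:
        return False
    # SERVER-HELLO: type(1) sid_hit(1) cert_type(1) version(2) cert_len(2) cipher_specs_len(2) conn_id_len(2)
    cipher_specs_len = struct.unpack("!H", data[9:11])[0]
    return cipher_specs_len > 0


def probe(host, port=443, timeout=5.0):
    """Hypothetical live check (needs network): returns {"poodle": bool, "sslv2": bool}."""
    results = {}
    for name, hello in (("poodle", build_sslv3_client_hello()), ("sslv2", build_sslv2_client_hello())):
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(hello)
                data = sock.recv(4096)
        except OSError:
            data = b""                           # closed connection or timeout: nothing negotiated
        results[name] = (poodle_exposed(*parse_sslv3_response(data)) if name == "poodle"
                         else sslv2_server_hello(data))
    return results


# Constructed responses for offline use (not captured from any real server).
SAMPLE_SSLV3_SERVER_HELLO = (b"\x16\x03\x00" + struct.pack("!H", 42)                 # record: handshake, SSL 3.0, 42 bytes
                             + b"\x02" + b"\x00\x00\x26" + b"\x03\x00" + bytes(32)   # ServerHello, version 3.0, random
                             + b"\x00" + b"\x00\x2f" + b"\x00")                      # no session id, AES-128-CBC-SHA, null compression
SAMPLE_ALERT = b"\x15\x03\x00\x00\x02\x02\x46"                                       # fatal alert 70: protocol_version
SAMPLE_SSLV2_SERVER_HELLO = (struct.pack("!H", 0x8000 | 30) + b"\x04\x00\x01\x00\x02"  # SERVER-HELLO, no sid hit, X.509, v2
                             + b"\x00\x00" + b"\x00\x03" + b"\x00\x10"              # cert len 0, one cipher spec, 16-byte conn id
                             + b"\x01\x00\x80" + bytes(16))
```

A server that has disabled SSL 3.0 answers the first hello with a fatal alert (protocol_version or handshake_failure) or simply closes the connection; only a ServerHello carrying version 0x0300 and a CBC suite is the POODLE finding. Note that a negative SSLv2 probe of one host does not clear it of DROWN if the same RSA key is deployed on another host that still speaks SSLv2.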

As for DNSSEC, which lets resolvers verify that DNS answers are signed by the zone's owner, so that spoofed responses redirecting users to malicious sites can be rejected, ITIF found that 90% of U.S. government websites have it enabled. Since the previous report, 15 federal sites activated DNSSEC and two deactivated the feature.

“Of the top 100,000 websites reviewed, only 70 percent passed both the DNSSEC and SSL test. Several of these top 100,000 websites did not have DNSSEC or HTTPS implemented. One example is the Administrative Office of the U.S. Courts (uscourts.gov), which also scored low in the security category in the initial report,” ITIF said in its report.

Shortly after DHS ordered federal agencies to improve their security, Agari analyzed government domains to see how many had implemented DMARC, the protocol that tells receiving mail servers what to do with messages that fail SPF or DKIM alignment for a domain. When the company published its report in mid-October, nearly 82% of the domains analyzed lacked a DMARC record entirely.
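A DMARC survey of this kind is a TXT lookup at _dmarc.<domain> followed by the record-selection rules in RFC 7489. The following is an added example, not Agari's or ITIF's tooling: it parses DMARC records, applies those rules (more than one record means no DMARC; an invalid p= tag is treated as p=none only when a rua= address is present), and buckets each domain the way such surveys report them. The domains and TXT strings in SAMPLE_ZONES are constructed, not real .gov records; the live lookup that would feed them in is left out so the block runs offline.

```python
"""Parse and grade DMARC records per RFC 7489 section 6.6.3. Added example,
not Agari's or ITIF's code. SAMPLE_ZONES is constructed test data."""

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(txt):
    """Split one TXT string into a tag dict, or return None if it is not a DMARC
    record. RFC 7489 requires 'v=DMARC1' to be the first tag."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if next(iter(tags), None) != "v" or tags["v"].upper() != "DMARC1":
        return None
    return tags


def effective_policy(records):
    """Apply the record-selection rules to the TXT strings found at _dmarc.<domain>.
    Returns (status, p, sp, pct) with status 'missing', 'invalid' or 'ok'."""
    dmarc = [t for t in (parse_dmarc(r) for r in records) if t is not None]
    if len(dmarc) != 1:              # zero records, or several: receivers apply no DMARC
        return ("missing", None, None, None)
    tags = dmarc[0]
    p = tags.get("p", "").lower()
    if p not in POLICY_RANK:
        if "rua" in tags:            # invalid/missing p= but a report address: act as p=none
            p = "none"
        else:
            return ("invalid", None, None, None)
    sp = tags.get("sp", p).lower()   # subdomain policy defaults to p
    if sp not in POLICY_RANK:
        sp = p
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    return ("ok", p, sp, max(0, min(100, pct)))


def classify(records):
    """Bucket a domain as a spoofing survey would: 'no DMARC', 'monitor only',
    'partial enforcement' (pct<100 or a weaker subdomain policy) or 'enforced'."""
    status, p, sp, pct = effective_policy(records)
    if status != "ok":
        return "no DMARC"
    if p == "none":
        return "monitor only"
    if pct < 100 or POLICY_RANK[sp] < POLICY_RANK[p]:
        return "partial enforcement"
    return "enforced"


def survey(zones):
    """zones: {domain: [TXT strings at _dmarc.<domain>]} -> {domain: bucket}."""
    return {domain: classify(records) for domain, records in zones.items()}


# Constructed sample answers; these are not real .gov records.
SAMPLE_ZONES = {
    "example.gov": [],                                                   # no record at all
    "reject.example.gov": ["v=DMARC1; p=reject; rua=mailto:dmarc@reject.example.gov"],
    "monitor.example.gov": ["v=DMARC1; p=none; rua=mailto:reports@monitor.example.gov"],
    "partial.example.gov": ["v=DMARC1; p=quarantine; sp=none; pct=50"],
    "dup.example.gov": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],      # two records: discarded
    "broken.example.gov": ["v=DMARC1; p=rejekt"],                        # bad p=, no rua=: invalid
    "spf.example.gov": ["v=spf1 -all"],                                  # SPF, not DMARC
}
```

Note that "monitor only" is what BOD 18-01 asked for first (p=none within 30 days); a domain counts as protected against spoofing only once it reaches "enforced", which is why surveys separate the buckets rather than reporting a single "has DMARC" figure.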

Related: U.S. Government Cybersecurity Ranks 16th Out of 18 Industry Sectors

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
