Most federal government websites lack minimum standards for cybersecurity, are painfully slow, and fail tests for mobile readiness.
An independent study by the Information Technology and Innovation Foundation (ITIF) found that more than 92 percent of the most popular federal government websites lacked fundamental cybersecurity protections. This, in spite of a policy from the Obama administration that called for all agencies to use secured HTTPS access — though with no consequences for those that don’t.
Among the 270 agencies that have failed to implement basic protections are the House of Representatives (house.gov), the Speaker of the House of Representatives (speaker.gov), the U.S. Forest Service (fs.fed.us), the Department of Defense (defense.gov), the International Trade Administration (trade.gov), and the U.S. Courts (uscourts.gov).
Specific vulnerabilities include LongTermCare.gov and letsmove.gov, which are both vulnerable to the POODLE attack (for “Padding Oracle On Downgraded Legacy Encryption”), an exploit that lets attackers read data being carried inside encrypted traffic. An attacker who controls the internet connection between a browser and a server can use this vulnerability to decrypt authentication data for transactional sites such as Netflix and your bank. In other words, it lets them do whatever they want.
SaferProducts.gov was found to be susceptible to man-in-the-middle attacks, which intercept a communication between two parties, masquerading as each party so that the actual parties think they are still communicating with one another. This enables active eavesdropping on private communications and allows the manipulator to request and receive trusted information like credentials and private keys.
In another example, the Tsunami.gov sites are vulnerable to the DROWN attack (for “Decrypting RSA with Obsolete and Weakened eNcryption”), which allows attackers to break encryption and read or steal sensitive communications, trade secrets, or financial data. This data typically includes usernames and passwords, credit card numbers, emails, instant messages, and confidential and classified documents. It also enables attackers to impersonate a secure website.
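POODLE depends on a server still offering SSLv3, and DROWN on a server (or any other server sharing the same RSA key) still offering SSLv2; both are closed by refusing those protocols, and the HTTPS policy the column mentions is enforced by redirecting plain HTTP. The following nginx fragment, an added illustration rather than configuration from any site named in the column, shows a weak server block beside a hardened one. The hostname agency.example, the certificate paths, and the cipher list are assumed placeholders.

```nginx
# Weak configuration (constructed example): SSLv2 and SSLv3 are still
# offered, so DROWN (SSLv2) and POODLE (SSLv3) apply, and nothing forces
# browsers onto HTTPS.
server {
    listen 443 ssl;
    server_name agency.example;                     # placeholder hostname
    ssl_certificate     /etc/ssl/agency.example.crt;  # placeholder path
    ssl_certificate_key /etc/ssl/agency.example.key;  # placeholder path
    ssl_protocols SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers DEFAULT;
}

# Hardened configuration: redirect every HTTP request to HTTPS, offer only
# TLS 1.2 and 1.3 (no SSLv2/SSLv3 handshake exists to downgrade to), prefer
# forward-secret AEAD ciphers, and send HSTS so browsers refuse to fall back
# to plain HTTP on later visits.
server {
    listen 80;
    server_name agency.example;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name agency.example;
    ssl_certificate     /etc/ssl/agency.example.crt;
    ssl_certificate_key /etc/ssl/agency.example.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
}
```

One caveat for DROWN: disabling SSLv2 on the web server alone is not enough if the same RSA certificate or key is reused on another service (a mail server, for instance) that still accepts SSLv2; every endpoint sharing the key has to drop it.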
In addition to poor security, more than two-thirds of our government websites aren’t fast enough for mobile devices, and many desktop downloads resemble a 1998 dial-up connection. Almost half of them aren’t mobile-friendly (small buttons and text). And these aren’t a bunch of arcane websites either. They include the General Services Administration (gsa.gov), the National Weather Service (weather.gov), the Treasury Department (treasury.gov), the International Trade Administration (trade.gov), the Federal Trade Commission’s IdentityTheft.gov, and the National Cancer Institute (cancer.gov).
The study also found that while we have wheelchair ramps outside every federal building, we failed to install them on our apps. Forty-two percent of the websites reviewed failed the test for users with disabilities, including the International Trade Administration (trade.gov) and the Internal Revenue Service (irs.gov).
The performance, accessibility, mobility, and speed tests only confirm our suspicions that the federal government is living in the dark ages relative to computer systems and modern mobile devices. But the cybersecurity failures are alarming. Even though the cause of the infamous Office of Personnel Management hack is widely known, it is still startling to learn that two years later, the majority of federal government websites are still insecure. If this happened in the private sector, heads would roll.
We are now past the first 100 days, and President Trump has yet to sign and implement a cybersecurity policy. Interrupting the North Korean missile-launch program may be a good thing, but failing to protect our government websites isn’t.
Steve King is the COO and CTO of Netswitch Technology Management.