To help ensure the safety and security of government websites, the Office of Management and Budget now requires all government agencies to deploy a new security mechanism on their websites. This mechanism, called DNS Security Extensions, or DNSSEC for short, would prevent hackers from hijacking traffic intended for government websites and sending it to their own fake websites, a common hacking problem. The Office of Management and Budget issued a mandate in August 2008 for all U.S. government agencies to implement this additional security measure by December 31, 2009. Now that the deadline is well past, an independent agency followed up to see whether the security measure was actually implemented. The investigation showed that most of the sites do not have it in place yet, and many of them had not even started working on it.
At first, you might not worry much about this, but when you think about the trust you place in these sites, it is pretty scary how easily you can be tricked by a phishing scheme. For example, if you’re filing your taxes online through the IRS.gov website, you might be redirected to a scammer’s website that looks and acts just like the real website. The main difference? The hacker can capture all your information without you being any the wiser.
The investigation shows that not only has the deadline for DNSSEC signatures passed, but only about 20% of government agencies have started using DNSSEC on their websites, whereas most other countries already have it installed on all their government websites. Another shocking part of the story is that some government agencies put this security mechanism onto their websites in under 3 days, which shows that the agencies falling behind have been focusing on other things and don’t consider this a priority.
“We found about 20% of agencies had signatures as of last week,” says Mark Beckett, vice president of marketing for Secure64. “Eighty percent don’t have any signatures up there. One can speculate about why that is. They may be working on it but haven’t pushed the signatures into production yet. All you can tell from the outside looking in is that there’s no evidence of progress on the DNSSEC mandate.”
At the moment, we’re not sure when all of the government agencies will finally secure their websites and catch up with other nations, but it’s time for these agencies to start taking cyber security more seriously.