Most federal websites fail to install add-ons for thwarting site redirects, despite mandate

A year and a half after a White House-imposed deadline, only 23 percent of federal websites have employed mandatory security measures to prevent hackers from transferring visitors to bogus websites, a General Services Administration official told Nextgov.

The George W. Bush administration in August 2008 directed all agencies to deploy by December 2009 the domain name system security extensions, or DNSSEC, a set of digital signatures and keys that let a resolver verify that the answer it receives for a name such as www.irs.gov was published by that zone's operator and was not altered on the way.

"That date has obviously come and gone, but the compliance portion of that has not been very stringently applied," said Lee Ellis, program manager of the dot-gov Internet domain that GSA operates. "We are working with [the Homeland Security Department] to try to bring those numbers up," he added, referring to the agency responsible for overseeing civilian cybersecurity.

According to a Homeland Security official, DNSSEC metrics have been incorporated into the fiscal 2010 and 2011 metrics established by the Federal Information Security Management Act. DHS also has established a DNSSEC Tiger Team, which has been working with other federal agencies to improve compliance. "Overall, we have seen a significant improvement from [fiscal] 2010 baseline numbers to now," the official said.

Earlier this year, GSA contracted with Internet traffic firm VeriSign to help support the rollout of DNSSEC governmentwide and run the government's domain name system. DNS works like a phone directory: it looks up a site's human-readable name, such as www.irs.gov, and returns the numeric Internet protocol address that identifies the server. Once the name is translated into an IP address, a computer can connect to the correct website.

Fraudsters, however, have found ways to subvert that look-up, for example by feeding forged answers into a resolver's cache (cache poisoning) or spoofing replies in transit, so that users who type the right name are sent to fake sites that mimic their intended destination and steal personal information. Plain DNS carries nothing that lets a resolver tell a forged answer from a genuine one.

So the dot-gov domain, along with a growing number of commercial domains, is phasing in DNSSEC, which validates the translations at every step of the domain tree. A validating resolver starts from a trust anchor for the root zone, which has been signed since July 2010, and follows a chain of signatures downward. In the case of the Internal Revenue Service home page, for example, that means verifying that the root vouches for the ".gov" zone's key, that ".gov" vouches for the irs.gov zone's key, and finally that the irs.gov key signed the record mapping www.irs.gov to the address a computer should connect to.
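The walk down the tree described above, and the forged answers described before it, as an added example that is not code from the original article, from GSA, VeriSign or BIND: a Go model of the DNSSEC chain of trust. Every name, key, record and address in it is constructed (192.0.2.10 and 198.51.100.66 are documentation addresses, not irs.gov's real one), and the record format is a simplification of the real protocol: a real RRSIG covers a whole RRset in wire format with a validity window, and a real DS digest is computed over the owner name and DNSKEY RDATA, whereas here both are reduced to a signature over canonical text and a SHA-256 of name plus key. What the model shows is the part that matters for this article: a resolver holding only the root key accepts www.irs.gov's address when each DS matches the child's DNSKEY and the leaf signature verifies, rejects a poisoned answer whose address was swapped, and rejects an entire substituted irs.gov zone signed with an attacker's key, because that key does not match the DS record the .gov zone signed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

type Record struct {
	Owner, Type, Data string
	Sig               []byte // stands in for the RRSIG (Ed25519, DNSSEC algorithm 15)
}

type Zone struct {
	Key     ed25519.PublicKey // the zone's DNSKEY
	priv    ed25519.PrivateKey
	Records map[string]Record // keyed by "owner type"
}

func canonical(r Record) []byte { return []byte(r.Owner + " " + r.Type + " " + r.Data) }
func NewZone() *Zone {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // only fails if crypto/rand itself fails
	return &Zone{Key: pub, priv: priv, Records: map[string]Record{}}
}

// Sign adds a record to the zone, signed with the zone's key.
func (z *Zone) Sign(owner, typ, data string) {
	r := Record{Owner: owner, Type: typ, Data: data}
	r.Sig = ed25519.Sign(z.priv, canonical(r))
	z.Records[owner+" "+typ] = r
}

// dsDigest hashes a child's DNSKEY; the child hands it to the parent's operator out of band.
func dsDigest(child string, key ed25519.PublicKey) string {
	return fmt.Sprintf("%x", sha256.Sum256(append([]byte(child), key...)))
}

func (z *Zone) Delegate(name string, child *Zone) { z.Sign(name, "DS", dsDigest(name, child.Key)) }

// Resolver: the root DNSKEY configured as trust anchor, plus received (possibly altered) zone data.
type Resolver struct {
	TrustAnchor ed25519.PublicKey
	Zones       map[string]*Zone
}

// Validate walks root -> ... -> owner's zone, checking each child's DNSKEY against the parent's signed DS.
func (r *Resolver) Validate(owner string) (string, error) {
	trusted, parent := r.TrustAnchor, r.Zones["."]
	if parent == nil {
		return "", fmt.Errorf("no data for the root zone")
	}
	labels := strings.Split(strings.TrimSuffix(owner, "."), ".")
	for i := len(labels) - 1; i >= 1; i-- { // for www.irs.gov.: gov., then irs.gov.
		name := strings.Join(labels[i:], ".") + "."
		child := r.Zones[name]
		if child == nil {
			return "", fmt.Errorf("no data for zone %s", name)
		}
		ds, ok := parent.Records[name+" DS"]
		if !ok || !ed25519.Verify(trusted, canonical(ds), ds.Sig) {
			return "", fmt.Errorf("bogus: no validly signed DS for %s", name)
		}
		if ds.Data != dsDigest(name, child.Key) {
			return "", fmt.Errorf("bogus: DNSKEY of %s does not match its DS", name)
		}
		trusted, parent = child.Key, child // the child's key is now trusted
	}
	a, ok := parent.Records[owner+" A"]
	if !ok || !ed25519.Verify(trusted, canonical(a), a.Sig) {
		return "", fmt.Errorf("bogus: no validly signed A record for %s", owner)
	}
	return a.Data, nil
}

// NewExampleResolver builds a constructed root -> gov. -> irs.gov. tree with fresh keys.
func NewExampleResolver() *Resolver {
	root, gov, irs := NewZone(), NewZone(), NewZone()
	root.Delegate("gov.", gov)
	gov.Delegate("irs.gov.", irs)
	irs.Sign("www.irs.gov.", "A", "192.0.2.10")
	return &Resolver{TrustAnchor: root.Key, Zones: map[string]*Zone{".": root, "gov.": gov, "irs.gov.": irs}}
}

func main() {
	r := NewExampleResolver()
	fmt.Println(r.Validate("www.irs.gov.")) // 192.0.2.10 <nil>
	// Attack 1: a poisoned answer swaps the address but keeps the original signature.
	rec := r.Zones["irs.gov."].Records["www.irs.gov. A"]
	rec.Data = "198.51.100.66"
	r.Zones["irs.gov."].Records["www.irs.gov. A"] = rec
	fmt.Println(r.Validate("www.irs.gov.")) // bogus: no validly signed A record for www.irs.gov.
	// Attack 2: a fake irs.gov. zone signed with the attacker's own key.
	fake := NewZone()
	fake.Sign("www.irs.gov.", "A", "198.51.100.66")
	r.Zones["irs.gov."] = fake
	fmt.Println(r.Validate("www.irs.gov.")) // bogus: DNSKEY of irs.gov. does not match its DS
}
```

The point of the second attack is the one Ellis alludes to later: the only thing the attacker cannot produce is a DNSKEY whose digest the parent zone has signed, which is why getting the DS record to the parent (and to the root for .gov) is the operational step that decides whether a zone is protected. A real validator also checks signature validity windows and proves the absence of a DS for unsigned children with NSEC or NSEC3 records, which this model leaves out.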

The lag time in deploying the technology stems from a lack of technical understanding, Ellis said.

Even Web surfers have trouble seeing the benefits of the specification, other computer experts have noted. While people have grown accustomed to trusting websites marked by the "https" security protocol -- used by many electronic-commerce outfits -- DNSSEC is typically invisible to users: validation happens inside the recursive resolver that answers the computer's queries, and the browser sees only the resulting address.

"In many cases it's not as easy for an end user to know" that DNSSEC is in use, because "there isn't an indicator for a consumer today," said Joe Waldron, director of product management at VeriSign. He said the Internet services industry is expected to develop some sort of visual marker in the future.

Although most federal sites have yet to apply DNSSEC, there are some standout exceptions, such as full deployment across all Health and Human Services Department sites, Ellis said. NASA and GSA also are taking advantage of the security measure, as well as important IRS.gov sites that conduct sensitive transactions, he added.

"It is not necessarily a big cost," Ellis said, pointing out that the software, called BIND, is free. "It's more having someone trained well enough that knows how to transmit the keys back-and-forth.

"There's no reason we shouldn't be fully implemented at this time," he said. "It's a protection layer that allows trust within the government network and it prevents man-in-the-middle attacks."