Cybersecurity

Hacker Fears Have Frustrated Efforts to Downsize Dot-Gov Sprawl

Simon Booth/Shutterstock.com

Concerns about data compromises are partly to blame for drawing out an effort to merge roughly 2,000 dot-gov websites, according to federal officials and internal emails. 

But officials say they are still committed to making government services and information easier to navigate, as the website consolidation initiative approaches its three-year anniversary.

Combining National Oceanic and Atmospheric Administration website content with content from the Coast Guard illustrates the trickiness. The Coast Guard, a Homeland Security Department agency with a dot-mil suffix, is more of a bull’s eye for hackers than NOAA, officials say.

USCG employees shy away from sharing data with other agencies, one information technology employee complained on the government's Web content managers listserv in 2012. Nextgov retrieved the message, with the employee’s name redacted, through an open records request. 

The Coast Guard staff "are security maniacs because hackers like to target them," wrote a NOAA web manager in the Office of Space Commercialization, which is part of the Department of Commerce.

"I tried to syndicate RSS feeds from the CG server to the DOC server. It didn't work because DOC blocks external content, and the DOC guys said no way even when I explained that CG is rabid about security and that I control the content on their server. How are we ever supposed to avoid duplication of content if content cannot be shared?" the manager questioned.

Coast Guard officials acknowledge that personnel are worried about protecting their information when linking to other agencies’ machines. 

Each agency official responsible for a Web system "is of course concerned with protecting their networks and systems," Coast Guard spokeswoman Lisa Novak said. "One significant challenge is sharing data between separate domains such as .gov and .mil.  [The service] operates in the .mil environment and recent cyberattacks from applications that have an Internet facing component have sensitized [information technology] officials to closely monitor interconnections."

In June 2011, the Obama administration set a one-year goal to cut in half the government's 2,000 main dot-gov domains, such as USASpending.gov and IRS.gov.   

Around the time of the initiative’s two-year anniversary, Nextgov reported that, for the first time, there were fewer than 1,000 unique government domains.

Today, the number of separate sites has crept up to 1,223. Of those, about 305 are empty and redirect to another site, White House officials say.

Security Concerns

A reluctance to yield control of data frustrated the push to fuse some sites, the NOAA Web manager said. 

"IT managers are totally averse to downloading content to their network from an external network, no matter how secure that external network is," the manager said. "They cannot accept responsibility for viruses or malware getting into their network due to content syndication," through RSS feeds, for instance. 

The manager apologized for posting a long entry about an individual dilemma to the whole listserv, but reasoned other officials were experiencing the same problem. 

"This is something that is really bothering me as I try to implement the Web consolidation initiative on only two of the sites that I manage. Now multiply this by hundreds of government sites . . . without the right technology solutions, I start to wonder if we're really improving the federal Web or making it worse," the manager said.

The governmentwide initiative began with a three-month freeze on all new dot-gov websites to get a handle on the extent of webpage sprawl. Administration officials described the effort as a first step in fulfilling a June 13, 2011, presidential executive order to cut waste and streamline government operations. 

The emphasis was more on streamlining Internet operations than cutting waste.  The cost of maintaining some sites is relatively small, officials admitted.

To minimize the risk of breaches, Coast Guard officials sign a formal "interconnect security agreement” with partner agencies, Novak said. And before doing so, each USCG agency reviews the security posture of the other agency.

Novak could not address the specific ordeal the NOAA Web manager portrayed. She said the comments are vague in terms of identifying specific websites, systems and networks. In general, the Coast Guard "shares data and enjoys service that NOAA provides for several applications," Novak said. "We are currently exchanging data with our NOAA partners."

NOAA spokesman David Miller declined to speak about the manager’s troubles.  "NOAA continues to make consolidating websites a priority across the agency, but we cannot address specific security issues,” he said.

White House officials said the Office of Management and Budget works with agencies to ensure that security issues surrounding website mergers are handled in a timely manner. By law, agencies must make risk-based decisions regarding how to secure their own IT assets, they added.  

Officials said the public is welcome to track progress on the downsizing effort through a regularly updated chart on Data.gov. 

https://mail.google.com/mail/u/0/images/cleardot.gif

(Image via Simon Booth/Shutterstock.com)

Threatwatch Alert

Network intrusion / Stolen credentials / Unauthorized use of system administrator privileges / Software vulnerability

Hackers swipe payment card data on more than 1M UK travel service firm clients

See threatwatch report

JOIN THE DISCUSSION

Close [ x ] More from Nextgov
// July 24