recommended reading

Who Needs Heartbleed When Many Dot-Govs Don't Even Encrypt Communications?


More than a quarter of federal websites are not properly configured with software to prevent intruders from intercepting data entered by citizens, according to a new study. 

Federal sites in general scored 10 percent lower than online banking services and social media networks at site security and server configuration, researchers at the Online Trust Alliance discovered.  

The study, released Wednesday, looked at 50 cabinet-level and other high-traffic, consumer-oriented federal websites, as well as purported federal sites set up by fraudsters. Phishing emails luring citizens to the bogus sites also were examined.

Industrywide, the average score for so-called SSL configuration was 83.4 on a 100-point scale, whereas the government average was 70.5. The government rating was dragged down by the large number of sites, 26 percent, that scored lower than 50, said Craig Spiezle, founder of the alliance and a study co-author. About 10 of the sites had no discernible SSL connection, he said. 

An SSL connection secures data transmitted when a citizen fills out, for instance, an online application for veteran benefits. This year, the results of the annual online trust audit incorporated tests for the infamous Heartbleed bug, a hole in SSL software that went unnoticed for two years. Social media and financial institution sites tied for first place in SSL use, with 86 points.

The study does not name the 50 government sites studied or list individual scores for security reasons. 

"There's a risk if you start calling these things out, you could expose a vulnerability of a site -- and that's the last thing we want to do," Spiezle said. "We're using tools that are readily available that anyone can use" to assess systems, “which means the cyber criminals can certainly use the same exact tools to evaluate how strong a site is or how weak it is." 

In addition to neglecting site security, many federal agencies failed to seal employee email addresses with technology to prevent mimicry, or "spoofing," the researchers found. One-third of agencies did not use email authentication, a technique that locks down email domains so swindlers can't impersonate a legitimate email sender.

By comparison,100 percent of e-commerce sites used some form of email authentication, as did 96 percent of social media sites. Because the federal sector has yet to fully embrace email authentication, "government sites are ripe for spoofing and spear-phishing attacks not only against constituents but also employees at other agencies," Spiezle said.

He cited a scenario of a criminal searching LinkedIn to find the name of a division director and someone who works for him, and then spoofing the boss' email address to send the employee an email fishing for sensitive information.

Many lower-level employees have public email addresses. The message purportedly from the boss could say something such as, "Great job on that presentation last week. Can you send me all the background details?" Spiezle offered as an example. 

A bright spot in the assessment is the government's supremacy in converting sites to Domain Name System Security Extension, a configuration that thwarts “man-in-the-middle” attacks where hackers redirect visitors to copycat sites.

Of the federal sites, 92 percent used DNSSEC, up from 88 percent last year. No other sector had transitioned more than 5 percent of sites. In 2008, the White House required all agencies to apply the system throughout the dot-gov domain by December 2009.

Obama administration officials did not respond to a request for comment on this year's report.  

To conduct the study, researchers reviewed more than 300 million email headers and about 8,500 Web pages, across sectors, between April 15 and May 23. The report has a least two limitations, the researchers acknowledged. A site's security practices might have changed since the sampling, and some sites might have been using security technologies the alliance's tools could not detect.

(Image via igor.stevanovic/

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • It’s Time for the Federal Government to Embrace Wireless and Mobility

    The United States has turned a corner on the adoption of mobile phones, tablets and other smart devices, outpacing traditional desktop and laptop sales by a wide margin. This issue brief discusses the state of wireless and mobility in federal government and outlines why now is the time to embrace these technologies in government.

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • A New Security Architecture for Federal Networks

    Federal government networks are under constant attack, and the number of those attacks is increasing. This issue brief discusses today's threats and a new model for the future.

  • Going Agile:Revolutionizing Federal Digital Services Delivery

    Here’s one indication that times have changed: Harriet Tubman is going to be the next face of the twenty dollar bill. Another sign of change? The way in which the federal government arrived at that decision.

  • Software-Defined Networking

    So many demands are being placed on federal information technology networks, which must handle vast amounts of data, accommodate voice and video, and cope with a multitude of highly connected devices while keeping government information secure from cyber threats. This issue brief discusses the state of SDN in the federal government and the path forward.

  • The New IP: Moving Government Agencies Toward the Network of The Future

    Federal IT managers are looking to modernize legacy network infrastructures that are taxed by growing demands from mobile devices, video, vast amounts of data, and more. This issue brief discusses the federal government network landscape, as well as market, financial force drivers for network modernization.


When you download a report, your information may be shared with the underwriters of that document.