It remains to be seen whether data security experts will be assigned to a White House tech squad recently forged to ensure government websites work better than the initial, botched HealthCare.gov, Obama administration officials said Monday.
Privacy advocates, and even Google, are calling on websites worldwide to offer stronger safeguards, following a spate of data breaches and allegations of government snooping.
In June, a study on online trust found that social networks outperform government sites in protecting site visitors with encryption.
The new U.S. Digital Service was described Aug. 11 by officials as a small team of America’s best digital experts who will “remove barriers to exceptional service delivery and help remake the digital experience that people and businesses have with their government.”
Officials on Monday told Nextgov they are still building the crew and consulting with agencies to identify weak spots in site design and performance, so the focus of projects is unknown.
If the past year is any indicator, security is a “gap area” in government-speak.
Federal Sites Not Immune To Security Concerns
Several federal websites have either inadvertently leaked data or unwittingly exposed visitors to viruses.
More than a quarter of federal websites are not properly configured to prevent intruders from intercepting data entered by citizens, according to June research from the Online Trust Alliance. The sites scored 10 percent lower than online banking services and social media on encryption.
Many of the problems with the rollout of HealthCare.gov involved security holes, not just functionality issues. Major vulnerabilities were found more than two months after the site launched Oct. 1, according to the top cyber official at the Centers for Medicare and Medicaid Services, which oversees the site. Critics note that HealthCare.gov launched without undergoing a complete security test.
Federal sites have also not been immune to high-profile software defects that jeopardized the privacy of user information on commercial sites. This spring, HealthCare.gov account holders were instructed to reset their passwords, following the discovery of Heartbleed, a bug in a widely used encryption tool.
There are numerous examples of security mistakes on other agency sites that could’ve welcomed in hackers. Here are a few:
- Early this year, a joint Pentagon-Department of Veterans Affairs e-benefits website was compromised during a software upgrade. For a brief period, some veterans and service members who had logged into the eBenefits Web portal were able to see a combination of their own information and data from other site users.
- A Marine Corps recruitment site last fall reportedly redirected users to anti-military propaganda, after a breach by the Syrian Electronic Army, a pro-regime hacktivist collective.
- In May 2013, Energy Department nuclear workers who visited a federal website related to toxic exposure were exposed to data-stealing software implanted by a hacker. The Labor Department's “Site Exposure Matrices” public website is intended to help Energy personnel determine appropriate compensation after contracting nuclear-related illnesses on the job. It is believed attackers exploited a weakness in Labor's site to infiltrate the computers of Energy personnel visiting it.
In a bid to promote stronger site protections Internet-wide, Google just announced it will boost the search rankings of sites that use encryption. Specifically, a site's placement in search results will be partly based on whether the page uses "HTTPS," a method of securing online communications.
Let’s see if the new Digital Service can get all the dot-gov pages to the top.