More Layers of Security Anticipated for Government Websites
The Cybersecurity and Infrastructure Security Agency will take over the day-to-day management of the official .gov top-level domain in April, adding a greater emphasis on security for the domains used for government websites.
Over the last 20 years, the .gov top-level domain has been managed by the General Services Administration, which supports many of the basic functions of federal government agencies. Over the years, the .gov domain has been used by the websites of each branch of the federal government as well as every state. Several hundred counties and cities, as well as tribes and territories, also use the .gov domain.
The Consolidated Appropriations Act of 2021, which former President Donald Trump signed into law in December 2020, includes a provision called the DOTGOV Act, which allows CISA to take over the management of the .gov domain because it’s now considered part of the nation’s critical infrastructure.
The shift of oversight to CISA is designed to pave the way to adding layers of security for .gov websites.
Some fraudsters waging phishing attacks have spoofed government websites in their effort to entice email recipients to click on malicious links.
For example, last month, the IRS warned that it was tracking several domains designed to spoof the tax agency’s official site (see: IRS Warns of Fresh Fraud Tactics as Tax Season Starts).
A report released Tuesday by security firm Proofpoint found fraudsters have stepped up spoofing of government websites over the past several weeks, especially as COVID-19 vaccinations have increased and the $1.9 billion economic stimulus bill was debated in Congress. Sites spoofing the U.S. Health and Human Services domain are being used to spread malware, conduct business email compromise schemes and phish for credentials, Proofpoint reports.
In making the announcement this week that CISA will take over the management of the domain in April, Eric Goldstein, the agency’s executive assistant director for the cybersecurity division, noted: “Using .gov provides security benefits, like two-factor authentication on the .gov registrar and notifications of DNS changes to administrators. … We’ll endeavor to make the [domain] more secure for the American public and harder for malicious actors to impersonate.”
Focus on Security
CISA will now be responsible for maintaining an official list of all websites, hostnames and services that use the .gov top-level domain.
CISA also must deliver a report on the type of data that .gov domains collect and how it can be used to counter malicious activity on websites.
The director of CISA will be required to create an “implementation plan on how to improve the cybersecurity benefits of the .gov internet domain” as part of a five-year plan to improve security, according to the appropriations measure passed last year. This includes “a modernization plan for the information systems that support operation of the .gov top-level internet domain, such as the registrar portal, and how these information systems will remain current with evolving security trends.”
Roger Grimes, data-driven defense evangelist at the security firm KnowBe4, says CISA is better prepared than GSA to help ensure the security of .gov websites.
“By turning it over to CISA, the primary agency in charge of U.S. cybersecurity and resilience, it can only allow better control and quicker responsiveness to emerging threats,” Grimes says. “CISA is raising the bar in every way that we need a federal protective agency to do it, short of legally requiring very strong cybersecurity for all businesses.”
Under the .gov domain’s current security structure, it’s too easy for fraudsters to attempt to register a .gov domain, Grimes says. But he points out that there have been improvements over the last two years, including a requirement for notarized signatures as part of the registration process to acquire a .gov website.
“Maliciously created .gov domains are not a huge problem right now – but they could be,” Grimes notes. “It was not difficult at all to get a .gov for most of the existence of the internet. You simply filled out an official government form and made the request. Only because the process was not abused much, the GSA did not do much to verify the validity of the applicant. The identity assurance was weak.”
Stephen Banda, senior manager for security solutions at Lookout, also notes that a more centralized management approach to the .gov domain would help to counter modern threats to government infrastructure.
“The move to centralize management of .gov domains with CISA emphasizes the severity of cybersecurity threats against U.S. federal government agencies,” Banda says. “Cybercriminals continue to evolve their tactics and increasingly target government organizations. At Lookout, we see a range of cybersecurity threats targeting federal personnel, especially as they telework from their smartphones, tablets and Chromebooks.”
CISA’s Role Expanding?
CISA could soon take on other new security tasks as well.
Last month, when both the U.S. Senate and House held hearings concerning the attacks that targeted SolarWinds, lawmakers appeared open to giving expanded authority and resources to CISA to conduct threat hunting throughout federal government networks and coordinate the sharing of intelligence it receives from the private sector (see: House SolarWinds Hearing Focuses on Updating Cyber Laws).