Analysts who studied hundreds of federal websites found more than one-third did not have security measures to prevent hackers from intercepting visitors’ sensitive information or redirecting traffic to malicious phishing websites.
The Information Technology and Innovation Foundation (ITIF), a science and tech policy think tank, released a report Monday that said hundreds of federal websites “continue to fall short of requirements set by the federal government, as well as industry standards for web design and development.”
“Despite the common acknowledgment that federal websites fall far short of federal requirements and industry standards, little progress has been made to improve and modernize them over the course of the past year,” Daniel Castro, ITIF vice president and the report’s lead author, said in a statement.
For the second edition of their “Benchmarking U.S. Government Websites” report, the ITIF tested 469 federal websites that were ranked in the top 1 million sites globally and found that more than 90 percent failed at least one key performance measure and more than one-third failed at least one “important” security measure.
The analysts reviewed each of the websites for two security features that every popular federal website is required to have enabled. First, analysts tested each site to determine whether it had enabled Domain Name System Security (DNSSEC).
Using Verisign Labs’ “DNSSEC Debugger,” a web-based tool that determines whether a website has enabled the security feature, the analysts found 88 percent of the websites they tested enabled DNSSEC, down from 90 percent in the previous year.
DNSSEC helps resolvers reject forged answers by digitally “signing” DNS records with a verifiable signature so their authenticity can be checked. The security measure protects the Domain Name System (DNS), which manages navigation by mapping domain names to IP addresses, from tampering. Without it, DNS has no way of determining whether an answer actually came from the domain’s authorized operator.
The security measure stops DNS attacks such as cache poisoning, in which hackers plant false records so that users are redirected to other webpages. This sort of attack could let hackers set up spoofed pages that are identical to actual federal websites in order to gather sensitive information from visitors or infect their computers with malware.
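The check the analysts describe (does a site’s zone return DNSSEC signatures?) can be reproduced in a simplified form with nothing but the standard library. The script below is an added example and is not the ITIF’s or Verisign’s tool: it builds a DNS query with the EDNS0 “DNSSEC OK” bit, sends it to a validating resolver, and reports whether RRSIG records and the AD (“authentic data”) flag came back. Unlike the full DNSSEC Debugger it does not walk the chain of trust itself; it relies on the resolver’s validation. The resolver address, the domain `example.gov`, and the embedded sample response are all constructed for illustration.

```python
"""Simplified DNSSEC-presence check over UDP (added example, standard library only)."""
import socket
import struct

TYPE_A = 1
TYPE_OPT = 41
TYPE_RRSIG = 46
AD_FLAG = 0x0020   # header flag: resolver validated the answer ("authentic data")
DO_FLAG = 0x8000   # EDNS0 flag: "DNSSEC OK", ask the resolver to include RRSIGs


def encode_name(name):
    """Encode a hostname such as 'example.gov' as DNS wire-format labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid=0x1234, qtype=TYPE_A):
    """Recursive query for `name` plus an OPT record carrying the DO bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # RD set, 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, UDP payload size 4096, ext-rcode 0, version 0, flags DO, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, DO_FLAG, 0)
    return header + question + opt


def skip_name(data, offset):
    """Return the offset just past a name, handling compression pointers."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:        # two-byte pointer terminates the name
            return offset + 2
        offset += 1 + length


def parse_response(data):
    """Extract the transaction id, AD flag and answer-section record types."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):
        offset = skip_name(data, offset) + 4          # skip QTYPE and QCLASS
    types = []
    for _ in range(ancount):
        offset = skip_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        types.append(rtype)
        offset += 10 + rdlen
    return {"txid": txid, "ad": bool(flags & AD_FLAG),
            "answer_types": types, "has_rrsig": TYPE_RRSIG in types}


def check_dnssec(name, resolver="9.9.9.9", timeout=3.0):
    """Ask a validating resolver (assumed address) whether `name` answers with signatures."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    result = parse_response(data)
    if result["txid"] != 0x1234:
        raise ValueError("transaction id mismatch; discarding response")
    return result


def make_sample_response(signed=True):
    """Constructed response for example.gov (not a real capture): one A record, and when
    signed=True also an RRSIG plus the AD flag, as a validating resolver would return."""
    flags = 0x8180 | (AD_FLAG if signed else 0)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 2 if signed else 1, 0, 0)
    question = encode_name("example.gov") + struct.pack("!HH", TYPE_A, 1)
    ptr = b"\xc0\x0c"                                   # pointer back to the name at offset 12
    a_rr = ptr + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 10])
    if not signed:
        return header + question + a_rr
    sig = b"\x00" * 18                                  # placeholder RRSIG fields for the sample
    rrsig_rr = ptr + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(sig)) + sig
    return header + question + a_rr + rrsig_rr


if __name__ == "__main__":
    print("sample signed  :", parse_response(make_sample_response(True)))
    print("sample unsigned:", parse_response(make_sample_response(False)))
    try:
        print("example.gov live:", check_dnssec("example.gov"))
    except OSError as exc:
        print("live query failed:", exc)
```

A site passes the simplified check when `has_rrsig` and `ad` are both true; an answer with neither means either the zone is unsigned or the resolver is not validating, which is why the resolver must be one known to validate.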
The security measures also prevent distributed denial of service (DDoS) attacks, which hackers use to flood a website with botnet traffic and overload the website for a period of time.
The report states that the federal websites for the Speaker of the House, the House of Representatives, and the Congressional Budget Office all failed to enable DNSSEC.
In 2008, the Office of Management and Budget required all federal websites to deploy DNSSEC to remove threats of DNS-based attacks and improve the “overall integrity and authenticity of information processed over the Internet.”
The analysts also tested each site to identify whether it enabled Hypertext Transfer Protocol Secure (HTTPS).
Using Qualys SSL Labs’ “SSL Server Test,” which analyzes a website’s Secure Sockets Layer (SSL) certificates and configuration, the analysts found that 71 percent of the sites passed the test, up from 67 percent the previous year. SSL certificates ensure that all data being sent between the browser and server is encrypted.
Websites use an SSL certificate to authenticate the identity of a website and encrypt data that is being transmitted in order to ensure that hackers cannot intercept communications from a user, such as credit card information or other personal data, or manipulate data between the browser and the server.
The analysts found that the websites for the Government Accountability Office and the Speaker of the House failed to enable HTTPS, among others.
In total, 36 percent of the websites failed one of the security tests, down from 39 percent in the previous year.
The analysts also found that 60 percent of the sites they tested were accessible to users with disabilities, up slightly from 58 percent in their initial report. The report said that the main issue was a lack of labels, which prevents blind users from navigating certain websites with a screen reader.
Although it is not required by law, analysts also reviewed the websites for their page-load speed and found that 37 percent failed the test, up from 27 percent in the previous report. The report also found that fewer federal websites passed their mobile page-load speed test, down from 36 percent in the initial report to 27 percent in the report released Monday.
Only 61 percent of the websites they tested were mobile friendly, a slight increase from the 59 percent that were found to be mobile-friendly in the last report.
In 2016, the ITIF reviewed 297 of the most popular government websites and released a report that said “many federal government websites were not fast, mobile friendly, secure, or accessible.”
Since that report, the ITIF said that federal agencies have “made little progress at modernizing government websites.”
The report applauded President Donald Trump for taking a “general step in the right direction” by signing an executive order in May that established the American Technology Council to modernize IT infrastructure in the US. However, the report adds that the Trump administration needs to address these failures in order to ensure the government can “provide all Americans with secure and convenient access to online government services and information.”
“Government websites get millions of visitors each day. As more people go online for public services and as security threats continue to evolve, it is important for federal websites to be more convenient, accessible, and secure,” Galia Nurko, an ITIF research fellow, said in a statement. “This report shows a significant amount of work left to be done to modernize federal websites and ensure that, as technology advances, federal websites improve in turn.”