Senate racing to make its websites hack-proof

The U.S. Senate has begun shoring up the security of its websites, a step the House has yet to take. Yet both chambers of Congress are far from making their websites not only secure but also accessible.

The changes follow a March report from the Information Technology and Innovation Foundation titled “Benchmarking U.S. Government Websites,” which reviewed 300 of the most popular of the more than 6,000 websites on more than 400 domains by which the U.S. government provides services.

That got government’s attention, ITIF Vice President Daniel Castro told the Washington Examiner.

While it’s unclear whether the report was the motive, in the past month Senate websites have begun to make the jump to encrypted HTTPS, according to a ZDNet report. That extra “S” attached to the end of “HTTP” (which stands for HyperText Transfer Protocol) means added security, a layer of encryption and authentication for any web transactions between servers and web browsers being used by people on their computers and smartphones.

HTTPS certifies that these Senate webpages are not intercepted, modified or replaced while in transit and helps to shield users from being tracked. Initially something only e-commerce and bank websites used, HTTPS is quickly becoming fairly common, including on Facebook, where personal information of users is at risk.

The stakes are increasing as Google plans to mark all HTTP pages where users are able to input data as “not secure” on Chrome, the world’s most popular web browser. This issue is a direct threat to government websites where, for example, constituents would fill out a comment page or where a search box appeared.

While most of the big committee pages for the House have HTTPS protection, some, including House.gov and the website for the Appropriations Committee, do not. Dan Weiser, communications director for the House Chief Administrative Officer, told the Washington Examiner that the House is “voluntarily converting all of its sites to HTTPS and [expects] to complete the transition in the near future.”

That’s progress, but the voluntary nature of web security is part of the problem, Castro said.

When ITIF released its report this year, it found in its sample that a whopping 92 percent failed to pass at least one of its benchmarks, which included speed, mobile friendliness, accessibility and security.

Leading the pack, Castro said, is the executive branch. The White House has mandated that all existing and new web services support and enforce HTTPS connections over the public Internet. Such a mandate doesn’t exist for the legislative and judicial branches.

The judicial branch, which handles sensitive court records, has “a pretty bad track record with IT,” Castro said, and the legislative branch isn’t much better. A follow-up post from ITIF in May, focusing specifically on the legislative branch, revealed that 99 percent of the websites it sampled failed at least one of its tests.

In both ITIF reports, the security benchmark looks not only at HTTPS but also at Domain Name System Security, “a set of protocols that add security to domain name system (DNS) lookup and exchange processes.” One does not exclude the other.

“You would want both,” Castro said. “It’s like locking your windows and locking your doors.”

To address these issues, ITIF recommended that the House and Senate adhere to the same standards as the executive branch, use shared services and embrace an “interagency working group on modernizing websites to share best practices, guidelines, and source code between the various agencies and branches of government.” ITIF is also planning to follow up with a six-month full report in late summer or early fall, Castro said.

ITIF recommends that the “federal government should build fast, convenient, secure and accessible websites so that anyone can access government services and information online.”

“The way to fix it,” Castro said, is to “start measuring these things and holding people accountable.” He added that this isn’t expensive because all it takes, for example, to obtain HTTPS security is to obtain a certificate from a third party, which can be done at “minimal cost.”

“Everyone should be significantly higher than they are,” he said.

Asked whether the House or Senate has more issues, Castro said the House “has a bigger uphill battle.” He explained that while the Senate’s sites are all hosted together and the chamber has only 100 senators, the House committees are split between majority and minority party websites, which splits their resources.

Castro said agencies should use ITIF’s report not only to shore up their web services where they are lacking, but also to address systemic issues, including whether there is a lack of funding or training in certain areas. But Castro is concerned because the ITIF report examines only popular websites, not the smaller ones with less traffic that likely get less attention.

“Is this just the tip of the iceberg?” Castro asked.
