HTTPS Encryption Isn’t Enough to Secure Federal Websites

.gov website cybersecurity government

After some fits and starts, Federal agencies are gaining ground in efforts to better secure their websites and email systems by employing HTTPS encryption, and installing the Domain-based Message Authentication, Reporting and Conformance (DMARC) anti-phishing protocol, among other measures

But it’s been a fairly long road. The Office of Management and Budget first required Federal civilian agencies to install HTTPS back in 2015, during the Obama administration. Compliance lagged, and last October the Department of Homeland Security brought down the hammer with Binding Operational Directive 18-01, giving agencies tight deadlines to implement HTTPS, DMARC, and to take several other steps.

When an initial deadline arrived in February, only 54 percent of agencies had complied. But progress has been steady, if not perfect, since. A running tally kept by the General Services Administration shows that, as of Oct. 25, 74 percent of agencies have met the requirements of both the OMB and DHS mandates (still less than the 100 percent DHS mandated by now in a directive last October, but since when do all agencies hit any deadline? It’s progress.)

The Symposium covers today’s most pressing cyber issues – holistic security, AI, IoT, cloud, security-as-a-service, and more. Join us on October 30. Learn more and register

But while the growing number of agencies that are getting in line is good news for Federal cybersecurity, these steps aren’t any kind of final destination, experts say. HTTPS, DMARC and other measures are just steps along the way toward securing websites and communications.

HTTPS, which stands for Hyper Text Transfer Protocol Secure, is widely used across the Internet as a security upgrade to the old HTTP, encrypting traffic with the Transport Layer Protocol (or its precursor, Secure Sockets Layer protocol). Originally used to secure financial transactions and sensitive communications, it’s broadly used now as a way to authenticate websites and protect the identity and communications of users.

But HTTPS isn’t a silver bullet. It protects data in transit, and deters man-in-the-middle and similar attacks. But it’s just a small piece. It won’t stop software exploits, brute force attacks or  distributed denial of service (DDDS) attacks. And it can be hacked.

DMARC similarly has significant benefits for email security, because it confirms the authenticity of a sender. It strengthens Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM), better enabling them to “watermark” emails, which makes spoofed emails easier to detect and reject. Prominent players such as Facebook, Google and PayPal have reported significant reductions in email abuse and fraud as a result of implementing DMARC. But DMARC also has its limits, including the fact that both sender and recipient have to have it installed in order for it to work. It also can be difficult to implement and scale for the cloud.

DHS is aware of the limitations, which is why its directive also orders agencies to take other steps, such as using HTTP Strict Transport Security (HSTS), which ensures that browsers always use proper connections, and prevents users from clicking through security certificate-related warnings.

Beyond public-facing websites, agencies also could consider other steps to protect data and communications, such as internal application encryption, data-at-rest protections, and–very important these days–making sure cloud providers are taking all the right steps. Agencies are well aware by now that hackers–be they private operators or groups working for nation-states–don’t sleep. Security advancements shouldn’t stop either.

Recent