Feds Must Encrypt Government Websites by Dec. 2016
Source: Stephanie Mlot
The White House now requires all publicly accessible federal websites and services to use a secure HTTPS connection.
Government agencies have until Dec. 31, 2016 to comply with the new HTTPS-Only Standard directive.
Unencrypted HTTP connections "create a vulnerability and expose potentially sensitive information about users," U.S. Chief Information Officer Tony Scott said in this week's announcement. That includes data like browser identity, website content, search terms, and other user-submitted details.
"To address these concerns, many commercial organizations have already adopted HTTPS-only policies to protect visitors to their websites and services," Scott continued. "[Monday's] action will deliver that same protection to users of federal websites and services."
The move comes after the ACLU in April alerted Scott to "dozens" of inspectors general (including those at the Departments of Justice and Homeland Security) who did not use HTTPS for online whistleblower complaints, including disclosures of waste, fraud, or abuse.
That includes the Departments of Agriculture and Treasury, the Consumer Product Safety Commission, the Corporation for Public Broadcasting, the U.S. International Trade Commission, the National Archives, and the Smithsonian. Not to mention the State Department's "Rewards for Justice" online terrorism tip line.
The danger lies in the transmission of information. When someone visits one of these official sites to file a report, their tip could be intercepted, putting not only the whistleblower's identity at risk, but also the confidentiality of their intelligence.
The White House's new memorandum, however, aims to patch those loopholes, albeit over an 18-month period.
The government's technical assistance and best practices are available online. The public can keep an eye on the conversion process via the Pulse dashboard.
"It is critical that federal websites maintain the highest privacy standards for the users of its online services," Scott said this week. "With this new action, we are driving faster Internet-wide adoption of HTTPS and promoting better privacy standards for the entire browsing public."
According to Politico, the Office of Personnel Management database breached by hackers was not encrypted, despite the fact that it housed sensitive information like Social Security numbers.