Skip Links

80% of government Web sites miss DNS security deadline

Opinions differ as to whether Dec. 31, 2009, deadline was realistic

By , Network World
January 21, 2010 05:00 AM ET

Network World - Most U.S. federal agencies -- including the Department of Homeland Security -- have failed to comply with a Dec. 31, 2009,  deadline to deploy new authentication mechanisms on their Web sites that would prevent hackers from hijacking Web traffic and redirecting it to bogus sites.

Agencies were required to roll out an extra layer of security on their .gov Web sites under an Office of Management and Budget mandate issued in August 2008, although at least one expert calls that yearend deadline "a little aggressive."

Aggressive or not, independent monitoring indicates that only 20% of agencies show signs of deploying this new security mechanism, which is called DNS Security Extensions, or DNSSEC for short.

DNSSEC is an Internet standard that prevents spoofing attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption.

Secure64, a DNS vendor, researched 360 federal agencies to see how many of their Web sites showed signs of digital signatures on their .gov domains.

"We found about 20% of agencies had signatures as of last week," says Mark Beckett, vice president of marketing for Secure64. "Eighty percent don't have any signatures up there. One can speculate about why that is. They may be working on it but haven't pushed the signatures into production yet. All you can tell from the outside looking in is that there's no evidence of progress on the DNSSEC mandate."

"The 20% number is completely believable," says Paul Hoffman, Director of the VPN Consortium and an active participant in DNSSEC standardization efforts at the Internet Engineering Task Force. "NIST has been working on DNSSEC, but the individual agency IT departments aren't doing anything. DNSSEC is not a priority."

The Obama Administration's failure to meet this critical cybersecurity deadline comes at a time when dozens of U.S. companies including Google, Yahoo and Adobe have reported cyberattacks by Chinese hackers.

OMB officials declined to say why the agency hasn't enforced the DNSSEC deadline for executive branch departments.

"With specific regard to the encryption of DNS databases, the government is committed to data protection and integrity. The steps taken to date by departments and agencies are being evaluated for their effectiveness," OMB spokesman Tom Gavin said in a statement.

Not everyone sees cause for concern in missed deadline.

"The OMB deadline was a little aggressive,'' says Steve Crocker, an Internet pioneer who is CEO of Shinkuro, an R&D company engaged in DNSSEC-related work. "I would take it as a very positive sign that there was any movement at all. What I'm hearing is that of the many, many things that all the federal CIOs are forced to pay attention to, DNSSEC is one that is likely to get attention in 2010.''

Crocker says it's realistic for the majority of federal agencies to support DNSSC in their .gov subdomains by the end of 2010.

"Missing the mark by one year is pretty good news in this business,'' Corcker says. "There is a gradual tightening of security going on up and down the Internet protocol stack. DNSSEC isn't the be-all-and-end-all, but it's an important piece. The technical community has been working on DNSSEC for 20 years. The top part of .gov is signed, and now we're seeing the other pieces coming along.''

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News