The Trump administration is urging domain operators to include an extra layer of security on federal websites in an attempt to reduce the risk that hackers will spy on site visitors.
The goal, which officials said could take “a few years” to achieve, is to get all websites with the .gov internet domain to use a standard that always encrypts a user’s connection to that site. Using that encryption by default is a way for agencies to boost security for a swath of public data being routed through internet domains they control.
The security benefits of doing that “are meaningful and necessary to continue meeting the public’s expectation of safety on .gov services,” the General Services Administration, which oversees top-level domains for the U.S. government, said in a blog post published Sunday.
The initiative builds on use of the HTTPS, a security protocol that internet users have come to expect from websites. HTTPS is meant to ensure that websites are legitimate, and protects data transmitted between a web page and its visitors. An additional feature, known as HTTP Strict Transport Security, makes sure browsers are always using an HTTPS connection to a site.
GSA officials want that HTTP Strict Transport Security functionality enabled automatically for federal websites.
By Sept. 1, the agency said, the Transport Security feature must be enabled automatically for all new federal websites that come online. Meeting the deadline will require cooperation between federal, state, local and tribal government bureaucracies. GSA said it is planning an information campaign, with the help of civic organizations, to spread awareness about the transition.
There is also the tedious task of retroactively implementing the feature for existing federal websites. Currently, some government websites don’t have HTTPS capabilities, according to GSA. A 2015 White House memo mandated a switch to the protocol by the end of 2016. Another issue the new GSA initiative is trying to address is internal “intranet” agency sites that the White House never ordered to move to HTTPS.
“Preloading an existing [top-level domain] is substantially more challenging than preloading a new one, because preloading requires that HTTPS be supported everywhere the domain is used for web services, including sites on both the internet and intranet alike,” GSA said.
The Department of Homeland Security’s cybersecurity wing also will work with .gov domain owners to help prepare for the update.