Dot-govs Score Points for Protecting Privacy but Poor Email Authentication Remains An Issue

Federal websites score high in privacy protection but get dinged on poor email authentication, according to a newly released report examining website security in both the government and the private sector. 

Almost half of dot-govs evaluated have failed to adopt adequate email authentication technologies, in particular those that help stop phishing attempts and spam, according the seventh annual report from the Online Trust Alliance.

The report scored websites from a wide variety of sectors based on three main categories: email and domain authentication; infrastructure security; and domain, brand and consumer protection.

Although federal sites scored high in the privacy category, they lagged behind in domain, brand and consumer protection, according to the report. Their scores were about average in the category in which sites were evaluated based on their own security, as well as their server and infrastructure security.

“We're seeing growth in many areas year to year, so it's a good step forward,” said Craig Spiezle, founder of the alliance and a study co-author, in an interview with Nextgov.

The report found that federal websites scored higher than any other sector in data protection, privacy and transparency, except for those entities specifically committed to safeguarding information. 

Federal websites don’t support advertising or share data with third parties, which likely contributed to their high scores in privacy, Spiezle said.

Federal sites had the second to lowest score in domain, brand and consumer protection, largely because of poor email authentication on top-level and subdomains, the found.

But one area where federal websites excelled was in their implementation of Domain Name System Security Extension, which adds a level of security to domain name system lookup. Its widespread implementation was likely due to a presidential directive, according to the report.

When it came to site, server and infrastructure security, federal websites scored about average compared with other categories. But they also showed a vast improvement from 2014.

The Federal Deposit Insurance Corporation was awarded the highest score of all federal sites.

The study included websites of cabinet-level and consumer-facing agencies. Researchers also took considered whether the sites had been breached in the past and overall site traffic, Spiezle said.

The scores for individual federal sites varied widely. Although some scored very low, other outliers scored bonus points for implementing emerging best practices.

OTA did not release specific agency website scores because to security concerns.

“One of the things that’s real concerning to us, if we disclose the scores, we're also going to disclose which sites are most vulnerable and we don't want to invite more targeted breaches," Spiezle said.

In the past, the organization has shared the report’s information, including scores, with the White House.

“We have offered the White House the opportunity to brief them on this, but they have not responded to confirm a time for a briefing yet,” Spiezle said.

(Image via Sergey Nivens/ Shutterstock.com)