A bipartisan U.S. Senate bill designed to help local governments move their websites onto the federally administered .gov domain, a step widely considered to make sites more secure, was endorsed Monday by the National Association of State Chief Information Officers.
The DOTGOV Online Trust in Government Act, introduced last week by Sens. Gary Peters, D-Mich., Ron Johnson, R-Wis., Amy Klobuchar, D-Minn., and James Lankford, R-Okla., would direct the Department of Homeland Security to help local governments migrate to .gov websites. The domain is standard for federal agencies and has been adopted by every state government, but it is used inconsistently among lower rungs of government, which the bill’s sponsors say undermines citizens’ trust in their local authorities’ online presences.
The .gov top-level domain — or TLD, as the suffixes on web addresses are known — includes a variety of security features that commercially available web addresses, like those ending in .com or .org, do not, including active vulnerability monitoring, a round-the-clock help desk and mandatory two-factor authentication for all users. Sites on .gov are also capable of being “preloaded” in web browsers using HTTPS, a protocol that runs over an encrypted connection, rather than the standard, unsecured HTTP protocol.
Matt Pincus, NASCIO’s government affairs director, told StateScoop that the group has promoted wider adoption of the .gov domain since 2003, when it was first made available to non-federal entities.
“As state CIOs are having to help locals and counties, this is one thing everyone should do that would make everyone more secure and the state CIOs’ lives easier,” he said.
Several state CIOs and chief information security officers are already pushing their local counterparts to make the switch, like Michigan CISO Chris DeRusha, who lent his support for the DOTGOV bill in a Senate press release. While many cities and counties have built their web brands on sites ending in .com or .org out of convenience, a .gov extension brings an air of authority that other TLDs do not.
“Moving more entities to .gov will help citizens know they are looking at the legitimate address,” DeRusha said.
But Pincus added that the $400 annual fee that the General Services Administration charges to register a .gov site is prohibitively expensive for many local governments already strapped for technology resources.
“If you’re a local county and you don’t have a full-time IT staff and you can go to GoDaddy for $9 a year, why would you bother with the $400?” he said, referring to the popular web host and domain registrar, where sites ending in .com can be purchased for as little as $12 a year.
The registration statistics for the .gov domain bear that out. Although the U.S. Census counts nearly 39,000 local governments — including counties, cities, towns and other conurbations — the most recent available registry for the .gov domain includes just 4,759 non-federal sites.
Moving to the .gov space is also a growing concern for election security, especially as secretaries of state and local clerks seek to safeguard their voter registration systems and results-reporting tools ahead of the 2020 cycle. The Cybersecurity and Infrastructure Security Agency, the DHS branch responsible for protecting the nation’s internet landscape, has been urging election officials to migrate their sites.
While .gov offers security benefits that other TLDs do not, it is not an inoculation against cyberattacks like ransomware, which has victimized several local governments running on it, like Atlanta and Baltimore. But it can be a preventative measure against attacks that seek to defraud victims through co-opting a government’s identity, North Carolina CIO and NASCIO President Eric Boyette said in a press release.
“As local governments continue to be targets of a constant barrage of sophisticated cybersecurity and spoofing attacks, the .gov domain sends a message to the user that the domain is legitimate and secure,” he said.
The DOTGOV bill would also make several structural changes to how the .gov domain is run, including transferring management of it from the GSA to CISA. To address the registration costs, the DOTGOV bill would also allow local governments to use DHS grant money to migrate web domains, which Pincus said should entice more of them to make the switch.
“If you can make yourself a little more secure, why wouldn’t you do it?” he said.