Introduction
The US government tries to meet the needs of US citizens in the most cost-efficient manner. Digital Government is a strategy developed by the Executive Office of the President of the United States (2012) aimed at ensuring that the US population receives reliable information and top-quality government services through the Web. The Digital Government Strategy pursues three distinct purposes: enabling US citizens to access high-quality digital government information and services at any place and time, seizing the opportunity to procure and manage devices, applications, and data in smart, secure, and affordable ways, and unlocking powerful government information to encourage innovation in the US (Executive Office, 2012). The strategy provided government agencies with a roadmap for increasing the use of modern technology to serve the public effectively and efficiently (Donovan et al., 2016).
The strategy, formulated in 2012, builds on a series of initiatives that require federal agencies to provide information and services via the Web. These initiatives include (Executive Office, 2012):
- Executive Order 13571 (Streamlining Service Delivery and Improving Customer Service);
- Executive Order 13576 (Delivering an Efficient, Effective, and Accountable Government);
- President’s Memorandum on Transparency and Open Government;
- OMB Memorandum M-10-06 (Open Government Directive);
- the National Strategy for Trusted Identities in Cyberspace (NSTIC);
- 25-Point Implementation Plan to Reform Federal Information Technology Management (IT Reform).
In addition to the initiatives listed above, the 21st Century Integrated Digital Experience Act and OMB Memorandum M-17-06 on policies for federal agency public websites and digital services regulate the quality and the type of information to be provided by government agencies.
Government Websites Overview
The Digital Government Strategy resulted in the emergence of a wide variety of government websites that provide reliable information on different matters. The present section discusses three government websites, including CANCER.GOV, FOODSAFETY.GOV, and GRANTS.GOV. The overview of these websites focuses on the type of information they provide and the population they serve. Additionally, the review uses Federal Information Processing Standard (FIPS) 199 criteria for defining the sensitivity level and outlines possible problems with security.
CANCER.GOV is the official website of the National Cancer Institute (NCI), which is the principal government agency for cancer research. The website provides free, credible, and comprehensive information about cancer research that focuses on the latest advancements and recommendations concerning screening, prevention, and treatment of various forms of cancer (NCI, n.d.). All the information provided on the website is reviewed by medical experts, cancer researchers, and editors, and all the recommendations provided are evidence-based (NCI, n.d.). The website was created for several target audiences, including healthcare workers, researchers, people who have cancer, their friends and family, and any other citizens interested in receiving the latest information about advancements in the war against cancer. The website falls under the following security category as defined by FIPS 199 (US Department of Commerce, 2004):
SC public information = {(confidentiality, n/a), (integrity, low), (availability, low)}
The website does not gather any sensitive information, which makes confidentiality issues not applicable. If the website is unavailable or the integrity of its information is breached for a short period, it will have a limited adverse effect on organizational operations, organizational assets, or individuals. The review of the website did not reveal any security issues.
FOODSAFETY.GOV is a government website that aims at providing food safety information from several agencies. While the agency responsible for running the website is the US Department of Health and Human Services (DHHS, n.d.a), important contributors to the website are the Food Safety and Inspection Service (FSIS) of the US Department of Agriculture, the US Food and Drug Administration (FDA), and the Centers for Disease Control and Prevention (CDC). The website provides timely information on recent food recalls or outbreaks of food-related illnesses, food safety charts, and food poisoning (DHHS, n.d.a). The website is intended for US citizens concerned about the safety of the food they consume. The following is the website’s security category as per FIPS 199 (US Department of Commerce, 2004):
SC public information = {(confidentiality, n/a), (integrity, moderate), (availability, moderate)}
The website does not collect any personal data, which makes confidentiality problems inapplicable. However, since the website provides the latest updates on recalls of food and outbreaks of food-related disease, the unavailability of the information may lead to an increased chance of food poisoning or infection. Thus, the integrity and availability disruptions may lead to serious adverse effects on organizational operations, organizational assets, or individuals. However, after a review of the website, no security issues were revealed.
GRANTS.GOV is a government platform that allows individuals and organizations to apply for grants and communicate with grant-providing agencies in a convenient manner. The website is under the jurisdiction of DHHS. The purpose of the website is to provide a “centralized location for grant seekers to find and apply for federal funding opportunities” (DHHS, n.d.b, para. 2). The website helps to facilitate communication with the federal government, increase awareness about grant opportunities, support easy application to grants, and make the application process secure and reliable (DHHS, n.d.b). The website is intended for grant seekers in a wide variety of categories, the most popular among which are education, healthcare, science and technology, natural resources, and income security and social services. According to FIPS 199, the security category of the website is the following (US Department of Commerce, 2004):
SC public information = {(confidentiality, high), (integrity, high), (availability, moderate)}
The website collects detailed personal data, which, if disclosed, can lead to significant harm for the applicants and grant providers. Additionally, if the information on the website is inaccurate, it may lead to severe adverse effects on organizational operations, organizational assets, or individuals. However, short-term unavailability will have only a serious adverse effect on organizational operations, organizational assets, or individuals. One of the major problems with the website's security is the lack of security contact information.
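The three FIPS 199 categories above can be checked and aggregated mechanically. The following is an added example, not part of the paper or of any agency's code: it parses SC lines in the notation used above, validates them against the FIPS 199 rules (n/a is only allowed for confidentiality), and applies the FIPS 199 high-water-mark rule to derive a system-level category. The scenario of the three sites' information types sharing one hosting system is a hypothetical assumption made only to exercise the aggregation rule.

```python
import re

# FIPS 199 potential impact values, ranked so that max() yields the high-water mark.
IMPACT_RANK = {"n/a": 0, "low": 1, "moderate": 2, "high": 3}
OBJECTIVES = ("confidentiality", "integrity", "availability")

# Security categories for the three sites exactly as the paper states them.
SITE_CATEGORIES = {
    "CANCER.GOV": {"confidentiality": "n/a", "integrity": "low", "availability": "low"},
    "FOODSAFETY.GOV": {"confidentiality": "n/a", "integrity": "moderate", "availability": "moderate"},
    "GRANTS.GOV": {"confidentiality": "high", "integrity": "high", "availability": "moderate"},
}

# Matches one "(objective, impact)" pair; also tolerates ';' as the separator.
PAIR_RE = re.compile(r"\(\s*(\w+)\s*[,;]\s*([\w/]+)\s*\)")


def parse_sc(line: str) -> dict[str, str]:
    """Parse 'SC x = {(confidentiality, n/a), (integrity, low), (availability, low)}'
    into {objective: impact} and validate it against FIPS 199."""
    category = {m.group(1).lower(): m.group(2).lower() for m in PAIR_RE.finditer(line)}
    if set(category) != set(OBJECTIVES):
        raise ValueError(f"expected exactly {OBJECTIVES}, got {sorted(category)}")
    for objective, impact in category.items():
        if impact not in IMPACT_RANK:
            raise ValueError(f"unknown impact value {impact!r} for {objective}")
        # FIPS 199 permits n/a only for confidentiality (e.g. public information).
        if impact == "n/a" and objective != "confidentiality":
            raise ValueError(f"n/a is not allowed for {objective}")
    return category


def system_category(categories) -> dict[str, str]:
    """FIPS 199 section 3.2: a system's category is the high-water mark per objective
    over every information type it holds; n/a is not allowed at system level, so an
    all-n/a confidentiality column becomes low."""
    cats = list(categories)
    result = {}
    for objective in OBJECTIVES:
        top = max(cats, key=lambda c: IMPACT_RANK[c[objective]])[objective]
        result[objective] = "low" if top == "n/a" else top
    return result


def overall_impact(category: dict[str, str]) -> str:
    """FIPS 200 takes the highest objective value as the system's impact level."""
    return max((category[o] for o in OBJECTIVES), key=IMPACT_RANK.__getitem__)


def format_sc(info_type: str, category: dict[str, str]) -> str:
    """Render a category back into the SC notation used in the paper."""
    pairs = ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES)
    return f"SC {info_type} = {{{pairs}}}"
```

Running `format_sc("shared system", system_category(SITE_CATEGORIES.values()))` shows that the hypothetical shared system inherits GRANTS.GOV's high confidentiality and integrity ratings, which is why FIPS 199 discourages co-hosting public and sensitive information types without separation.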
Security Issues
The reviewed government websites may have numerous security issues. While CANCER.GOV and FOODSAFETY.GOV do not gather sensitive information and may carry a lower risk from security breaches, GRANTS.GOV gathers confidential information. Below is a list of the five most common security issues the reviewed websites may face:
- Database breach. Wilshusen (2015) stated that attacks by hackers are a significant source of threat to government agency websites. One of the most vivid examples is Structured Query Language (SQL) injection, which is “an attack that involves the alteration of a database search in a web-based application” (Wilshusen, 2015, p. 5). All three websites are equally susceptible to database breaches.
- Phishing. According to Wilshusen (2015), phishing is an attack that lures visitors to fake websites in order to collect sensitive data. All three websites are equally susceptible to phishing; however, GRANTS.GOV is more likely to be affected since it collects sensitive data.
- Distributed denial-of-service (DDoS) attacks. DDoS attacks prevent users from accessing the website by exhausting server resources. All three websites are equally susceptible to DDoS attacks.
- Malware. Malware is malicious code injected into the website with the intention of compromising the integrity, availability, or confidentiality of the website. The most common types of malware are logic bombs, Trojan horses, ransomware, viruses, and worms. Although GRANTS.GOV is more likely to be impacted because it gathers sensitive data, all three websites are equally vulnerable to malware.
- Zero-day exploits. According to Wilshusen (2015), a zero-day exploit is an “exploit that takes advantage of a security vulnerability previously unknown to the general public” (p. 5). The vulnerability is usually exploited by the person who discovered it, which makes the attack difficult to detect. All three websites are equally susceptible to zero-day exploits.
Recommendations for Addressing the Vulnerabilities
The present section aims at providing recommendations for addressing the issues discussed in the previous section. The recommendations are numbered in correspondence with the number of issues in the previous section.
- Database breach. This vulnerability can be addressed by applying the National Institute of Standards and Technology (NIST) Cybersecurity Framework, section PR.DS-2, which covers the protection of data in transit (NIST, 2018). In order to avoid database breaches, it is recommended to encrypt data at rest, use firewalls and antivirus software, and use data loss prevention technologies.
- Phishing. The vulnerability can be addressed using the NIST SP 800-53 controls (NIST, 2020). Controls CA-2, CA-7, CP-4, and IR-3 of the framework can be applied to the problem. Control AT-2 suggests providing “security and privacy literacy training to system users (including managers, senior executives, and contractors)” (NIST, 2020, p. 60).
- Distributed denial-of-service (DDoS) attacks. This type of attack cannot be effectively prevented; however, it can be mitigated if guided by section RS.RP-1 of the NIST Cybersecurity Framework, which requires that the response plan be executed during or after an event (NIST, 2018). Additionally, government agencies can utilize server protection systems to protect against DDoS attacks (Geerts, 2021).
- Malware. The threat can be addressed using sections PR.AT-1, PR.IP-1, and PR.IP-4 of the NIST Cybersecurity Framework. According to these sections, all users are to be informed and trained; a baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles; and backups of information are conducted, maintained, and tested (NIST, 2018).
- Zero-day exploits. Zero-day exploits are difficult to prevent; however, the chance of new zero-day exploits emerging can be reduced by continuous auditing of website security structures, as suggested by controls AU-1 through AU-12 of NIST SP 800-53. Additionally, the impacts of zero-day exploits need to be mitigated in a timely manner, using the activities suggested by NIST (2018) in section RS.MI.
Conclusion
The present paper provided an overview of government agency websites and the threats to their security. In particular, the paper focused on CANCER.GOV, FOODSAFETY.GOV, and GRANTS.GOV. The analysis revealed that the websites are susceptible to database breaches, phishing, DDoS attacks, malware, and zero-day exploits. The NIST Framework for Improving Critical Infrastructure Cybersecurity as well as NIST SP 800-53 controls were used to recommend solutions to these problems.
References
Donovan, S., Shelanski, H., & Scott, T. (2016). Memorandum for the heads of executive departments and agencies: Policies for federal agency public websites and digital services (Report No. M-17-06). Executive Office of the President of the United States. Web.
Executive Office of the President of the United States. (2012). Digital government strategy. Web.
Geerts, T. (2021). 7 simple but effective tactics to protect your website against DDoS attacks in 2021. Cloud Security Alliance. Web.
National Cancer Institute. (n.d.). About this website. Cancer.gov.
National Institute of Standards and Technology. (2018). Framework for improving critical infrastructure cybersecurity. NIST. Web.
National Institute of Standards and Technology. (2020). Security and privacy controls for information systems and organizations. Web.
Wilshusen, G. C. (2015). Actions needed to address challenges facing federal systems. Web.
US Department of Commerce. (2004). Standards for security categorization of federal information and information systems (FIPS 199). Web.
US Department of Health and Human Services. (n.d.a). About FoodSafety.gov. Web.
US Department of Health and Human Services. (n.d.b). About Grants.gov. Web.