Network World - Most U.S. federal agencies -- including the Department of Homeland Security -- have failed meet a Dec. 31, 2009, deadline to deploy new authentication mechanisms on their Web sites that would prevent hackers from hijacking Web traffic and redirecting it to bogus sites.
Agencies were required to roll out an extra layer of security on their .gov Web sites under an Office of Management and Budget mandate issued in August 2008, although at least one expert calls that year-end deadline "a little aggressive."
Aggressive or not, independent monitoring indicates that only 20% of agencies show signs of deploying the new security mechanism, which is called DNS Security Extensions, or DNSSEC for short.
DNSSEC is an Internet standard that prevents spoofing attacks by allowing Web sites to verify their domain names and corresponding IP addresses using digital signatures and public-key encryption.
Secure64, a DNS vendor, researched 360 federal agencies to see how many of their Web sites showed signs of digital signatures on their .gov domains.
"We found about 20% of agencies had signatures as of last week," says Mark Beckett, vice president of marketing for Secure64. "Eighty percent don't have any signatures up there. One can speculate about why that is. They may be working on it but haven't pushed the signatures into production yet. All you can tell from the outside looking in is that there's no evidence of progress on the DNSSEC mandate."
"The 20% number is completely believable," says Paul Hoffman, director of the VPN Consortium and an active participant in DNSSEC standardization efforts at the Internet Engineering Task Force. "NIST has been working on DNSSEC, but the individual agency IT departments aren't doing anything. DNSSEC is not a priority."
The Obama administration's failure to meet the cybersecurity deadline comes at a time when dozens of U.S. companies including Google, Yahoo and Adobe have reported cyberattacks by Chinese hackers.
OMB officials declined to say why the agency hasn't enforced the DNSSEC deadline for executive branch departments.
"With specific regard to the encryption of DNS databases, the government is committed to data protection and integrity. The steps taken to date by departments and agencies are being evaluated for their effectiveness," OMB spokesman Tom Gavin said in a statement.
Not everyone sees cause for concern in a missed deadline.
"The OMB deadline was a little aggressive,'' says Steve Crocker, an Internet pioneer who is CEO of Shinkuro, an R&D company engaged in DNSSEC-related work.
"I would take it as a very positive sign that there was any movement at all. What I'm hearing is that of the many, many things that all the federal CIOs are forced to pay attention to, DNSSEC is one that is likely to get attention in 2010," Crocker says.
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
