Forum Standaardisatie surveys the use of secure standards for websites and e-mail among government organizations every six months. Applying these standards is not a one-time action but requires continuous attention, as the most recent measurement shows. Some organizations have made significant steps since the previous measurement, such as the Justice Information Service and the Scheldestromen Water Board: their primary Internet domains are now fully compliant with the essential Internet security standards. Municipalities such as Elburg and Lopik have also made progress, but at the same time still have loose ends.

Although the use of most information security standards among government websites and e-mail systems has grown over the past six months, there are still serious areas of concern. For example, the percentage of websites with a solidly configured TLS standard, used for secure website connections, dropped 15 percentage points to 78%. The share of e-mail systems that properly apply the STARTTLS standard, used for secure e-mail connections, fell 45 percentage points to 42%.
These concerns arose as a result of a tightening of the National Cyber Security Centre's (NCSC) ICT security guidelines for Transport Layer Security (TLS). These guidelines were first established in 2014 and were updated in 2019. The update was necessary because digital threats continue to increase. "However, the development of attack techniques did not stand still. Several institutions are known to be fragile with a view to future development," the NCSC said. A secure TLS configuration is important for securing connections on the Internet: with a vulnerable connection, organizations run the risk that Internet traffic can be eavesdropped on or manipulated. The NCSC's guidelines help create future-proof TLS configurations, so organizations can focus on the threats that deserve daily attention.
Another major concern is insecure configurations of the standards that can prevent e-mail phishing. E-mail is susceptible to "spoofing", a trick whereby someone sends an e-mail with any e-mail address as the sender. This allows cybercriminals to send e-mails in the name of organizations that are unaware of it, often for phishing purposes. Modern Internet standards can prevent spoofing, but far from all government organizations use them. For 34% of major government e-mail domains, criminals can still send forged e-mails in the domain's name today. This is because the Internet standard DMARC has not been implemented strictly enough everywhere.
The consequence of an insufficiently strict DMARC configuration is that phishing e-mails in the name of lagging government organizations (including those of government officials) can still reach citizens and businesses. DMARC has been on the list of mandatory standards for government organizations since 2015, and the standard should have been strictly implemented at all government organizations by the end of 2019. The research firm Gartner recently put DMARC in its top 10 information security projects for 2020-2021. Government organizations that do not yet have their DMARC configuration in order are now dealing with overdue maintenance and are therefore at unnecessary risk.
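To make "not implemented strictly enough" concrete, the following added example (written for this page; it is not Forum Standaardisatie's measurement tooling, and the domain names and records are constructed placeholders) parses DMARC TXT records and classifies them as strict, lenient or missing. The classification is a deliberate simplification: a record only counts as strict when p=reject applies to 100% of failing mail and no weaker subdomain policy (sp=) undoes it. It works offline on embedded sample records; a real check would first fetch the TXT record at _dmarc.<domain> from DNS.

```python
"""Classify the strictness of DMARC records (added example, not the report's own code).

A DMARC record is a DNS TXT record published at _dmarc.<domain>, for example
    v=DMARC1; p=reject; rua=mailto:dmarc-reports@example
The p= tag tells receiving mail servers what to do with mail that fails
SPF/DKIM alignment: none (deliver anyway), quarantine (spam folder) or reject.
Only p=reject, applied to all mail (pct=100) and also to subdomains, keeps
spoofed mail in the domain's name away from recipients.
"""
from __future__ import annotations

# Constructed sample records; the domains are placeholders, not real measurement data.
SAMPLE_RECORDS = {
    "strict.example": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@strict.example",
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "partial.example": "v=DMARC1; p=reject; pct=50; rua=mailto:dmarc@partial.example",
    "weak-subdomain.example": "v=DMARC1; p=reject; sp=none",
    "broken.example": "v=DMARC1 p=reject",  # missing ';' separator, so the tags cannot be parsed
    "no-record.example": "",                  # no DMARC record published at all
}


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC TXT record into lower-cased tag/value pairs.

    Returns an empty dict when the text is not a DMARC record (no valid v=DMARC1 tag).
    """
    tags: dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def classify_dmarc(record: str) -> tuple[str, list[str]]:
    """Return ('strict' | 'lenient' | 'missing', list of findings explaining the verdict)."""
    tags = parse_dmarc(record)
    if not tags:
        return "missing", ["no valid DMARC record (v=DMARC1 tag absent or malformed)"]

    findings: list[str] = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"policy p={policy or '<absent>'} does not reject failing mail")

    # pct= limits how much of the failing mail the policy is applied to (default 100).
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")

    # sp= overrides the policy for subdomains; it defaults to the p= value.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy != "reject":
        findings.append(f"subdomain policy sp={sub_policy or '<absent>'} leaves subdomains spoofable")

    return ("strict" if not findings else "lenient"), findings


def spoofable_share(records: dict[str, str]) -> float:
    """Percentage (one decimal) of domains whose DMARC record is not strict, i.e. still spoofable."""
    not_strict = sum(1 for rec in records.values() if classify_dmarc(rec)[0] != "strict")
    return round(100.0 * not_strict / len(records), 1)


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        verdict, findings = classify_dmarc(record)
        print(f"{domain:25s} {verdict:8s} {'; '.join(findings)}")
    print(f"spoofable share: {spoofable_share(SAMPLE_RECORDS)}%")
```

Running the script lists each sample domain with its verdict and the reasons; only strict.example passes, so 83.3% of the constructed set remains spoofable. The same three checks (reject policy, full percentage, subdomain policy) are what an organization should verify on its own primary and secondary domains before considering its DMARC "in order".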
For its measurements, Forum Standaardisatie semi-annually tests a stable set of about 550 primary government Internet domains. The government's Internet domain portfolio, however, keeps growing: whereas the Rijksoverheid had registered about 3,500 domain names in 2013, nearly 9,000 domain names are now in view. Government organizations also do not always appear to have visibility into the Internet domains they own or are responsible for. The measurement shows that, on average, mandatory standards are applied less well in secondary Internet domains than in primary Internet domains. The proliferation of Internet domains calls for more direction, and thus control, of the government's presence on the Internet, because poorly configured Internet domains come with all sorts of risks. The digital government faces the challenge of gaining better control of its Internet domains. This control also includes being able to manage compliance with mandatory frameworks and guidelines, such as the open standards on the 'comply or explain' list.
Our society suffers greatly from online fraud. The government must protect the data it holds on its citizens and businesses, and itself, from cybercrime, among other things by applying information security standards. Government-wide agreements have been made to accelerate the adoption of Internet security standards. Forum Standaardisatie conducts a measurement every six months on the implementation of these information security standards at government organizations. The most recent measurement dates from September 2020.
Download the report Measuring Government Information Security Standards October 2020 here
