The ever-increasing daily cybersecurity incidents and confirmed data breaches across the globe have touched every aspect of our society and negatively impacted our daily lives. Not only the Internet and its underlying network infrastructures worldwide are facing clear and present danger, but our global banking and financial systems, our ecommerce and retails systems, our medical records and insurance systems, our federal personnel management and security clearance systems, our national and local electronic voting systems, our social media platforms and online communication systems, just to name a few, are all under constant attacks by state-sponsored actors and cyber adversaries from around the world. It is an understatement that the cyber threats and attacks are dangerously challenging the very foundation of our democracy and homeland security!
Consequently, we must protect and defend our homeland security infrastructures and systems by all means necessary and we must fight against the cyber enemies with the best weapons possible. For now, one of the best weapons to protect the security and integrity of the data traversing the Internet as well as the privacy of our citizens in cyberspace is to deploy the best and strongest encryption standards whenever possible, such as adopting Hypertext Transfer Protocol Secure (HTTPS)-Only policy for all web servers in conjunction with the implementation of Domain Name System Security Extensions (DNSSEC).
HTTPS is a combination of Hypertext Transfer Protocol (HTTP) and Transport Layer Security (TLS). HTTP is an application protocol for distributed, collaborative, and hypermedia information systems. It is the foundation of our data communication using the World Wide Web (www). TLS, which replaces its predecessor Secure Sockets Layer (SSL), is cryptographic protocol that provides encrypted connection communications between their servers and the end user web browsers with authentication over an untrusted network. The latest version of TLS is TLS version 1.3, which was recently approved by the Internet Engineering Task Force (IETF).
However, federal government agencies have made slow progress in adopting and implementing the latest versions of security standards. More than three years later after the White House Office of Management and Budget (OMB) issued the HPPS-Only memorandum M-15-13 Policy to Require Secure Connections across Federal Websites and Web Services on June 8, 2015, only 66 percent of the federal agencies and their .gov domains have been in compliance with this OMB mandate as of July 22, 2018.
Almost 10 years after the OMB 2008 memorandum requesting all federal agencies to implement DNSSEC, 14 percent of the .gov domains that are monitored by NIST are still out of compliance.
In addition, most of the federal government agencies follow the technical guidance issued by the National Institute of Standards and Technology (NIST) in its Special Publication SP 800-52: Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations for configuring the TLS protocol in their computer systems. The current version of the NIST guidelines for TLS, NIST SP 800-52 REV. 2, allows for the use of TLS version 1.0, 1.1, and 1.2 by all government TLS servers and clients, and it only recommends that agencies develop migration plans to support TLS 1.3 by Jan. 1, 2020. Unfortunately, all versions of the TLS protocol, except for TLS version 1.3, can be decrypted and have already been compromised in one way or another.
Consequently, it becomes vital for us to deploy the latest version of TLS immediately as the cybercriminals are attacking us right now by exploring those known weakness of the prior versions of TLS. Most importantly, why should we wait for another year or two to fully implement the latest version of the encryption standard such as TLS 1.3 and give the cybercriminals additional time to further attack our global network infrastructure, infiltrate our computer systems, invade our online privacy, and possibly ruin many people’s lives both online and offline?
It is high time to protect and safeguard our cyberspace with the highest possible security and integrity by fully implementing the latest versions of security and encryption standards now!
Disclaimer: The views presented are only personal opinions and they do not necessarily represent those of the U.S. Government.
The views expressed here are the writer’s and are not necessarily endorsed by Homeland Security Today, which welcomes a broad range of viewpoints in support of securing our homeland. To submit a piece for consideration, email [email protected]. Our editorial guidelines can be found here.
