Most State Government Websites Flunk Basic Cybersecurity Tests
You can’t blame users of U.S. state government websites if they’re dissatisfied with the experience. In reviews of 400 such websites to test their performance on page-load speed, mobile friendliness, security, and accessibility, 99 percent failed at least one of the four assessments, a new benchmark report said.
The 52-page Benchmarking State Government Websites report from the Information Technology and Innovation Foundation includes evaluations of websites for some of the most popular government services, including driver’s licenses, taxes, vital records, elections, business registration, fishing and hunting licenses, and traffic citations. The primary website for each state government was also examined. Only one state website, Virginia’s website for hunting and fishing licenses, passed all the tests.
“While some states have much better sites than others, every state has room to significantly improve so that it better serves the public with easy and secure access to e-government services and information,” wrote the study’s authors, Daniel Castro and Michael McLaughlin.
State Websites: Weak Cybersecurity Implementations
That certainly appears to be the case with cybersecurity practices. The reviews applied two security criteria to the state government websites: whether Hypertext Transfer Protocol Secure (HTTPS) was used for encryption, and whether Domain Name System Security Extensions (DNSSEC) was used for authenticity.
- The results showed that only 44 percent of the state government websites had enabled and properly configured HTTPS, meaning users couldn’t privately and securely browse most of them.
- In a second test, only 13 percent of state government websites had properly enabled DNSSEC for their domain name, meaning users couldn’t be sure if the particular website they requested was actually where they had landed.
- Overall, a mere four percent of state websites passed both the HTTPS and DNSSEC tests.
“The low percentage of state websites enabling DNSSEC is one reason why only one website passed all the tests,” Castro and McLaughlin wrote. Still, even excluding the DNSSEC test, 90 percent of state government websites failed at least one other test, they said.
The inescapable conclusion is that simply by configuring their web servers to properly enable HTTPS and DNSSEC, states can improve their security.
Some Reasons for Hope
In terms of ranking, the best states for security were Idaho, Kentucky, and Massachusetts. The states that finished at the bottom in the two tests were Alabama, Pennsylvania, and Louisiana. Kentucky (six websites), Virginia (three websites), and Idaho (two websites) were the only states that had multiple websites pass each test. In total, 43 states did not pass both security tests for any of the eight types of websites, the report said.
The report offers five recommendations to state policymakers to improve their websites, with security at the top of the list:
- Mandate government websites implement security best practices.
- Require government websites to be mobile friendly.
- Consolidate websites to create a single face of government.
- Find local partners to test accessibility of government websites.
- Adopt a web analytics program.
“While some states have much better websites than others, every state can significantly improve the web experience they provide to the public,” the report said.
Considering the sum of all the measurement criteria, Virginia ranked first, Louisiana last and South Carolina placed in the middle. In the West, California ranked 10th and in the East, New York came in at 14th. Idaho finished within a hair of overtaking Virginia for the top overall spot.