In the wake of the data breach at the Office of Personnel Management reported last week, the White House Office of Management and Budget has issued a memorandum that will require all public, government-owned websites to use Hypertext Transfer Protocol Secure (HTTPS).
Websites using the secure transmission method encrypt traffic between the client (web browser) and the web server to protect against eavesdropping and tampering with the contents of the communication. When a browser connects to a website over a secure connection, the URL begins with the letters “https” and most browsers indicate that the connection is secure with an icon such as a padlock. HTTPS is most commonly found on websites that deal in the back-and-forth transmission of sensitive information, such as e-commerce sites where credit card purchases take place or financial institutions handling online transactions.
Use of HTTPS is not without drawbacks. For instance, many modern web browsers will refuse to load content that is not secure, such as images, into a page that was itself requested over a secure connection, so the OMB memo notes that government website curators need to ensure that all resources are served securely.
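One way a site maintainer could check a page for such insecure resources before moving it to HTTPS, shown as an added example that is not taken from the OMB memo or this article. The names `MixedContentAudit` and `audit` are hypothetical, and the sample page and its hosts are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) pairs that make a browser fetch a subresource.
# <a href> is navigation, not a subresource, so it is not listed.
FETCH_ATTRS = {
    ("img", "src"), ("script", "src"), ("iframe", "src"), ("link", "href"),
    ("audio", "src"), ("video", "src"), ("source", "src"),
    ("embed", "src"), ("object", "data"),
}

class MixedContentAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (line, tag, attribute, resolved URL)

    def _check(self, tag, attr, value):
        # Resolve relative and protocol-relative ("//host/x") references.
        resolved = urljoin(self.page_url, value.strip())
        if urlsplit(resolved).scheme == "http":
            self.findings.append((self.getpos()[0], tag, attr, resolved))

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if value and (tag, attr) in FETCH_ATTRS:
                self._check(tag, attr, value)
            elif value and attr == "srcset" and tag in ("img", "source"):
                # srcset: comma-separated "URL descriptor" entries.
                for candidate in filter(None, map(str.split, value.split(","))):
                    self._check(tag, attr, candidate[0])

def audit(page_url, html):
    parser = MixedContentAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; all hosts are placeholders.
SAMPLE = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="http://cdn.example/lib.js"></script>
</head><body>
<img src="//static.example/logo.png" srcset="http://static.example/logo2x.png 2x">
<a href="http://other.example/">external link</a>
<iframe src="http://maps.example/embed"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(*audit("https://agency.example/", SAMPLE), sep="\n")
```

Relative and protocol-relative references inherit the scheme of the page, so they pass once the page itself is served over HTTPS; only explicit `http://` references need to be rewritten.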
HTTPS only guarantees the integrity of the connection between two systems, not the systems themselves. It is not designed to protect a web server from being hacked or compromised, as happened recently with the Office of Personnel Management. Consequently, it doesn’t solve the ultimate problem that agencies have been experiencing with increasing frequency: their computer systems being hacked and federal employees’ data being stolen. But it makes for good public relations, making it sound as though government cybersecurity is actually being improved.
Currently, only 31% of government websites use the secure methodology, according to the Pulse government website, which has been set up to track the progress of implementing HTTPS. The memo says that all agencies have until December 31, 2016 to make the change on all public sites.