An Easy Election's Office Fix: Use .Gov

Rarely is there as an easy fix as what is described belo when it comes to cybersecurity. It is election season and likely too late for those who should make the change. So, I'm just calling it out here for future reference and hopefully remediation.

From The Washington Post:

Putting .gov domain at the end of websites could buttress election offices, but only 1 in 4 do

Just 1 in 4 local election office websites use the .gov domain, even though it improves security and makes visitors less likely to fall for fake sites that could leave them vulnerable to hackers or influence operations, according to a study out this morning.

The study, conducted by the Center for Democracy and Technology (CDT) in conjunction with researchers from Georgetown University’s Foo Law Lab and first reported by The Cybersecurity 202, found that of the 7,010 websites evaluated, only 1,747 — or 25 percent — use the Cybersecurity and Infrastructure Security Agency-sponsored .gov domain, available only to U.S.-based government entities.

Another, less-comprehensive study two years ago showed even lower use of the .gov domain. Between now and then, Congress passed legislation known as the DOTGOV Act to improve .gov adoption among government agencies, and CISA waived fees for applying for a .gov address.

But 25 percent “seemed a little low to me,” Will Adler, an election security technologist at CDT, told me — even if it “makes sense” that it would register at that level of adoption. “Government is slow to make changes. Election officials are strapped for time and money.”

The FBI in 2020 identified dozens of shady, illegitimate election websites designed to look like authentic ones that could be used to interfere in elections, according to a Department of Homeland Security bulletin. A subsequent FBI/CISA warning said foreign adversaries and cybercriminals could use spoofed election-related internet domains to spread fake information, steal personal or login information and disseminate malware.

Visitors to .gov websites can have more confidence that they’re visiting an authentic government website, rather than a fake one designed to trick voters.

The .gov websites also have security features not always found in commercially available web addresses that end in .com or .org.

“We know that one of the most impactful ways to mitigate the spread of disinformation is to empower local election officials as trusted voices on election administration,” CISA’s senior election security adviser Kim Wyman told me in a statement. “Helping election officials move to a .gov domain supports this effort. The public can easily identify an official government website or email address when it ends in .gov.”