Slowdown in government adoption of internet security standards
Legal requirements on the cards
After several years of growth, the implementation of internet security standards by government bodies in the Netherlands has slowed significantly, despite the existence of adoption requirements and agreements. The interior ministry therefore wants to enforce implementation of some standards by using its powers under the Digital Government Act to issue a general administrative order. Where other standards are concerned, organisations and major suppliers will be approached individually. The situation was highlighted by the latest six-monthly Information Security Standards Survey carried out by the Forum for Standardisation.
The survey involved testing the 563 most important governmental domain names to check on their support for the following standards:
TLS/HTTPS for the web
SPF, DKIM and DMARC (for protection against phishing, spam, viruses and other e-mail-distributed malware)
TLS/HTTPS and HSTS conforming to the stricter NCSC requirements on the use of particular cryptographic algorithms
STARTTLS and DANE (for the encryption of mail transmissions)
The tests were carried out using the bulk test functionality of the Internet.nl portal.
Viewed together, the test results show that growth in the use of the standards has levelled off markedly over the last six months. Adoption of the web-related standards is barely increasing at all, while use of the mail-related standards is growing, but still lags well behind use of the web-related standards.
Bart Knubben, Coordinating Consultant at the Forum for Standardisation, is inclined to see the glass as half full, but acknowledges that much remains to be done. "Many government bodies have achieved tremendous progress. That's reflected in the high adoption rates for various standards, and in the strong growth in the use of other standards that haven't yet been as widely adopted."
"Ultimately, we want to see 100 per cent adoption of the relevant standards. We regard adoption of 90 per cent or more as positive, but obviously short of that ultimate goal. Achieving 100 per cent adoption of the web standards will require the last few non-compliant organisations to be approached and supported individually. We are seeing clear growth with the two mail standards: DMARC (with the policy defined as 'quarantine' or 'reject') and DANE. DMARC is up from 28 to 37 per cent and DANE from 25 to 41 per cent, in the space of six months. That's good progress, even if the adoption levels in both cases leave ample room for improvement."
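The survey counts a domain as compliant only when its mail policies are strict, for DMARC a policy of 'quarantine' or 'reject' rather than 'none'. The following is an added example, not the Forum for Standardisation's code and not the Internet.nl bulk test: it parses SPF and DMARC TXT record strings, classifies each as strict or not, and tallies adoption across a small set of constructed domains and records. The thresholds it applies (SPF must end in `-all`; DMARC must have `p=quarantine` or `p=reject` with `pct` at its default of 100) are assumptions modelled on the article's wording, not Internet.nl's exact scoring rules.

```python
"""Classify SPF and DMARC policies from DNS TXT record strings.

Added example, not code from the Forum for Standardisation or Internet.nl.
Domain names and records below are constructed, and the strictness rules
are assumptions modelled on the article's wording.
"""
import re

# Assumption: only these DMARC policies count as "strict" (article: 'quarantine' or 'reject').
DMARC_STRICT_POLICIES = {"quarantine", "reject"}


def parse_dmarc(record: str) -> dict:
    """Split 'v=DMARC1; p=reject; rua=...' into a {tag: value} dict (tags lower-cased)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_policy_is_strict(record: str) -> bool:
    """True if the record is DMARC1, p is quarantine/reject and pct is 100 (assumed threshold)."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False  # not a DMARC record at all (e.g. an SPF record published at _dmarc)
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        return False
    # A partial pct means the policy is only applied to a sample of failing mail;
    # treating that as non-strict is an assumption of this example.
    if pct < 100:
        return False
    return tags.get("p", "none").lower() in DMARC_STRICT_POLICIES


def spf_all_qualifier(record: str):
    """Return the qualifier of the first 'all' mechanism: '-', '~', '?' or '+'; None if absent."""
    if not record.lower().startswith("v=spf1"):
        return None
    for term in record.split()[1:]:
        match = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if match:
            return match.group(1) or "+"  # an unqualified 'all' means '+all'
    return None


def spf_policy_is_strict(record: str) -> bool:
    """Assumption: only a hard-fail terminal '-all' counts as a strict SPF policy."""
    return spf_all_qualifier(record) == "-"


# Constructed sample: five fictitious government domains with their published records.
SAMPLE_DOMAINS = {
    "ministry.example": {
        "spf": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@ministry.example",
    },
    "council.example": {
        "spf": "v=spf1 include:_spf.mail.example ~all",
        "dmarc": "v=DMARC1; p=quarantine; rua=mailto:dmarc@council.example",
    },
    "agency.example": {
        "spf": "v=spf1 a mx ?all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@agency.example",
    },
    "province.example": {
        "spf": "v=spf1 mx -all",
        "dmarc": "v=DMARC1; p=reject; pct=10",  # policy only applied to 10% of mail
    },
    "board.example": {"spf": None, "dmarc": None},  # publishes neither record
}


def adoption_rates(domains: dict) -> dict:
    """Percentage of domains whose SPF and DMARC policies are strict (rounded to whole numbers)."""
    total = len(domains)
    spf_strict = sum(1 for d in domains.values() if d["spf"] and spf_policy_is_strict(d["spf"]))
    dmarc_strict = sum(1 for d in domains.values() if d["dmarc"] and dmarc_policy_is_strict(d["dmarc"]))
    return {
        "spf_strict_pct": round(100 * spf_strict / total),
        "dmarc_strict_pct": round(100 * dmarc_strict / total),
    }


if __name__ == "__main__":
    for name, recs in SAMPLE_DOMAINS.items():
        print(name, "SPF strict:", bool(recs["spf"] and spf_policy_is_strict(recs["spf"])),
              "DMARC strict:", bool(recs["dmarc"] and dmarc_policy_is_strict(recs["dmarc"])))
    print(adoption_rates(SAMPLE_DOMAINS))
```

To run this against live domains you would resolve the TXT records at `example.org` and `_dmarc.example.org` (for instance with the dnspython library) and feed the strings in; the classification logic does not change. Note that `spf_all_qualifier` stops at the first `all` term, mirroring the fact that SPF evaluation ends at the first matching mechanism.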
One would expect the rate of growth to slow as adoption of a standard approaches 100 per cent along an asymptotic path. However, in recent years, a number of aspiration agreements were concluded within the Pan-governmental Digital Government Policy Liaison Forum (OBDO), with the specific intention of accelerating adoption by backing up requirements arising out of the 'use-or-explain' list. Under the aspiration agreements, all government domains should have been using TLS/HTTPS, DNSSEC and SPF/DKIM/DMARC by the end of 2017. And, by the end of 2018, all governmental websites should have had TLS/HTTPS and HSTS implementations that complied with NCSC guidelines. Finally, all mail systems should support STARTTLS/DANE and the strict SPF and DMARC policy settings by the end of this year. From the diagrams above, it will be apparent that the agreements' ultimate goals have not been realised.
"The internet standards whose use we monitor contribute to an agreed basic level of security for websites and e-mail," says Knubben. "If you don't use the standards, it's relatively easy for wrongdoers to take advantage of the inherent weaknesses in the protocols underpinning the domain name system, websites and e-mail. Every governmental organisation has a responsibility to get the basics right. Because citizens, businesses and public bodies have a right to expect that electronic communications with and between governmental organisations are secure."
"The results of our survey have been distributed to umbrella groups and security officers in the various tiers of government, since responsibility for implementing the information security standards lies with the individual governmental organisations. We are also seeking to help relevant organisations tell their service providers exactly what their requirements are. At the moment, we're focusing mainly on the e-mail standards DANE and DMARC (policy), because adoption rates for those standards are significantly below the rates for other standards, and by the end of this year the aspiration is to achieve 100 per cent implementation of STARTTLS/DANE and strict-policy SPF and DMARC."
However, on the basis of the survey findings, the Forum for Standardisation believes that full adoption of the internet security standards will not be possible without additional action. First, the intention is to approach governmental organisations and major service providers individually. In addition, non-compliant entities may have to be legally obliged to implement appropriate standards. Where TLS/HTTPS and HSTS conforming to NCSC guidelines are concerned, the interior ministry wants to enforce implementation by using its powers under the Digital Government Act to issue a general administrative order. Whether a similar approach is needed for the other standards will be decided early next year. "There will always be laggards," says Knubben. "It's important that software suppliers and service providers make the standards easy to implement, or -- even better -- make support for the standards the default position. The inclusion of DANE in the SIDN's incentive programme would certainly help. If we're going to make further progress on adoption -- including adoption outside the state sector and beyond our borders -- it's vital to have cooperation along the lines of the Platform for Internet Standards and the Secure E-mail Coalition. We'll continue doing our bit to bring that about."