The Digital Government Websites Requirements

Introduction

Technology has revolutionized every aspect of humanity; politics, economy, family, education, and other socio-economic facets have all been transformed in unprecedented ways. The digital government refers to the effort by governments around the world to embrace this change and make government services available online. With digital government, citizens can access government services on the Internet and even monitor their governments’ performance. Examples of services that citizens can access online include registration, health, benefits, insurance, research, school, and volunteer services. The USA, being a global leader in technology and open government, has spearheaded this initiative.

Digital Government

On May 23, 2012, the US government introduced a comprehensive plan to deliver better digital service. This initiative was built on top of other efforts such as Executive Order 13571, Streamlining Service Delivery and Improving Customer Service (US Department of State, n.d.). It was also an extension of Executive Order 13576, Delivering an Efficient, Effective, and Accountable Government (US Department of State, n.d.). The US government requires that its agencies and departments build a modern digital government to deliver services to the citizens efficiently.

Open data is also a component of the US government’s digital strategy, bolstered through Memorandum M-13-13, Open Data Policy: Managing Information as an Asset. This policy’s goal was to enhance operational efficiency, reduce expenses, improve services, protect personal information, support mission requirements, and increase government information access (Digital.gov, 2021). The other component of the digital initiative is to achieve efficiency, innovation, and transparency.

Digital.gov is a website under the Federal General Services Administration. Its mission statement talks about transforming the learning, building, and delivery of government digital services for the 21st century; its job is to provide people in the government with methods, tools, practices, and policies to offer accessible and effective digital service (Digital.gov, 2021). The agency provides a checklist for government agencies that offer websites for access to their services. The websites are supposed to be accessible to people with disabilities, such as auditory, motor, cognitive, and neurological impairments.

Requirements for Government Websites

The sites are also supposed to have analytics to understand user needs, performance standards, collect and respond to user feedback and use data to improve their services. Moreover, the sites are supposed to coordinate during nationally significant events; this is supposed to be achieved through coordination with the DHS (Digital.gov, 2021). Another requirement for government websites is copyright, where they are supposed to be explicit to the users about digital rights, trademarks, and IP (Digital.gov, 2021). In terms of customer experience, web services should always collect customer data to improve their experience.

In terms of design, government agencies’ websites are supposed to follow the US Web Design System (USWDS) to offer a great experience by incorporating the design guidelines. Federal and government agencies must use consistent domains, which in this case means the .gov base URL. The use of .gov had been suspended in 2011, but the suspension has since been lifted (Digital.gov, 2021). The agencies are also supposed to establish a governance framework for accountability and policy purposes in line with the Connected Government Act of 2018.

On information quality, agencies are supposed to offer accurate, easy-to-use content conveyed in plain language. Under the Freedom of Information Act (FOIA) of 2017, every webpage is supposed to provide a link back to the homepage; this is under the mandatory content principle. Under the Connected Government Act, the websites should have priority content for mobile services. Another requirement for agency websites is the paperwork reduction clause, which requires the agencies to obtain OMB approval before conducting surveys of the public and to display the OMB approval number on the forms (Digital.gov, 2021). For privacy management, it is forbidden to disclose sensitive information, and services are to be offered through a secure connection, with a link to privacy settings on every page (Digital.gov, 2021). Federal websites are also prohibited from advertising and direct lobbying. On security, it is a requirement that the websites implement controls to protect sensitive information (Digital.gov, 2021). Robust security features are supposed to be provided to protect against tampering, guard confidentiality, and keep the services available to users as the agency intended.

Sample Government Websites

Types of Services Offered

The first website assessed is medicare.gov; it is the digital portal for the US’s national health insurance program. Medicare was established in 1966 under the Social Security Administration (SSA) but is currently administered by the Centers for Medicare and Medicaid Services (CMS) (Medicare.gov, n.d.). Primarily, the service provides health insurance for US citizens above 65 years but also caters to people with disabilities. The site lets users register through a form and manage their plans as they would through a physical office.

The second portal looked at is healthcare.gov; it is famous for being one of the most expensive websites ever created. It is the online portal for the management of Obamacare, established under the Affordable Care Act of 2010 (Lee & Brumer, 2017). The site serves as the clearinghouse that allows US citizens to compare health insurance prices in their states. People are also supposed to enroll in a chosen plan and determine if they qualify for healthcare subsidies from the government (Lee & Brumer, 2017). Users are supposed to visit the site and create an account by giving personal information, after which they can receive the information available in their locality.

The third website to look at is data.gov; it is a government site launched in 2009 by the Chief Information Officer. It is meant to provide the general public with quality, machine-readable datasets from the government’s executive branch (Data.gov, n.d.). It serves as a repository for state, federal, tribal, and local government information available to the public. The site launched with only 47 datasets, but this has since grown to over 180,000 (Data.gov, n.d.). The platform was created under the OPEN Government Data Act (Data.gov, n.d.). It requires government agencies to publish their data online in machine-readable formats.

Sensitivity Levels and Security Issues

Data.gov is a repository of government data available to the public. At face value, a compromise of confidentiality, integrity, or availability would seem to have a low impact, since the agency does not generate the data itself. However, APIs may be built around this repository, and it would be catastrophic if the information was compromised; the verdict for sensitivity is high. On the other hand, Medicare is a website where seniors can register and manage their health insurance plans. If the website was unavailable, one could still access the services from physical offices; Medicare has been operational since 1966, before the Internet; this website’s category is low. Healthcare.gov is one of the costliest websites ever built. The core of the affordable care concept is comparing the different insurance plans in one’s locality. If the website were to be unavailable, or its integrity and confidentiality compromised, it would be a significant blow to the system’s very essence; for this reason, the FIPS categorization is high.

Government websites are prone to many security attacks because of the sensitive nature of information, including personally identifiable information (PII). A website such as healthcare.gov is also a politically polarizing asset that could be attacked for political reasons. An example of such an attack would be a DDoS attack to affect availability. Because of the rich treasure of personal information, criminals could also target users with fake sites with identical UIs to trick them into giving personal information (Hoffman, 2020). Other attacks could involve the use of malware sent to their servers.

Architectures and Security Issues of Websites

Government websites are as vulnerable to security issues as any other website; it is inherent in the web’s architecture. It is common knowledge among security experts that data is most at risk of attack on the move. For a non-web-based application, the program can manipulate information on the computer. If the computer is not connected to the Internet, it would be hard to compromise the material (Hoffman, 2020). This is antithetical to web applications where data is at its most dynamic state. Whether it is a government website or a start-up, or a wealthy corporation, the likes of Amazon, there is no escaping the basic architecture of web applications.

The most basic website is a CRUD application that comprises a backend server that receives requests from a client to manipulate data. This instruction could create, read, update or delete the data (Hoffman, 2020). The data is usually stored in a database on the server or another API; the database could be an SQL relational database or a different kind. The server-side metrics that power the backend of a web application comprise the server’s physical capability, computational abilities, bandwidth, performance, memory, operating systems, and network access (Hoffman, 2020). The client-side of a website is the browser; it is from here that queries are sent. The data is sent to/from the Internet through HTTP and other protocols.

Attackers could target the operations involving the transmission of data to/from the client. It is challenging to keep up with the security challenges of a web application with many users. Government websites such as healthcare.gov have users in the millions. Security risks for web applications include sensitive data exposure, SQL injection, broken authentication and session management, broken access control, and cross-site scripting (Hoffman, 2020). SQL injections are attacks aimed at databases; they occur when the client-side is supposed to collect details such as names but instead gets SQL code that affects the database (Hoffman, 2020). Authentication and session management issues stem from a bad design that allows malicious elements to compromise keys, passwords, session tokens, and other implementation details to take control of user accounts (Hoffman, 2020). Broken access control is inherent in programs where permission checks are inadequate. The other issue is cross-site scripting, which occurs when client-side scripts are injected into web pages being viewed by other users. They can be used to bypass the same-origin controls present in most browsers.
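The SQL injection and cross-site scripting cases described above, as an added example that is not part of the original paper: a name lookup built by string concatenation beside its parameterized form, plus output encoding of a stored name. The table, the sample rows, and the function names are constructed for illustration and assume Python's built-in sqlite3 and html modules.

```python
import html
import sqlite3


def make_db():
    """In-memory database with constructed sample rows (not real data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT, plan TEXT)")
    db.executemany(
        "INSERT INTO members (name, plan) VALUES (?, ?)",
        [("Alice Example", "Plan A"), ("Bob Example", "Plan B"), ("Dana O'Brien", "Plan C")],
    )
    return db


def find_plans_unsafe(db, name):
    # Vulnerable: the form value is pasted into the SQL text, so the database
    # parses whatever the client sent as part of the statement itself.
    query = "SELECT name, plan FROM members WHERE name = '" + name + "'"
    return db.execute(query).fetchall()


def find_plans_safe(db, name):
    # Hardened: the statement text is fixed; the value travels as a bound
    # parameter and is only ever compared as data.
    return db.execute(
        "SELECT name, plan FROM members WHERE name = ?", (name,)
    ).fetchall()


def render_greeting(name):
    # Output encoding for the cross-site scripting case: markup characters in
    # a stored name are escaped before the value is placed into HTML.
    return "<p>Welcome, " + html.escape(name) + "</p>"


if __name__ == "__main__":
    db = make_db()
    crafted = "x' OR '1'='1"  # constructed form input: SQL where a name was expected

    # Concatenated query: the condition is always true, every row comes back.
    print("unsafe, crafted input:", len(find_plans_unsafe(db, crafted)), "rows")
    # Parameterized query: no member has that literal name, nothing comes back.
    print("safe, crafted input:  ", len(find_plans_safe(db, crafted)), "rows")

    # A legitimate name with an apostrophe breaks the concatenated query
    # and works unchanged in the parameterized one.
    try:
        find_plans_unsafe(db, "Dana O'Brien")
    except sqlite3.OperationalError as exc:
        print("unsafe, O'Brien:", exc)
    print("safe, O'Brien:  ", find_plans_safe(db, "Dana O'Brien"))

    print(render_greeting("<script>alert(1)</script>"))
```

The same input that returns every row from the concatenated query returns nothing from the parameterized one, and a legitimate name containing an apostrophe only works in the parameterized form.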

Recommendations and Best Practices

Government websites are essential tools in the delivery of services to citizens. A security compromise that could affect the availability of these services is equivalent to maiming the government. The E-government Act, signed into law in 2002, places importance on the need to secure information systems as a matter of national security in the United States. Title III of the act, called the Federal Information Security Management Act (FISMA), gave NIST the responsibility to develop security standards for the federal government. Some of the NIST recommendations included developing a categorization for information systems maintained by federal agencies based on a range of factors. The other proposal was to provide guidelines on how to place the information systems into the different classes and the minimum information risks for each group. The classes are based on the security parameters of confidentiality, integrity, and availability (Ross et al., 2006). FIPS 199 and FIPS 200 are the documents that set mandatory security standards.

The minimum security requirements are outlined as follows (Ross et al., 2006): (1) Access control: organizations are supposed to allow information only to authorized users. (2) Awareness and training: organizations should ensure that their leaders are aware of security risks and all personnel are trained to carry out information security duties. (3) Audit and accountability: in this requirement, institutions are supposed to create, retain and protect information audit systems, and trace user actions. (4) Certification, accreditation, and security assessments: in this measure, organizations should assess their systems periodically, develop plans to correct deficiencies, allow operation of institutional information systems, and monitor the systems regularly to check the controls.

(5) Configuration management: in this requirement, organizations should maintain basic configurations and inventories of their information systems and enforce configuration settings for their information systems. (6) Contingency planning: institutions are supposed to establish and maintain emergency protocols and recovery measures. (7) Identification and authentication: organizations must have user authorization mechanisms before they can allow users access to their information systems. (8) Incident response: institutions should have proper incident handling and reporting procedures. (9) Maintenance: institutions should perform regular maintenance of their information systems and have the resources to do so. (10) Media protection: in this rule, an organization must protect information media and destroy them before disposal. (11) Physical environment protection: institutions must protect their systems from unauthorized physical access, protect the physical plants of their systems from hazards, and have environmental control of their information systems. (12) Planning: in this requirement, organizations should develop plans for their information systems with descriptions for every individual handling them.

Another measure is personnel, where an organization should ensure that the personnel handling their information systems are trustworthy individuals. During terminations, there should be procedures for personnel to comply with security measures. In risk assessment measures, institutions should regularly assess the risks posed to their information systems. Finally, under system and services acquisition, an organization should allocate adequate resources to protect their information systems. The NIST recommendations are the holy grail of security measures for their exhaustiveness, covering almost every aspect of vulnerability to information systems. The measures range from preparedness, planning, information backup, maintenance, mitigation, recovery, and personnel to protection against harmful environments.

Conclusion

This paper focused on digital governments; technology is a crucial tool with immense potential. Governments have made a great effort to adopt this vital innovation, and as a result, they have been able to deliver services to citizens more efficiently. Various government acts declared digitization of services mandatory, such as the open data act. This paper looked at three examples of government websites that provide essential services to the public. They were medicare.gov, healthcare.gov, and data.gov; these are vital sites that are indispensable to government operations. Data.gov is the implementation of the open-data initiative to provide data to citizens. Medicare.gov is a digital arm of the government health insurance initiative; even though Medicaid has existed for a long time, the Internet certainly makes the rendering of services more accessible. Healthcare.gov is a vital part of the Affordable Care Act; without a digital platform, a crucial component of it would be rendered impractical.

Government websites are essential assets for national security and should be protected. Federal agencies have been tasked to follow specific recommendations that protect against security attacks. Still, despite the vigilance, the attacks happen, underscoring the need for more caution. For web applications, it has been established that the vulnerability is in the web architecture because of moving data and so many connected systems. The paper has looked at security problems that affect websites, such as SQL injection, cross-site scripting, sensitive data exposure, broken authentication, and broken access control. Recommendations for government agencies have been drawn from the FIPS 199 and 200 proposals, which range from planning, resources, maintenance, backup, and personnel to the physical environment. Government websites are vital information systems vulnerable to attacks from a wide range of persons, including terrorists. It is crucial to protect these essential services for the benefit of both the government and the public.

References

Data.gov. (n.d.). About. Web.

Digital.gov. (2021). Checklist of requirements for federal websites and digital services. Web.

Hoffman, A. (2020). Web application security: Exploitation and countermeasures for modern web applications (1st ed.). O’Reilly Media.

Lee, G., & Brumer, J. (2017). Managing mission-critical government software projects: Lessons learned from the HealthCare.gov project. IBM Center for The Business of Government, 69–75. Web.

Medicare.gov. (n.d.). About us. Web.

Ross, R., Katzke, S., & Johnson, L. (2006). Minimum security requirements for federal information and information systems. National Institute of Standards and Technology. Web.

US Department of State. (n.d.). Digital government strategy. Web.

Cite this paper

StudyCorgi. (2022, September 18). The Digital Government Websites Requirements. https://studycorgi.com/the-digital-government-websites-requirements/
