Government website encryption needs help from DHS, Sen. Wyden says

Despite significant improvements to government website encryption, some metadata is still transmitted insecurely, the Oregon Democrat said.
Ron Wyden during a hearing.

The Department of Homeland Security should push federal agencies to implement stronger encryption practices for government websites visited by federal workers and everyday citizens alike, Sen. Ron Wyden says.

Despite significant improvements to government website encryption, some metadata is still transmitted insecurely, revealing the domain names of sites visited by users, Wyden, D-Ore., wrote to DHS Undersecretary Chris Krebs.

“Hackers can intercept or hijack the unprotected metadata, tricking users into visiting a malicious site or spying on their activities,” the Oct. 24 letter states.

When possible, DHS should require federal agencies to encrypt the queries employees make to domain name system (DNS) servers, Wyden suggested. He also asked DHS to work with the General Services Administration to make support for an encrypted protocol extension a condition of selling web content delivery services to the government. That extension, Encrypted Server Name Indication (ESNI), protects the hostname that a browser otherwise sends in cleartext at the start of every TLS connection; the government can usher in broad industry adoption of it, according to Wyden.
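The two pieces of "unprotected metadata" the letter refers to are the name in a cleartext DNS query and the Server Name Indication (SNI) field of a TLS ClientHello. The following is an added example, not code from the article or from Wyden's letter, that builds both packets for a constructed visit to www.example.gov and then parses them the way a passive observer on the path would. The resolver hostname and the zeroed TLS random are assumptions for the sample; the ESNI case is modelled only by omitting the cleartext SNI extension (the encrypted extension's contents are not reproduced).

```python
import struct

SNI = 0x0000  # TLS extension type server_name (RFC 6066)


def build_dns_query(name, txid=0x1234):
    """Build a minimal UDP DNS query (RFC 1035 wire format) for an A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)     # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)              # QTYPE=A, QCLASS=IN


def dns_query_name(pkt):
    """Return the QNAME of a DNS query, or None if this is not a parseable query."""
    if len(pkt) < 12 or pkt[2] & 0x80:                            # QR bit set: a response
        return None
    if struct.unpack("!H", pkt[4:6])[0] < 1:                      # QDCOUNT
        return None
    labels, i = [], 12
    while True:
        n = pkt[i]; i += 1
        if n == 0:
            break
        if n & 0xC0:                                              # compression pointer: not expected in a query
            return None
        labels.append(pkt[i:i + n].decode("ascii")); i += n
    return ".".join(labels)


def build_client_hello(hostname=None):
    """Build a TLS 1.3-style ClientHello record; hostname=None sends no SNI extension."""
    extensions = b""
    if hostname is not None:
        host = hostname.encode("ascii")
        server_name_list = b"\x00" + struct.pack("!H", len(host)) + host   # name_type host_name
        ext_data = struct.pack("!H", len(server_name_list)) + server_name_list
        extensions += struct.pack("!HH", SNI, len(ext_data)) + ext_data
    body = (b"\x03\x03" + bytes(32)                    # legacy_version + random (zeroed: constructed sample)
            + b"\x00"                                  # legacy_session_id: empty
            + struct.pack("!H", 2) + b"\x13\x01"       # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                              # legacy_compression_methods: null
            + struct.pack("!H", len(extensions)) + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def tls_sni(record):
    """Return the host_name in a ClientHello's SNI extension, or None if absent."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    hs_len = int.from_bytes(record[6:9], "big")
    body = record[9:9 + hs_len]
    i = 2 + 32                                        # skip legacy_version + random
    i += 1 + body[i]                                  # legacy_session_id
    i += 2 + struct.unpack("!H", body[i:i + 2])[0]    # cipher_suites
    i += 1 + body[i]                                  # legacy_compression_methods
    if i + 2 > len(body):
        return None                                   # no extensions block at all
    end = i + 2 + struct.unpack("!H", body[i:i + 2])[0]; i += 2
    while i + 4 <= end:
        etype, elen = struct.unpack("!HH", body[i:i + 4]); i += 4
        data, i = body[i:i + elen], i + elen
        if etype != SNI:
            continue
        j = 2                                         # skip ServerNameList length
        while j + 3 <= len(data):
            ntype, nlen = data[j], struct.unpack("!H", data[j + 1:j + 3])[0]; j += 3
            if ntype == 0:
                return data[j:j + nlen].decode("ascii")
            j += nlen
    return None


def passive_observer(packets):
    """Hostnames a party on the path (ISP, shared Wi-Fi, a hijacker) learns from cleartext metadata."""
    seen = []
    for kind, pkt in packets:
        name = dns_query_name(pkt) if kind == "udp/53" else tls_sni(pkt)
        if name:
            seen.append(name)
    return seen


# Constructed sample traffic: one user visiting www.example.gov the usual way.
PLAINTEXT_SESSION = [
    ("udp/53", build_dns_query("www.example.gov")),       # cleartext DNS lookup
    ("tcp/443", build_client_hello("www.example.gov")),   # TLS ClientHello with SNI
]
# Same visit with DNS over HTTPS to a resolver (hypothetical name) plus ESNI: the DNS query
# rides inside the encrypted HTTPS session, so only the resolver's name is visible, and the
# site's name moves into an encrypted extension, represented here by dropping the cleartext SNI.
ENCRYPTED_SESSION = [
    ("tcp/443", build_client_hello("doh.resolver.example")),
    ("tcp/443", build_client_hello(None)),
]

if __name__ == "__main__":
    print("plaintext:", passive_observer(PLAINTEXT_SESSION))   # ['www.example.gov', 'www.example.gov']
    print("encrypted:", passive_observer(ENCRYPTED_SESSION))   # ['doh.resolver.example']
```

The point of the comparison is what remains visible in the second case: the observer still learns that the user talks to a DoH resolver and to some TLS endpoint, so the protection is against learning which site was visited, not against learning that a connection happened. An agency running its own encrypted resolver, as the letter suggests, also keeps even the resolver's identity in-house.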

When web infrastructure and cybersecurity vendor Cloudflare rolled out ESNI last month, the Electronic Frontier Foundation, a digital privacy advocacy group, said the tool “will give a huge boost to the goal of reducing what other people know about what you do online.”

As an example of DHS’s ability to prod agencies toward strong cybersecurity policies, Wyden cited a binding operational directive the department issued last year requiring agencies to serve their websites over HTTPS. “Requiring agencies to protect metadata with encrypted DNS and ESNI is the next logical step,” he wrote.

The letter also highlights the possibility of agencies addressing encryption issues in-house or contracting a solution out. “Federal agencies should protect DNS data either by operating their own encrypted DNS servers, or using private encrypted DNS services, provided that they meet rigorous cybersecurity and privacy standards,” Wyden wrote.

Wyden asked for an “affirmative response” from Krebs within 60 days.

Gizmodo was first to report on the letter.


Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.
