Connecting state and local government leaders
Many local governments rely on “.com” or “.org” URLs, making it easier for cyber criminals to trick users with imposter websites.
Local governments are in line to get additional federal help shifting to web addresses that end in “.gov” under legislation that was part of the giant spending and coronavirus relief package President Trump signed into law at the end of the year.
Many local governments around the country still rely on “.com,” “.org,” or “.us.” addresses. This can make it harder for online users to tell if they’re visiting an official government website, and it creates an opportunity for “spoofing,” where bad actors create imposter sites.
"If you're on dot gov, you know you're not going to be spoofed,” said Matt Pincus, director of government affairs for the National Association of State Chief Information Officers. The group pushed for the passage of the new law, which had bipartisan support.
Spoofing websites can be a problem in areas of local government ranging from elections administration to the coronavirus response.
For instance, a fake government website might be used to point people to an incorrect polling place on election day, or it might falsely promise to register a person for a coronavirus vaccine appointment if they enter personal information, such as their Social Security number.
The .gov URL, on the other hand, is a signal to users that a site is legitimate and can be trusted.
“It is a simple thing that we should be doing,” Pincus said. “And with less than 10% of all eligible local governments registered on dot gov, it seems like a no brainer.”
"Especially in the middle of Covid, when we've had just a flood of folks going to state and local government websites,” he added.
The federal government operates the .gov domain and makes the extension available to government organizations through what’s known as the DotGov program.
Under the new law, the program will be transferred from the General Services Administration to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. Pincus said this demonstrates a recognition by policymakers of the cybersecurity issues in play.
Additionally, the law calls on CISA to develop an outreach strategy to support local governments in migrating to the .gov domain, and to provide technical information on how to make the switch.
The law would also make local government projects to move websites to .gov URLs eligible for funding through the federal Homeland Security Grant Program. And it gives the director of CISA latitude to waive fees local governments pay for .gov-related services.
The current annual fee for a .gov web address is $400. While that is not a huge cost, Pincus said it can be a barrier for some small local governments, particularly when they can register websites using other services for less money.
For localities interested in taking advantage of the new law and switching to a .gov URL, Pincus said next steps will depend in part on how CISA proceeds with its outreach strategy. He noted that the agency’s existing efforts to coordinate with states and regions could help on this front.
It’s unlikely the URL will be a huge help when it comes to shielding localities against some of the serious cyberattacks they’ve faced in recent years, such as ransomware incidents. These episodes commonly arise from phishing, in which public employees are enticed to click on malicious links.
But it would be possible for federal authorities to implement certain cybersecurity measures that would apply specifically to .gov websites, a potential benefit for local governments, especially those lacking information technology staff.
Bill Lucia is a Senior Reporter for Route Fifty and is based in Olympia, Washington.