Government // Cybersecurity
News
3/2/2009
04:55 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Government Keeping Its .Gov Domain Names Secret

Despite a presidential promise of openness in government, GSA officials decline to release the full list for fear of cyberattack.

President Obama in January promised "an unprecedented level of openness in government." But the government has yet to get the memo.

Asked in a Freedom of Information Act (FOIA) request to provide a list of the .gov domains, including the agency registering the domain, the General Services Administration declined, citing 2007 Department of Justice FOIA guidelines.

The GSA claims that "release of the requested sensitive but unclassified information presents a security risk to the top level Internet domain enterprise."

The decision comes despite an explicit directive by the president to agency heads in January that FOIA requests should be decided in favor of openness.

"All agencies should adopt a presumption in favor of disclosure, in order to renew their commitment to the principles embodied in FOIA, and to usher in a new era of open government," the president's memo states. "The presumption of disclosure should be applied to all decisions involving FOIA."

In January, there were 4,657 .gov domains, a number that, according to the GSA, has been growing at a rate of about 10% annually for the past few years. Some 1,724 of the domains are associated with federal agencies and 2,424 are associated with cities and counties. Native American tribes have about 107.

A list of .gov domains from 2002 contains 1,491 domain names.

Karl Auerbach, CTO of at InterWorking Labs, an attorney, and former member of the board of directors of ICANN, characterized the government's claim that it needs to withhold the list of .gov names to protect them from cyberattack as utter nonsense.

"That's the same logic that would withhold the government manual containing all the governmental people, their jobs, and phone numbers on the grounds that they might be subjected to phone calls or postal letters that contain dangerous contents," he said in an e-mail. "The proper answer is that the government should armor itself against attacks and not to try to hide from its citizens."

Auerbach added that if the government believes public awareness of domain names represents a security risk, it also should be concerned about attacks on private domain names. Yet, he said, the government requires everyone in the United States who buys an Internet domain to have his or her name, address, phone number, and e-mail published in the Whois database, which is accessible to people all over the world.

"It's a puzzling argument, and maybe also an insulting one," said Steven Aftergood, director of the Federation of American Scientists' Project on Government Secrecy, in an e-mail. "Withholding a list of .gov domains does nothing to diminish the threat of cyberattacks. Instead, it tends to concentrate that threat on domains that are publicly known."

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Cyber Security Standards for Major Infrastructure
Cyber Security Standards for Major Infrastructure
The Presidential Executive Order from February established a framework and clear set of security standards to be applied across critical infrastructure. Now the real work begins.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - August 27, 2014
Who wins in cloud price wars? Short answer: not IT. Enterprises don't want bare-bones IaaS. Providers must focus on support, not undercutting rivals.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.