Despite a presidential promise of openness in government, GSA officials decline to release the full list for fear of cyberattack.
President Obama in January promised "an unprecedented level of openness in government." But the government has yet to get the memo.
Asked in a Freedom of Information Act (FOIA) request to provide a list of the .gov domains, including the agency registering the domain, the General Services Administration declined, citing 2007 Department of Justice FOIA guidelines.
The GSA claims that "release of the requested sensitive but unclassified information presents a security risk to the top level Internet domain enterprise."
The decision comes despite an explicit directive by the president to agency heads in January that FOIA requests should be decided in favor of openness.
"All agencies should adopt a presumption in favor of disclosure, in order to renew their commitment to the principles embodied in FOIA, and to usher in a new era of open government," the president's memo states. "The presumption of disclosure should be applied to all decisions involving FOIA."
In January, there were 4,657 .gov domains, a number that, according to the GSA, has been growing at a rate of about 10% annually for the past few years. Some 1,724 of the domains are associated with federal agencies and 2,424 are associated with cities and counties. Native American tribes have about 107.
Karl Auerbach, CTO of at InterWorking Labs, an attorney, and former member of the board of directors of ICANN, characterized the government's claim that it needs to withhold the list of .gov names to protect them from cyberattack as utter nonsense.
"That's the same logic that would withhold the government manual containing all the governmental people, their jobs, and phone numbers on the grounds that they might be subjected to phone calls or postal letters that contain dangerous contents," he said in an e-mail. "The proper answer is that the government should armor itself against attacks and not to try to hide from its citizens."
Auerbach added that if the government believes public awareness of domain names represents a security risk, it also should be concerned about attacks on private domain names. Yet, he said, the government requires everyone in the United States who buys an Internet domain to have his or her name, address, phone number, and e-mail published in the Whois database, which is accessible to people all over the world.
"It's a puzzling argument, and maybe also an insulting one," said Steven Aftergood, director of the Federation of American Scientists' Project on Government Secrecy, in an e-mail. "Withholding a list of .gov domains does nothing to diminish the threat of cyberattacks. Instead, it tends to concentrate that threat on domains that are publicly known."
Security Job #1 For FedsThe 2014 InformationWeek Government IT Priorities Survey shows federal IT pros care about security - itís rated as very important by 69% of respondents, 30 percentage points ahead of the No. 2 priority, disaster recovery. Will the upcoming NIST cyber-security framework help manage risk?