The name of a website is the key indicator users, operators, and algorithms use to evaluate the authenticity of the owner of that website. So much so that there are frequent, sophisticated attempts to trick users into going to fake websites to steal credentials or commit fraud. Governments have special access to restricted domain names that not only signal authenticity but other security protocols as well. All eligible jurisdictions should strongly consider changing their domain name to use a .gov website address to take advantage of additional network protections, assure users of authentic website ownership, and provide a strong signal that it is an authoritative source of information.
Improving Jurisdictions’ Online Security Standards
To better understand why governments should adopt a .gov website name, it is necessary to understand how websites are named. The domain name is the simple, easy-to-remember address that people use to find a specific website. Computers translate the domain name text into a series of numbers called an IP address. For example, it is much easier for a person to remember google.com, but computers prefer to use the IP address 188.8.131.52 to access the same website. There are a limited number of desirable website addresses, so a system was developed to expand available options based on broad topic categories and geography. This system is known as the top-level domain or TLD. TLDs are the last part of a website name. The one that most people are familiar with is .com. That TLD references the commercial category. Other categories include .edu for education, .org for organization, and .gov for government. There are hundreds of categories like .art, .coffee, and even .vote—each with potentially countless website names available for purchase by the public. Purchasing website names in special categories, however, is restricted by the entities that manage those domains. The .gov domain is one such domain.
The Cybersecurity and Infrastructure Security Agency (CISA) is the gatekeeper for the .gov domain for public entities in the United States. Prior to 2021, the General Services Administration (GSA) managed the registration process that included an annual fee of $400 per website name. Today, tens of thousands of local, state, tribal, and other jurisdictions are eligible to register their own .gov website name at no-cost through CISA. In addition to reducing the operating cost of owning a website name, CISA is addressing some of the security shortcomings that exist when using commercial registration services. Entities that use .gov website names must certify authority to register the name, provide contact information in case of administrative and technical issues, and prohibit its use for commercial/political/illegal purposes. CISA also provides a list of security best practices for jurisdictions to follow to increase the resiliency of the websites by maintaining a high-level of trust in the information being communicated. These recommendations include: adding a security contact, developing a vulnerability disclosure policy (VDP), preloading the domain, using Domain-based Message Authentication, Reporting and Conformance (DMARC), signing-up for Cyber Hygiene, and joining the Multi-State Information Sharing and Analysis Center (MS-ISAC).
Across the United States there are tens of thousands of eligible state, local, tribal, and district jurisdictions that can obtain a .gov domain. The vast majority currently use a .com, .org, or .net domain. This is somewhat unusual compared to municipalities in other countries. Typically, the commercial and non-commercial entities in other countries follow a country code TLD (ccTLD) hierarchy scheme like .uk for the United Kingdom or .de for Germany. There is a similar system in the United States that includes two-letter state abbreviations on the .us domain (like id.us for Idaho or or.us for Oregon), but there are few restrictions on who can register a .us domain, and strictly following the domain hierarchy can lead to unwieldly, multi-level website addresses like https://www.stmary-wooster.cld.pvt.k12.oh.us/. The name of a website is supposed to be a simple, easy-to-remember address. More complicated domain names can be an opportunity for an adversary to trick users into visiting a compromised or fake website designed to promote false information or steal login credentials.
Providing Voters with Authoritative Sources of Information
Ensuring that users can find authoritative sources of information is particularly important in elections. Election officials have been specifically challenged by influence operations that attempt to sow doubt and confusion in voters about the integrity of the electoral process. Providing information to those voters and members of the media via the web is an important tool for those election officials. At the national level, only five states have not made the transition to a .gov domain for election information. They have maintained their stricter ccTLD hierarchy scheme of sos.state.xx.us instead. Last year, McAfee found that “80.2% of election administration websites or webpages lack the .GOV validation that confirms they are the websites they claim to be.” Transitioning all 10,000 local election offices to .gov domains is a much more daunting prospect, but a worthwhile one nonetheless.
There are examples of jurisdictions across the country making the jump to a .gov domain. In Ohio, the change came from the top. When the secretary of state issued the Election Security & Accessibility Directives in 2019 and 2020 to all 88 county boards of election, the directives required that election websites and email addresses use a .gov domain and prohibited the use of domains from email providers or internet service providers. The secretary of state allocated block grants from Help America Vote Act (HAVA) funds to each election board to assist with the transition. In Florida, county supervisors of elections are moving toward adoption of .gov domains. Hillsborough County recently completed the transition from hcsoe.org to VoteHillsborough.gov. The new domain is easy to read and remember, and it more clearly communicates what can be found on the website. The county used the rebranding opportunity in 2021 to also enhance online services for voters, candidates, and others interested in how the county administers its elections. Supervisor Craig Latimer said the move is “a clear signal to our community that our website is the official, trusted source of voting and elections information.”
Texas has the largest number of jurisdictions online using a .gov domain with a total of 354, but only four of those are election websites. The state also has a massive number of eligible jurisdictions: 254 counties, over 1,220 municipalities, and more than 3,250 special government districts. It is difficult to know whether these thousands of websites have security protocols like two-factor authentication (2FA) or domain ownership change notification enabled—as would be required if those websites used .gov domain names. This is a real opportunity for state officials in Austin to reduce opportunities for online malfeasance by requiring local jurisdictions to adopt .gov domain names.
Using Website Names to Establish Trustworthiness
Spoofing the name or even the content of a website is trivial. In fact, it is a highly effective method malicious actors use that can be difficult to detect. Indeed, malicious actors like hackers and criminals often choose names that are similar to the legitimate site with the hope that users will not be able to distinguish the minor changes to the name. These fraudulent sites can even be exact copies of the legitimate one.
.Gov domains communicate to users that a website is legitimate—and website names are not just for the benefit of human users. Domain names along with other technical protocols like DMARC and TLS enable computer systems to validate the identity of a website owner and establish secure connections to prevent an imposter from tricking users or stealing credentials. Computer operating systems, search engines, and social media platforms use these technical signals as part of the algorithms that help determine the trustworthiness of websites that users want to visit. Using a .gov domain sends a strong signal to those systems that the information presented on those websites comes from an authoritative source.
The question jurisdictional policymakers and administrators must consider is whether the benefits of a .gov domain are worth the cost and effort of rebranding and technical investments. I contend that the answer is always yes!