[Infowarrior] - Government Keeping Its .Gov Domain Names Secret

Richard Forno rforno at infowarrior.org
Tue Mar 3 14:53:30 UTC 2009


  Government Keeping Its .Gov Domain Names Secret

http://www.informationweek.com/news/showArticle.jhtml?articleID=215600330

Despite a presidential promise of openness in government, GSA  
officials decline to release the full list for fear of cyberattack.

By Thomas Claburn
InformationWeek
March 2, 2009 05:40 PM

President Obama in January promised "an unprecedented level of  
openness in government." But the government has yet to get the memo.

Asked in a Freedom of Information Act (FOIA) request to provide a list  
of the .gov domains, including the agency registering the domain, the  
General Services Administration declined, citing 2007 Department of  
Justice FOIA guidelines.

The GSA claims that "release of the requested sensitive but  
unclassified information presents a security risk to the top level  
Internet domain enterprise."

The decision comes despite an explicit directive by the president to  
agency heads in January that FOIA requests should be decided in favor  
of openness.

"All agencies should adopt a presumption in favor of disclosure, in  
order to renew their commitment to the principles embodied in FOIA,  
and to usher in a new era of open government," the president's memo  
states. "The presumption of disclosure should be applied to all  
decisions involving FOIA."

In January, there were 4,657 .gov domains, a number that, according to  
the GSA, has been growing at a rate of about 10% annually for the past  
few years. Some 1,724 of the domains are associated with federal  
agencies and 2,424 are associated with cities and counties. Native  
American tribes have about 107.

A list of .gov domains from 2002 contains 1,491 domain names.

Karl Auerbach, CTO at InterWorking Labs, an attorney, and former
member of the board of directors of ICANN, characterized the  
government's claim that it needs to withhold the list of .gov names to  
protect them from cyberattack as utter nonsense.

"That's the same logic that would withhold the government manual  
containing all the governmental people, their jobs, and phone numbers  
on the grounds that they might be subjected to phone calls or postal  
letters that contain dangerous contents," he said in an e-mail. "The  
proper answer is that the government should armor itself against  
attacks and not to try to hide from its citizens."

Auerbach added that if the government believes public awareness of  
domain names represents a security risk, it also should be concerned  
about attacks on private domain names. Yet, he said, the government  
requires everyone in the United States who buys an Internet domain to  
have his or her name, address, phone number, and e-mail published in  
the Whois database, which is accessible to people all over the world.

"It's a puzzling argument, and maybe also an insulting one," said  
Steven Aftergood, director of the Federation of American Scientists'  
Project on Government Secrecy, in an e-mail. "Withholding a list  
of .gov domains does nothing to diminish the threat of cyberattacks.  
Instead, it tends to concentrate that threat on domains that are  
publicly known."

Cricket Liu, VP of architecture at Infoblox, an Internet  
infrastructure management company, agrees that security through  
obscurity won't work. "DNS is a public, worldwide naming system," he  
said in an e-mail. "If a subdomain of .gov is used at all on the  
Internet, there's some evidence of it. Even if the subdomain isn't  
visible at all on the Internet, the fact that it's hidden doesn't  
improve the security of hosts in that subdomain."

Frank Hayes, senior VP of marketing at Nitro Security, said security  
through obscurity "is not necessarily something that we'd recommend to  
implement solely." He added, "A lot of times, it's just policy to try  
to keep those things secret." He speculated that some .gov sites might  
only allow traffic from whitelisted sites and that publication of  
those domain names might undermine that strategy.

Another possible reason for the government's reluctance to reveal the  
list of .gov domains might be that the GSA, which administers the .gov  
domain, has come under fire for allowing government domains to be  
politicized and for allowing exceptions to the naming policy for .gov  
domains.

Aftergood said he thinks there's a good chance that a court would  
overturn the GSA's decision. "But the move illustrates the temptation  
of secrecy for some government officials," he said. "It's their first  
instinct." 

