Following a catastrophic Office of Personnel Management (OPM) hack, where the data of over 4 million federal employees was stolen, as well as other private sector data breaches, the U.S. government seems to be getting more serious about defensive online security instead of simply using the "cybersecurity" rhetoric to pass more surveillance laws.
The White House Office of Management and Budget (OMB) issued today the "HTTPS-Only Standard" directive (PDF), which will require all federal websites and services to use secure HTTPS connections. All federal websites will have to use this standard by December 31, 2016, so most federal services will likely still remain unencrypted for the next one and a half years.
A public dashboard has already been created to monitor the progress of these websites in adopting HTTPS. By the looks of it, almost a third already use HTTPS, but with varying degrees of security. The creators of the dashboard have added SSL Labs' grading system, which shows that some sites, even though they use HTTPS, receive only an "F" grade for the strength of their TLS configuration.
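To make the "varying degrees of security" concrete, here is an added example (not code from the article, the federal dashboard, or SSL Labs) that classifies a site's HTTPS posture from captured responses: does plain HTTP redirect to HTTPS, is a valid Strict-Transport-Security (HSTS) header present, and is its max-age at least a year? The one-year threshold, the level names, and every response below are assumptions constructed for the example.

```python
# Added example (not the article's, the dashboard's, or SSL Labs' code):
# classify a site's HTTPS posture from captured HTTP and HTTPS responses.
# All responses below are constructed for this example.
from urllib.parse import urlsplit

ONE_YEAR = 31536000          # HSTS max-age threshold used here (assumption)
REDIRECT_CODES = {301, 302, 303, 307, 308}


def header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into its directives."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                result["max_age"] = int(val.strip().strip('"'))
            except ValueError:
                pass  # a malformed max-age counts as absent
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def redirects_to_https(host, status, headers):
    """True if a plain-HTTP response redirects to an https:// URL on the same host."""
    if status not in REDIRECT_CODES:
        return False
    parts = urlsplit(header(headers, "Location") or "")
    return parts.scheme == "https" and (parts.hostname or "").lower() == host.lower()


def classify(site):
    """Return (level, findings) for one site.

    Levels (names are this example's own, not the dashboard's):
      'none'      no working HTTPS endpoint
      'available' HTTPS works, but HTTP is still served or HSTS is missing
      'enforced'  HTTP redirects to HTTPS and HSTS is set, but max-age < 1 year
      'strong'    enforced, with HSTS max-age of at least one year
    """
    host = site["host"]
    findings = []
    https = site.get("https")
    if https is None or https["status"] >= 400:
        return "none", ["HTTPS endpoint missing or failing"]

    http = site.get("http")
    enforced = http is None or redirects_to_https(host, http["status"], http["headers"])
    if not enforced:
        findings.append("HTTP served without redirect to HTTPS")

    hsts_raw = header(https["headers"], "Strict-Transport-Security")
    hsts = parse_hsts(hsts_raw) if hsts_raw else None
    if hsts is None or hsts["max_age"] is None:
        findings.append("no valid HSTS header")
        return "available", findings
    if not enforced:
        return "available", findings
    if hsts["max_age"] < ONE_YEAR:
        findings.append("HSTS max-age below one year")
        return "enforced", findings
    return "strong", findings


# Constructed sample responses (hostnames are placeholders, not real sites).
SAMPLE_SITES = [
    {"host": "good.example.gov",
     "http": {"status": 301, "headers": {"Location": "https://good.example.gov/"}},
     "https": {"status": 200, "headers": {
         "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}}},
    {"host": "partial.example.gov",
     "http": {"status": 200, "headers": {"Content-Type": "text/html"}},
     "https": {"status": 200, "headers": {}}},
    {"host": "legacy.example.gov",
     "http": {"status": 200, "headers": {}},
     "https": None},
    {"host": "short.example.gov",
     "http": {"status": 308, "headers": {"location": "https://short.example.gov/"}},
     "https": {"status": 200, "headers": {"strict-transport-security": "max-age=300"}}},
]


def summarize(sites=SAMPLE_SITES):
    """Map each host to its classification level."""
    return {site["host"]: classify(site)[0] for site in sites}


if __name__ == "__main__":
    for site in SAMPLE_SITES:
        level, findings = classify(site)
        print(f"{site['host']}: {level} {findings}")
```

The point of the two middle cases is that "uses HTTPS" says little on its own: a site that answers on port 443 but still serves plain HTTP without a redirect, or sends no HSTS header, leaves users exposed to downgrade on every fresh visit. Real graders such as SSL Labs go much further (protocol versions, cipher suites, certificate chain), which is why a site can offer HTTPS and still score an "F".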
The fact that the dashboard and the security grading exists will hopefully mean that those in charge of upgrading certain federal websites to HTTPS will be encouraged to adopt the strongest possible security.
The OMB believes that the HTTPS-only standard will eliminate inconsistent decisions about which content should be secured and which shouldn't be. This will ultimately create a stronger standard for privacy across the government's federal services.
The Chrome and Firefox browsers will eventually deprecate the use of HTTP on the Web, too, which means it was only a matter of time before the government had to move to using only HTTPS connections. The transition will still take up to 18 months, so this seems like the right time to do it.
The HTTPS-only directive is a great step in the right direction and one that probably should have happened years ago, but as the OPM data breach showed, much of the data the government keeps in its databases isn't even encrypted.
HTTPS encrypts data only in transit; it does nothing to stop data from being stolen from the servers that store it. If stolen data is not encrypted at rest, it can be used or sold by malicious hackers as-is. Therefore, rather than making encryption public enemy #1, it might be wiser to embrace and quickly adopt such strong encryption everywhere in the government. The FBI and other agencies should also encourage (as they once did) private companies and users to protect themselves with strong encryption and security practices against malicious hackers.