Two popular government news websites were hit by a cyber attack last week. The attack was so severe that access to FedNewsRadio.com and WTOP.com from the Internet Explorer (IE) browser was blocked for several days.
Here’s the notice the websites provided to users:
FederalNewsRadio.com is currently dealing with a malicious cyber attack, which attempts to use our site to infect computers with malware when using the Internet Explorer (IE) browser. To help protect our website visitors and prevent any further damage, we have blocked access to FederalNewsRadio.com from Internet Explorer. We believe Chrome, Firefox and Safari are safe alternatives, and suggest you use one of these browsers to access the Federal News Radio website. You will need to use one of these alternate browsers to access the links in this email alert. We are working diligently to fix the issue and will keep you updated as we learn more.
Most websites today – including this one – are optimized for a more ‘modern’ browser, such as Chrome or Firefox. With rare exception, all government computers – the workstations of the kinds of individuals who would frequent FedNewsRadio and WTOP – are enabled with only IE. Accessing the web through another browser is not an option.
It begs the question, will the government ever give up on its IE love? I asked a friend in government information security to weigh in, and he gave me the following response. Like most infosec professionals I know and love, he preferred to remain anonymous. But I’m labeling it an open love letter for IE. Check it out and let us know if you agree.
Internet Explorer will continue to be the primary choice of information security specialists in the federal government because of the ability to control the application via enterprise tools. Policy authors may set rules about how the browser is used per group of users, and the history may be logged with easy integration into established systems, specifically speaking of Group Policy Objects in Active Directory, which dominates the federal government.
Although IE is unpopular with the general public, the browser is often the only choice for federal agencies. The reasons that it is unpopular with civilians are the very same reasons why this software is perfect for the federal government. Because this browser provides a gateway into the operating system, it is easier for the application to provide a platform for attackers. But because this application is tied into Windows, it can be configured and updated with ease in an enterprise. Sure, this browser (before version 10) didn’t have a lot of the pretty icons or ease of use/integration into web service providers that Chrome and Firefox have. But this is yet another plus for the federal government. IA (information assurance) guys don’t want users to be able to store a gigabyte of cookies or store credentials to certain sites, or make ads from one site show up on the next one.
In this particular case (the FedNewsRadio/WTOP breach), the fault can be placed only on those IA officers who did not follow best practices when authoring their policies. The vast majority of the federal government is full of sticklers for these kinds of policies. People who sit in coffee shops don’t necessarily have to worry about threats to their computers because it’s safe to assume that their personal information has already been compromised, but this only affects themselves and their identity issues. They can update Firefox whenever they want to or ignore the update for a couple of days or weeks. And since their browsing is becoming increasingly social in nature, the data an attacker may be targeting is of very low value.
Sure, these applications load faster, but only because they configure themselves in their own little frame within the operating system. If IE doesn’t work well, people often switch to other browsers. But by doing this they are correctly assuming that something is wrong with their computer. Switching to another browser is only prolonging the unresolved issue of which a slow IE is a symptom.
Now imagine this same person in a coffee shop, but their computers contain data that is of high value to attackers. And their activity online is easily flagged as government related. AND if there were to be a breach of their system, it would affect an entire government agency. Now it’s easy to see why the federal government will always prefer a single browser environment.
Take it one step further: Let’s say you’re one of those people who have read that IE is not the most popular browser on the internet. These figures may be correct about the internet that is accessible by the company doing the polling. But the totals for all the browsers on all the private networks in all the agencies in all of the federal government would certainly dwarf any claim for superiority by any other browser. Individual users may continue to prefer others because they suit their needs. The government will continue to prefer IE because it suits theirs.
Now it’s your turn to weigh in – is the use of IE a hindrance to government efficiency and security, or do the enterprise benefits outweigh the risk of an attack?