A question was posed on Full Disclosure: “How many .gov sites did the USA government DDoSed/nearly defaced?” My intentions were to answer that, but after a couple days of working on it, I practically have a migraine. For starters, how many .gov sites are there?
Back in 2011, the White House Blog said there were thousands too many, “nearly 2,000 top-level federal .gov domains” and “under many of these domains are smaller sub-sites and microsites resulting in an estimated 24,000 websites of varying purpose, design, navigation, usability, and accessibility.” Although it stated plans to “stop the bleeding” and put “a freeze on all .gov URL’s,” the list of outdated sites is maintained by General Services Administration on data.gov . . . which is down for the count during the government shutdown; users are told to visit USA.gov.
According to USA.gov’s A –Z index of U.S. Government departments and agencies, there are 511 websites listed in alphabetical order; yes, I counted them: A has 33, B has 22, C has 46, D has 38, E has 23, F has 52, G has 8, H has 11, I has 22, J has 17, K has zero, L has 5, M has 19, N has 59, O has 27, P has 18, Q has zero, R has 14, S has 25, T has 11, U has 44, V has 7, W has 10, and there are zero listed under X, Y and Z. (Pssst, it's also nowhere close to a complete list.)
Sadly (and grrr), when you click on any of the agencies listed, it takes you to yet another informational page on USA.gov, which then has a direct link to the specific government website. So I started my list with all the agency names and site URLs, but after tackling 200 or so websites, not only did I want to slit my wrist, but I also found numerous errors where a single agency is duplicated under another letter in the alphabetical list.
Alcohol and Tobacco Tax and Trade Bureau is also listed under “B” as Bureau of Alcohol and Tobacco Tax and Trade. Little FYI: This TTB agency is tasked with approving new beers that are sold across state lines, new beer recipes using non-traditional ingredients as well as the beer label. The website states: “Due to the government shutdown, information on this website is available, but may not be up to date.”
Other oddities on the A-Z index of government agencies and departments include Agricultural Marketing Service, Agricultural Research Service, Agriculture Department that all go to the USDA: “Due to the lapse in federal government funding, this website is not available. After funding has been restored, please allow some time for this website to become available again.” Yet another listing issue example is: Citizenship and Immigration Services, Bureau of Citizenship and Immigration Services (USCIS) and Citizenship and Immigration Services (USCIS). Yes, they all go to the same site; yes, there are many instances of these types of errors. For example, Office of Compliance is also listed on USA.gov as Compliance, Office of.
Argh! USA.gov also lists some websites that are .org and .mil. Some obscure websites are still up with no government shutdown notice and some huge .gov sites are down for the count (NASA, NPS, NIST), so the rhyme or reason is confusing as to what sites are shutdown even though the White House issued "guidance."
According to a White House memorandum [pdf], government websites were to be flicked off during shutdown unless the site was connected with excepted activities, but even those sites should be “maintained at the lowest possible level.” The guidance states, “The mere benefit of continued access by the public to information about the agency's activities would not warrant the retention of personnel or the obligation of funds to maintain (or update) the agency's website.” In fact, the non-essential websites that were not connected with excepted activities were to be switched off even if “the cost of shutting down a website exceeds the cost of maintaining services.” Even if it costs more? That makes a lot of sense. But since when does the government always make a lot of sense?
These government websites were directed that “if an agency's website is shut down, users should be directed to a standard notice that the website is unavailable during the period of government shutdown.” Yet some sites have no message and others are completely unavailable as in the server can’t be found.
At one point, I spent several hours trying to limit the list of websites affected by the government shutdown to those dealing with cybersecurity or computer security. But that was also headache-inducing. For example, National Institute of Standards and Technology (NIST) states, “NIST Closed, NIST and Affiliated Web Sites Not Available.” Thank you Google cache for the list of NIST government security links, but many on the list are outdated, website moved, or non-existent.
Here's one such example: The NIST link to “Critical Infrastructure Assurance Office (CIAO)” first leads to “Oops! Google Chrome could not find www.ciao.gov. Did you mean: www.cia.gov?” Umm, no, so “let me Google for you,” shows “critical infrastructure” is hosted on DHS, but “Due to the lapse in federal funding, this website will not be actively managed.”
Somewhat frustrated about the massive amount of work hours going into this, and nowhere close to being able to answer how many .gov sites did the USA government DDoS or nearly deface, I found some related humor on GitHub that other geeks and coders might enjoy.
There is a repository of open source code released by the White House about a year ago for the functionality of WhiteHouse.gov and We The People. For confused non-coders, the White House blog previously stated, “one of the great things about open-source software is that anyone who wants to build something similar, or improve an existing application, can make a copy for themselves (known as ‘forking’) and even send us their improvements (called a ‘pull request’). And we really hope you’ll take advantage of that.”
And people definitely are. The open issues for WhiteHouse / fortyfour (President Obama is the 44th United States President) are hilarious. Most especially the comments regarding this Bug: Government occasionally shuts down submitted by davatron5000.
A few of my favorite comments include:
Zachleat: Looks like someone may have inserted some malicious congresspeople, can we issue a Pull Request to remove?”
Waldoj: Note that @JeffersonDavis actually forked this project before. A lot of people contributed, but @WhiteHouse had IP concerns and shut that down.
Huntwelch: Looks like we've been patching the original source for 200+ years. Maybe rewrite to take advantage of modern off-the-shelf solutions?
Sorry I couldn’t answer your question Full Disclosure, but I did give it more hours than I’m willing to admit and one heck of a try. From my sampling of over 200, there are more .gov sites down, or not being maintained, than are fully functioning.
If anyone is interested in following up on this, for all sites listed under A, B, C, D, some of M and N and O, about 200 websites, I have a list of the agency name, URL, and message posted on that government website, or noted if it was completely down and unavailable. I also have colored-coded the list if the website was still functioning, or color-coded if it the website is duplicated elsewhere under another name. There is a different color-code if the site prompted the message: “This site’s security certificate is not trusted!” Warning, there are websites that appear to be up and running, with no notification about government shutdown, but if you do a little digging, like click around on their social media accounts, then you see notifications that social media teams are not tweeting or replying during shutdown. It’s a lot of clicking, a lot of time, a lot of issues, basically one giant clusterflub.
In conclusion, here are a couple of the ironic screenshot captures from USA.gov’s department and agency list:
Defense Acquisition University: Not .gov but .mil and no notification of government shutdown on website. Taking the “bait” as if it were phished, I clicked on Cyber Security Hot Topic Forum Presentation Available… it leads to “The site’s security certificate is not trusted!”
It’s clear that many .gov sites won’t be patching that nasty IE hole currently being exploited even though Microsoft released a patch this week and that’s troubling. But hey, happy 10th National Cybersecurity Awareness month anyway!