Government computer security has a long way to go

March 20, 2006, by Michael Hampton

Only 61 percent of federal government computer systems have tested contingency plans for continuing operations in the event of hardware failures, disaster or terrorist attacks. And almost 20 percent of government computer systems, and nearly one-fourth of government contractors’ computer systems, haven’t even been evaluated for the simplest security weaknesses that your 14-year-old brother could figure out.

The Federal Information Security Management Act of 2002, enacted as part of the E-Government Act, requires federal agencies to come up with information security programs and to review them at least once a year for any needed changes, to keep an inventory of computer systems under their control, and to have the information security program audited annually.

And while federal agencies have indeed developed such programs, actually implementing them is the hard part.

Government investigators found that during fiscal year 2005, weaknesses in federal computer systems left the government open to attack from all sides, according to the Government Accountability Office:

  • Resources, such as federal payments and collections, could be lost or stolen.
  • Computer resources could be used for unauthorized purposes or to launch attacks on other computer systems.
  • Sensitive information, such as taxpayer data, social security records, medical records, and proprietary business information could be inappropriately disclosed, browsed, or copied for purposes of industrial espionage or other types of crime.
  • Critical operations, such as those supporting national defense and emergency services, could be disrupted.
  • Data could be modified or destroyed for purposes of fraud, identity theft, or disruption.
  • Agency missions could be undermined by embarrassing incidents that result in diminished confidence in federal organizations’ abilities to conduct operations and fulfill their fiduciary responsibilities.

Federal Agencies Show Mixed Progress in Implementing Statutory Requirements (PDF)

For instance, while federal agencies have baseline security configuration policies for systems, they don’t always actually use them when setting up systems.

Even so, security incident reporting within the government has gone down dramatically, which means either they’re succeeding in keeping the hackers out, or more likely, they’re covering their bureaucratic asses by simply not reporting incidents, perhaps even letting hackers roam free inside government computers.

Hackers like government computers. They like them a lot. Government systems make an attractive target, and a successful break-in earns hackers notoriety and credibility among other hackers. So don’t think for a minute that they’ve just stopped bothering the government. They haven’t. They’re roaming free inside government computer systems as we speak.

The only saving grace here is that hackers don’t care about committing real crimes, such as theft, fraud or disruption of emergency services. But the terrorists do. And when they learn to hack, we’re all in trouble.


Copyright © 2010 Homeland Stupidity.