When a federal agency’s official website starts redirecting visitors to a dubious third-party page hawking discount travel deals or worse, something has gone profoundly wrong. Not with the internet. With the institution itself.
That’s exactly what’s been happening across a growing number of U.S. government web properties, according to a detailed investigation published by PPB1701, a technology and cybersecurity blog that has been tracking the phenomenon of abandoned and hijacked .gov domains. The findings paint a picture of institutional neglect that stretches across multiple agencies, administrations, and years — a slow-motion failure with real consequences for public trust and national security.
The core problem is deceptively simple. Government agencies acquire domain names for projects, initiatives, campaigns, and offices. Administrations change. Budgets shift. Personnel rotate. And those domains? They linger. Unmonitored. Unrenewed. Vulnerable.
Abandoned Domains, Open Doors
The .gov top-level domain is supposed to carry weight. It signals authority. Legitimacy. When Americans see a .gov URL, they’re conditioned to trust it — and for good reason. The General Services Administration (GSA) manages the .gov registry and has historically maintained strict requirements for registration. Only verified government entities at the federal, state, local, and tribal levels can obtain one.
But registration is only the beginning. Maintaining a domain — keeping its DNS records accurate, its hosting active, its content current — requires ongoing attention. And that’s where things break down. As PPB1701 documented, numerous government domains have been allowed to lapse or have had their DNS configurations left in states that make them ripe for takeover. Some have been subject to what security researchers call “subdomain hijacking” or “dangling DNS” attacks, where an attacker claims control of a cloud resource that a government domain still points to, effectively putting malicious content on a .gov address.
This isn’t theoretical. It’s been happening.
The blog’s research identified cases where government domains were resolving to pages that had nothing to do with their original purpose — commercial content, parked pages, and in some instances, potentially malicious sites. The implications are severe. A .gov domain serving malware or phishing content inherits the trust that the entire .gov brand has built over decades. Email sent from a compromised .gov domain could bypass spam filters. Links shared on social media from a .gov address get clicked without hesitation.
And the agencies responsible? Often unaware.
This pattern reflects a broader institutional weakness in how the federal government manages its digital assets. There is no single, comprehensive, publicly available inventory of all active .gov domains and their current status. The GSA publishes a list of registered .gov domains, but that list doesn’t tell you whether a domain is actively maintained, whether its DNS is properly configured, or whether anyone is actually watching it. The gap between registration and operational security is vast.
The problem has drawn some attention in cybersecurity circles. The Cybersecurity and Infrastructure Security Agency (CISA), which operates under the Department of Homeland Security, has issued directives related to federal domain security, including Binding Operational Directive 18-01, which required agencies to implement email authentication protocols like DMARC and to enforce HTTPS across their web properties. But those directives focus on active, maintained domains. They don’t adequately address the zombie domains — the ones that have been forgotten but still resolve, still carry the imprimatur of the United States government.
CISA has also worked to improve the .gov registration process, making it easier for legitimate government entities to obtain domains while tightening verification. In 2021, the agency took over management of the .gov TLD from the GSA, a move intended to strengthen security oversight. But the inherited backlog of poorly managed domains remains a stubborn problem.
A Symptom of a Deeper Institutional Failure
The abandoned domain issue doesn’t exist in isolation. It’s a symptom of how the federal government has historically treated IT infrastructure: as a series of one-off projects rather than ongoing operational responsibilities. A new administration launches a website for a policy initiative. The initiative ends or gets renamed. The website goes dark. But the domain registration persists, and the DNS records keep pointing somewhere — even if that somewhere is no longer under government control.
This is compounded by the sheer scale of the federal web presence. There are thousands of .gov domains. Some belong to tiny municipal water districts. Others belong to Cabinet-level departments. The resources available to manage them vary enormously. A small-town government that registered a .gov domain for a community project five years ago may not have a single IT staffer, let alone someone monitoring DNS configurations.
But the federal agencies have no excuse. They have budgets, they have staff, and they have explicit mandates from CISA to maintain their digital security posture. The fact that federal domains are still falling through the cracks suggests either a lack of enforcement, a lack of accountability, or both.
Recent reporting has underscored the broader fragility of government IT. ProPublica and other outlets have documented how federal technology systems remain riddled with legacy infrastructure, underfunded maintenance, and workforce shortages. The domain management problem is just one more facet of a government technology apparatus that has been chronically underinvested in and poorly governed.
So what should be done? PPB1701 argues for more aggressive monitoring and automatic decommissioning of domains that show signs of abandonment. Security researchers have long advocated for a centralized, real-time dashboard that tracks the health and status of all .gov domains — not just whether they’re registered, but whether they’re actively maintained, properly configured, and free of unauthorized content.
Some of this is already technically feasible. Automated scanning tools can detect dangling DNS records, expired certificates, and unauthorized content changes. The question is whether the political will exists to fund and enforce such monitoring at scale.
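The dangling-DNS check described above can be sketched as follows. This is an added example, not code from PPB1701 or any agency; the zone entries, resolver answers and suffix list are constructed for illustration, and a real audit would replace `offline_resolve` with live DNS queries.

```python
# Audit a zone export for CNAMEs whose cloud target no longer exists.
# All names are constructed (.example is a reserved TLD).

# Third-party hosting suffixes where a deleted resource returns NXDOMAIN and
# the name can be claimed again (illustrative sample, not a complete list).
# Providers that answer every name via wildcard DNS need an HTTP-level check.
CLAIMABLE_SUFFIXES = (".azurewebsites.net", ".trafficmanager.net",
                      ".cloudapp.azure.com")

# Constructed zone export: (owner name, record type, target)
ZONE = [
    ("www.agency.example", "CNAME", "agency-prod.azurewebsites.net"),
    ("campaign2019.agency.example", "CNAME", "campaign2019-site.azurewebsites.net"),
    ("docs.agency.example", "CNAME", "cdn.agency.example"),
    ("cdn.agency.example", "CNAME", "agency-docs.trafficmanager.net"),
    ("mail.agency.example", "A", "192.0.2.10"),
]

# Constructed resolver answers standing in for live lookups.
ANSWERS = {"agency-prod.azurewebsites.net": "NOERROR"}

def offline_resolve(name):
    """Return the DNS response code for name; unknown names are NXDOMAIN."""
    return ANSWERS.get(name, "NXDOMAIN")

def final_target(name, cnames, max_hops=8):
    """Follow in-zone CNAMEs until the chain leaves the zone or loops."""
    seen = set()
    while name in cnames and name not in seen and len(seen) < max_hops:
        seen.add(name)
        name = cnames[name]
    return name

def find_dangling(zone, resolve):
    """List (owner, target) pairs that point at a claimable, missing resource."""
    cnames = {owner.lower().rstrip("."): target.lower().rstrip(".")
              for owner, rtype, target in zone if rtype == "CNAME"}
    findings = []
    for owner in sorted(cnames):
        target = final_target(owner, cnames)
        if target.endswith(CLAIMABLE_SUFFIXES) and resolve(target) == "NXDOMAIN":
            findings.append((owner, target))
    return findings

if __name__ == "__main__":
    for owner, target in find_dangling(ZONE, offline_resolve):
        print(f"DANGLING {owner} -> {target}")
```

Each finding is a record to delete or repoint before the decommissioned resource name is registered by someone else.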
There’s also a cultural dimension. Government agencies need to treat domain names the way they treat physical property — as assets that require lifecycle management. You wouldn’t abandon a government building and leave the doors unlocked with the agency seal still on the front. But that’s essentially what’s happening in the digital world every time a .gov domain is left to rot with its DNS still active.
The private sector has grappled with similar challenges. Large corporations routinely audit their domain portfolios, decommission unused properties, and monitor for unauthorized use of their brands. The tools and practices exist. The government just hasn’t adopted them with the urgency the situation demands.
And the urgency is real. Nation-state adversaries and criminal organizations actively scan for vulnerable government infrastructure. A hijacked .gov domain isn’t just an embarrassment — it’s a potential attack vector. It could be used to distribute malware to government employees, to conduct spear-phishing campaigns with an air of legitimacy, or to spread disinformation under the cover of an official government source. The trust premium that .gov carries makes it an extraordinarily valuable target.
The Clock Is Ticking
The current moment makes this problem more acute, not less. Government web properties are under increased scrutiny as agencies undergo reorganizations, budget cuts, and personnel changes. Every restructuring creates new opportunities for domains to fall through the cracks — old office websites that no one remembers to shut down, project pages that lose their designated maintainer, campaign sites that outlive the campaign.
CISA’s takeover of the .gov registry was a step in the right direction. But managing the registry and actively policing the security of every domain on it are two very different things. The former is an administrative function. The latter requires sustained operational investment and interagency coordination that the federal government has historically struggled to deliver.
The PPB1701 investigation serves as a pointed reminder that cybersecurity isn’t just about firewalls and endpoint detection. Sometimes it’s about the basics. Like making sure the front door is actually yours.
For an institution that asks its citizens to trust .gov as a marker of authenticity and authority, the failure to maintain that trust at the most fundamental level — the domain name — is more than a technical oversight. It’s a breach of the social contract between government and governed. And until agencies treat their digital properties with the same seriousness they apply to their physical ones, that contract will keep eroding, one abandoned domain at a time.
