Likely Normal

Nothing inspires confidence quite like watching government agencies attempt cybersecurity. In their zealous pursuit of airtight systems, many have created such absurd protocols that they’ve achieved the exact opposite – making data less secure while grinding productivity to a halt. The results would be hilarious if they weren’t so concerning.

Take the Pentagon’s former nuclear launch protocols, which until 2019 still relied on 8-inch floppy disks for critical systems. This wasn’t some backup method – this was the primary technology coordinating our nation’s most powerful weapons. Meanwhile, their secure document transfer system often required employees to print emails, walk them across buildings, fax them to another office, then scan them back into a computer. Hackers, upon learning this, reportedly abandoned cyberattacks and just started checking dumpsters for printed secrets.

The IRS took a different approach to identity protection by forcing taxpayers to verify their identities through Equifax – the same credit bureau that infamously leaked 147 million Social Security numbers in 2017. This brilliant strategy amounted to protecting your house by giving the keys to a known burglar. Similarly ironic was the State Department’s post-Clinton email scandal solution: having staff use regular Gmail accounts with no additional encryption, then simply telling them not to discuss classified information.

Across the pond, the UK government implemented password policies so draconian that they actually weakened security. With requirements to change passwords every 30 days without repeating any for two years, employees simply wrote them on sticky notes or used predictable patterns like “Password1”, “Password2”, etc. A subsequent study found 90% of government passwords were easily guessable, essentially handing hackers a master key.

Australia demonstrated another flavor of failure during its 2016 census, when its $10 million “secure” website crashed immediately – not from hacking, but because its own security systems mistook legitimate citizen traffic for a cyberattack. Officials initially blamed foreign interference, until someone pointed out most of the traffic came from within the island nation itself.

Perhaps most alarmingly, a 2020 Pentagon audit revealed $100 million worth of military “secure” devices were still using factory default passwords like “admin” and “1234”. When questioned, contractors admitted they assumed someone else would change them. That “someone” apparently never showed up.

These examples reveal a troubling pattern: security theater that prioritizes compliance checkboxes over actual protection. The resulting systems become so cumbersome that employees inevitably find workarounds, creating even more vulnerabilities. It’s cybersecurity designed to look secure rather than actually be secure – with taxpayers footing the bill for both the farce and the inevitable breaches.