Trump pushes for sleeker government sites, but 73% have security issues

73% of US state government pages are at high cybersecurity risk, suggesting that changes should focus on security rather than design.

As President Donald Trump pushes for sleeker and more user-friendly government websites through a new executive order, the Business Digital Index (BDI) team looked into how well the main government website of each U.S. state is actually protected, revealing that increasing cybersecurity, not improved design, should be the focus.

Results show 42 out of 50 states received a D or F grade for cybersecurity in August 2025. Democratic states have an average score of 63 out of 100, compared to Republican states' average score of 59.

These findings are concerning since there have been multiple cyberattacks on the US government in recent times:

• In August 2025, A cyberattack caused Nevada's state offices to close for two days.
• In July 2025, a state of emergency was declared due to the cyberattack on a city government in Minnesota. The same month, Wyoming, North Carolina, Ohio, and Oklahoma City suffered a cyberattack.
• In August 2024, US government officials blamed Iranian hackers for breaking into Donald Trump’s presidential campaign.
• In December 2024, Chinese hackers breached a third-party vendor for the US Treasury Department to gain access to over 3,000 unclassified files.
• In June 2023, a worldwide cyber attack targeted several agencies within the US federal government, including the Department of Energy.

According to Check Point, the government sector saw over 2,700 attacks weekly in the first quarter of 2025,​​ making it the second most targeted sector globally.

To assess the potential vulnerabilities of US government websites, we analyzed the cybersecurity posture of each primary state government website.

Below is a summary of how the Business Digital Index evaluates a website's cybersecurity posture:

• Full technical methodology is available here.
• BDI carries out passive scans of publicly visible systems, and no internal access is required.
• Grading scale: 0–100 scores mapped to A–F grades.

Best-performing states

In August 2025, the highest scores from Blue (Democratic-leaning) states were from:

• Connecticut: Score 96, Grade A
• Colorado: Score 87, Grade C
• Hawaii: Score 83, Grade C

While the best scores from Red (Republican-leaning) states were from:

• Arkansas: Score 96, Grade A
• Kansas: Score 81, Grade C
• Oklahoma: Score 80, Grade C

States that showed the most improvement since February 2025 up to August 2025:

• District of Columbia: Grew by 28 points, from 38 to 66
• Nevada: Grew by 27 points, from 60 to 87
• Texas: Grew by 27 points, from 49 to 72

Worst-performing states

In August 2025, the worst scores from Blue (Democratic-leaning) states were from:

• Delaware: Score 37, Grade F
• Minnesota: Score 42, Grade F
• Maine: Score 49, Grade F

In 2025, the worst scores from Red (Republican-leaning) states were from:

• Indiana: Score 27, Grade F
• Wyoming: Score 28, Grade F
• Iowa: Score 35, Grade F

States that had the most significant decline since February 2025 up to August 2025:

• North Dakota: Fell by 18 points, from 68 to 50
• Louisiana: Fell by 13 points, from 64 to 51
• Tennessee: Fell by 13 points, from 65 to 52

Changes in cybersecurity scores

Based on the cybersecurity index, Democratic-leaning states scored higher on average than Republican-voting states: blue states showed an average improvement of 8% from February 2025 to August 2025 compared to Red states (4%).

• Blue state score in February 2025: 59
• Blue state score in August 2025: 63

• Red state score in February 2025: 57
• Red state score in August 2025: 59

Indiana, Wyoming, and Iowa ranked as the three worst states in August 2025. All three are considered Republican-voting states. Indiana ranked as the worst-rated state, with a cybersecurity score of 27 out of 100.

Cybersecurity should be the next step for improvement.

According to Secureframe, attacks on government frequently aim to gather intelligence, disrupt operations, or influence political outcomes. Recent examples include campaigns targeting public sector organizations and coordinated disinformation efforts to destabilize nations.

Most common issues involve SSL configuration problems, which can cause encryption failures. These failures undermine the security of data transmitted between citizens and government websites, making it vulnerable to interception.

High or critical-risk vulnerabilities highlight failures in patch management and security updates, making systems easy targets for attackers. Alarmingly, exploiting many of these vulnerabilities now requires almost no technical expertise, with increasing automation and streamlined hacker toolkits.

Human impact

Attacks on public administration, including national and local government institutions, affect civilians by disrupting access to essential public services like healthcare, social services, immigration, education, and timely, reliable information.

In February 2023, the City of Oakland suffered a ransomware attack that forced it to declare an emergency and impacted many non-emergency city services, including permitting, payment collections, and more. The fallout of the attack included publishing 600 GB of data on the dark web.

In 2021, hackers obtained Pottawatomie County (Kansas) data, and officials paid a ransom of $71,606.25. The attack persisted for two weeks and impacted the county’s driver’s license system and tax department.

In 2018, a cyber attack hit the City of Atlanta, bringing down government services. The attack took nearly a third of the city’s software offline, infecting 3,789 computers. It affected critical police services and the court system, including the loss of police dash-cam recordings tied to active prosecutions.

AI could aid criminals in causing global disruptions

According to the IOT Security Institute, disrupting critical infrastructure can erode public trust in government and destabilize political systems. Adversaries can use AI-powered attacks as cyber warfare tools to reach strategic goals without traditional military conflict. These attacks can also increase geopolitical tensions, as countries may see them as acts of war, leading to retaliatory steps and possibly all-out conflicts.

Even with AI-driven attacks on electrical grids, extended blackouts could impact industries, hospitals, and homes, ultimately crippling a nation’s economy.

Advancements in AI are allowing attackers to develop more sophisticated malware that can evade detection. Malware that can choose the best time to strike, adapt to defense measures, and even learn the system's environment independently.

Rewriting policy

According to the White House, on June 6th, 2025, President Donald J. Trump signed an Executive Order to improve the nation’s cybersecurity by focusing on key protections against foreign cyber threats and advancing secure technology practices.

Trump's action aims to establish a technical agenda centered on safeguarding infrastructure, reforming federal procedures, and tackling next-generation threats.

The Executive Order states that by August 1, the Secretary of Commerce, through the director of the National Institute of Standards and Technology (NIST), must form a consortium with industry at the National Cybersecurity Center of Excellence (NCCoE) to develop guidance on how to implement secure software development, security, and operations practices based on NIST Special Publication 800–218 (Secure Software Development Framework (SSDF)).

Conclusion

Our scan revealed that improving the design of government online pages should not be a priority. With most state domains earning an F grade, these sites face extreme breach risk that threatens millions of citizens' personal data.

Republican-voting states have a worse cybersecurity rating than Democratic-voting states, with Indiana, Wyoming, and Iowa at the bottom. Breaches of government pages could impact every state, potentially compromising federal databases and creating a nationwide security crisis.

Research Methodology

The BDI research team analyzed the domains of the 50 US states' main government pages. Detailed data collected from multiple sources, including IOT search engines, IP and Domain name reputation databases, and custom scanners, shows the digital security posture of government domains.

The report evaluates risk across seven key areas: software patching, web application security, email security, system reputation, SSL Configuration, system hosting, and data breach history. The detailed report’s Methodology is here.