
Since a nation state is supposedly behind this, wouldn't they have secured their command & control hosts better?



Surely they're not actually maintaining those hosts themselves (imagine the embarrassment of doing an RDNS lookup and getting "flame-cc1.nsa.gov"). They are almost certainly compromised machines owned by someone else, which makes "securing" them in the classic sense pretty much impossible.


I know it was a joke comment, but names like "Flame", "Duqu" or "Stuxnet" are not the names under which those viruses were developed; they were attributed to them later by the security community.


How far down the rabbit hole would you have to go before you find a connection from a .gov machine?

Or do nation-state malware programmers maintain a strict no-contact policy to keep the government's hands clean?

I suppose we'll never know the answer.


I'd imagine the folks doing this have a windowless van parked outside a Starbucks. I'm fairly certain you'd never be able to trace it back to a .gov computer without physically finding the computers themselves.


Did you ever read about Titan Rain? http://www.time.com/time/magazine/article/0,9171,1098961,00....

It talks a bit about how one person tracked attacks through multiple countries back to China.



