They should get fired.
You could start to collect cookies (i.e. you bypass authentication that way)
[it's dead easy: just load an image off of any URL and make it a get request that contains the cookie]
You could subtly alter a page. E.g. insert a NOT inn a strategic place and oops...
You could even be selective about when and who you do evil things with. E.g. once you know the IP address of let's say the whitehouse you start to do funny things, but not to others so no anti virus vendor never sees your malware.
Really: contact the government agency and tell them that have a security breach.