Elon Musk and his band of programmers have been granted access to data from US government systems to aid their stated efforts to slash the size of government, leaving cybersecurity experts deeply concerned over how all of this sensitive data is being secured.
So far, Musk and his Department of Government Efficiency (DOGE) have accessed the computer systems of the Department of Treasury, as well as classified data from the US Agency for International Development (USAID) and the Office of Personnel Management (OPM), which holds sensitive data on millions of federal workers — including, notably, security clearances — and has subsequently blocked key government officials from further accessing those personnel systems, according to a bombshell from Reuters.
The DOGE team reportedly also sent only partially redacted names of CIA personnel through a nonclassified email account, according to The New York Times, and Forbes reported that the team is feeding Department of Education data and Department of Energy data into an artificial intelligence model to identify inefficiencies, with an unknown level of information security protections in place. Moving forward, there are more plans to use AI to run the government. Reportedly, DOGE is also creating its own chatbot to run the federal government’s General Services Administration, called GSAi.
DOGE has not yet replied to a request for comment from Dark Reading, but this reporter did ask cybersecurity experts for their thoughts on the unraveling of cybersecurity protections around federal government data. The comments below were gathered from cybersecurity law and policy expert Stewart Baker; Evan Dornbush, former NSA cybersecurity expert; and Willy Leichter, chief marketing officer with AppSOC.
Question 1: Do the activities of DOGE cause you concern regarding the cybersecurity of the data they are accessing?
Stewart Baker: Of course DOGE’s rapid-fire smartest-guy-in-the-room approach to government reform raises security risks, especially if DOGE is coding changes into government systems. The rule for software design is “fast, secure, and cheap — pick any two.” Elon Musk has achieved enormous success in business by eliminating procedures and organizations and parts that the experts said were essential.
He’s running Twitter/X with one-fifth the employees it had before he took over. He has dramatically simplified rocket design, enabling faster manufacturing and turnaround. So it’s no surprise he’d want to challenge and ignore a lot of government rules, including those that protect information security. But the security rules protect against active adversaries. Taking shortcuts that seem sensible to smart guys in a hurry could lead to serious problems down the road, and it may take us a while to realize the damage.
Musk’s impatience is understandable, though. I’m sure that there are employees using the security rules to slow him down or thwart him entirely. It’s important that DOGE take security seriously, but also that its critics be very specific about the security risks they see, rather than using cybersecurity as an all-purpose tool for delay.
Evan Dornbush: It’s quite reasonable for people to be concerned, even alarmed, at how DOGE is currently operating. For any organization, the process of securing data is often developed over years, taking in myriad perspectives to ensure confidential data is minimally accessible, and that logging can recreate a picture of accessed data, or data in transit, when required.
Willy Leichter: The actions of DOGE, in just its first couple of weeks, are the largest, deliberate trampling of government security protocols in cyber history. The arrogance, deliberate ignorance, malevolence, and sheer stupidity of this gang of untrained and unaccountable hackers roaming sensitive government networks is staggering. If this type of activity happened in the private sector, with this level of highly sensitive and regulated information, we would be talking about massive fines and personal criminal liability for all the actors involved.
This could not be happening at a more precarious time for government cybersecurity. China and other countries have been ramping up attacks, already targeting many of the same networks, stealing data and planting the tools to cripple our critical infrastructure. Putting this data in inexperienced and reckless hands, while dismantling defense systems, demoralizing our most experienced experts, disbanding public-private advisory groups, and defunding critical cyber initiatives will inevitably have disastrous consequences. The only questions are whether this will cost us billions versus trillions in losses, and whether it will take years versus decades to recover.
Question 2: What has DOGE done specifically that causes you concern?
Baker: Sending the names of CIA employees in unclassified channels is very risky, even if the names are only first name, final initial. Given all the other sources of information about individuals, reconstructing full names is something a hostile foreign service would seek to do, so they’ll be trying to intercept the list of names. My question is why DOGE thinks that’s a risk worth taking. Will the list of names do DOGE any good? I assume the request was tied to possible layoffs at the CIA, but did DOGE really need the names to decide who to lay off? If not, this was an unnecessary risk and irresponsible.
Dornbush: Lack of transparency. Right now, it seems like questions are being asked of DOGE about how it is securing the data it accessed from government sites. It is unclear if anyone from DOGE is even replying. Minimizing risk of unauthorized access requires whole teams of specialists, augmented by purpose-built hardware and software. Even if it is ultimately determined that DOGE does have authorization to access this data, [if] it has physically removed the data from these hardened and professionally monitored networks, how is DOGE ensuring the data is responsibly protected from its own compromise or disclosure? How is it able to certify that the data is destroyed once it is no longer required?
Leichter: The DOGE team has disregarded nearly every foundational security principle taught in the first week of a cybersecurity course — assuming they ever took one.
These include forcing entry to restricted and classified systems without proper authorization. Officials doing their sworn duty to prevent this were put on administrative leave. DOGE members were also given excessive access to sensitive systems that went far beyond what was necessary for their advisory roles. Also, DOGE personnel with controversial backgrounds, blatant lack of qualifications, and obvious conflicts of interest went through no legitimate vetting by qualified government agencies.
Displaying a disregard for security protocols, DOGE operatives bypassed standard security measures, accessing systems without authorization and ignoring protocols meant to protect sensitive data, [and were provided] unauthorized access to personal data of federal employees and US citizens, which violates multiple privacy laws, even if the data is not leaked.
Question 3: What do you think needs to happen to secure the data in DOGE custody?
Baker: DOGE should acknowledge its responsibility to maintain the security of data it handles, and its security procedures should be subject to audit. Judicial rulings that try to protect the data by denying DOGE access should be lifted.
Dornbush: DOGE securing the data is an impossibility. DOGE is newly formed. The data it is looking at sat behind years of accumulated people, products, and policy that specialize only in the security of that data set. Removing the data from these sites evaporates that progress, and ironically, is extremely inefficient and wasteful. If you want to see this data, fine. Work from the office.
Leichter: It’s probably impossible to undo this type of damage. The data needs to be destroyed, all inappropriate access revoked, and the highly trained government custodians need to be allowed to return to work and do their jobs. All of this seems highly unlikely, as the administration is deliberately disabling as much of the federal government as possible and replacing highly trained experts with incompetent political hires.
Question 4: What are you paying attention to most regarding DOGE and its information security strategy?
Baker: I’m still waiting to hear what DOGE’s infosec strategy and commitments are.
Dornbush: What DOGE is purportedly doing is important and has merit. I’d love to know what the infosec strategy is. Right now, it seems like sharing the security steps they are taking with the public is not a priority.
Leichter: If DOGE has a strategy, it has kept it secret. Any legitimate government agency would have a well-documented strategy, public input, and defined objectives that align with larger goals. The only discernible strategy of DOGE and the administration is to dismantle as much of the government as quickly as possible, purging experience, which they seem to view as a liability.
The only question is how quickly judicial intervention can kick in and whether it will be ignored. The one thing that might influence this administration is widespread public condemnation after the next major security incident, which is probably lurking right around the corner. That’s a terrible security strategy.
Would you like to weigh in on any of the above four questions? If so, please send a note to [email protected] to be included in a follow-up story with reader reactions.