Roundtable: Is DOGE Flouting Cybersecurity for US Data?

In order to assist in their reported efforts to reduce the size of government, Elon Musk and his team of engineers have been granted access to data from US government systems, which is deeply concerning for security experts.

According to a bombshell from Reuters, Musk and his Department of Government Efficiency (DOGE) have of the Department of Treasury, as well as classified data from the US Agency for International Development (USAID), and the Office of Personnel Management (OPM), which holds sensitive information on millions of federal employees, including, notably, security clearances.

According to The New York Times, the ly sent CIA personnel’s names through a nonclassified email address with only half edited details, and according to Forbes, the team is using an unspecified level of information security to analyze inefficiencies. Moving forward, there are more ideas to use AI to run the government. Apparently, DOGE is also creating its own robot to move the federal government’s General Services Administration, called GSAi.

Dark Reading contacted DOGE for comment, but this writer did request comments from cybersecurity experts regarding the deterioration of cybersecurity safeguards for federal government data. The responses below were gathered from security law and policy expert Stewart Baker; Evan Dornbush, former NSA security professional; and Willy Leichter, chief marketing officer with AppSOC.

Question 1: Do your concerns about the security of the data they are accessing stem from DOGE’s actions?

Stewart Baker: Of course DOGE’s rapid-fire smartest-guy-in-the-room approach to government reform raises safety risks, especially if DOGE is coding changes into government systems. The guideline for application design is “fast, safe, and inexpensive — pick any two”. Elon Musk has had a lot of success in his company because he has eliminated the steps, structures, and components that experts consider to be crucial.

He’s running Twitter/X with one-fifth the people it had before he took over. He has significantly reduced jet design, enabling faster manufacturing and return. Therefore, it should come as no surprise that he would contest and disregard numerous laws of the state, including those that regulate data security. But the safety guidelines protect against engaged enemies. It may take us a while to understand the harm that is being done in a hurry, and taking shortcuts that seem reasonable to intelligent men could cause major issues in the future.

Musk’s frustration is apparent, though. I’m sure there are employees who will use the safety measures to prevent or slow him down completely. It’s crucial that DOGE take security seriously, but that its critics also be very particular about the security risks they see, as opposed to acting as an all-purpose delay tool.

Evan Dornbush: It’s very reasonable for people to be concerned, also alarmed, at how DOGE is already operating. For any organization, the process of securing data is usually developed over years, taking in various perspectives to ensure personal data is less visible, and that logging can recreate a picture of accessed data, or data in transit, when required.

Willy Leichter: The deeds of DOGE, in just its first couple of days, are the largest, intentional trampling of state security practices in computer history. The arrogance, intentional misunderstanding, malevolence, and sheer idiocy of this group of unskilled and inexplicable hackers roaming delicate government networks is staggering. We would be talking about large fines and individual legal liability for all the actors involved if this kind of activity took place in the private sector, with this level of very delicate and regulated information.

This could not possibly occur at a more risky time for state cybercrime. and various nations have been launching more attacks, now strewn at many of the same networks, stealing data, and installing tools to ruin our vital equipment. Putting this information in inexperienced and foolish hands, while dismantling security systems, demoralizing our most experienced experts, disbanding public-private advisory groups, and defunding critical cyber initiatives will certainly have disastrous consequences. The only things left to wonder about are whether this will result in billions or trillions in losses and whether recovery will take years or decades.

Question 2: What specifically has DOGE done that makes you concerned?

Baker: Sending the names of CIA employees in unclassified channels is very risky, even if the names are only first name, final initial. Reconstructing full names is something a hostile foreign service would try to do because they are trying to intercept the list of names because of all the other sources of information about people. My question is why DOGE thinks that’s a risk worth taking? Will the list of names make a good DOGE? I assume the request was related to potential CIA layoffs, but did DOGE really need to know the names of the people who should be laid off? If not, this was an unnecessary risk and irresponsible.

Dornbush: Lack of transparency. Currently, it seems like DOGE is being questioned about how it is protecting the information it accessed from government websites. It is unclear if anyone from DOGE is even replying. Minimizing risk of unauthorized access requires whole teams of specialists, augmented by purpose-built hardware and software. How does DOGE make sure the data is responsibly protected from its own compromise or disclosure, even if it is ultimately determined that DOGE does have authorization to access this data? [If] it physically removed the data from these professionally monitored and hardened networks? How can it confirm that the data is destroyed when it is no longer required?

Leichter: Considering they ever took one, the DOGE team has disregarded nearly every fundamental security idea taught in a cybersecurity course.

These include requiring the entry of secret and restricted systems without proper authorization. Officials who were ostensibly deserving of preventing this were given administrative leave. Additionally, DOGE members received a lot of access to sensitive systems that went beyond what their advisory roles required. Also, DOGE personnel with controversial backgrounds, blatant lack of qualifications, and obvious conflicts of interest went through no legitimate vetting by qualified government agencies.

DOGE operatives bypassed standard security measures, accessing systems without authorization, and ignoring protocols intended to safeguard sensitive data, [and were given] unauthorized access to personal data of US citizens and federal employees, which is against numerous privacy laws, even if the data is not leaked.

Question 3: What do you believe needs to be done to safeguard the data in DOGE custody?

Baker: DOGE should acknowledge its responsibility to maintain the security of data it handles, and its security procedures should be subject to audit. All judicial decisions that attempt to protect the data by preventing DOGE access should be lifted.

Dornbush: DOGE securing the data is an impossibility. DOGE is newly formed. Years of accumulated people, goods, and policies that are solely concerned with the security of that data set sat behind the data it is looking at. Removing the data from these sites evaporates that progress, and ironically, is extremely inefficient and wasteful. If you want to see this data, fine. Work from the office.

Leichter: It’s probably impossible to undo this type of damage. The highly trained government custodians must be permitted to return to work and carry out their duties, and the data needs to be destroyed. All improper access must be revoked. All of this seems highly unlikely because the administration is purposefully removing as much of the federal government as possible and replacing highly trained experts with incompetent political hires.

Question 4: What do you find most interesting about DOGE and its approach to information security?

Baker: I’m still waiting to hear what DOGE’s infosec strategy and commitments are.

Dornbush: What DOGE is purportedly doing is important and has merit. I’d love to know what the infosec strategy is. It seems that making the public aware of the security measures they are implementing is not a priority at the moment.

Leichter: If DOGE has a strategy, it has kept it secret. Any legitimate government agency would have a well-documented strategy, public input, and defined objectives that align with larger goals. The only real-world strategy used by DOGE and the administration is to remove as much of the government as quickly as possible while removing experience, which they appear to consider a liability.

The only thing left to wonder is how quickly judicial intervention can start and whether it will be ignored. The one thing that might affect this administration is widespread public outcry following the most recent significant security incident, which is likely to be in the works. That’s a terrible security strategy.
