So far, Musk and his Department of Government Efficiency (DOGE) have accessed the computer systems of the Department of Treasury, as well as classified data from the US Agency for International Development (USAID) and the Office of Personnel Management (OPM), which holds sensitive data on millions of federal workers — including, notably, security clearances — and has subsequently blocked key government officials from further accessing those personnel systems, according to a bombshell from Reuters. Displaying a disregard for security protocols, DOGE operatives bypassed standard security measures, accessing systems without authorization and ignoring protocols meant to protect sensitive data, [and were provided] unauthorized access to personal data of federal employees and US citizens, which violates multiple privacy laws, even if the data is not leaked. The DOGE team reportedly also sent only partially redacted names of CIA personnel through a nonclassified email account, according to The New York Times, and Forbes reported that the team is feeding Department of Education data and Department of Energy data into an artificial intelligence model to identify inefficiencies, with an unknown level of information security protections in place. Cybersecurity experts weigh in on the red flags flying around the new Department of Government Efficiency's handling of the mountains of US data it now has access to, potentially without basic information security protections in place. DOGE has not yet replied to a request for comment from Dark Reading, but this reporter did ask cybersecurity experts for their thoughts on the unraveling of cybersecurity protections around federal government data. Elon Musk and his band of programmers have been granted access to data from US government systems to aid their stated efforts to slash the size of government, leaving cybersecurity experts deeply concerned over how all of this sensitive data is being secured. Stewart Baker: Of course DOGE's rapid-fire smartest-guy-in-the-room approach to government reform raises security risks, especially if DOGE is coding changes into government systems. Right now, it seems like questions are being asked to DOGE about how it is securing the data it accessed from government sites. Willy Leichter: The actions of DOGE, in just its first couple of weeks, is the largest, deliberate trampling of government security protocols in cyber history. Baker: DOGE should acknowledge its responsibility to maintain the security of data it handles, and its security procedures should be subject to audit. Leichter: The DOGE team has disregarded nearly every foundational security principle taught in the first week of a cybersecurity course — assuming they ever took one. It's important that DOGE take security seriously, but also that its critics be very specific about the security risks they see, rather than using cybersecurity as an all-purpose tool for delay. The data needs to be destroyed, all inappropriate access revoked, and the highly trained government custodians need to be allowed to return to work and do their jobs. Judicial rulings that try to protect the data by denying DOGE access should be lifted.
This Cyber News was published on www.darkreading.com. Publication date: Thu, 13 Feb 2025 22:25:12 +0000