
Elon Musk and his team of programmers have been granted access to the data from US government systems as part of their efforts to reduce the government’s size, raising concerns about the security of sensitive data.

So far, Musk and his Department of Government Efficiency (DOGE) team have accessed computer systems of the Department of Treasury, classified data from the US Agency for International Development (USAID) and the Office of Personnel Management (OPM), holding sensitive information on millions of federal workers — including security clearances — and have subsequently blocked key government officials from accessing those personnel systems, according to a bombshell report from Reuters.

DOGE has also sent only partially redacted names of CIA employees through a nonclassified email account, according to The New York Times, and Forbes reported that the team is feeding Department of Education data and Department of Energy data into an artificial intelligence model to identify inefficiencies, with an unknown level of information security protections in place. Moving forward, there are plans to use AI to run the government. Reportedly, DOGE is also creating its own chatbot to run the federal government’s General Services Administration, called GSAi.

DOGE has not yet replied to a request for comment from Dark Reading, but cybersecurity experts have weighed in on the concern over the potential security breaches of federal government data.

Question 1: Do the activities of DOGE cause you concern regarding the cybersecurity of the data they are accessing?

Stewart Baker: Given DOGE’s rapid-fire smartest-guy-in-the-room approach to government reform, the risks are substantial. The rule for software design is “fast, secure, and cheap — pick any two.”

Baker: Members of DOGE have a history of simplifying processes and eliminating unnecessary employees, having had tremendous success in business by doing so. This lack of scrutinized practice in reforms could lead to significant security problems down the road, and it may not be apparent for some time.

Musk’s impatience makes sense, though.

The security rules are in place to slow him or others down, and this could lead to frustration and demotivation, which can harm the government’s efforts in cybersecurity.

Baker: DOGE needs to take security seriously, but also be specific about the security risks they pose. Otherwise, cybersecurity can become an all-purpose tool for delaying progress.

Question 2: What has DOGE done specifically that causes you concern?

Baker: Sending the names of CIA employees to a largely unmodified public email list without protecting their identities is a risk. This is because badding the CIA’s express privacy laws makes responding in full to these lists impossible.

Given all the other sources of information about the individuals involved, an adversary would reconstruct full names of the list with relative ease.

Dornbush: Lack of transparency.

Dornbush, former NSA cybersecurity expert, posed: Minimizing risk requires a large team of specialists, combined with specialized hardware and software. It is also questionable how DOGE is able to certify that, even if the data is taken off a secure location, the data can remain protected from unauthorized access or exposure.

Lack of transparency. DOGE has disregarded foundational principles of cybersecurity established in the first week of a cybersecurity course — perhaps they took such a course.

Leichter, chief marketing officer with AppSOC: DOGE team has forced entry to restricted and classified systems without proper authorization. DOGE members have been given excessive access to sensitive areas that go beyond their authority and are operating without thorough background checks and qualified vetting.

Displaying a disregard for security protocols. DOGE team members bypassed security rules that exist to protect the sensitive information being processed, accessing government systems without needed permission and mishandling the personal data of government employees and US citizens, violating multiple laws.

Question 3: What do you think needs to happen to secure the data in DOGE custody?

Baker: DOGE should acknowledge its responsibility to protect the data and adhere to regular audits.

Dornbush: In reality, securing data for DOGE is impossible. The data sits in systems developed by government entities who spent years to create robust security. Removing the data from the secure system cannot undo years of accumulated work, which is expensive and inefficient.

Realistically, it is impossible to undo the damage that has already happened. They need to destroy the data, revoke unauthorized access, and return the highly experienced government experts to their normal duties.

Question 4: What are you paying attention to most regarding DOGE and its information security strategy?

Baker: Statement of their strategy is missing, and they have been opaque about their data security strategy, which is an issue.

Dornbush: They have presented no transparent strategy.

Leichter: What exists is their strategy for dismantling the government and the implementation plans, which seems to focus on minimizing government distractions. If they have a strategy to signal cybersecurity intentions, it has not been made public.

The only question is when the government will react to this breach, and whether the response will be significant according to information evaluated in the few days to come.

Would you like to respond to the question and share your perspective on the events? If so, please email me at [email protected] to be included in a follow-up story with responses from readers.

