
Cybersecurity, government experts are aghast at security failures in DOGE takeover

Elon Musk’s takeover of key systems across the federal government is ignoring decades of laws, regulations and procedures, experts told CyberScoop. 
Tesla Founder Elon Musk walks on stage with his son, X, beside President-elect Donald Trump during a rally at Capital One Arena in Washington, on January 19, 2025. (Photo by Tom Brenner for The Washington Post via Getty Images)


As the world’s richest man and his team from the Department of Government Efficiency continue their quest to dismantle federal agencies, cybersecurity experts, good government experts and Democrats are increasingly expressing outrage and alarm, in some cases likening the actions to an ongoing data breach.

Elon Musk and employees from DOGE — which is, legally, an external advisory board — have reportedly taken a number of steps since Jan. 20 that could be exposing the personal data of millions of federal employees, violating federal laws against sharing classified or sensitive information with uncleared individuals and creating new cybersecurity vulnerabilities for malicious hackers to exploit, these experts say.

Chief among these concerns are efforts by Musk’s team to access the Department of the Treasury’s payment system housed in the Bureau of Fiscal Service. This system controls much of the spending by the federal government, including congressionally-mandated spending programs like Social Security.

Federal employees at the Office of Personnel Management are also suing the government, claiming that Musk had a private server installed that has not been vetted or approved for security. OPM’s systems contain sensitive employee records for tens of millions of current and former federal workers, and the hack and theft of OPM records by Chinese hackers in 2015 is considered among the worst federal security breaches of all time. The use of a private email server by then-Secretary of State Hillary Clinton was the subject of a criminal investigation by the FBI during the 2016 election and was bitterly criticized by Trump and Republicans at the time as a massive security lapse.


The White House claimed Monday that DOGE employees’ access to these systems was restricted to “read-only,” meaning they could not alter files or make larger changes, but according to reporting from Wired, a 25-year-old former employee of Musk’s has been granted administrative access to the system.

Sen. Elizabeth Warren, D-Mass., wrote to Treasury Secretary Scott Bessent this week seeking answers about this “security and management failure.”

“The public depends on the integrity of those systems, which control the flow of over $6 trillion in payments to American families, businesses, and other recipients each year — with millions relying on them for Social Security checks and Medicare benefits, federal salaries, government contract payments, grants, and tax refunds this filing season,” Warren wrote.

According to one former federal worker with a decade of cybersecurity experience across multiple agencies — including the U.S. Digital Service that was absorbed into DOGE — the actions of Musk and his allies run afoul of “the spirit and letter of the law” for federal cybersecurity statutes, including the Federal Information Security Management Act (FISMA) and security controls established by the National Institute of Standards and Technology for securing federal systems.

Access to highly sensitive federal systems is often subject to strict access and logging requirements. Access to OPM and Treasury systems by individuals who do not possess a clearance allowing it would, in any other situation, be viewed as a straightforward security breach with lasting ramifications.


“These systems have now become untrusted, so once this is done and over, to have those systems back to the level of assurances they had on Jan. 20 will require a lot of work and a lot of resources,” said the former federal government employee, who now works in the private sector and was granted anonymity due to fear of reprisal.

The risks range from DOGE employees potentially downloading and taking protected federal data to creating weak points for attackers through unvetted IT infrastructure like the newly launched private server at OPM. The office’s systems also connect to other agencies, like the Defense Counterintelligence and Security Agency, which handles Congressional background checks. Lacking independent oversight and activity logging, there’s no way to confirm what information was accessed or what changes were made.

“The biggest issue right now is … the secure connection from OPM to DCSA, to either enter in or request security clearance information,” the former federal employee said.

Reps. Gerry Connolly, D-Va., ranking member for the House Oversight Committee, and Shontel Brown, D-Ohio, ranking member on the Cybersecurity, Information Technology and Government Innovation Subcommittee, wrote this week to OPM acting Director Charles Ezell saying that the lack of security and oversight associated with the new email system “threatens to expose federal workers to personalized social engineering or ‘spear phishing’ attacks.”

“At best, the Trump Administration’s actions at OPM to date demonstrate gross negligence, severe incompetence, and a chaotic disregard for the security of our government data and the countless services it enables our agencies to provide to the public,” Connolly and Brown wrote. “At worst, we fear that Trump Administration officials know full well that their actions threaten to break our government and put our citizens at risk of foreign adversaries like China and Russia gaining access to our sensitive data.”


According to legal experts, Musk and Trump’s actions are putting federal employees in a lose-lose situation. Trump’s executive order creating DOGE only gave Musk access to unclassified federal systems. Under the E-Government Act of 2002, it is a Class E felony carrying a maximum penalty of five years in prison and a $250,000 fine for federal employees who have taken the oath of office to “willfully” disclose such information to any person or agency not entitled to receive it.  

Bradley Moss, an attorney who specializes in national security, federal employment and security clearance law, was unequivocal when CyberScoop asked about the legal constraints federal employees face in this situation.

“No federal employee should be granting access to anyone — no matter what special ‘DOGE’ badge they have — absent specific written authorization to do so,” Moss said. “The president’s [executive order] does not suffice, and federal employees appear to be trying to hold the line on protocols so far. Unfortunately, those who are doing that are being punished for it, as many are being put on administrative leave or outright fired.”

Beneath the classified level, many federal systems also contain what’s known as Controlled Unclassified Information (CUI), which can include financial, law enforcement and privacy-related data on Americans. That data is less sensitive, but still must be legally protected by federal employees and contractors.

“There are well-established procedures, beginning with federal employment screening, to determine whether individuals are ‘trustworthy,’ such that they should be afforded access to these CUI categories,” said Robert Metzger, an attorney and federal cybersecurity contracting expert. “Higher standards and controls apply to persons who would have rights of ‘use’ of that information.” 


The potential for unintended consequences on federal IT and administrative operations is also real. Researcher Danah Boyd compared the structure of the U.S. administrative state to a game of Jenga. As politicians add or remove different blocks from the system, civil servants have usually played the role of repairman, fixing holes and propping up the byzantine American system.

The dismissal of many federal employees overseeing these systems has made that job more difficult. Boyd believes that Musk’s team interfering with vital Treasury financial systems could lead to a “normal accident,” causing significant parts of the system to collapse.

“It has been a hard two weeks for [civil servants], but, regardless of the legal dynamics, turning over access to the core systems at the heart of an administrative state to a wrecking ball is really, really bad,” Boyd wrote.

This story was updated Feb. 4, 2025, with details from a letter sent to OPM by Reps. Connolly and Brown.


Written by Derek B. Johnson

Derek B. Johnson is a reporter at CyberScoop, where his beat includes cybersecurity, elections and the federal government. Prior to that, he has provided award-winning coverage of cybersecurity news across the public and private sectors for various publications since 2017. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
