

Multiple cybersecurity experts have sounded the alarm about the ability of the Department of Government Efficiency, or DOGE, to access federal agencies’ systems.
A new set of concerns was flagged on Tuesday in a highly publicized Foreign Policy op-ed. The piece was penned by prominent cryptography researcher Bruce Schneier and Davi Ottenheimer, the vice president of trust and digital ethics at data infrastructure startup Inrupt Inc. The company was co-founded in 2018 by Tim Berners-Lee.
DOGE is a government advisory board led by Elon Musk. It operates under the wing of the U.S. DOGE Service, which was until recently known as the U.S. Digital Service. The latter office originally focused on helping federal agencies improve their websites.
Over the past few weeks, DOGE employees have been given access to multiple federal agencies’ systems. In addition to reading the information in those systems, the staffers can reportedly modify some of it.
In this week’s Foreign Policy op-ed, Schneier and Ottenheimer raise concerns about DOGE staffers’ access to government infrastructure. They go on to write that there are two additional issues with even more serious cybersecurity ramifications.
The first issue highlighted by the op-ed is that DOGE staffers are not only accessing but also modifying federal systems. In some cases, they’re deploying artificial intelligence models to analyze federal agencies’ internal data. Additionally, a DOGE employee has reportedly connected an unauthorized server to infrastructure operated by the U.S. Office of Personnel Management, or OPM.
“This is much more critical than the initial unauthorized access,” Schneier and Ottenheimer wrote. The reason, they explained, is that the configuration and features of the systems that DOGE staffers have connected to federal infrastructure are unknown. Additionally, there’s no evidence that the code on the systems in question has undergone “any rigorous security testing.”
Schneier and Ottenheimer also highlight a second risk that they argue is more severe: the dismissal of career officials in charge of managing federal agencies’ cybersecurity processes. The op-ed argues that the push to replace those officials with inexperienced DOGE staffers is “dismantling” the government’s breach prevention workflows.
The pair goes on to write that three steps must be taken to address those risks. They argue that federal agencies should first revoke unauthorized access to their infrastructure, then restore system monitoring and change management workflows. The third step recommended by the op-ed is to carry out audits of affected infrastructure.
DOGE’s access to federal systems has drawn criticism from not only outside cybersecurity experts but also former federal officials. Last Tuesday, a onetime employee of the U.S. Digital Service raised concerns about the server that DOGE has connected to OPM. The former official told CyberScoop that the main issue is the secure connection linking OPM to the U.S. Defense Counterintelligence and Security Agency, which manages Congressional background checks.
The former insider added that DOGE staffers are not complying with “the spirit and letter” of federal cybersecurity laws. It’s believed they also ran afoul of certain cybersecurity controls established by the National Institute of Standards and Technology.