The Department of Government Efficiency (DOGE), President Donald Trump’s special commission tasked with slashing federal spending, continues to disrupt Washington and the federal bureaucracy. According to published reports, its teams are dropping into federal agencies with a practically unlimited mandate to reform the federal government in accordance with recent executive orders.
As a 30-year cybersecurity veteran, I find the activities of DOGE thus far concerning. Its broad mandate across government, seemingly nonexistent oversight, and the apparent lack of operational competence of its employees have demonstrated that DOGE could create conditions that are ideal for cybersecurity or data privacy incidents that affect the entire nation.
Traditionally, the purpose of cybersecurity is to ensure the confidentiality and integrity of information and information systems while helping keep those systems available to those who need them. But in DOGE’s first few weeks of existence, reports indicate that its staff appears to be ignoring those principles and potentially making the federal government more vulnerable to cyber incidents.
Technical competence
Cybersecurity and information technology, like any other business function, depend on employees trained specifically for their jobs. Just as you wouldn’t let someone only qualified in first aid to perform open heart surgery, technology professionals require a baseline set of credentialed education, training and experience to ensure that the most qualified people are on the job.
Currently, the general public, federal agencies and Congress have little idea who is tinkering with the government’s critical systems. DOGE’s hiring process, including how it screens applicants for technical, operational or cybersecurity competency, as well as experience in government, is opaque. And journalists investigating the backgrounds of DOGE employees have been intimidated by the acting U.S. attorney in Washington.
DOGE has hired young people fresh out of – or still in – college or with little or no experience in government, but who reportedly have strong technical prowess. But some have questionable backgrounds for such sensitive work. And one leading DOGE staffer working at the Treasury Department has since resigned over a series of racist social media posts.
According to reports, these DOGE staffers have been granted administrator-level technical access to a variety of federal systems. These include systems that process all federal payments, including Social Security, Medicare and the congressionally appropriated funds that run the government and its contracting operations.
DOGE operatives are quickly developing and deploying major software changes to very complex old systems and databases, according to reports. But given the speed of change, it’s likely that there is little formal planning or quality control involved to ensure such changes don’t break the system. Such actions run contrary to cybersecurity principles and best practices for technology management.
As a result, there’s probably no way of knowing if these changes make it easier for malware to be introduced into government systems, if sensitive data can be accessed without authorization, or if DOGE’s work is making government systems otherwise more unstable and more vulnerable.
If you don’t know what you’re doing in IT, really bad things can happen. A notable example is the failed launch of the healthcare.gov website in 2013. In the case of the Treasury Department’s systems, that’s fairly important to remember as the nation careens toward another debt-ceiling crisis and citizens look for their Social Security payments.
On Feb 6, a federal judge ordered that DOGE staff be restricted to read-only access to the Treasury Department’s payment systems, but the legal proceedings challenging the legality of their access to government IT systems are ongoing.
DOGE email servers
DOGE’s apparent lack of cybersecurity competence is reflected in some of its first actions. DOGE installed its own email servers across the federal government to facilitate direct communication with rank-and-file employees outside official channels, disregarding time-tested best practices for cybersecurity and IT administration. A lawsuit by federal employees alleges that these systems did not undergo a security review as required by current federal cybersecurity standards.
There is an established process in the federal government to configure and deploy new systems to ensure they are stable, secure and unlikely to create cybersecurity problems. But DOGE ignored those practices, with predictable results.
For example, a journalist was able to send invitations to his newsletter to over 13,000 National Oceanic and Atmospheric Administration employees through one of these servers. In another case, the way in which employee responses to DOGE’s Fork in the Road buyout offer to federal employees are collected could easily be manipulated by someone with malicious intent – a simple social engineering attack could wrongly end a worker’s employment. And DOGE staff members reportedly are connecting their own untrusted devices to government networks, which potentially introduces new ways for cyberattackers to penetrate sensitive systems.
However, DOGE appears to be embracing creative cybersecurity practices in shielding itself. It’s reorganizing its internal communications in order to dodge Freedom of Information Act requests into its work, and it’s using cybersecurity techniques for tracking insider threats to prevent and investigate leaks of its activities.
Lacking management controls
But it’s not just technical security that DOGE is ignoring. On Feb 2, two security officials for the U.S. Agency for International Development resisted granting a DOGE team access to sensitive financial and personnel systems until their identities and clearances were verified, in accordance with federal requirements. Instead, the officials were threatened with arrest and placed on administrative leave, and DOGE’s team gained access.
The Trump administration also has reclassified federal chief information officers, normally senior career employees with years of specialized knowledge, to be general employees subject to dismissal for political reasons. So there may well be a brain drain of IT talent in the federal government, or a constant turnover of both senior IT leadership and other technical experts. This change will almost certainly have ramifications for cybersecurity.
DOGE operatives now have direct access to the Office of Personnel Management’s database of millions of federal employees, including those with security clearances holding sensitive positions. Without oversight, this access opens up the possibilities of privacy violations, tampering with employment records, intimidation or political retribution.
Support from all levels of management is crucial to provide accountability for cybersecurity and technology management. This is especially important in the public sector, where oversight and accountability is a critical function of good democratic governance and national security. After all, if people don’t know what you’re doing, they don’t know what you’re doing wrong.
At the moment, DOGE appears to be operating with very little oversight by anyone in position willing or able to hold it responsible for its actions.
Mitigating the damage
Career federal employees trying to follow legal or cybersecurity practices for federal systems and data are now placed in a difficult position. They either capitulate to DOGE staffers’ instructions, thereby abandoning best practices and ignoring federal standards, or resist them and run the risk of being fired or disciplined.
The federal government’s vast collections of data touch every citizen and company. While government systems may not be as trustworthy as they once were, people can still take steps to protect themselves from adverse consequences of DOGE’s activities. Two good starting points are to lock your credit bureau records in case your government data is disclosed and using different logins and passwords on federal websites to conduct business.
It’s crucial for the administration, Congress and the public to recognize the cybersecurity dangers that DOGE’s activities pose and take meaningful steps to bring the organization under reasonable control and oversight.
Richard Forno is Teaching Professor of Computer Science and Electrical Engineering, and Assistant Director, UMBC Cybersecurity Institute, University of Maryland, Baltimore County.
The Conversation is an independent and nonprofit source of news, analysis and commentary from academic experts.
© The Conversation
23 Comments
Login to comment
quercetum
All if’s. If if and can. This could happen. That could happen. Corruption does not deserve security. The privacy infringement is part of the punishment.
ArtistAtLarge
Yes.
Zaphod
For the writer of this opinion piece, "cybersecurity" seems to mean "keeping waste, fraud and abuse secure from being discovered" and shown to the public. Not the kind of "security" that I am wildly in favour of. Swamp beneficiaries see that differently of course.
Underworld
Zaphod
It may seem like that, but it is not. Musk hasn't discovered any waste, fraud or abuse.
iknowall
It may seem like that, but it is not. Musk hasn't discovered any waste, fraud or abuse.
USAID.
Thankfully, no more US taxpayer money given to Hamas-owned concrete companies that build tunnels to hide American hostages in Gaza.
itsonlyrocknroll
The Department of Government Efficiency (DOGE) has a distinct essential necessary role to focus on. How taxpayer money is allocated, most importantly how expenditure justified for actions decisions.
Bottom line who should be answerable.
The question is accountability to congress and senate.
itsonlyrocknroll
Humour me...
Richard Forno is Teaching Professor of Computer Science and Electrical Engineering, and Assistant Director, UMBC Cybersecurity Institute, University of Maryland, Baltimore County.
A respected academic. Richard Forno opinion, his conversation is none the less open to question?.
May I question his contention, a rather condescending assumption quote...
DOGE has hired young people fresh out of – or still in – college or with little or no experience in government, but who reportedly have strong technical prowess. But some have questionable backgrounds for such sensitive work. And one leading DOGE staffer working at the Treasury Department has since resigned over a series of racist social media posts.
My question is, through all Richard Forno hedging, his rather disingenuous, "lack of cybersecurity competence" etc , hides a reluctance to open critical transparency.
To deny, fully embrace direct contentious disputable argument, a refusal to fully allow audit of federal government spending.
Richard Forno is creating a straw man, to avoid scrutiny.
*virusrex
There is no relationship between both things, there are countless people with valid credentials about cybersecurity that could have been included, the reason they were not is more likely because young unexperience people are more likely to simply follow orders even to criminal actions by being weak to pressure from Musk or just because complete ignorance about what is actually allowed or not.
A straw man fallacy would be for example to misrepresent Formo opinions as if they depended on transparency to have any value, when that is obviously not the case.
itsonlyrocknroll
There has to be numerous "expert" probes into every facet of how government spending is accountable to US taxpayers.
First and foremost, auditable for US taxpayers, media scrutiny.
This is the bottom line virusrex.
I question whether this.
I believe should be lead by a politically accountable congress/senate bottom line elected panel reporting to both houses intimately to the President
itsonlyrocknroll
virusrex, bureaucrats want to know the ins and oust of a duck backside, at the taxpayer's expense.
Fistfuls of paperwork, trolley loads of regulations.
We have a whole flipping team of box tickers that could win a trophy for the "paper work" premier league.
virusrex
None of which requires in any measure for the probes to be done without a proper cybersecurity process, this applies to many other things beyond government spending.
Which is still much better than the current alternative that is to do things without care or interest on safety and security, using the image of a surgery, you can either require full accreditation of the surgeon, assistant, nurses, a health and safety review of the hospital, a properly done clinical process to justify the surgery, etc. etc. (trolley loads of regulations and expenses), or you can just let a market butcher do it since he is surely good with a knife.
If someone is interested in reducing red tape and paperwork there is a process to do it safely, but if there is no interest on doing thing safely (not a but, but a feature) then acting against due process is going to do the trick, at the end the purpose is to make the system chocked full of holes to exploit later, the purpose is no more than an excuse.
bass4funk
He did, that's why the Dems are losing their minds and want him stopped, they don't want the man to uncover more of our wasted money that these people (thieves) spent.
Yrral
A Federal judge will.be the ultimate decider of DOGE
Zaphod
Yrral
DOGE was a campaign promise, and activist judges should have no business interfering with the executive branch performing an audit.
How it plays out depends on how politicized the legal branch has become under the Biden regime.
bass4funk
Nope, the Constitution will.
TaiwanIsNotChina
As interpreted by a federal judge, correct.
bass4funk
Like I said, Trump ultimately prevail in this
TaiwanIsNotChina
Trump is not a federal judge and does not interpret the constitution. Law enforcement essentially obeys judges and not bathroom missives from the White House.
bass4funk
Sorry, a federal judge cannot override the executive branch, if that were the case, no need for a President and I’m talking specifically about this case
Again, they can slow Trump down, but not stop his agenda, this will eventually get done
virusrex
Of course they can
https://en.m.wikipedia.org/wiki/Marbury_v._Madison
Marbury v. Madison, 5 U.S. (1 Cranch) 137 (1803), was a landmark decision of the U.S. Supreme Court that established the principle of judicial review, meaning that American courts have the power to strike down laws and statutes they find to violate the Constitution of the United States.
TaiwanIsNotChina
Trump is not actually a king. I know this upsets you.
On the contrary, judges always get the final say.
HopeSpringsEternal
True threat, unelected deep state that's run amuck in US. DOGE simply providing much needed transparency via this long overdue digital audit. Treasury Dept. payments systems being primary enabler of fraud, waste and abuse.
Unelected bureaucrats have tried to assume role of the 4th branch of Govt. SCOTUS made it clear in recent rulings (Chevron) that agencies are subject to will of the 3 branches and cannot create and enforce laws.
DOGE has a website up and running now, check out the REAL facts, crazy corrupt spending now being stopped.
Democrats correct to panic, the facts are these 'tricky little things', US voters Voted for Common Sense and restructuring of US GOVT = DOGE & Elon MUSK!
Zaphod
Yes, cleaning up government waste, abuse, and corruption (something that Trump campaigned on) is apparently now a "threat". The media is in panic about an uncontrolled slushfund being audited.... not really a big surprise, seeing that a portion of the USAID money went to subsidize regime-friendly outlets.
Seeing our media desperate to defend sending milions for meals on wheels to Al Nusra, to transgender clinics in India, or to Politico is a sight to behold.