Elon Musk at an event in Brazil in May 2022. Image: Ministério das Comunicações via Flickr / CC BY 2.0

As DOGE teams plug into federal networks, cybersecurity risks could be huge, experts say

The unbridled access that Elon Musk and his Department of Government Efficiency (DOGE) workers reportedly have to federal networks poses grave cybersecurity risks, several experts told Recorded Future News on Monday.

Allowing employees to plug computers with unknown security controls into the Office of Personnel Management (OPM) network could give a foreign adversary a fresh way to breach the system and obtain sensitive data, including information from federal employees’ background checks and security clearance records, they said.

DOGE workers' access to the Department of Treasury’s payments system also threatens national security, the experts said, because it includes details of payments to intelligence contractors or highly personal data about national security officials. 

“This has the potential to be the largest breach [of government systems] ever by orders of magnitude and could have consequences for decades,” Jason Kikta, a former U.S. Cyber Command official, said in an interview with Recorded Future News. 

DOGE workers also reportedly accessed U.S. Agency for International Development (USAID) systems over the weekend. Another team has access to sensitive systems at the Department of Education, the Washington Post reported Monday afternoon.

The prominent figures at DOGE — an ad-hoc White House agency led by Musk with the blessing of President Donald Trump — include at least six young men with little to no government experience, Wired reported Sunday.

It’s unclear exactly which DOGE personnel have worked in Treasury and OPM systems, and how deeply. But it appears that the work is being done in an “unauthorized way, on unauthorized systems, with unauthorized personnel and unknown spread,” Kikta said. “Time will tell exactly how bad it ends up being.”

Other cybersecurity experts emphasized that the federal government has instituted carefully thought-out cybersecurity controls that DOGE could be flouting.

“The government has spent years establishing proper controls and governance for access to federal government networks,” said Mark Montgomery, the former executive director at the Cyberspace Solarium Commission who is now a leader at the Foundation for Defense of Democracies. “This is unacceptable behavior, no matter how important the tasking is.”

The experts also warned against assuming that Musk can guarantee DOGE is as secure as his companies might be. 

“Working for Elon Musk does not give you some special shield of cyber invulnerability, so rules need to be followed,” Montgomery said.

The potential attack surface is massive, whether the intruders are nation-state actors or criminal syndicates, said Kikta, who served as deputy director for defensive cyber operations at the Cyber National Mission Force and later as the chief of private sector partnerships at U.S. Cyber Command. The Treasury system carries out trillions of dollars of payments on behalf of federal agencies each year.

The DOGE workers potentially are “creating security holes that they don't fully understand that could be exploited,” he said, adding that it is possible they could “break” the payments system and jeopardize some of the most critical intelligence operations in the world by suddenly cutting off funds by mistake.

The White House did not respond to a request for comment. The New York Times reported on Monday night that Musk aides also had requested access to Centers for Medicare and Medicaid Services systems that control contracts and payments.

Many unknowns

In some cases there are rules governing hardware configurations. Vendors might be required to remove, before delivery, the physical chips for wireless communications such as Bluetooth and WiFi in any systems that can access sensitive data, Kikta said. No one knows if “even these fundamental precautions were taken,” he said. 

“Are [their computers] something they picked up at Best Buy?” Kikta asked about the DOGE workers. “Do they have WiFi? Are they leaving the building and then touching Starbucks WiFi?”

OPM was hacked by China in 2015, demonstrating the interest adversaries have in the agency’s materials, Kikta said. And it would not be difficult, he said, for China to infiltrate an improperly prepared computer.

Other cybersecurity threats could emerge if DOGE workers are copying data onto computers not configured to store it properly, said Marc Rogers, a cybersecurity expert and white-hat hacker. It would mean they have "leapfrogged over cybersecurity controls developed over decades of adversity in direct response to past security incidents,” Rogers said. 

The National Institute of Standards and Technology has established thorough cybersecurity controls known as the NIST 800-series that are intended to protect federal networks and sensitive data, he said. The controls are also used throughout industry, Rogers said.

“Non-federally controlled computers with access to this data, potentially storing this data, creates an unknown and unmonitored attack surface that is almost certainly going to be much weaker than attacking the federal government’s infrastructure directly, and that's a major problem,” Rogers said.

Anything that's plugged into the federal network must be under the control of the department that is responsible for issuing equipment, Rogers said. Systems must adhere to official security policies, have the right software, antivirus protections and correct patch levels. They also should not have unnecessary software installed. 

“Otherwise it can lead to access and compromise of all other systems on that network,” he said. 

The fact that OPM stores background-check information makes the situation even more alarming, Rogers said, since prospective government employees disclose highly sensitive information that could be used to blackmail them.

“Looking for that kind of information is the entire point of a background check,” he said.

Foreign adversaries are watching closely, said Jim Lewis, director of the strategic technologies program at the Center for Strategic and International Studies. China and others will always “want to update their library.”

Approximately 22.1 million records were affected in the 2015 OPM breach, including records related to background checks.

“The Chinese are particularly skillful, so they're probably trying to figure out how to exploit this,” Lewis said. “You could think of a scenario where you've got one of these DOGE employees, and they are using a personal device that may not be secure and the Chinese are looking now to see if they can access that personal device as a way into federal networks. That's pretty standard stuff.”

The bottom line, he said, is that “random strangers should not be able to walk in and demand access.”


Suzanne Smalley

is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.