Elon Musk promoted the Department of Government Efficiency (DOGE) as a vehicle to rapidly modernize federal IT systems and software. But as the temporary organization rolls from agency to agency demanding access to sensitive systems, cybersecurity experts worry that irreparable damage is being done.
As of Feb. 10, according to New York magazine, DOGE’s teams have gained access to IT systems at departments including Commerce, Education, and Energy, as well as one of the most sensitive federal systems that exists—the Treasury department’s payments systems—and numerous other federal agencies, such as the Office of Personnel Management and General Services Administration.
Musk also claimed to be behind the unilateral shutdown of the US foreign aid agency USAID and is trying to do the same to the Consumer Financial Protection Bureau (CFPB). He has repeatedly suggested DOGE staff are personally halting payments to US contractors.
The intrusion into these systems at Musk’s request has been controversial, to say the least. President Donald Trump has said his administration will delegate even more power to DOGE, despite a slew of lawsuits and numerous legal experts questioning its sweeping powers. Critics have pointed out Musk’s innumerable potential conflicts of interest, questioned whether several of its staffers would pass background checks, and accused DOGE of violating federal laws. The Trump administration has also tried to exclude DOGE from open records laws.
Not an IT problem. Musk has portrayed federal IT processes as antiquated, but experts who spoke to IT Brew emphasized DOGE’s apparent disregard for those processes poses a far more immediate threat.
Scott Cory, a former chief information officer in one of the Department of Health and Human Services sub-agencies, told IT Brew that government officials have to comply with a long list of regulations under federal law. With few exceptions, he added, DOGE has managed to push its way past those officials, citing White House authority. The Treasury’s Office of Inspector General announced this month it would be auditing the government’s federal payment system, seeking to uncover the “fraudulent payments” alleged by Musk.
“This is not a technology problem, this is a process problem,” Cory said.
“The CIO needs to be able to say no...If you had told me in October of 2024 that we’re going to see a group of people arrive at agencies and basically demand to have access to the systems without any other justification than they work for some poorly defined federal agency and with a poorly defined definition of what their role is, I would have said “You’re out of your mind,’’ Cory said.
In Cory’s view, DOGE staff would be hard-pressed to walk in and immediately understand the systems they’re working in, as federal networks are “orders of greater complexity” than Musk’s private firms. He also argued against the presumption that government systems are all outdated, as many are fully modernized with cloud hosting and multiple environments that would be difficult at best for outsiders to navigate.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
All new IT equipment in government generally has to “go through a process of review for security and privacy and to make sure that they’re properly patched and configured,” Richard Forno, a University of Maryland computer science and electrical engineering professor and DOGE critic, told IT Brew. He said processes and personnel are “being steamrolled, and that’s a huge concern.”
DOGE is facing numerous legal challenges to its authority from federal unions, state attorneys general, and other groups, and courts have put temporary holds on their access to sensitive data like Treasury records and student loans. Early this month, the Washington Post reported insiders have said DOGE staff are feeding Department of Education spending records into a generative AI running on Microsoft Azure to target budget cuts, and intends to “replicate this process across many departments and agencies.”
“Where was that information going? Did they have any sort of agreement with Microsoft or Oracle or whatever vendor they’re using to protect that data, like you would normally do in a government contract?” Forno said. “Or do they just, you know, pull out Elon’s credit card and say, ‘Go buy me access to a big server somewhere?’”
“I have to think it’s the latter,” he added.
Long and lasting damage. Just as serious, experts told IT Brew, is that DOGE could be opening a Pandora’s box of access vectors to US adversaries.
Marcus Hutchins, the British cybersecurity researcher known for halting the WannaCry ransomware attack in 2017, told IT Brew via email that government agencies “typically go to great lengths to silo access to sensitive information.” DOGE, on the other hand, has demanded access to multiple systems hosting sensitive data at multiple agencies, potentially representing a single point of failure. He noted the reported use of AI to analyze government data suggests it’s been uploaded to “multiple third-party systems.”
“That’s a lot of birds you could kill with a single stone,” Hutchins wrote. In a “real and serious audit,” he added, there would be protocols to vet staff and ensure the safe handling of data.
“But since DOGE is operating with no oversight, and has no legal authority to access some of these systems, it’s unlikely they could have gone through the proper channels,” Hutchins concluded.