{"id":1760,"date":"2025-02-04T07:30:00","date_gmt":"2025-02-04T07:30:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=1760"},"modified":"2025-02-04T07:30:00","modified_gmt":"2025-02-04T07:30:00","slug":"musks-doge-effort-could-spread-malware-expose-us-systems-to-threat-actors","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=1760","title":{"rendered":"Musk\u2019s DOGE effort could spread malware, expose US systems to threat actors"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<p>Over the past 10 days, an astonishing series of actions by Elon Musk via his Department of Government Efficiency (DOGE) project has elevated the cybersecurity risk of some of the most sensitive computing systems in the US government.<\/p>\n<p>Musk and <a href=\"https:\/\/www.wired.com\/story\/elon-musk-government-young-engineers\/\">his team of young, inexperienced engineers<\/a> \u2014 at least one of whom is not a US citizen \u2014 have taken a number of publicly known steps that raise serious concerns among cybersecurity and privacy professionals.<\/p>\n<p>These actions violate several fundamental security principles, experts contend, potentially exposing highly sensitive US government systems to malware while opening new possible avenues of attack for cybercriminals and even nation-state adversaries.<\/p>\n<h2 class=\"wp-block-heading\">What DOGE has done<\/h2>\n<p>On Friday of last week, the Treasury Department\u2019s top civil servant, David Lebryk, <a href=\"https:\/\/www.cnn.com\/2025\/01\/31\/politics\/doge-treasury-department-federal-spending\/index.html\">left unexpectedly<\/a> after Trump-affiliated officials expressed interest in stopping certain payments made by the federal government. 
In the wake of Lebryk\u2019s departure, the Treasury Department ultimately gave Musk\u2019s associates full access to its federal payment system, which handles trillions of dollars in government expenditures.<\/p>\n<p>Also on Friday, Musk aides <a href=\"https:\/\/www.reuters.com\/world\/us\/musk-aides-lock-government-workers-out-computer-systems-us-agency-sources-say-2025-01-31\/\">locked out career civil servants<\/a> at the Office of Personnel Management (OPM) from computer systems that contain the personal data of millions of federal employees, giving DOGE workers access to a system called Enterprise Human Resources Integration. This system contains dates of birth, Social Security numbers, appraisals, home addresses, pay grades, and length of service of government workers.<\/p>\n<p>Concerns at the agency are high, with some officials saying the situation \u201ccreates real cybersecurity and hacking implications.\u201d<\/p>\n<p>In an earlier incident at OPM, Musk and his team <a href=\"https:\/\/storage.courtlistener.com\/recap\/gov.uscourts.dcd.276820\/gov.uscourts.dcd.276820.1.0.pdf\">set up an email address<\/a>, HR.gov, to make it look like a Musk-linked email system was emanating from OPM. The Musk team then sent an email asking federal employees who wished to resign to reply with the word \u201cresign,\u201d causing some employees to fear that malicious actors could spoof their responses and inadvertently resign them from federal service. 
Responses to the email were sent not to the federal government but to a Musk employee, Amanda Scales, who at the time was working at Musk\u2019s AI company xAI but later became Chief of Staff at OPM.<\/p>\n<p>This incident forced career public servant and OPM CIO Melvin Brown to resign.<\/p>\n<p>On Saturday, the US Agency for International Development\u2019s (USAID) director of security and his deputy <a href=\"https:\/\/www.nbcnews.com\/politics\/national-security\/usaid-security-leaders-removed-refusing-elon-musks-doge-employees-acce-rcna190357\">were placed on administrative leave<\/a> after they tried to prevent DOGE workers from accessing secure USAID systems. Sources say the DOGE team tried to access personnel files and security systems, including classified systems beyond the security level of at least some of the DOGE employees. The systems also included security clearance information for agency employees.<\/p>\n<p>A DOGE spokesperson contends, \u201cNo classified material was accessed without proper security clearances.\u201d Musk posted on X calling for USAID \u201cto die\u201d and accusing the independent agency, without evidence, of being a \u201ccriminal organization.\u201d Later, <a href=\"https:\/\/www.nbcnews.com\/politics\/politics-news\/elon-musk-says-trump-are-shutting-usaid-rcna190388\">he said<\/a> that he and Trump were shutting down USAID and instructed agency employees not to show up for work.<\/p>\n<p>In addition, over the past week, workers at the Technology Transformation Services (TTS), housed within the General Services Administration (GSA), <a href=\"https:\/\/www.wired.com\/story\/elon-musk-government-tech-workers-gsa-tts\/\">were summoned into meetings<\/a> to discuss their code and projects with Musk\u2019s team members. TTS helps develop the platforms and tools that underpin many government services, including analytics tools and API plugins that agencies can use to deploy tech faster. 
Thomas Shedd, who used to work for Musk\u2019s Tesla, is now the head of TTS. Some DOGE workers had yet to receive a GSA laptop, indicating that some connected to government systems using their own devices.<\/p>\n<h2 class=\"wp-block-heading\">Musk\u2019s authority to do this<\/h2>\n<p>Although many of Musk\u2019s actions or intended actions, such as shutting down Treasury payments or eliminating USAID, might be questionable legally, his authority to gain access to unclassified information appears unlimited under an <a href=\"https:\/\/www.whitehouse.gov\/presidential-actions\/2025\/01\/establishing-and-implementing-the-presidents-department-of-government-efficiency\/\">executive order<\/a> Trump signed to implement DOGE\u2019s agenda.<\/p>\n<p>Security engineer Matthew Garrett, who has not worked for the federal government but has been in touch with those who do, said he understands that the executive order obviates any technical protections federal agencies put on their systems.<\/p>\n<p>\u201cIt doesn\u2019t matter how secure a system you built is if the orders you are getting are to give someone access to that system; then your choices are either give them access or potentially be suspended, fired, whatever, and then the next in line will do it in any case,\u201d Garrett tells CSO.<\/p>\n<p>Michael Daniel, president and CEO of the Cyber Threat Alliance, says the unprecedented nature of Musk\u2019s actions makes it difficult to call, but he thinks there could be serious legal consequences for Musk, his workers, and compliant government officials. \u201cYou\u2019ve got the potential for all sorts of legal violations, privacy act violations,\u201d he tells CSO.<\/p>\n<p>\u201cBefore you even get to the [more technical] cybersecurity issues, you\u2019ve got a whole bunch of just basic governance issues that are completely unclear,\u201d Daniel says. \u201cIt\u2019s a principle of good cybersecurity that you know who logs into your network and what role they have. 
And the potential for privacy violations, data misuse, monetary gain, and political retaliation, I mean, is just legion here.\u201d<\/p>\n<p>Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for the Defense of Democracies, tells CSO that \u201cthere are strict governance controls for accessing federal systems. To the degree these governance controls were waived or ignored, that introduces risk. That is just unacceptable. And the speed at which these accesses were made makes me concerned that those governance controls may not have been followed.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Malware and authentication exploitation are top concerns<\/h2>\n<p>One of Garrett\u2019s biggest cybersecurity concerns is that some of Musk\u2019s workers appear to be connecting their own devices to sensitive government systems.<\/p>\n<p>\u201cThe easiest way to think about that is if there\u2019s malware running on your computer, any files you download, whoever\u2019s operating that malware could send those files elsewhere,\u201d he says.<\/p>\n<p>Ideally, government policies would stipulate that only trusted devices can connect to the network.<\/p>\n<p>\u201cBut, if you have enough power over the technical leadership of that agency, you\u2019re going to be in a position to just turn that off and then give access to anything,\u201d Garrett says. \u201cAnd we\u2019ve seen numerous claims that people have just been bringing in their computers from outside and plugging those into department networks. And that means we don\u2019t know whether they have any reasonable security policies.\u201d<\/p>\n<p>If Musk\u2019s workers and the government agencies are not following reasonable security policies, \u201cwe should assume anything they download is going to be potentially exfiltrated,\u201d Garrett says.<\/p>\n<p>Moreover, malicious actors could reuse any authentication the Musk team established from those devices. 
\u201cThey\u2019re going to be able to wait for someone to log in to a system and then potentially bounce through one of those machines, log in against that system themselves, and gain access to all data that user has access to rather than just the material that was looked at and downloaded,\u201d says Garrett.<\/p>\n<p>\u201cAll of those seem valid concerns to me, but I also think there\u2019s a first-order question: Would any company on earth just let people walk in and plug devices into their network?\u201d Daniel asks. \u201cWho are these people? Are they actually federal employees? Are they contractors? Nobody knows. Their status is unknown. Their authority to do any of this is unknown.\u201d<\/p>\n<p>Moreover, \u201cWhat company on Earth would hire people without any background investigation or looking at their resume?\u201d Daniel asks. \u201cEven if you just apply a private sector lens to it, the idea is ludicrous that you would just simply turn over all your data. No general counsel on Earth would say that that\u2019s a good idea for your company.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Government cybersecurity workers need to build a CYA paper trail<\/h2>\n<p>Another primary concern Garrett raises is that Musk could not only expose government data to criminals and state-sponsored adversaries, \u201cbut we also need to consider what would be the impact of a successful ransomware infection of a government department,\u201d he says.<\/p>\n<p>\u201cDo we trust that this material is still being backed up in the appropriate way? Is the normal kind of technical side of things still operating as normal? 
We also need to consider if people with sufficiently elevated privileges read this data, how many of them have access to rights to it, and what would the outcomes of a state-level adversary deliberately modifying some of this data look like?\u201d<\/p>\n<p>Given this potential infosec house of cards, those cybersecurity workers in the federal government who are watching what the DOGE team does should be scrupulously documenting all these goings on, if for no other reason than to protect themselves.<\/p>\n<p>\u201cI would assume that anybody in that situation would be doing everything they can to ensure that their paper trail exists demonstrating that this was someone else\u2019s fault,\u201d Garrett says.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Over the past 10 days, an astonishing series of actions by Elon Musk via his Department of Government Efficiency (DOGE) project has elevated the cybersecurity risk of some of the most sensitive computing systems in the US government. 
Musk and his team of young, inexperienced engineers \u2014 at least one of whom is not [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":1761,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-1760","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1760"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1760"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/1760\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/1761"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1760"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1760"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1760"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}