Is DOGE a threat to national security, or at the very least, Americans' PII?

Gregory Childers

    There are some serious security and privacy questions about Elon Musk's Department of Government Efficiency (DOGE). Musk, an unelected private citizen and richest man in the world, has been designated as a "special government employee"; however, it is unclear if he has been properly vetted for top secret security clearance. DOGE has been granted access to databases at the US Treasury, the Office of Personnel Management, the Department of Education, and the Department of Health and Human Services, among others. Most of the DOGE staffers are not veteran auditors but are instead programmers and hackers in their late teens and early 20s, working directly for Elon Musk.

    As technical trainers, we teach our students about the importance of governance, risk, and compliance with regulations and standards. How do we address the serious security and privacy questions surrounding Elon Musk and DOGE?

    A US Treasury Threat Intelligence Analysis Designates DOGE Staff as ‘Insider Threat’




    Teen on Musk’s DOGE Team Graduated from ‘The Com’


     
    I have to say, this is a very dangerous political football question for the CIN board - which can easily spiral out of control, based on various ideologies.

    That being said, I'm going to attempt a neutral approach. I'm going to say that with Government agencies, which are filled with unelected people that work at the behest of the Executive branch, collect and use PII regularly, one might infer that anyone with access to use PII would represent a risk of disclosure of that PII. At some point, that PII is going to be seen by someone else.

    Now, the DOGE is a de-facto government agency now and while not a cabinet-level entity, was commissioned by the executive branch, although there are a number of legal initiatives in play to decide what its scope is. Elon Musk has been designated as Special Government Employee and leads this agency. It remains to be seen if his involvement in X, SpaceX, and Tesla present a legal conflict of interest, but this would hardly be the first alleged conflict of interest situation with a government employee or elected official. One might infer that and as such, might present the view of being able to compromise PII, or do all kinds of horrific things. The one thing about the DOGE situation is that it's incredibly visible and high profile, which is not sitting well, with government bureaucrats that may be under the DOGE's microscope.

    But the point I make is that although Musk may or may not have access to American PII, there are tons of bureaucrats as well as contractors that do. Remember Ed Snowden? He had a lot of access to things, information about Americans that wasn't supposed to be collected - and we know how that panned out. Remember folks like Robert Hanssen and Aldrich Ames who were FBI and CIA, passing secrets to the Russians? Yes, all of this is criminal activity, but the risk is always there. We can bring up security clearances, compartmentalization, and sanctions for disclosure - but the risk is always there.

    So as we all sit back and wait to see what the courts and Congress have to say about Mr. Musk and the DOGE, let's remember that there will always be a risk - not just because someone like Musk is there, but because all that data is still visible to someone, regardless of the outcome of what a court has to say.

    /r
     
    My concern is that the world's richest man, who has quite a few substantial government contracts, has access to so much data in so many different federal departments. Snowden had extremely limited access comparatively speaking, and had no conflict of interest anywhere remotely similar.

    Edward Coristine, a 19-year-old DOGE team member w/ access to data from Treasury and other agencies, had a years-long association with Telegram and Discord channels connected to cybercrime. Wired found one of his websites sold an AI bot for Discord servers targeting the Russian market.

    The world's richest man who donated $290 million to elect the president gets access to DoE, OPM, the Treasury, and DHS, etc. while having billions in contracts with the federal government? The optics on this are horrible.
     
    The risk is not hypothetical; history has shown what happens when oversight fails. We have seen before the pitfalls of concentrated access to sensitive data - Snowden leaked classified NSA data, Reality Winner leaked intelligence reports, even private contractors like Booz Allen had security incidents. When one person or organisation has deep financial and political connections as well as access to a huge amount of data, it poses a legitimate problem of conflicts of interest and national security.
     
    Outside the classroom, I would answer questions about these security and privacy issues based on my study of history, experience teaching for those organizations, technical knowledge, and political opinions.

    Technical instructors are usually not allowed to discuss politics in class. A student may ask a relevant technical question about something political. If possible, I answer the technical part of the question and ignore the politics.

    In this case, I am not sure how to discuss the technical issues without politics. The issues about constitutionality and legality are political, and have an impact on governance, risk, compliance, incident response, cybersecurity analysis, and forensics.

    When pressed to discuss political issues in class, I usually say: “My political opinions are beyond the scope of this course.”
     
    I don't view this as a political issue. I view it as a cybersecurity issue related to governance, risk, and compliance. I have emphasized the importance of GRC, due diligence, due care, regulations, standards, procedures, and ethics. DOGE is counter to all of those concepts. Where is the oversight and accountability? Where are the checks and balances? Where are the controls to protect the security and privacy of data so that no unauthorized access occurs?
     
    In this case, I am not sure how to discuss the technical issues without politics.
    From the point of view of the aspects of infosec which we teach.

    Risk management. Threat modeling. Assumed breach. Access controls. Data destruction.

    Threat modeling exercise:
    • Business process: monthly social security payments
    • Protected assets: PII, financial data, database with past and current transactions, credentials for authorizing payments
    • Business interest: continue primary business process, maintain CIA of assets per SLA or requirements.
    • Related infrastructure: office terminal, office network, database server, bank payment API
    • Related personnel: office workers, customer support, database admin, server admin, bank personnel
    The case:
    • Threat actor: unauthorized party from outside the organisation, acting with assumed yet unverified authority.
    • Threat entry: forced access to office or data center.
    • Threat interests: PII, financial data, disrupting primary business process.
    • Threat activities: assume control of office terminals, assume control of office worker credentials, assume control of administrator credentials, remove hardware from data center for destruction or for data retrieval.
    Question to the students:

    Which security controls can we put in place to disrupt the threat actor's activities and to prevent or mitigate the threat actor's interests and activities?
     
    Can you cite the source of your image? Genuine question as I'd like to do further research on how this could relate as a Cybersecurity topic.
    I'm willing to bet it's this article.


    I cannot verify, because I do not have an NYTimes subscription.
     
    As a prior Federal employee and contractor (DoD, DHS, and USDA), there is nothing DOGE is doing that other contractors are not. DOGE is built on top of the old USDS and the 18F program in GSA that extended cloud to the Fed environments. Just look at the Booz Allen Hamilton contractor that released thousands of tax returns or Snowden (another Booz Allen employee) if you're even curious what level of PII/Top secret access just contractors (DOGE/USDS/18F are fed employees) get every day. IMO, the concern here is overblown, it's business as usual when it comes to the access afforded the DOGE team whether you consider them temp Feds or gov't contractors.
     
    @Sean Ellars, I think you're making an untenable connection. If the current DOGE members were subjected to the same background checks and standards as regular government employees or contractors, then I would agree with your supposition. @Greg Childers makes a very salient point, this is not a normal process. If this was in other areas (public and private), the current actions would be grounds for reprimand at minimum and incarceration at worst.

    If I worked in health care or finance or education, the actions would be grounds for dismissal. To paraphrase a remark, it's never the crime, it's the cover up. In some areas running fast and breaking stuff works. In other areas, one needs to stop and smell the roses. I wonder what will be the outcome of the proverbial running with scissors. Who will wear the bandages?
     
    @Sean Ellars, I think you're making an untenable connection. If the current DOGE members were subjected to the same background checks and standards as regular government employees or contractors, then I would agree with your supposition. @Greg Childers makes a very salient point, this is not a normal process. If this was in other areas (public and private), the current actions would be grounds for reprimand at minimum and incarceration at worst.

    If I worked in health care or finance or education, the actions would be grounds for dismissal. To paraphrase a remark, it's never the crime, it's the cover up. In some areas running fast and breaking stuff works. In other areas, one needs to stop and smell the roses. I wonder what will be the outcome of the proverbial running with scissors. Who will wear the bandages?
    DOGE members are federal employees. They have security clearances. They work for the US Digital Services. Just like other USDS projects, they are assigned to specific agencies to do the work. They do work similar to the work that USDS has done since 2014. USDS is about technical innovation. They stood up the cloud, they've built web apps and automated processes, they've helped with business intelligence/data warehouses, AI etc. They always worked outside of the Agency's processes unencumbered so they could move faster. The world is just now hearing about them.
     
    DOGE is attempting to cut medical research grants, social security, and the Department of Education. This is not business as usual.

    And if they were looking for fraud, I have two questions:

    Why have they found none?

    Why are they using hackers with ties to cybercriminal activity and not forensic auditors?