Table of Contents
Since January, Elon Musk’s Department of Government Efficiency (DOGE) has carved up federal programs, removing positions related to hazardous waste removal, veteran support and disease control, among others. While many have already been affected, cybersecurity experts worry about the impacts not yet realized in the form of hacks, fraud, and privacy breaches.
DOGE has fired top cybersecurity officers from various agencies, gutted the Cybersecurity and Infrastructure Agency (CISA), and cancelled at least 32 cybersecurity-related contracts with the Consumer Financial Protection Bureau (CFPB). Cybersecurity experts, including those fired by DOGE, argue that the agency has demonstrated questionable practices toward safeguarding the vast amount of personal data the government holds, including in agencies such as the Social Security Administration and the Department of Veterans Affairs (VA). Last week, a court filing revealed that a DOGE staffer violated Treasury Department policy by sending an email containing unencrypted personal information.
[time-brightcove not-tgx=”true”]
“I see DOGE actively destroying cybersecurity barriers within government in a way that endangers the privacy of American citizens,” says Jonathan Kamens, who oversaw cybersecurity for VA.com until February, when he was let go. “That makes it easier for bad actors to gain access.”
DOGE’s access to some agencies’ data has been limited in response to dozens of filed lawsuits. But as those battles play out in court, DOGE continues to have access to huge amounts of sensitive data. Here’s what cybersecurity experts caution is at stake.
Personal information
As DOGE picked up steam following the inauguration, cybersecurity experts began voicing concern about the new organization’s privacy practices and digital hygiene. Reports surfaced that DOGE members connected to government networks on unauthorized servers and shared information over unsecure channels. Last month, the DOGE.gov website was altered by outside coders who found they could publish updates to the website without authorization. The same month, Treasury officials said that a 25-year-old DOGE staffer was “mistakenly” given temporary access to make changes to a federal payment system.
Cybersecurity experts find these lapses concerning because the government stores vast amounts of data to serve Americans. For instance, the Department of Veterans Affairs stores the bank accounts and credit card numbers of millions of veterans who receive benefits and services. The department also collects medical data, social security numbers, and the names of relatives and caregivers, says Kamens, who says he was the only federal employee at the agency with an engineering technical background working on cybersecurity.
Read More: Tracking DOGE’s Moves Across the Federal Government
Kamens says he was hired in 2023 to improve “several specific security issues” for the site, which he declined to name due to confidentiality reasons. Now, he says, hackers could take advantage of those unresolved issues to learn potentially compromising information about veterans, and then target them with phishing campaigns.
Peter Kasperowicz, VA’s press secretary, wrote to TIME in an email that “VA employs hundreds of cybersecurity personnel who are dedicated to keeping the department’s websites and beneficiary data safe 24/7.”
Erie Meyer, former chief technologist at the Consumer Financial Protection Bureau (CFPB), resigned in February after DOGE members showed up at the agency’s offices requesting data privileges. Her role focused on safeguarding the CFPB’s sensitive data, including transaction records from credit reporting agencies, complaints filed by citizens, and information from Big Tech companies under investigation. “There are a bunch of careful protections in place that layer on to each other to make sure that no one could exploit that information,” Meyer says.
But DOGE slashed many of those efforts, including the regular upkeep of audit and event logs which showed how and when employees were accessing that information. “The software we had in place tracking what was being done was turned off,” she says. This means that DOGE employees could now have access to financial data with no oversight as to how or why they are accessing it, Meyer says.
Meyer is also concerned about the cancellation of dozens of cybersecurity contracts, which included deals with companies who performed security equipment disposal, provided VPNs to government employees, and encrypted email servers. “People need us when the worst financial disasters are happening to their family,” she says. “It’s sloppy to open them up to fraud like this.”
A representative for the CFPB did not immediately respond to a request for comment. In an email statement to TIME, White House press secretary Karoline Leavitt, wrote: “President Trump promised the American people he would establish a Department of Government Efficiency, overseen by Elon Musk, to make the federal government more efficient and accountable to taxpayers. DOGE has fully integrated into the federal government to cut waste, fraud, and abuse. Rogue bureaucrats and activist judges attempting to undermine this effort are only subverting the will of the American people and their obstructionist efforts will fail.”
Fraud and bad actors
In addition to being worried about what DOGE is doing with citizens’ data, cybersecurity experts are concerned that their aggressive tactics could make it easier for scammers to infiltrate systems, which could have disastrous consequences. For instance, DOGE currently has access to Social Security Administration data, which includes personal information about elderly Americans. Kamens notes that scammers often use personal information, such as an individual’s bank or hospital, in order to convince them they’re a trusted person. And these tactics seem to work especially well on the elderly, who are less tech-savy: roughly $3.4 billion in fraud losses was reported by people ages 60 and up in 2023, I3C found.
These vulnerabilities also extend to matters of national security. DOGE members themselves would immediately become targets for foreign state actors, Kamens says. And earlier this month, Rob Joyce, the former leader of the NSA’s unit focusing on foreign computer systems, warned that DOGE’s mass firing of probationary federal employees would have a “devastating impact on cybersecurity and our national security.”
About 130 of those fired probationary officers were part of the Cybersecurity and Infrastructure Agency (CISA), which is tasked with detecting breaches of the nations’ power grid, pipelines and water system. “CISA was already understaffed to begin with,” says Michael Daniel, president and CEO of the Cyber Threat Alliance and a cybersecurity coordinator under President Obama. “It’s possible that a critical infrastructure owner and operator might not be able to get assistance from CISA as a result of the cuts.”
Senator Elizabeth Warren penned a letter arguing that DOGE posed a national security threat by exposing secrets about America’s defense and intelligence agencies. “We don’t know what safeguards were pulled down. Are the gates wide open now for hackers from China, from North Korea, from Iran, from Russia?” she said in a statement. “Heck, who knows what black hat hackers all around the world are finding out about each one of us and copying that information for their own criminal uses?”
Systemic risks
Cybersecurity experts are also worried about the risk of DOGE engineers inadvertently breaking parts of the government’s digital systems, which can be archaic and deeply complex, or unintentionally introducing malware to essential code.
In particular, financial experts have said that mistakes made within the Treasury Department’s delicate systems could harm the U.S. economy. Kamens warns that if DOGE interferes with the Social Security system, Medicare reimbursements or disability payments could fail to go out on time, endangering lives. “They have fired the people who know where the danger points are,” he says.
Last week, a federal judge questioned government attorneys about why DOGE needs access to Social Security Administration systems, and is still considering whether to shut off access. Another lawsuit, filed by 19 state attorneys general in an attempt to block DOGE’s access to the Treasury Department in February is ongoing.
Kamens adds that the security risks could only heighten over time, especially if roles like his remain unfilled. Nearly everyone he worked with at USDS (United States Digital Service), DOGE’s precursor, came into government from the privacy sector, he says, and he worries that top-level cybersecurity officials will not want to join the federal staff due to the instability and the risks of being fired or undermined.
This lack of staffing, he says, could prevent the government from mitigating new and evolving attacks. “The reality is that there are constantly new security holes being discovered,” he says. “If you’re not actively evolving your cyber defenses to go along with the offensive things that are happening in that landscape, you end up losing ground.”
Daniel says that just because nothing has broken yet does not mean that DOGE is doing an adequate job in stopping cybersecurity threats. “It’s not an instant feedback loop,” he says. “That’s part of the challenge here: we’re talking about an increase in risk that may play out over an extended period of time.”
