The Department of Government Efficiency (DOGE), President Donald Trump’s special commission tasked with slashing federal spending, continues to disrupt Washington and the federal bureaucracy. According to published reports, its teams are dropping into federal agencies with a practically unlimited mandate to reform the federal government in accordance with recent executive orders.
As a 30-year cybersecurity veteran, I find the activities of DOGE thus far concerning. Its broad mandate across government, seemingly nonexistent oversight, and the apparent lack of operational competence of its employees have demonstrated that DOGE could create conditions that are ideal for cybersecurity or data privacy incidents that affect the entire nation.
Traditionally, the purpose of cybersecurity is to ensure the confidentiality and integrity of information and information systems while helping keep those systems available to those who need them. But in DOGE’s first few weeks of existence, reports indicate that its staff appears to be ignoring those principles and potentially making the federal government more vulnerable to cyber incidents.
Cybersecurity and information technology, like any other business function, depend on employees trained specifically for their jobs. Just as you wouldn’t let someone only qualified in first aid to perform open heart surgery, technology professionals require a baseline set of credentialed education, training and experience to ensure that the most qualified people are on the job.
DOGE has hired young people fresh out of — or still in — college or with little or no experience in government, but who reportedly have strong technical prowess. But some have questionable backgrounds for such sensitive work.
According to reports, these DOGE staffers have been granted administrator-level technical access to a variety of federal systems. These include systems that process all federal payments, including Social Security, Medicare and the congressionally appropriated funds that run the government and its contracting operations.
Opening the door for malware
DOGE operatives are quickly developing and deploying major software changes to very complex old systems and databases, according to reports. But given the speed of change, it’s likely that there is little formal planning or quality control involved to ensure such changes don’t break the system. This runs contrary to cybersecurity principles and best practices for technology management.
As a result, there’s probably no way of knowing if these changes make it easier for malware to be introduced into government systems, if sensitive data can be accessed without authorization, or if DOGE’s work is making government systems otherwise more unstable and more vulnerable.
On Feb. 6, a federal judge ordered that DOGE staff be restricted to read-only access to the Treasury Department’s payment systems, but the legal proceedings challenging the legality of their access to government IT systems are ongoing.
DOGE’s apparent lack of cybersecurity competence is reflected in some of its first actions. DOGE installed its own email servers across the federal government to facilitate direct communication with rank-and-file employees outside official channels, disregarding time-tested best practices for cybersecurity and IT administration. A lawsuit by federal employees alleges that these systems did not undergo a security review as required by current federal cybersecurity standards.
There is an established process in the federal government to configure and deploy new systems to ensure they are stable, secure and unlikely to create cybersecurity problems. But DOGE ignored those practices, with predictable and dangerous results.
Bottom line, if you don’t know what you’re doing in IT, really bad things can happen.
Technical experts now subject to politics
The Trump administration also has reclassified federal chief information officers, normally senior career employees with years of specialized knowledge, to be general employees subject to dismissal for political reasons. So there may well be a brain drain of IT talent in the federal government, or a constant turnover of both senior IT leadership and other technical experts. This change will almost certainly have ramifications for cybersecurity.
DOGE operatives now have direct access to the Office of Personnel Management’s database of millions of federal employees, including those with security clearances holding sensitive positions. Without effective oversight, this access opens up the possibilities of privacy violations, tampering with employment records, intimidation or political retribution.
Informed support from all levels of management is crucial to provide accountability for cybersecurity and technology administration. This is especially important in the public sector, where oversight and accountability is a critical function of good democratic governance and national security. After all, if people don’t know what you’re doing, they don’t know what you’re doing wrong.
The federal government’s vast collections of data touch every citizen and company. While government systems may not be as trustworthy as they once were, people can still take steps to protect themselves from adverse consequences of DOGE’s activities. Two good starting points are to lock your credit bureau records in case your government data is disclosed and using different logins and passwords on federal websites to conduct business.
At the moment, DOGE appears to be operating with very little oversight by anyone in a position willing or able to hold it responsible for its actions.
It’s crucial for the administration, Congress and the public to recognize the cybersecurity dangers that DOGE’s activities pose and take meaningful steps to bring the organization under reasonable control and oversight.
Richard Forno is teaching professor of computer science and electrical engineering and assistant director of UMBC Cybersecurity Institute at the University of Maryland, Baltimore County.
The article was originally published on theconversation.com
The views and opinions expressed by contributors are their own and do not necessarily reflect those of the Chicago Sun-Times or any of its affiliates.
The Sun-Times welcomes letters to the editor and op-eds. See our guidelines.
Get Opinions content delivered to your inbox.