Since I published my article at 6 am yesterday morning, a number of current and former Bureau of the Fiscal Service officials have reached out and unfortunately confirmed the accuracy of my reporting, both in my understanding of the technical situation and in the extreme dangers of the access that had been reported up to that point. All thought read-only access was extraordinarily dangerous to the country.
I can exclusively report that while there was initial hesitation from “IT Leadership” to give [DOGE] access, they relented. However, they still believed this was extremely risky, with one member of leadership saying “I’ve never done anything like this before”, according to a source familiar with the situation. A current IT employee of the Bureau of the Fiscal Service told me “This level of unchecked access is critically dangerous to the economy and the government”. When I replied “this is terrifying” on being informed that they have “write access”, this source replied “Yeah it’s not good. Read privileges on its own still would have left room for catastrophe, but read and write is apocalyptic.”
It is as yet unclear whether anyone on the Payment Automation Manager (PAM) system or the “Secured Payment System” (SPS) has been put on “paid administrative leave”, coerced into resigning or quit in protest. All that is known is that Marko can “access and query” SPS and that there was someone who gave Marko a “tour” of the facilities. We do not know where they are in operationalizing any control. One senior IT source can see Marko retrieving “close to a thousand rows of data” but they can’t see the content because the system is “top secret” even to them. No source I have has knowledge of what DOGE is doing with the data they are retrieving.
One source states that IT is “mostly intact” but expects that to change as the return to work mandate comes into effect and/or DOGE starts doing even worse things. To be clear, IT is separate from the COBOL programmers who work specifically on these legacy systems. There have certainly been some number of “less than voluntary” resignations similar to Fiscal Assistant Secretary Lebryk. The only outright firings were of the Economic Equality and Opportunity team…
One source explicitly said that they were only reporting to me because there was no one left in the Federal Government to report security breaches to…
I would also like to clarify some confusion on social media. The issue with understanding and grasping a COBOL system is not knowing COBOL, as a programming language, in the abstract. Nor is it, god help me, something that AI can “do” because you fired one of these chatbots up and got some code that could compile when you asked “write me some COBOL code”. The issue is understanding the specific physical limitations of the system, the way that it interacts with the “Business Logic” of the code and a million other contextual factors.
The entire issue with COBOL, and why it has been such a struggle to maintain it, is that COBOL systems (both private and public), developed for decades with very little documentation, have a million different path-dependent coding choices. Mar Hicks’s 2020 article in Logic Magazine, “Built to Last”, is worth a read on this topic.
This is what I meant yesterday when I referenced that 30 different COBOL systems at Treasury had developed their own “dialects” and that they launched Payment Application Modernization (PAM), which, among other things, unified them. What they unified was the business logic of those systems (as well as likely other factors, most notably the physical architecture of the systems they ran on). Part of me wishes they didn’t modernize with PAM because those 30 different and distinct systems would have been more secure from their infiltration. PAM processed 4.7 trillion dollars of payments in 2024.
