The Biggest Insider Threats the U.S. Has Ever Faced


As someone who has worked in the federal government most of my life, both military and as a federal worker in the field of cybersecurity, I can tell you that Trump, Musk, DOGE and his DOGE workers (non-Civil Service Workers hired through loyalty) are the biggest insider threats the U.S. government has ever faced.

When I first learned of Musk placing an on-prem (physical) mail server within OPM against the advice of IT professionals at OPM, I was shocked and thought this could not be true but it is true and it happened. I was further horrified to find out that it went through no authority-to-operate (ATO) nor was it required to comply with cybersecurity governance including a security control assessment. For those who have never worked in cybersecurity, let me explain why this is very bad and highly illegal.

When any government organization wants to add a computer to an office, there are security requirements that must be followed. While different organizations may have their own processes, most follow the standards made by the National Institute of Standards and Technology (NIST), which includes some of the most knowledgeable experts in the U.S. government.

Now that you understand there is a process and DOGE did not follow it, get ready to freak out with me for a bit. DOGE’s mail server has created a single point of failure, a critical security risk that cybersecurity professionals work to prevent every day. Our adversaries know of this vulnerability. Why does this matter? Because the DOGE OPM mail server is connected to the government’s unclassified intranet. If compromised, this could provide our adversaries with broad access into the U.S. government’s internal network.

If you are not freaked out by this yet, bear with me a bit. Within the U.S. government’s intranet, access is restricted on a need-to-know basis using VLANs (virtual local area networks) and other security methods. These VLANs ensure employees only access what’s necessary for their jobs. For example, an IT worker can’t access budget or HR files unless explicitly required to do their job. My concern is that DOGE does have access to go into your financial data, access to your personal health information, and critical U.S. government operation details—such as continuity of operations plans, government contracts, and finances of Musk’s competitors.
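The need-to-know segmentation described above can be modelled as a default-deny inter-VLAN policy. The following is an added example, not code from the article or from any agency; the VLAN names, subnets, and allowed flows are constructed for illustration. It shows why an IT workstation is refused access to an HR file share while HR staff on their own VLAN are allowed through, and why anything not explicitly listed is dropped.

```python
"""Need-to-know network segmentation, modelled as a default-deny
inter-VLAN policy.  Constructed example: the VLAN names, subnets and
allowed flows below are made up for illustration, not taken from any agency."""
import ipaddress
from dataclasses import dataclass

# Constructed VLAN layout: each role gets its own network segment.
VLANS = {
    "it_workstations": ipaddress.ip_network("10.10.0.0/24"),
    "hr_workstations": ipaddress.ip_network("10.20.0.0/24"),
    "hr_fileservers":  ipaddress.ip_network("10.21.0.0/24"),
    "budget_servers":  ipaddress.ip_network("10.30.0.0/24"),
    "patch_servers":   ipaddress.ip_network("10.40.0.0/24"),
}

# Explicit allow list: (source VLAN, destination VLAN, destination port).
# Anything not listed here is denied; that is the need-to-know rule.
ALLOWED_FLOWS = {
    ("hr_workstations", "hr_fileservers", 445),   # HR staff reach HR files
    ("it_workstations", "patch_servers", 443),    # IT staff pull patches
    ("hr_workstations", "patch_servers", 443),    # HR staff pull patches too
}


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int


def vlan_of(ip: str):
    """Return the VLAN name containing ip, or None if it is unknown."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return None


def is_permitted(flow: Flow) -> bool:
    """Default deny: a flow passes only if its (src, dst, port) is listed.
    Traffic inside a single VLAN is switched locally and is not filtered
    by the inter-VLAN policy."""
    src, dst = vlan_of(flow.src_ip), vlan_of(flow.dst_ip)
    if src is None or dst is None:
        return False          # unknown segment: never trust it
    if src == dst:
        return True           # same VLAN, no inter-VLAN rule applies
    return (src, dst, flow.dst_port) in ALLOWED_FLOWS


def evaluate(flows):
    """Return a list of (flow, decision) pairs suitable for audit logging."""
    return [(f, "ALLOW" if is_permitted(f) else "DENY") for f in flows]


if __name__ == "__main__":
    # Constructed sample flows.
    samples = [
        Flow("10.10.0.15", "10.21.0.5", 445),   # IT workstation -> HR file share
        Flow("10.20.0.7",  "10.21.0.5", 445),   # HR workstation -> HR file share
        Flow("10.10.0.15", "10.40.0.2", 443),   # IT workstation -> patch server
        Flow("10.10.0.15", "10.30.0.9", 1433),  # IT workstation -> budget DB
        Flow("192.0.2.44", "10.21.0.5", 445),   # address outside any known VLAN
    ]
    for flow, decision in evaluate(samples):
        print(f"{decision:5} {flow.src_ip} -> {flow.dst_ip}:{flow.dst_port}")
```

The point of the allow list being a set of explicit tuples is that adding a new system, such as a mail server, forces someone to write down which segments it may talk to; a device dropped onto the intranet without that step either gets nothing or, worse, gets placed in a segment whose existing rules it inherits.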

That’s just on the unclassified intranet. Once inside, foreign cyber actors only need to gain administrator access—either by escalating their privileges or targeting someone who already has admin rights.

If you recall, there was a recent email sent by OPM asking employees to send five bullet points of what they did in the last week. This impulsive act by Musk and DOGE gives foreign cyber actors a roadmap to identifying system administrators, allowing them to steal credentials, gain admin access, and potentially infiltrate other government agencies with more sensitive data. By impersonating a system administrator, the bad actor can take full control of the network. Hackers call this pwning.

Another concern about this impulsive action is that foreign intelligence can start to filter out those individuals who are not of interest and focus on those who are. This is what happens when you apply the haphazard, move-fast-and-break-things philosophy from Silicon Valley to the U.S. government.

Databases and Systems (Government)