Elon Musk and employees from DOGE — which is, legally, an external advisory board — have reportedly taken a number of steps since Jan. 20 that could be exposing the personal data of millions of federal employees, violating federal laws against sharing classified or sensitive information with uncleared individuals and creating new cybersecurity vulnerabilities for malicious hackers to exploit, these experts say.
Federal employees at the Office of Personnel Management are also suing the government, claiming that Musk had a private server installed that has not been vetted or approved for security. OPM’s systems contain sensitive employee records for tens of millions of current and former federal workers, and the hack and theft of OPM records by Chinese hackers in 2015 is considered among the worst federal security breaches of all time. The use of a private email server by then-Secretary of State Hillary Clinton was the subject of a criminal investigation by the FBI during the 2016 election and was bitterly criticized by Trump and Republicans at the time as a massive security lapse.
The White House claimed Monday that DOGE employees’ access to these systems were restricted to “read-only,” meaning they could not alter files or make larger changes, but according to reporting from Wired, a 25-year-old former employee of Musk’s has been granted administrative access to the system.
According to legal experts, Musk and Trump’s actions are putting federal employees in a lose-lose situation. Trump’s executive order creating DOGE only gave Musk access to unclassified federal systems. Under the E-Government Act of 2002, it is a Class E felony carrying a maximum penalty of five years in prison and a $250,000 fine for federal employees who have taken the oath of office to “willfully” disclose such information to any person or agency not entitled to receive it.
“No federal employee should be granting access to anyone — no matter what special ‘DOGE’ badge they have — absent specific written authorization to do so,” Moss said. “The president’s [executive order] does not suffice, and federal employees appear to be trying to hold the line on protocols so far. Unfortunately, those who are doing that are being punished for it, as many are being put on administrative leave or outright fired.”
Beneath the classified level, many federal systems also contain what’s known as Controlled Unclassified Information (CUI), which can include financial, law enforcement and privacy-related data on Americans. That data is less sensitive, but still must be legally protected by federal employees and contractors.
“There are well-established procedures, beginning with federal employment screening, to determine whether individuals are ‘trustworthy,’ such that they should be afforded access to these CUI categories,” said Robert Metzger, an attorney and federal cybersecurity contracting expert. “Higher standards and controls apply to persons who would have rights of ‘use’ of that information.”
Kit the Coyote
Article URL : https://cyberscoop.com/musk-doge-opm-treasury-breach/