The importance (and hard work) of "getting to yes" for executive priority projects with the right level of privacy protections and cyber controls has been a common theme of this blog, ever since I almost lost my CISO job for opposing a Wi-Fi project in Michigan in 2004.
Most successful cyber pros have learned to fight their gut instinct to attempt to stop CxO priorities by using their positional authority. Experienced security leaders can tell stories about how they have grown to become enablers by implementing new technology and business priorities in secure ways from cloud computing to bring-your-own-device initiatives and from the Internet of Things devices to generative AI projects.
At the same time, nonpartisanship has been one of the top positive aspects of working in government cybersecurity, formerly called information security, information assurance and other names. Over the past three decades working on state, federal and even international government projects, one central premise that global experts all agreed on has been that “nobody wants to be hacked” — whether you are a Democrat, Republican or independent. Indeed, cybersecurity has been one of the rare areas that has received bipartisan support.
But over the past few weeks, there has been a flood of media stories trying to slow down — or even shut down — the new federal Department of Government Efficiency (DOGE) by offering cybersecurity and privacy concerns as the justification. My fear is that the old security pro instinct to stop executive priorities has now crossed over that partisan line, based upon personal agendas.
However, before I list some relevant headline examples, let me be clear that I am not asking whether one supports or opposes federal government budget cuts. Nor am I addressing whether the political decisions made, or choices made on org charts and appointed positions, match one’s personal preferences.
Opinions are all over the map as to whether the U.S. Agency for International Development should cut dollars given to foreign nations, federal employees should go back to the office, the Department of Education should be eliminated, the IRS should reduce staff, President Trump is doing the right things on Ukraine, or a long list of other hot political topics surfacing under Trump 2.0.
Nevertheless, these legal decisions are being made by the democratically elected leader of our country and his executive team, and courts have allowed DOGE’s work to continue.
Consider these headlines:
Forbes: DOGE Is A Cybersecurity Crisis Unfolding In Real-Time
“The shock factor is that DOGE is helmed by Elon Musk — the richest man in the world with a net worth approaching nearly double that of the second richest man in the world, and currently head of Tesla, SpaceX, X (formerly Twitter), Neuralink, The Boring Company and xAI. The top operatives of DOGE are reported to be young, tech-savvy 'hackers' with unprecedented access to systems holding everything from personnel records to highly sensitive financial data.”
Yahoo: Cybersecurity group sues DOGE over data access
“The Electronic Privacy Information Center (or EPIC) filed a lawsuit against the Department of Government Efficiency (or, sigh, DOGE) on Monday, per the privacy-focused non-profit's website. According to the lawsuit, DOGE and its leader Elon Musk have 'illegally forced' the Office of Personnel Management and Treasury Department to disclose huge swaths of digital information about U.S. citizens to 'unauthorized, untrained personnel.' The lawsuit calls Musk's actions 'the largest data breach in American history.'”
CNBC TV18: Musk's DOGE team raises major cyber security concerns
“Never before has a group of unvetted and inexperienced outsiders gained such access to the nerve center of the U.S. government, according to security experts. The campaign, led by Musk's DOGE team, began at the Treasury Department when they took control of the U.S. government's payment system — a move justified as monitoring public spending. From there, it expanded into an unprecedented cost-cutting initiative, with software engineers spreading across federal agencies, taking control of computer systems.
“They have disrupted and in some cases effectively shuttered organizations such as the United States Agency for International Development (USAID), the Department of Education, and the General Services Administration (GSA), which manages much of the government's infrastructure and building portfolio.
“'In the span of just weeks, the U.S. government has experienced what may be the most consequential security breach in its history,' wrote Bruce Schneier, a security technologist at the Harvard Kennedy School, and Davi Ottenheimer of Inrupt, a data infrastructure company, in Foreign Policy.”
WHO AUTHORIZED WHO TO ACCESS WHAT FEDERAL SYSTEMS AND DATA?
My view is that everyone needs to calm down and start at the top by working our way through a few of these bold claims of a cybersecurity crisis, the largest data breach in history and much more. Do these claims hold any water or are they hyperbole?
First, what did the president say regarding access and authority?
According to NPR, “On Monday, Trump said Musk has 'got access only to letting people go that he thinks are no good, if we agree with him.'
“'Elon can't do and won't do anything without our approval. And we'll give him the approval where appropriate, where not appropriate we won't,' Trump said. 'Where we think there's a conflict or a problem, we won't let him go near it.'”
Second, watch this Bloomberg interview with respected Treasury Secretary Scott Bessent, which starts with the DOGE team’s access to sensitive payment systems.
On the IRS taxpayer data access: “Thanks again for asking. Over the past four years we have seen a lot of leaks out of there. … I am concerned about collections, about privacy and that the system is robust.”
I encourage readers to watch that entire interview, as well as some of the more recent interviews with Secretary Bessent on this topic.
Third, there have been quite a few accusations that the DOGE actions violate the Privacy Act of 1974. Wired magazine covers this topic in detail in this piece. Here’s an excerpt:
“The Privacy Act prohibits an agency from disclosing someone’s records — even within the agency — unless that person approves in writing or the agency meets one of the law’s 12 exceptions. …
“But there are also two broad, vague exceptions: Agencies can share records with their own employees who 'have a need for the record in the performance of their duties' or with third parties for 'a routine use' (defined as one that is 'compatible with the purpose for which [the data] was collected').
“The strength of that argument rests on how judges weigh two questions: whether the DOGE personnel accessing each agency’s data are employees of those agencies, and whether the two exceptions apply to the situations in which they accessed and shared the data.
“But he also questioned whether DOGE staffers were employees of the agencies whose data they were accessing — a crucial question for a Privacy Act case.”
Fourth, it is clear from Secretary Bessent’s interview that the people being granted access are receiving it under the policies and procedures of the agencies — including being department employees (which is key to meeting the requirements of the Privacy Act of 1974).
This article from MSN.com reveals many interesting details that are helpful in this situation:
“But the media did not care who had access to that data during the Biden years.
“One report from the Treasury Inspector General for Tax Administration revealed that as of September 2023, there were as many as 919 individuals who had access to unmasked IRS data.
“The unmasked data contains personally identifiable information and 'requires executive level approval' to access. Roughly 20 of those individuals were ‘researchers and student volunteers.’”
Fifth, this article from The Conversation acknowledges that “a group of 14 state attorneys general attempted to have DOGE’s access to certain federal systems restricted, but a judge has denied the request.”
So what do the piece's authors, Frank den Hartog and Abu Barkat Ullah, claim is the reason for this outcry around government system access and cybersecurity surrounding DOGE? The answer is trust.
They go on to list ways to reduce the risk of insider threats within your organization and cover other helpful details, but they summarize their arguments as a lack of trust in Elon Musk.
Sixth, an article from Politico describes how GOP privacy hawks brush off concerns about DOGE data dives:
“Sen. Josh Hawley of Missouri, a frequent critic of Big Tech’s use of Americans' personal data, said Tuesday night that DOGE employees were required to 'follow all federal laws related to privacy and so forth' and he would be 'shocked' if they were skirting those rules.
“'I assume and expect that they are adhering to whatever the rules are for their level of clearance and their level of government employee and their designation,' Hawley said, adding that he did not know the security clearance status of DOGE’s staff. 'So long as they’re adhering to those, that’s fine.'
“Sen. Rand Paul of Kentucky, another defender of individual privacy rights and opponent of government surveillance efforts, also appeared like Hawley to be taking the administration at its word that there was nothing out of the ordinary taking place.
“'I think anybody who looks at government data is bound by rules on privacy — I don’t know how this would be any different than someone else looking at it,' said Paul in an interview. 'All the rules of privacy still apply. If they’re breaking any rules, they’ll get in trouble, but you have to look at the data to find the problems.'”
FINAL THOUGHTS
While some readers may still doubt that these recent claims of cybersecurity and privacy violations at DOGE are political in nature, any remaining doubts that I had were erased on Friday, Feb. 21.
According to CNN, Senate GOP adopts budget blueprint to advance Trump agenda, setting up clash with House Republicans: “Senate Democrats, locked out of power in Washington and limited in their ability to counter the GOP agenda, used the 'vote-a-rama' to force tough votes in a bid to put Republicans on record over contentious issues. …
“Democratic Sen. Chris Coons called up an amendment aimed at prohibiting DOGE from accessing or misusing private data and information, which was rejected by voice vote.”
For as long as I have been a government security and technology leader, data privacy and cybersecurity protections have been able to stay out of the political battles. Mayors, governors, county executives, department directors and more generally support doing the right things with data and keeping cybersecurity activities out of politics.
I certainly hope that recent events with DOGE won’t change this historical cybersecurity nonpartisan agreement, and that we can even continue bipartisan support for cyber in lasting ways across all levels of government.
There is still time to course correct if cybersecurity and technology pros remember the importance of “need to know” principles and who authorizes access in your government situation or business — regardless of who wins elections or who is appointed CEO.