Source: www.csoonline.com – Author:
Given free rein by President Trump to plumb the depths of US government networks and databases, Elon Musk’s DOGE is putting the federal digital infrastructure at risk on a variety of fronts, security experts say.
Over the past 10 days, an astonishing series of actions by Elon Musk via his Department of Government Efficiency (DOGE) project has elevated the cybersecurity risk of some of the most sensitive computing systems in the US government.
Musk and his team of young, inexperienced engineers — at least one of whom is not a US citizen — have taken a number of publicly known steps that raise serious concerns among cybersecurity and privacy professionals.
These actions violate several fundamental security principles, experts contend, potentially exposing highly sensitive US government systems to malware while opening new possible avenues of attacks by cybercriminals and even nation-state adversaries.
What DOGE has done
On Friday of last week, the Treasury Department’s top civil servant, David Lebryk, left unexpectedly after Trump-affiliated officials expressed interest in stopping certain payments made by the federal government. In the wake of Lebryk’s departure, the Treasury Department ultimately gave Musk’s associates full access to the federal payment system at the US Treasury Department responsible for handling trillions of dollars in government expenditures.
Also on Friday, Musk aides locked out career civil servants at the Office of Personnel Management (OPM) from computer systems that contain the personal data of millions of federal employees, giving DOGE workers access to a system called Enterprise Human Resources Integration. This system contains dates of birth, Social Security numbers, appraisals, home addresses, pay grades, and length of service of government workers.
Concerns at the agency are high, with some officials saying the situation “creates real cybersecurity and hacking implications.”
Previously, during earlier OPM incidents, Musk and his team set up an email address, HR.gov, to make it look like a Musk-linked email system was emanating from OPM. The Musk team then sent an email asking federal employees who wished to resign to reply with the word “resign,” causing some employees to fear that malicious actors could spoof their responses and inadvertently resign them from federal service. Responses to the email were sent not to the federal government but to a Musk employee, Amanda Scales, who at the time was working at Musk’s AI company xAI but later became Chief of Staff at OPM.
This incident forced career public servant and OPM CIO Melvin Brown to resign.
On Saturday, the US Agency for International Development’s (USAID) director of security and his deputy were placed on administrative leave after they tried to prevent DOGE workers from accessing secure USAID systems. Sources say the DOGE team tried to access personnel files and security systems, including classified systems beyond the security level of at least some of the DOGE employees. The systems also included security clearance information for agency employees.
A DOGE spokesperson contends, “No classified material was accessed without proper security clearances.” Musk posted on X calling for USAID “to die” and accusing the independent agency, without evidence, of being a “criminal organization.” Later, he said that he and Trump were shutting down USAID and instructed agency employees not to show up for work.
In addition, over the past week, workers at the Technology Transformation Services (TTS), housed within the General Services Administration (GSA), were summoned into meetings to discuss their code and projects with Musk’s team members. TTS helps develop the platforms and tools that underpin many government services, including analytics tools and API plugins that agencies can use to deploy tech faster. Thomas Shedd, who used to work for Musk’s Tesla, is now the head of TTS. Some DOGE workers had yet to receive a GSA laptop, indicating that some connected to government systems using their own devices.
Musk’s authority to do this
Although many of Musk’s actions or intended actions, such as shutting down Treasury payments or eliminating USAID, might be questionable legally, his authority to gain access to unclassified information appears unlimited under an executive order Trump signed to implement DOGE’s agenda.
Security engineer Matthew Garrett, who has not worked for the federal government but has been in touch with those who do, said he understands that the executive order obviates any technical protections federal agencies put on their systems.
“It doesn’t matter how secure a system you built is if the orders you are getting are to give someone access to that system; then your choices are either give them access or potentially be suspended, fired, whatever, and then the next in line will do it in any case,” Garrett tells CSO.
Michael Daniel, president and CEO of the Cyber Threat Alliance, says the unprecedented nature of Musk’s actions makes it difficult to call, but he thinks there could be serious legal consequences for Musk, his workers, and compliant government officials. “You’ve got the potential for all sorts of legal violations, privacy act violations,” he tells CSO.
“Before you even get to the [more technical] cybersecurity issues, you’ve got a whole bunch of just basic governance issues that are completely unclear,” Daniel says. “It’s a principle of good cybersecurity that you know who logs into your network and what role they have. And the potential for privacy violations, data misuse, monetary gain, and political retaliation, I mean, is just legion here.”
Mark Montgomery, senior director of the Center on Cyber and Technology Innovation at the Foundation for the Defense of Democracies, tells CSO that “there are strict governance controls for accessing federal systems. To the degree these governance controls were waived or ignored, that introduces risk. That is just unacceptable. And the speed at which these accesses were made makes me concerned that those governance controls may not have been followed.”
Malware and authentication exploitation are top concerns
One of Garrett’s biggest cybersecurity concerns is that some of Musk’s workers appear to be connecting their own devices to sensitive government systems.
“The easiest way to think about that is if there’s malware running on your computer, any files you download, whoever’s operating that malware could send those files elsewhere,” he says.
Ideally, government policies would stipulate that only trusted devices can connect to the network.
“But, if you have enough power over the technical leadership of that agency, you’re going to be in a position to just turn that off and then give access to anything,” Garrett says. “And we’ve seen numerous claims that people have just been bringing in their computers from outside and plugging those into department networks. And that means we don’t know whether they have any reasonable security policies.”
If Musk’s workers and the government agencies are not following reasonable security policies, “we should assume anything they download is going to be potentially exfiltrated,” Garrett says.
Moreover, malicious actors could use any authentication that the Musk team used. “They’re going to be able to wait for someone to log in to a system and then potentially bounce through one of those machines, log in against that system themselves, and gain access to all data that user has access to rather than just the material that was looked at and downloaded,” says Garrett.
“All of those seem valid concerns to me, but I also think there’s a first-order question: Would any company on earth just let people walk in and plug devices into their network?” Daniel asks. “Who are these people? Are they actually federal employees? Are they contractors? Nobody knows. Their status is unknown. Their authority to do any of this is unknown.”
Moreover, “What company on Earth would hire people without any background investigation or looking at their resume?” Daniel asks. “Even if you just apply a private sector lens to it, the idea is ludicrous that you would just simply turn over all your data. No general counsel on Earth would say that that’s a good idea for your company.”
Government cybersecurity workers need to build a CYA paper trail
Another primary concern Garrett raises is that Musk could not only expose government data to criminals and state-sponsored adversaries, “but we also need to consider what would be the impact of a successful ransomware infection of a government department,” he says.
“Do we trust that this material is still being backed up in the appropriate way? Is the normal kind of technical side of things still operating as normal? We also need to consider if people with sufficiently elevated privileges read this data, how many of them have access to rights to it, and what would the outcomes of a state-level adversary deliberately modifying some of this data look like?”
Given this potential infosec house of cards, those cybersecurity workers in the federal government who are watching what the DOGE team does should be scrupulously documenting all these goings-on, if for no other reason than to protect themselves.
“I would assume that anybody in that situation would be doing everything they can to ensure that their paper trail exists demonstrating that this was someone else’s fault,” Garrett says.
Original Post url: https://www.csoonline.com/article/3815925/musks-doge-effort-could-spread-malware-expose-us-systems-to-threat-actors.html
Category & Tags: Government IT, Security, Security Practices