Musk Poses Cybersecurity Risks
Musk and his DOGE associates’ reported access to sensitive government systems presents serious cybersecurity risks.
Published by The Lawfare Institute in Cooperation With
Over the past few weeks, stories have been emerging about several (very) young employees and associates of Elon Musk—operating under Musk’s controversial Department of Government Efficiency (DOGE)—being given access to federal government data systems. These systems contain highly sensitive information or are critical to the day-to-day funding and operation of the complex machine that is the United States. There are many legal and ethical concerns arising from these reports, but one area in particular deserves special attention: cybersecurity. Some sources claim that the access granted to several DOGE associates—none of whom appear to be government employees or possess appropriate security clearances—includes “administrator-level privileges.” This level of access gives the holder the ability to read, modify, or delete anything on that computer system. To grant these kinds of system privileges to unqualified, unauthorized personnel is a significant cybersecurity risk to U.S. critical information infrastructure.
The full extent of DOGE associates’ access to government systems remains to be seen. So far, there have been reports of access to systems at the Office of Personnel Management, the General Services Administration, the U.S. Agency for International Development, the Department of Veterans Affairs, the Small Business Administration, and perhaps most worrying, the Treasury Department. In particular, two Treasury systems that lie at the core of nearly all U.S. government payments, the Payment Automation Manager and the Secure Payment System, have reportedly been accessed with administrative privileges by at least one Musk associate. The damage that could either intentionally or inadvertently be inflicted through this unauthorized access is easy (if frightening) to imagine. Highly sensitive information could be accessed, file systems corrupted, fraudulent payments made, and security back doors installed. Musk has a documented history of taking chaotic and impetuous actions, which he shows no signs of abandoning in his DOGE-related activities. This methodology is antithetical to well-established cybersecurity principles and puts our nation’s systems at significant risk.
Cybersecurity Fundamental: Access Control
One of the most fundamental tenets of cybersecurity is the concept of access control. Information systems’ administrators are careful to limit access to IT resources for two broad reasons. First, having access to system resources such as files or databases means one has access to the information that can be taken from those resources. This is often the case in data breaches, where someone who does not ordinarily have access to a system or network somehow gains access to steal information. This risk also comes from insider threats, such as an employee filching data for their own illegitimate purposes. Second, any changes to these complex systems can have unexpected consequences, leading to irreparable damage. This is especially the case in older systems that have grown through years of accretion, like many government networks, which often maintain aging technologies in order to preserve backward compatibility. These aging systems bring significant technical debt, along with poorly understood dependencies, demanding caution when considering system changes. Limiting the scope of access to these critical networks is of paramount importance to their management teams.
The risks associated with these kinds of access privilege escalations have long been understood. Some of the earliest examples of computer hacking were due, at least in part, to poor control of access privileges in the multiuser operating systems that were popular at the time. In 1988, for example, a “computer worm”—a program that automatically replicated itself across multiple computers—shut down thousands of workstations and powerful minicomputers across the United States. The Morris worm, as it came to be known, was able to rapidly propagate because the Berkeley UNIX operating system was very often configured to run with open access permissions, allowing remote execution of commands and the remote sharing of files with no additional password requirements. The author of the worm, Cornell graduate student Robert Morris—the son of National Security Agency cryptographer Robert Morris—was the first person to receive a felony conviction in the United States under new “anti-hacking” federal legislation.
Thus, not only does unauthorized access pose national security concerns, it also raises legal considerations. Federal laws meant to prevent and punish such unwarranted access to government information systems have existed for decades. The Computer Fraud and Abuse Act of 1986 (CFAA), for example, amended an existing computer fraud statute that had itself been around since 1984. Originally drafted to prevent the unauthorized use of government computers, the CFAA’s authors saw the problem of access to government computers as critical, observing that “[t]he bill makes it clear that unauthorized access to a Government computer is a trespass offense, as surely as if the offender had entered a restricted Government compound without proper authorization.”
The CFAA is deployed most often as an anti-hacking criminal statute addressing unauthorized access by outside parties. But it also applies to those who exceed their authorized access to computer systems. Some relevant elements of the CFAA include § 1030(a)(2)(B), which criminally prohibits “intentionally access[ing] a computer without authorization or exceed[ing] authorized access,” to obtain “information from any department or agency of the United States.” Similarly, § 1030(a)(3) prohibits unauthorized access to computers that are either exclusively for the use of the U.S. government or where such access “affects that use by or for the Government of the United States.” Criminal violations of the CFAA are felonies, indicating the seriousness with which legislators treated these activities.
It is not difficult to characterize DOGE associates’ activities as unauthorized, but more details are needed in order to judge whether they might have acted in excess of prior authorization. A fair amount of CFAA jurisprudence revolves around what “without authorization” and “exceeding authorized access” actually mean. The Supreme Court finally addressed a circuit split on the topic in 2021 with Van Buren v. United States, but many were left unsatisfied by the Court’s circumspect approach. In Van Buren, a police officer used his government credentials to access a license plate database. This access was obviously not unauthorized, but because he was using his access privileges for unofficial purposes, the question was if he was exceeding his authorization. The Court held that the CFAA “does not cover those who, like Van Buren, have improper motives for obtaining information that is otherwise available to them.” Section 1030(e)(6) defines “exceeds authorized access” as “to access a computer with authorization and to use such access to obtain or alter information in the computer that the accesser is not entitled to so obtain or alter.”
If the Trump administration can somehow claim that the DOGE associates’ access to these systems has been authorized to further DOGE-related policies, it is possible that under Van Buren, this would not exceed their authorized access. This would be a difficult argument to make, however, as the authorization detail would need to be very broad indeed. Even director-level access authorization does not necessarily include full administrative access to all systems, and most prudent directors would recognize that their expertise does not extend to all areas. It is more likely that any initial access authorization was quite limited, and the reports of read/write/delete access to these sensitive systems would be far out of scope. But given the cavalier actions of the Trump administration in its first two weeks, it is not out of the question that the White House could make sweeping authorizations, even if it puts the nation’s most sensitive computer systems at great risk.
Cybersecurity Fundamental: Compartmentalization
A complementary information security concept closely related to access control is the principle of compartmentalization, which intentionally limits information access to only those who need to know that information. This concept is probably most familiar in the context of the classification of information types by government agencies, for example, “confidential,” “secret,” and “top secret” data. A common misconception about compartmentalization is that those with “top secret” clearances automatically have access to all information classified as “top secret” or lower. This is not the case. Rather, compartmentalization requires that a person both have sufficient clearance as well as a specific need to know the information they wish to access. To apply this to the DOGE access issue, even if agency associates could argue that they are authorized generally to access government systems, legitimate concerns about compartmentalization would raise questions about whether those people should have access to a particular system containing particular information.
There are federal statutes on the books to address compartmentalization issues. For example, 18 U.S.C. § 793 pertains to the “Gathering, transmitting or losing defense information” and prohibits the “unauthorized possession of, access to, or control over any” government information relating to the national defense. Given some of the government systems that DOGE associates have reportedly accessed, it is probable that the information is relevant to the nation’s security. Further, because information security and data privacy are closely related concepts, there are compartmentalization laws outside of the national security context. For example, the Privacy Act of 1974 (5 U.S.C. § 552a), which states that “[n]o [government] agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains[.]” The Privacy Act is largely a civil statute, and also allows for a private right of action, meaning that individuals can bring suit under a Privacy Act claim. The jurisprudence surrounding the Privacy Act is somewhat complicated, and the act itself contains a number of exceptions for things like ordinary business uses. But the government systems the DOGE associates have been reportedly accessing are filled with the kind of information the Privacy Act was enacted to protect.
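The two principles described above, access control and compartmentalization, can be shown together in a small deny-by-default authorization check. The following Python is an added illustration written for this page; it is not code from the article, from Lawfare, or from any government system. It treats clearance, need-to-know compartments, and the privilege level on a given system (read, write, or full administrative access) as three independent gates that must all pass, and it records every decision for later audit. All system names, people, compartment tags, and classification levels in it are constructed for the example.

```python
# Added example (not part of the Lawfare article): a deny-by-default
# authorization check combining clearance, need-to-know compartments and
# explicitly granted privilege levels. All names and values are constructed.
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, FrozenSet, List, Optional


class Level(IntEnum):
    """Classification ladder; a higher number dominates a lower one."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


class Priv(IntEnum):
    """Privilege on one system. ADMIN means read, modify or delete anything."""
    READ = 1
    WRITE = 2
    ADMIN = 3


@dataclass(frozen=True)
class Resource:
    name: str
    level: Level
    compartments: FrozenSet[str]   # every tag here must be held by the subject


@dataclass
class Subject:
    name: str
    clearance: Level
    compartments: FrozenSet[str]
    grants: Dict[str, Priv] = field(default_factory=dict)  # per-system grant


@dataclass(frozen=True)
class Decision:
    subject: str
    resource: str
    requested: Priv
    allowed: bool
    reason: str


AUDIT_LOG: List[Decision] = []


def authorize(subject: Subject, resource: Resource, requested: Priv) -> Decision:
    """Three independent gates; failing any one denies. Every call is logged."""
    granted: Optional[Priv] = subject.grants.get(resource.name)
    if subject.clearance < resource.level:
        allowed, reason = False, f"clearance {subject.clearance.name} is below {resource.level.name}"
    elif not resource.compartments <= subject.compartments:
        missing = ", ".join(sorted(resource.compartments - subject.compartments))
        allowed, reason = False, f"no need-to-know for compartment(s) {missing}"
    elif granted is None:
        allowed, reason = False, "no privilege granted on this system"
    elif granted < requested:
        allowed, reason = False, f"granted {granted.name}, requested {requested.name}"
    else:
        allowed, reason = True, f"{requested.name} permitted by explicit {granted.name} grant"
    decision = Decision(subject.name, resource.name, requested, allowed, reason)
    AUDIT_LOG.append(decision)
    return decision


# Constructed sample data: no real system, person or classification.
PAYMENTS_DB = Resource("payments-db", Level.SECRET, frozenset({"PAYMENTS"}))

ANALYST = Subject("analyst", Level.SECRET, frozenset({"PAYMENTS"}), {"payments-db": Priv.READ})
OPERATOR = Subject("operator", Level.SECRET, frozenset({"PAYMENTS"}), {"payments-db": Priv.ADMIN})
# Top-secret clearance but never read into the PAYMENTS compartment: the
# misconception is that this person can automatically see everything.
VISITOR = Subject("visitor", Level.TOP_SECRET, frozenset(), {"payments-db": Priv.ADMIN})
INTERN = Subject("intern", Level.CONFIDENTIAL, frozenset({"PAYMENTS"}), {"payments-db": Priv.READ})


def run_demo() -> List[Decision]:
    """Exercise each gate once and return the decisions in order."""
    return [
        authorize(ANALYST, PAYMENTS_DB, Priv.READ),    # allowed
        authorize(ANALYST, PAYMENTS_DB, Priv.WRITE),   # denied: only READ granted
        authorize(OPERATOR, PAYMENTS_DB, Priv.ADMIN),  # allowed: explicit ADMIN grant
        authorize(VISITOR, PAYMENTS_DB, Priv.READ),    # denied: no need-to-know
        authorize(INTERN, PAYMENTS_DB, Priv.READ),     # denied: clearance too low
    ]


if __name__ == "__main__":
    for d in run_demo():
        verdict = "ALLOW" if d.allowed else "DENY"
        print(f"{verdict:5} {d.subject:8} {d.requested.name:5} on {d.resource}: {d.reason}")
```

The design point is that administrative privilege is a separate, explicit grant on a named system, never something inherited from clearance or from a broad "authorized to use government systems" status, and that the decision trail exists regardless of outcome, so that an unexpected grant of ADMIN to a subject outside the compartment is visible to reviewers after the fact.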
Cybersecurity Fundamental: Competence
Finally, an unwritten rule of cybersecurity is the requirement of competence. Computer systems and networks are highly complex, and in order for them to be useful, information systems managers constantly need to walk the tightrope between user access and system security. This, in turn, requires that the system managers remain vigilant regarding not only access controls but also what, if any, changes are made to the system itself. Anyone given permission to make such changes needs a combination of experience, education, and prudence—qualities the DOGE team members do not appear to demonstrate. Further, any important modifications to critical systems usually involve teams of these individuals, backed by other teams of reviewers, to minimize the risk of human error. When applied to critical government networks, where lives could potentially be at risk, the requirement of competence is especially critical.
Musk’s shoot-from-the-hip approach is unacceptable in the context of such systems. Recently, for example, Musk has claimed that his DOGE team will “make rapid safety upgrades to the [FAA]’s air traffic control system.” Further, shoddy or otherwise incompetent modifications to sensitive systems significantly increase the probability that some kind of security vulnerability will be created, expanding the holes through which hostile actors can enter these systems.
The point of these laws, rules, and policy choices is to limit who has access to government systems and the information they contain in order to prevent sensitive information from being illegally or improperly transmitted, used, or modified. The concern does not end, however, with the protection of data repositories, but also with the electronic mechanisms through which the bulk of our federal government operates, not the least of which is the accounting for and disbursement of government funds. Putting aside the legal questions regarding impoundment, it defies every basic security standard to allow unauthorized and untrained people administrative access to Treasury funds. Even if, for the sake of argument, Musk and his associates qualify as “special government employees,” that does not and should not grant them automatic system privileges for some of the most sensitive parts of our federal networks. The economic fallout that could arise out of mishap within these systems could be catastrophic.
Musk has repeatedly demonstrated his proclivity for breaking systems in order to later decide which parts should then be repaired. Not long after his takeover of Twitter, Musk became fixated on removing servers from data centers. At midnight on Christmas Eve 2022, he showed up unannounced at Twitter’s Sacramento data center, walking around the racks, unplugging servers at random, and even using a pocket knife at one point. Only when a major subsystem of the social media network failed did he stop, leaving the mess for then-Twitter employees to clean up. Since his odd presence as a fixture of the Trump campaign and White House was established, Musk has expanded his “move fast and break things” philosophy to government, claiming on his X account that his “DOGE team is rapidly shutting down [] payments” to Lutheran Social Services and other U.S. contractors.
Musk has also been generally dismissive of regulations, frequently telling his employees to ignore any government regulation they consider “dumb.” This has become something of a mantra within Silicon Valley and is widely adopted as a “disruptive” strategy to flout laws in the pursuit of the higher goal of innovation. Technology industry leaders like Peter Thiel have expanded this philosophy to national governance, with Thiel writing that he “no longer believe[s] that freedom and democracy are compatible.” If we take this worldview seriously, it is not much of a leap to assume that the DOGE associates may be characterized as potentially hostile threats to our nation’s critical systems.
***
While a “disruptive” methodology such as Musk’s might have limited repercussions as applied to a social media company, taking such a cavalier attitude toward our federal computer infrastructure is dangerous, foolish, and highly irresponsible. Administrators take extra measures to protect government computers and data for good reasons—they contain mountains of sensitive data whose disclosure could harm both the country and its citizens, and their continued operation is critical to the day-to-day healthy functioning of the business of the nation. The reported ad hoc access granted to unauthorized, untrained, and uncleared people is a problem not only with Musk and his associates but also with the elected and appointed members of this administration, who have sworn oaths to protect the country and its people.