A few weeks ago, word started to come out that the newly minted United States Department of Government Efficiency (DOGE) had acquired unprecedented access to multiple US government computer systems .
Authors
- Frank den Hartog
Professor of Information Systems, Research Chair in Critical Infrastructure, University of Canberra
- Abu Barkat ullah
Associate Professor of Cyber Security, University of Canberra
DOGE employees - tech billionaire Elon Musk and his affiliates - have been granted access to sensitive personal and financial data, as well as other data critical for national security . This has created a national and international outcry , and serious concerns have been raised about data security, privacy and potential influence.
A group of 14 state attorneys-general attempted to have DOGE's access to certain federal systems restricted, but a judge has denied the request.
Questions of trust
What are the deeper reasons behind this outcry? After all, Musk is far from the first businessman to gain political power.
There is, of course, US President Donald Trump himself, alongside many more on both sides of politics. Most of them kept running their businesses at arm's length and went back to them after a stint in Washington.
So why are so many people alarmed now, but not before? The key word here is trust. Surveys suggest many people don't trust Musk with this kind of access.
Does that mean we trusted the others? The foundation of modern cyber security is not to trust anything or anybody in the first place.
So while a lack of trust in Musk is one reason for disquiet, another is a lack of trust in the current state of cyber security in US government systems and procedures. And for good reason.
An insider threat
The situation in the US raises the spectre of what cyber experts call an "insider threat". These concern cyber security incidents caused by people who have authorised access to systems and data.
Cyber security relies on controlling the so-called " CIA triad " of confidentiality, integrity and availability. Insider threats can compromise all three.
Authentication and subsequent authorisation of access has traditionally been an important measure to prevent cyber incidents from occurring. But apparently, that is not sufficient any more.
Perhaps the most famous insider incident in history is Edward Snowden's leak of classified documents from the US National Security Agency in 2013. Australia too has had its share of insider breaches - the 2000 Maroochy Shire attack is still a textbook example.
Musk and his DOGE colleagues have now become insiders.
How to reduce the risk of insider threat
There are plenty of strategies organisations can follow to reduce the risk of insider threats:
more rigorous vetting of employees
giving users only the bare minimum access and privileges they need
continuously auditing who has access to what, and restricting access immediately when needed
authenticating and authorising users every time they access a different system or file (this is part of what is called a " zero trust architecture ")
monitoring for unusual behaviour regarding insiders accessing systems and files
developing and nurturing a cyber-aware culture in the organisation.
In government systems, the public should be able to trust these procedures are being rigorously applied. However, when it comes to Musk and DOGE, it seems they are not. And that's where the core of the problem lies.
Clearances and a lack of care
DOGE employees without security clearance reportedly have access to classified systems which would normally be considered quite sensitive.
However, even security clearances offer no iron-clad guarantees.
Security clearances assume someone can be trusted based on their past. But past performance can never guarantee the future.
In the US, obtaining and holding a security clearance has become a status symbol . A clearance may also be a golden ticket to high-paying jobs and power, and hence subject to politics rather than independent judgement.
And it seems little care has been taken to keep users' access and privileges to a minimum.
You might think DOGE's employees, tasked with seeking out inefficiency, would only need read-only access to the US government IT systems. However, at least one of them temporarily had "write" access to the systems of the treasury, according to reports, enabling him to alter code controlling trillions in federal spending .
It all comes down to trust
Even if all possible access control and vetting procedures are in place and working perfectly, there will always be the problem of how to declassify information.
Or to put it another way: how do you make somebody forget everything they knew when their clearance or access is revoked or downgraded?
What Musk has seen, he can never unsee. And there is only so much that can be done to prevent this knowledge from leaking.
Even if all procedures to protect against insider threats are followed perfectly (and they aren't), nothing is 100% secure.
We would still need a certain level of public trust that the obtained data and information would be dealt with responsibly. Has trust in Musk and his affiliates reached that level?
According to recent polling , public opinion is still divided.
Frank den Hartog is the Cisco Research Chair in Critical Infrastructure at the University of Canberra. He is an Adjunct Fellow at the University of New South Wales.
Abu Barkat Ullah is a steering committee member for the Canberra Cyber Hub and has received several research grants from Australian government and private organisations.
