Insider threat: cyber security experts on giving Elon Musk and DOGE the keys to US government IT systems

A few weeks ago, word started to come out that the newly minted United States Department of Government Efficiency (DOGE) had acquired unprecedented access to multiple US government computer systems.

DOGE employees – tech billionaire Elon Musk and his affiliates – have been granted access to sensitive personal and financial data, as well as other data critical for national security. This has created a national and international outcry, and serious concerns have been raised about data security, privacy and potential influence.

A group of 14 state attorneys-general attempted to have DOGE’s access to certain federal systems restricted, but a judge has denied the request.

Questions of trust

What are the deeper reasons behind this outcry? After all, Musk is far from the first businessman to gain political power.

There is, of course, US President Donald Trump himself, alongside many more on both sides of politics. Most of them kept running their businesses at arm’s length and went back to them after a stint in Washington.

So why are so many people alarmed now, but not before? The key word here is trust. Surveys suggest many people don’t trust Musk with this kind of access.

Does that mean we trusted the others? The foundation of modern cyber security is not to trust anything or anybody in the first place.

So while a lack of trust in Musk is one reason for disquiet, another is a lack of trust in the current state of cyber security in US government systems and procedures. And for good reason.

An insider threat

The situation in the US raises the spectre of what cyber experts call an “insider threat”. These concern cyber security incidents caused by people who have authorised access to systems and data.

Cyber security relies on controlling the so-called “CIA triad” of confidentiality, integrity and availability. Insider threats can compromise all three.

Authentication and subsequent authorisation of access has traditionally been an important measure to prevent cyber incidents from occurring. But apparently, that is not sufficient any more.

Perhaps the most famous insider incident in history is Edward Snowden’s leak of classified documents from the US National Security Agency in 2013. Australia too has had its share of insider breaches – the 2000 Maroochy Shire attack is still a textbook example.

Musk and his DOGE colleagues have now become insiders.

How to reduce the risk of insider threat

There are plenty of strategies organisations can follow to reduce the risk of insider threats:

• more rigorous vetting of employees

• giving users only the bare minimum access and privileges they need

• continuously auditing who has access to what, and restricting access immediately when needed

• authenticating and authorising users every time they access a different system or file (this is part of what is called a “zero trust architecture”)

• monitoring for unusual behaviour regarding insiders accessing systems and files

• developing and nurturing a cyber-aware culture in the organisation.

In government systems, the public should be able to trust these procedures are being rigorously applied. However, when it comes to Musk and DOGE, it seems they are not. And that’s where the core of the problem lies.

Clearances and a lack of care

DOGE employees without security clearance reportedly have access to classified systems which would normally be considered quite sensitive.

However, even security clearances offer no iron-clad guarantees.

Security clearances assume someone can be trusted based on their past. But past performance can never guarantee the future.