Whistleblower Revelations Uncover DOGE’s Cybersecurity Lapses

DOGE Staffers Allegedly Breach Federal Cybersecurity Protocols and Data Privacy Laws

A recent whistleblower complaint has raised significant concerns regarding the cybersecurity practices within the Department of Government Efficiency (DOGE). According to the allegations, DOGE employees have reportedly circumvented essential federal cybersecurity protocols and data privacy regulations by manipulating access controls. This abuse of power enabled them to obtain extensive system access, surpassing even the privileges of the agency’s Chief Information Officer at the National Labor Relations Board (NLRB).

In the complaint, made public this week, it is asserted that DOGE operatives had unrestricted control over NLRB's cloud infrastructure. Alarmingly, there are no records or logs showing how these accounts were created. This lack of oversight raises substantial questions about the operational integrity of federal systems at a time of increasing digital threats. The whistleblower, Daniel Berulis, who holds a top-secret security clearance and has extensive experience as a DevSecOps architect, emphasizes that these actions may have led to a "significant cybersecurity breach" exposing government operations to foreign adversaries.

The filing enumerates several alarming lapses in cybersecurity protocols, including login attempts originating from Russian IP addresses just moments after the DOGE accounts were activated. This timing suggests that the newly created accounts may have been compromised soon after they were established, potentially indicating advanced adversary tactics at play. According to Berulis, the various failures within DOGE have culminated in at least 10 gigabytes of unexplained outbound data leaving the agency's systems. Such activity could indicate data exfiltration or unauthorized access, a critical violation of federal security standards.

One of the principal cybersecurity failures highlighted is the provision of "tenant owner" access rights to DOGE staff members without documentation or logging of these accounts. This act violates the foundational principles of identity and access management, as it opens the door to unrestricted control of sensitive data and infrastructure. The absence of records compromises the agency’s ability to audit and respond effectively to potential security incidents.
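The two indicators described above, a privileged account granted without a documented request and then signing in from an unexpected country within minutes, together with unexplained bulk egress, are the kind of correlation a defender would want to run over sign-in and audit logs. The following is an added example, not code from the complaint, the NLRB or any agency tooling: the event shape (`type`, `account`, `role`, `ticket`, `country`, `bytes`) and the sample records are constructed for illustration, and the thresholds are assumptions chosen to match the figures the article cites.

```python
"""Correlate constructed audit events to flag the indicators the article describes.

Three checks, each returning a finding dict:
  1. a high-privilege role assigned with no change ticket recorded
  2. a sign-in from outside the expected countries shortly after such a grant
  3. outbound transfer volume at or above an egress threshold
Event format and sample data are constructed assumptions, not a real log schema.
"""
from datetime import datetime, timedelta, timezone

PRIVILEGED_ROLES = {"Owner", "Global Administrator"}  # assumed tenant-level roles
EXPECTED_COUNTRIES = {"US"}                            # assumed normal sign-in origin
SIGNIN_WINDOW = timedelta(minutes=30)                  # grant-to-sign-in correlation window
EGRESS_THRESHOLD_BYTES = 10 * 1024 ** 3                # 10 GiB, the figure the article cites

# Constructed sample events (not real NLRB or Azure records). Deliberately out of
# chronological order to show that detect() sorts before correlating.
SAMPLE_EVENTS = [
    {"ts": "2025-03-04T09:00:00Z", "type": "role_assigned", "account": "svc-admin-01",
     "role": "Owner", "ticket": None},
    {"ts": "2025-03-04T09:12:00Z", "type": "signin", "account": "svc-admin-01",
     "country": "RU", "result": "failure"},
    {"ts": "2025-03-04T09:13:00Z", "type": "signin", "account": "svc-admin-01",
     "country": "RU", "result": "failure"},
    {"ts": "2025-03-04T10:05:00Z", "type": "egress", "account": "svc-admin-01",
     "bytes": 11 * 1024 ** 3},
    {"ts": "2025-03-04T09:30:00Z", "type": "role_assigned", "account": "jdoe",
     "role": "Reader", "ticket": "CHG-1234"},
    {"ts": "2025-03-04T09:40:00Z", "type": "signin", "account": "jdoe",
     "country": "US", "result": "success"},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(events, privileged_roles=PRIVILEGED_ROLES, expected_countries=EXPECTED_COUNTRIES,
           window=SIGNIN_WINDOW, egress_threshold=EGRESS_THRESHOLD_BYTES):
    """Return a list of findings; each is a dict with kind, account and ts."""
    findings = []
    last_grant = {}  # account -> timestamp of most recent privileged role grant

    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        ts = parse_ts(ev["ts"])
        account = ev["account"]

        if ev["type"] == "role_assigned" and ev["role"] in privileged_roles:
            last_grant[account] = ts
            if not ev.get("ticket"):
                # A tenant-level role handed out with nothing to audit it against.
                findings.append({"kind": "undocumented_privileged_grant",
                                 "account": account, "ts": ev["ts"]})

        elif ev["type"] == "signin":
            granted = last_grant.get(account)
            if (granted is not None and ts - granted <= window
                    and ev["country"] not in expected_countries):
                # Sign-in from an unexpected country soon after the grant; both
                # successes and failures are reported, since failures are the
                # early warning the article describes.
                findings.append({"kind": "signin_from_unexpected_country_after_grant",
                                 "account": account, "ts": ev["ts"],
                                 "country": ev["country"], "result": ev["result"]})

        elif ev["type"] == "egress" and ev["bytes"] >= egress_threshold:
            findings.append({"kind": "bulk_egress", "account": account,
                             "ts": ev["ts"], "bytes": ev["bytes"]})

    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events, the routine reports four findings for `svc-admin-01` (one undocumented Owner grant, two Russian-origin sign-in attempts inside the 30-minute window, one 11 GiB transfer) and nothing for `jdoe`, whose Reader role carried a ticket and whose sign-in came from an expected country. In a real environment the same logic would be fed from the tenant's sign-in and activity logs, which is exactly why the disabled logging described later in the article matters: without those records there is nothing to correlate.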

Moreover, the complaint asserts that NLRB staff were instructed to forgo limited auditing roles and instead grant DOGE unrestricted access. This deliberate contravention of established cybersecurity guidelines undermines the least-privilege approach of minimizing access during reviews of sensitive data, a strategy foundational to security best practices.

Additional critical lapses detail the use of obfuscated account identities, suggesting that DOGE staff may have used generic admin accounts of unclear origin. This pattern is a known red flag for insider threats, as it complicates accountability and the tracking of user actions. Such tactics align with MITRE ATT&CK techniques for persistence and defense evasion that hide the true identity behind an account and its activity.

The complaint has also uncovered the existence of hidden Azure containers and Shared Access Signature tokens configured for short-lived use, a pattern that echoes the concealment tactics frequently employed by cybercriminals. These elements highlight a failure to meet the logging and visibility standards required for effective threat detection and incident response.

Additionally, it has come to light that essential logging and monitoring capabilities had been disabled within the Azure environment. Such a gap leaves an agency virtually blind to unauthorized access attempts and potential security breaches, underscoring the necessity of robust multi-factor authentication and continuous monitoring.

Despite notable indicators of cybersecurity vulnerabilities and breaches, there was reportedly no action taken to notify US-CERT at CISA, as required under the Federal Information Security Modernization Act. That the notification was blocked by higher management raises further concerns about compliance with federal cybersecurity reporting mandates.

In summary, the situation within DOGE illustrates a troubling combination of cybersecurity failure and lapses in regulatory oversight. As these allegations unveil a narrative of systemic negligence, they underscore the pressing need for government agencies to adhere to stringent cybersecurity practices, lest they remain vulnerable to adversarial actions that threaten national security. The investigation into these claims continues, with the NLRB asserting that there has been no breach, while the White House has yet to comment on the matter.