The Department of Government Efficiency (DOGE) has been on a mission to reduce government waste, fraud, and abuse since its inception, and per its website has saved approximately USD $115 billion via a combination of workforce reduction, grant cancellation, fraud deletion, and contract cancellations/renegotiations, among other initiatives. DOGE’s aggressive scrutiny of a bloated government bureaucracy has been championed and condemned, particularly with its efforts to identify positions that could be cut in a government workforce that has grown to little more than three million people, according to the Bureau of Labor Statistics.  Such action has naturally generated concern about losing experts and those with deep rooted institutional knowledge about their respective fields and mission areas, prioritizing efficiency and cost savings over key government mandates like national security.

One area that has raised alarm bells is the potential loss of experienced cybersecurity professionals, and that departments and agencies may look to cut cyber personnel in an effort to fulfil its mission. Part of this process has been to freeze hirings and even let go probationary employees as part of this process. This has led some agencies, like the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency (CISA) to fire its 130 probationary cybersecurity hires. In fact, one online tech news source stated that DOGE’s activities cut CISA’s red team pentesters as part of the purge.  This has caused many to condemn DOGE, citing the nation’s cybersecurity being put at risk for these irresponsible actions.  A former National Security Agency cybersecurity director stated that these cuts would have a devastating impact on the country’s cybersecurity apparatus to include future government recruiting efforts of IT specialists and cyber personnel.

A second area of concern is DOGE’s administrator level technical access to some federal systems, to include federal payments, as well as Social Security and Medicare, to name a few, calling into question their need to access the personal identifiable information of citizens. It should be noted that although the fear is that this information can be stolen and used for other nefarious purposes, there have not been any reported instances of malfeasance.  Additionally, another worry is that DOGE is quickly deploying major software changes in departments without having proper planning and testing prior to deployment, potentially creating opportunities for malware insertion or access points to sensitive data.  Others think that despite being technically capable, the DOGE staff is too young and inexperienced with how the government operates and therefore will not be effective.  In essence, the message behind their criticism is quite clear: DOGE’s efforts are creating more vulnerabilities in the government’s cybersecurity posture rather than strengthening it.

Removing political antagonism from the equation, many of these concerns are worthy of question, if only to get a better understanding of what’s going on and how things are being done.  And while it’s always good to make certain that organizations are not straying from their roles, it is reassuring to see that in the case of DOGE, there are already mechanisms in place to provide oversight and ensure that its activities do not impact critical responsibilities like national security.  For example, a judge weighed in to deliver a check to counterbalance some DOGE activities by restricting staff to “read only access” until its needs to gain visibility into IT systems could be better adjudicated.  Dovetailing with this, the Office of Personnel Management is currently engaged in an intensive review to see if DOGE’s activities are creating major cybersecurity vulnerabilities, and make sure that its efforts haven’t overstepped its boundaries, which would ostensibly include federal employee retainment.  In fact, the president reaffirmed to his Cabinet members that they are the ones with the power to make their own staffing decisions, not DOGE, and made a special point to tell federal agencies that they should avoid firing cybersecurity personnel.

Still, the country’s polarization is no doubt fueling some of the more aggressive news articles looking to incriminate DOGE’s mission, calling into question whether the motives for writing them are rooted in trying to create more fear and uncertainty than remediating a potential problem of over-reach.  After all, DOGE has a mission many people support though are critical of the manner in which how DOGE goes about its business.  And that is the part that can be easily fixed.  Identifying and replacing outdated IT equipment in itself is not only a financial savings, but a necessary one especially in a national security context.  A 2023 Government Accountability Office (GAO) report expressed the same sentiment, revealing that outdated and slow IT systems impacted government operations and put taxpayers at risk.  Furthermore, the GAO report acknowledged that Congress had long recognized that this was a vulnerability for the federal government and though funding was made, the replacement and updating of these systems always seemed to face obstacles.  Therefore, any means to expedite a process traditionally mired in bureaucratic inertia should be considered a positive outcome.  The personnel issue is trickier and one that deserved its own check.  And it got one when federal judge ordered those 130 probationary employees fired to be reinstated, and the Administration complied, giving more time to reexamine how such cuts are to be made and if there so many are fundamentally needed. 

Ultimately, the question remains: is DOGE a threat to cybersecurity?  I suggest that it is not and is more of a threat to bureaucracy that seeks to expand itself for the sake of securing larger budgets.  There is a saying in government when it comes to budget time: use it or lose it.  And cybersecurity has benefitted from increasing budgets year after year.  This is not to say that budget increases have not been needed because they have, but it does raise the question if the increased amounts have been used effectively and efficiently, and more importantly, what metric might prove a true measurement of that success.  On that point, it is more difficult to say.  New equipment or more bodies do not necessarily translate into an immediate reduction of cyber incidents occurring within an organization.  When reviewed by the GAO, government agencies have historically fared poorly when reviewed for cybersecurity preparedness in the past, though there has been a marked improvement over the past years in following the recommendations of organizations such as the Cyberspace Solarium and even by GAO’s 2022 report.  But incremental changes are not on pace with a fast-moving, constantly changing cyber domain or the myriads of threat actors operating in it.

Musk is the person whose unorthodox style of doing business was once championed by the other side of the political aisle but now falls squarely in their crosshairs.  And though his methods are now being questioned, he certainly has demonstrated an innovator’s acumen for other areas where had no extensive background like space travel, and on which the primary government agency involved in that very mission relies heavily.  To think he has no understanding of cybersecurity would be silly given that he has leading companies in electric vehicle production, social media, and space travel, and is aware of the need to protect the cutting-edge intellectual property/technology driving them from prying cyber eyes.

There is no question that DOGE needs to take security seriously, but it’s equally important for detractors to be very specific about where it is going awry.  There is an opportunity to set DOGE right, ensure that it uses the established channels, and to keep rigorous oversight of its activities, bringing it to the table when it’s warranted, and helping to correct its path when it steers off course.  Perhaps instead of combatting DOGE’s work, it would be more advantageous for organizations to become more active stakeholders collaborating with it.  Each department knows itself best, and while cost-cutting is easily done by anyone in charge of cutting fat without knowing the inner workings of an agency, the context of the cuts and their impacts on that agency would greatly inform DOGE how to do its job better.  And that extends to cybersecurity as well.