Editor's note: This story is posted with permission from the anonymous federal employee who shared it with us. Some edits were made for length and clarity.
As someone who has worked in the federal government most of my life, both military and as a federal worker in the field of cybersecurity, I can tell you that Trump, Musk, DOGE and his DOGE workers (non-Civil Service Workers hired through loyalty) are the biggest insider threats the U.S. government has ever faced.
The following is written on behalf of and in support of all federal workers who have lost their jobs or are still working and are afraid they will soon lose their job because of OMB Director Vought's Project 2025 threats. It is my hope that by educating people on these issues, more people will contact their government representatives and force them to have the smartest people in the government (if they are still there) investigate the below concerns. And that senior leaders will no longer be fearful of allowing those people to investigate these issues, as it is their mandate to protect the U.S. against all enemies, both foreign and domestic.
Improper mail server installation
When I first learned of Musk placing an on-prem (physical) mail server within OPM against the advice of IT professionals at OPM, I was shocked and thought this could not be true, but it is true and it happened. I was further horrified to find out that it went through no authority-to-operate (ATO) nor was it required to comply with cybersecurity governance including a security control assessment. For those who have never worked in cybersecurity, let me explain why this is very bad and highly illegal.
When any government organization wants to add a computer to an office, there are security requirements that must be followed. While different organizations may have their own processes, most follow the standards made by the National Institute of Standards and Technology (NIST), which includes some of the most knowledgeable experts in the U.S. government. For example:
- Before the computer is even connected to the network, its configuration needs to be set up to prevent it from being a single point of failure.
- After the configurations are in place, security control assessors verify the configurations.
- Then, and only then, is the computer connected to the network.
Single point of failure
Now that you understand there is a process and DOGE did not follow it, get ready to freak out with me for a bit. DOGE's mail server has created a single point of failure, a critical security risk that cybersecurity professionals work to prevent every day. Our adversaries know of this vulnerability; this server is a single point of failure. Why does this matter? Because the DOGE OPM mail server is connected to the government's unclassified intranet. If compromised, this could provide our adversaries with broad access into the U.S. government's internal network.
Exploiting vulnerabilities to achieve unauthorized access
If you are not freaked out by this yet, bear with me a bit. Within the U.S. government's intranet, access is restricted on a need-to-know basis using VLANs (virtual local area networks) and other security methods. These VLANs ensure employees only access what’s necessary for their jobs. For example, an IT worker can't access budget or HR files unless explicitly required to do their job. My concern is that DOGE does have access to go into your financial data, access to your personal health information, and critical U.S. government operation details—such as continuity of operations plans, government contracts, and finances of Musk's competitors.
That’s just on the unclassified intranet. Once inside, foreign cyber actors only need to gain administrator access—either by escalating their privileges or targeting someone who already has admin rights.
If you recall, there was a recent email that went out by OPM asking employees to send 5 bullet points of what they did in the last week. This impulsive act by Musk and DOGE gives foreign cyber actors a roadmap to identifying system administrators, allowing them to steal credentials, gain admin access, and potentially infiltrate other government agencies with more sensitive data. By impersonating a system administrator, the bad actor can take full control of the network. Hackers call this Pwning.
Another concern about this impulsive action is that foreign intelligence can start to filter out those individuals who are not of interest and focus on those that are of interest. This is what happens when you apply the haphazard, "move fast and break things" philosophy from Silicon Valley to the U.S. government.
Questions to ask
So, the questions you should be asking right now are: Where is your data? How is it being protected? Did they obtain a Privacy Act of 1974 release to take your personal data from the government? What are they doing with your data? Did Musk pay for the data? Was there a contract that allowed them to take your data? Did DOGE follow federal acquisition regulations including putting out a request for proposal to allow Musk's competitors to obtain the contract?
Okay, now onto the classified network concerns. These individuals from DOGE are likely using the same haphazard approach on our classified networks.
These impulsive actions without oversight can destroy the U.S. government's ability to continue to collect on foreign cyber actors, foreign intelligence organizations, terrorists and other threat actors who may be planning ways to attack the U.S.
In the following days, pay attention to the ongoing hunt for disloyal workers. Federal workers are loyal to the U.S. Constitution and the people; we are not loyal to a President or a wannabe King. Federal workers have worked for multiple Presidential administrations and in our work, we are apolitical, but we do have 1st Amendment rights to freedom of speech and we are allowed to discuss politics and disagree with Presidential administrations.
If the Trump administration starts firing workers for saying things that they consider to be disloyal in chat, email or at work in water cooler conversations, then be very concerned. I paraphrase Macklemore when I say, "You must stand for something or you will fall for anything." Keep educated about what this administration is doing and pay attention! We will get through this if we don't cooperate with authoritarianism, we resist fascism, and we continue speaking truth to power!
In closing, as workers, we need to build up the strength of unions everywhere, vote with our wallets, and fight for workers' rights! We all have a right to life, liberty and the pursuit of happiness! Don't let them take away our freedom or our democracy!