DOGE is putting the country’s data and computing infrastructure at risk, HKS expert argues

Before the Trump administration took office, what has become known as DOGE, or the Department of Government Efficiency, was touted as a tool for injecting private sector efficiencies into the federal workforce. Under the leadership of Elon Musk, DOGE has taken an unexpectedly radical tack—it has initiated mass layoffs and the wholesale shuttering of federal offices and agencies, such as the U.S. Agency for International Development. Perhaps less visible are the effects of DOGE’s unprecedent access to many highly sensitive federal databases and payment tools. Bruce Schneier, a security technologist and lecturer at the Kennedy School, wrote about this for The Atlantic and Foreign Policy. We spoke with him to learn more about the risks to federal data.
 

Q: Staffers with DOGE have accessed the internal computer systems and other databases of numerous federal agencies and offices to look for evidence of what they claim is waste, fraud, and abuse, as well as to identify areas for greater efficiency. On the surface, why does this pose a problem?

Bruce Schneier: My concern is less with their goals and more with their tactics.

There are many actors, foreign and domestic, government and criminal, that want access to, and control of, both our data and computing infrastructure. So, as a nation, we spent a lot of time and effort and money on cybersecurity. And what DOGE is doing is bypassing that security. They are accessing data through insecure means. They’re copying data onto unprotected servers. They’re using it to train AIs. In some cases, they’re modifying government systems in ways that have not been tested. And all of this provides opportunities to our enemies.

If you are the governments of China, Russia, North Korea, and Iran (or elsewhere), this is an avenue for your own access—to piggyback on DOGE’s actions for your own benefit. You might get it by trying to break into the newly modified government computers. You might get it by going after the copies that DOGE has made. You might find your access has been made easier because government security personnel have been relieved of their duties.
 

Q: If we aren’t talking about highly classified information like military secrets, how does DOGE’s access to data that is not explicitly tied to national security pose a threat?

Schneier: We think that military computers have been spared so far, but we don’t know. But even if information is not classified as a military secret, much of the information in these systems is highly sensitive. The Treasury Department data of who the government pays is sensitive. So is the Office of Personnel Management’s data, which includes the detailed security clearance forms of everyone with a clearance. USAID data includes the names of foreign individuals we work with, some of them already at risk of arrest and worse in their home countries. All of this data is sensitive in its own way, and for all of it there are those who want it for their own purposes.

In 2024, China hacked the Office of Personal Management (OPM) and took copies of some of that data. They wanted to be able to map who is involved in government, who has a clearance, and who might be a spy entering their own country. That attack was a big deal when it happened.

The Treasury Department data includes details on the money the U.S. government pays to people. This is money that’s being paid to elected officials, to judges, to police officers, to CEOs. It’s very valuable data for coercive purposes.

These government systems are now less secure than they were because of DOGE’s actions. And here again, we don’t know the full extent of what is going on. We hear that systems are being modified, that unsecured mail servers are being attached to networks. This is an even bigger security issue. Attackers could potentially gain access through vulnerabilities in these new changes—whether hardware or software. And this level of access also means the potential to control. So, could Russia threaten to shut down our payments network, either wholly of selectively? Could they delete people from our personnel databases, or add people? What happens if we lose our ability to know who has a security clearance or not? The ramifications of this are scary, and go well beyond “government efficiency.”