@ Marcus Hutchins :verified:
2025-02-13 18:53:19
Interesting statement filed in the case against the Treasury and DOGE which gives us some cybersecurity insights. Here are the key takeaways:
- Only a single DOGE employee (25-year-old engineer Marko Elez) has direct access to the Treasury payment systems.
- The DOGE employee was only allowed to access the systems from an encrypted government-issued laptop.
- The government-issued laptop is equipped with monitoring software, data loss prevention, and tools to block internet access and the use of removable storage devices.
- Strict instructions were given that no data could leave this laptop for the duration of the engagement.
- The employee was meant to only have read access to Treasury systems, but was accidentally granted write access.
- Following the accident, the employee's laptop was examined and it was concluded that no data had been written during the mistake.
- After the employee temporarily resigned over racist Twitter posts, all access was revoked, and all government-issued equipment was recovered.
- The DOGE employee shared updates about his work with another DOGE employee, which "may have occasionally included screenshots of payment systems data or records".
My take:
If true, it seems that unlike other instances at different agencies, the Treasury abided by strict security protocols.
My only real cybersecurity questions here are:
1) The document claims screenshots of payment records were shared with another DOGE employee. It doesn't specify how they were shared. Was it just the authorized employee showing his screen to someone, or were they transmitted outside of the laptop? If it's the latter, then it calls much of the claims made in the article into question.
2) This statement isn't clear "The Bureau enabled enhanced monitoring on his laptop, which included the ability to monitor and block website access, block the use of external peripherals (such as USB drives or mass storage devices), monitor any scripts or commands executed on the device, and block access to cloud-based storage services."
The use of the phrase "included the ability to" isn't really clear on whether those security controls were actually being enforced. The phrasing could simply mean they enabled software that had those capabilities, but they weren't being used.
Now, cybersecurity aside, the bigger question is what was the purpose of any of this? To audit something as complex as a Treasury payment system, you'd need teams of forensic accountants.
A single 25 year old software engineer with no prior treasury experience poking around some files on a laptop is not an audit. The entire DOGE operation seems like a charade. The organization consists almost entirely of young engineers pulled from Musk's other companies, has produced no plan for how they intend to audit any of these systems, and lacks any oversight at all.
https://www.documentcloud.org/documents/25521978-gov/
https://media.infosec.exchange/infosec.exchange/media_attachments/files/113/998/084/512/015/506/original/81bb52baef818701.png