A federal judge’s order that Elon Musk’s team temporarily cease boring into the Treasury Department’s payment systems raises a far larger question: whether what Elon Musk has labeled the Department of Government Efficiency is creating a major cyber and national security vulnerability.
The activities of Mr. Musk’s government cost-cutting effort, U.S. District Judge Paul A. Engelmayer said in his order on Saturday, risk “the disclosure of sensitive and confidential information” and render the Treasury’s systems “more vulnerable than before to hacking.”
It is a risk that cybersecurity experts have been sounding alarms over in the past 10 days, as Mr. Musk’s band of young coders demanded access to the Treasury’s innermost systems. That access was ultimately granted by Scott Bessent, the newly confirmed Treasury secretary.
But other than vague assurances that the new arrivals at the Treasury’s door had proper clearances, there was no description of how their work would be secured — and plenty of reason to believe that it would make it easier for Chinese and Russian intelligence services to target the Treasury’s systems.
That was the central argument made by 19 attorneys general as they sought a temporary restraining order to get Mr. Musk’s workers out of the Treasury systems. And Judge Engelmayer endorsed it on Saturday, limiting access to existing Treasury officials until a hearing next week in front of a different federal judge.
The government has maintained that Mr. Musk’s team has been limited to reviewing “read-only” data in the Treasury Department’s systems, though the administration is now placing appointees in positions where they could do much more.
The concern about the targeting of the department is hardly hypothetical: In December, the agency said in a letter to Congress that a Chinese intelligence group had broken into its systems and stolen unclassified material. A full assessment of that damage has not been made public. But it was a reminder that the Treasury Department — as much as the Pentagon and its contractors, the C.I.A. and the White House — is high on Beijing’s target list. And any new access to the agency’s systems potentially creates a new way in for intruders.
In the days before the order, concerns over the potential security vulnerabilities created by Mr. Musk’s project were rampant. The Washington Post reported that a subcontractor to Booz Allen Hamilton, the firm that runs much of the Treasury’s threat detection center, had issued a written warning; it was retracted after its contents were leaked.
Outside experts have described, in detail, what could happen when an outsider gains sudden access to a locked-down system: Personal data could leak, payments could be diverted and information about political rivals could be collected.
Bruce Schneier, a cybersecurity expert at Harvard and the author of a series of books on security vulnerabilities, including “Click Here to Kill Everybody,” called the entry of Mr. Musk’s force “the most consequential security breach” in American history.
Mr. Schneier noted that the intrusion came “not through a sophisticated cyberattack or an act of foreign espionage, but through official orders by a billionaire with a poorly defined government role.”
Mr. Musk, of course, is attuned to cybersecurity issues. Starlink, the satellite system run by his company SpaceX, kept Ukraine in communications after the Russian invasion and is considered highly secure. So are the reusable rocket operations of SpaceX, which China’s space engineers have been eager to replicate.
So federal officials say that they have been shocked by the carelessness with which Mr. Musk’s workers pierced government systems, including two that are repositories of millions of sensitive records: the Treasury and the U.S. Office of Personnel Management, both of which have been major targets of China’s intelligence services.
“The Treasury Department is a significant foreign policy actor in its own right,” James Goldgeier and Elizabeth N. Saunders wrote on Friday in Foreign Affairs. The authors, who are fellows at the Brookings Institution, noted the agency plays a central role in sanctions policy. The major sanctions targets — China, Russia, Iran and North Korea — are also the primary cyberadversaries for the United States.
“If Musk’s team has access to and can rewrite the code directing U.S. government payments, the cybersecurity and privacy risks would be massive,” they wrote. “Hostile intelligence services are likely already at work trying to assess which Musk team members might be sloppy with their digital devices or vulnerable to entrapment or coercion.”
The authors also noted that if Mr. Musk’s team has been granted security clearances, as the White House insists, it would most likely be with minimal to no vetting, a process that usually takes months.
During the Obama administration, Chinese intelligence services pierced the Office of Personnel Management’s files on the security clearances of more than 20 million Americans. American officials assume Chinese agents combined that data with stolen records from Starwood hotels and the Anthem health system to draw a picture of where the officials were traveling and who they worked with.
“Foreign adversaries typically spend years attempting to penetrate government systems like these, using stealth to avoid being seen,” Mr. Schneier said. “In this case, external operators with limited experience and minimal oversight are doing their work in plain sight and under massive public scrutiny,” with high-level access to “America’s most sensitive networks.”
Mr. Musk’s group says that it is using “radical transparency” as it examines the spending patterns of government agencies. But little is known about how those on his team are getting access to information or whether they are making changes to systems that might introduce security vulnerabilities. The Trump administration has not revealed the names of most of the young Musk recruits, nor explained what kinds of clearances they have.
In a letter this week to Senator Ron Wyden, the Oregon Democrat who raised concerns about the cost-cutting team’s work, Jonathan Blum, a Treasury official, said there was no reason for concern.
“Treasury has no higher obligation than managing the government’s finances on behalf of the American people,” he wrote, “and its payments system is critical to that process. In keeping with that mission, Treasury is committed to safeguarding the integrity and security of the system.”
He said the protections in the system were “robust and effective” and under constant review.
The post The Musk team’s Treasury access raises security fears, even after an ordered pause. appeared first on New York Times.