
Cyber pros argue that the new Elon Musk-led department might have breached federal cybersecurity laws. The community is discovering new defaced pages on DOGE.gov that remain accessible three days after the cyberattack was widely announced.
Elon Musk’s Department of Government Efficiency (DOGE) is still reeling from last week's cyberattack. Despite the public outcry, the cybersecurity community on Reddit is discovering additional defaced pages still available on Monday.
“This .gov is hosted on insecure Cloudflare Pages,” one of the pages on DOGE.gov reads.
Cybernews reported that lax DOGE cybersecurity practices allowed hackers to access the website’s databases, which were left publicly open. They left messages calling the website a joke.
Now, cybersecurity experts argue that the website doesn’t comply with the minimum requirements set by law.
The Federal Information Security Modernization Act (FISMA), the FedRAMP Authorization Act, and similar legislation require all executive agencies to comply with minimum cybersecurity standards even when storing non-sensitive data.
“As a DoD contractor in cybersecurity, I really hope they get held accountable for this. Not an IL2, or IL5 (security categorization impact levels), or FedRAMP-certified platform. Storing CFI/CUI (controlled federal/unclassified information) and the spillage event. No ATO/ATC (authority to operate/connect) to even use this ‘program,’” one expert said.
This means that the website’s security is completely inadequate even for storing non-sensitive data.
Other experts explained that private-sector contractors must adhere to very strict cybersecurity standards when serving government sites. DOGE seems to disregard all of them.
“I really hope this gets noted for how far short it falls from the standards that contractors supporting critical functions of the federal government have had to adhere to,” one expert said.
“Threat actors aren’t going to stop trying to hack into or exfiltrate data because ‘we’re trying to be more efficient.’”
The expert also noted that their company had to work very hard to build certified platforms and get authorizations.
“I work for a cybersecurity SaaS firm that sells a FedRAMP product. As we approach this year's audit, I keep thinking, why do they bother auditing us? We're held to a much higher standard than our customers in this space,” another cyber pro said.
The DOGE department is slashing federal spending by cutting funding to numerous organizations and drastically overhauling or eliminating government employees, agencies, and programs. Some noted the irony that cybersecurity is also seen as “inefficient.”