Rear Adm. (Ret.) Mark Montgomery is a senior director at the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies. He directs CSC 2.0, which works to implement the recommendations of the Cyberspace Solarium Commission. Montgomery is a principal member of the Cyber Initiatives Group.
OPINION — The so-called Department of Government Efficiency (DOGE) has made headlines regularly in recent weeks, as it works to slash the federal workforce and do away with government inefficiencies. The quasi-official organization, created by the Trump Administration and led by Elon Musk — who, according to a court filing from the White House, is not an actual employee of DOGE and “has no actual or formal authority to make government decisions himself” — has gained access to the data of various government agencies, from the Department of Education to the Internal Revenue Service, the Treasury Department to the Pentagon.
There have been critiques of the wisdom of certain DOGE cuts, but cybersecurity experts are raising a the alarm over something else: the potential cybersecurity risks posed by what they see as unsafe practices of DOGE employees – including the use of personal devices with unknown security controls when working with government data, and reports that DOGE personnel don’t appear to have the proper security vetting or cybersecurity expertise. Federal judges have blocked DOGE access to several government networks amid these concerns.
The Cipher Brief spoke with retired Rear Admiral Mark Montgomery, who served as Executive Director of the Cyberspace Solarium Commission and is Senior Director at the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies, to discuss the cybersecurity risks associated with DOGE. Montgomery warned of shortcomings in the vetting of DOGE personnel and the agency’s cybersecurity practices. “Years of practices and governance and doing things the right way or holding people accountable for not doing the right way are thrown out,” Montgomery said.
Montgomery spoke with Cipher Brief Editor/Writer Ethan Masucol. Their conversation has been edited for length and clarity. You can also watch the full discussion on The Cipher Brief YouTube channel.
Masucol: Setting aside the debate over the work of the Department of Government Efficiency (DOGE), why is cybersecurity being brought up as an issue when we talk about this?
RADM Montgomery: We are allowing access to government systems by personnel and technology that has not been through the proper vetting or governance processes. And if we’re confused about whether DOGE can screw up, I would submit to you page one of The Washington Post and The New York Times for the last two weeks. There’s tons of administrative screwups in there. They accidentally fired the National Nuclear Security Agency workforce for some of our labs. There’s a lot of these issues. But very specifically for DOGE, if you can make those kinds of mistakes, my guess is you can make a cybersecurity mistake.
I’m for government efficiency. If you can find inefficiency, that’s great. I would not break all the rules of IT security and governance in doing it. There is no reason to do that other than they think they can. They don’t follow basic precepts of: has this person been properly trained on how to handle government information, on how to handle the PII – the personal identity information of people who’ve given it to the government? Things that we as citizens rely on. Things that President Trump has accused previous administrations of violating in the case of him and his supporters. He then is wantonly allowing these people to do it.
There’s this belief that Elon Musk is Superman, that he’s got some special cape and on cybersecurity he’s special because he’s made a lot of money in the IT world. Let’s be clear, his two current big companies, SpaceX and Tesla, are donkeys on cybersecurity. They’ve had terrible ransomware and/or breach-of-data incidents. They’re like everyone else. Telling me that Elon Musk is keeping an eye on cybersecurity is like telling me my five-year-old is keeping an eye on the car. That just doesn’t do it for me. It needs to be someone with a license, someone who knows how to follow the rules and someone who I would trust with the keys. So I’m very unhappy that we’re violating these basic governance rules with no accountability. And I suspect that the accountability for the people making these decisions won’t happen for months or years, if ever.
Everyone needs a good nightcap. Ours happens to come in the form of a M-F newsletter that provides the best way to unwind while staying up to speed on national security. (And this Nightcap promises no hangover or weight gain.) Sign up today.
Masucol: Are the issues here the vetting process and the personnel in DOGE? And there are reports that they’re using personal servers and computers, training AI models with government data, things like that?
RADM Montgomery: So yes and yes. Yes, I’m worried about the personnel, and the vetting was obviously awful. I mean, these people are measurably underqualified for the jobs that they’re doing. And then when you do the actual vetting of the human’s performance, you find all these things they’ve done both as a human, but also as a cyber professional, that cause you to think they should not be given unlimited access with no governance. There clearly was no vetting of people. If there’s vetting of people, you wouldn’t have had these guys.
If the Chinese didn’t already own OPM [Office of Personnel Management] previously, they’d probably be back in there right now. But my guess is they’re like, we’ve got enough of Montgomery’s records already. We’ll let it go.
This is a really frustrating thing. Years of practices and governance and doing things the right way or holding people accountable for not doing the right way are thrown out. What’s the standard now? When they leave, what’s the standard? Is the standard whatever I feel like doing?
Masucol: Is there a way to accomplish what the DOGE team is trying to do, and for them to have this kind of access, while safeguarding security?
RADM Montgomery: Sure — take your time and do it right. GAO [the Government Accountability Office] does great assessments. GAO does not do great assessments in 18 days. They do great assessments in 18 months. I’m not saying you have to take 18 months. I’m saying you have to take the time to do it right.
Masucol: I’m glad you brought up the GAO. It’s another body that seems to have the same access to networks for the same sort of auditing and efficiency review as DOGE. But the difference there is the time, as you said.
RADM Montgomery: And more importantly, the difference is the adherence to rules and governance structures. DOGE is not special. We’re treating it like it’s special. The president is treating it like it’s special. It will be proven to not be special.
Looking for a way to get ahead of the week in cyber and tech? Sign up for the Cyber Initiatives Group Sunday newsletter to quickly get up to speed on the biggest cyber and tech headlines and be ready for the week ahead. Sign up today.
Masucol: Why is this an issue that ordinary Americans should be worried about in terms of security compromises?
RADM Montgomery: Well, I would say the government owns a startling amount of information about you. And that information is not contained in one agency in one file, but in multiple agencies and multiple files and at different levels of information.
Your IRS information is fairly revealing and compromising in the sense of exposing you to financial malicious activity. Your information in HHS or Health and Human Services or Social Security Administration certainly could put you at risk for exploitation by criminal actors. And then for some of us who have been in the military, intelligence services, there’s information that puts us at risk from nation states and espionage. So I would say every American is probably affected in multiple agencies. And if you’re in the military or intelligence services or government service with clearances, then you’re especially affected.
Masucol: I don’t think DOGE is going to be slowing down anytime soon. So what are your thoughts, concerns, and suggestions going forward?
RADM Montgomery: I do think those will be slowed down by the court processes over time. You just have to get people who have standing. Some of this stuff will start to be impacted a little. I’d like to go back in time and make them adhere to standards — can’t do that. There’s no indication to me that they’re getting that much better. They might be a little, but as I said, some of the people that they failed to vet properly were fired and then rehired. So that is why I have little optimism.
The Cipher Brief is committed to publishing a range of perspectives on national security issues submitted by deeply experienced national security professionals.
Opinions expressed are those of the author and do not represent the views or opinions of The Cipher Brief.
Have a perspective to share based on your experience in the national security field? Send it to [email protected] for publication consideration.
Read more expert-driven national security insights, perspective and analysis in The Cipher Brief
DEEP DIVE — The “Salt Typhoon,” “Volt Typhoon” and “Silk Typhoon” cyber espionage campaigns have become symbols of China’s efforts to hack U.S. infrastructure – and […]More
EXPERT INTERVIEW — World leaders and tech executives are gathered in Paris for the latest global summit on artificial intelligence. The French AI summit, co-hosted by […]More
BOTTOM LINE UP FRONT — When word first came last week that China’s AI startup DeepSeek had launched an artificial intelligence (AI) assistant that could compete […]More
BOTTOM LINE UP FRONT — The U.S. is facing an onslaught from adversaries in cyberspace, and while conversations about the response has focused on bolstering cybersecurity […]More
EXPERT INTERVIEWS — Does Chinese ownership of the wildly popular TikTok app pose a national security risk to the United States? And if so, what should […]More
