Testimony to the House Committee on Oversight and Government Reform

Hearing titled “The Federal Government in the Age of Artificial Intelligence”

View or Download the PDF

Data security breaches present significant dangers to everyone in the United States, from private citizens to corporations to government agencies to elected officials. Over the past four months, DOGE’s approach to data access has massively exacerbated the risk. DOGE employees have accessed and exfiltrated data from a variety of government agencies in order to, in part, train AI systems. Their actions have weakened security within the federal government by bypassing and disabling critical security measures, exporting sensitive data to environments with less security, and consolidating disparate data streams to create a massively attractive target for any adversary.

Data consolidation might seem harmless or even positive, but we have to understand what’s at stake when our data gets consolidated. Data is power. Any entity, whether public or private, that holds data about individuals has some ability to understand, predict, and manipulate their behavior. For example, major tech companies use people’s individual data to deliver advertising that shapes what we buy and even what we believe.

Our government collects much broader and more intimate data about Americans. The power of that data depends not just on the amount and sensitivity of the data, but also on how it is organized. The separation of government data into many separate stores across many agencies limits what the government—and potential malicious actors—can do with it. Accordingly, significant security, privacy, and liberty interests are built into that separation. Connecting disconnected data stores represents a massive increase in the power of whoever holds that data.

Whether you fear government tyranny, attacks from foreign adversaries, or attacks from domestic malicious actors, the AI-fueled consolidation of citizen data should make your fears grow. If the consolidation is carried out recklessly and in secret, as DOGE affiliates are largely doing, this new and unchecked power presents serious risks to every American.

What DOGE and its affiliates are doing with government systems and data

Starting in late January, DOGE personnel gained extensive access to government systems containing Americans’ sensitive personal data [1]. For example, at the Treasury Department they obtained access to payment systems that process trillions of dollars in government transactions. DOGE employees gained both “read” and, in at least one case, temporary “edit” access as well [2]. This means that they were able to both see and alter the data. At the Consumer Financial Protection Bureau, DOGE employees gained “read access” to sensitive financial data [3]. DOGE also gained access to health information, social security numbers, military records, and more from the Center for Medicare and Medicaid Services and from Veterans Affairs. DOGE accessed data [4] at many other major agencies including the Office of Personnel Management and Departments of Commerce, Education, Energy, Labor, Health and Human Services, and Transportation. (This period is discussed in more detail in Appendix A, “Understanding DOGE and Your Data.”)

Since January, DOGE has transformed from an agency to a more integrated program across agencies as many DOGE personnel and affiliates have moved into official roles within the government. In this new capacity, DOGE affiliates (who are no longer constrained in their data access by court orders or inter-agency agreements) have become widely embedded across agencies including Office of Personnel Management, the General Services Administration, Treasury, Health and Human Services, and many more.

At these organizations, they are overseeing a transformation of data practices that follows a common “DOGE approach” with 4 distinguishing features:

  1. Data consolidation: Exfiltrating and connecting the massive US databases to create a single pool of data that covers all people in the United States. This has long been a goal among some tech leaders: in fact, Oracle started as a CIA project, and aimed to create a database covering everyone in the US. Toward this end, DOGE affiliates are working to connect databases across many agencies, including highly sensitive data sets like IRS taxpayer returns which have been kept separate to encourage trust and tax compliance among the public.
  2. Reduced security protocols: DOGE affiliates have consistently removed access controls and audit logs, created unmonitored copies of data, exposed highly sensitive data to cloud-hosted tools, sought maximally permissive data access waivers, and omitted previously required security protocols for vetting staff.
  3. AI training and processing: Processing this data with AI tools, which exposes data outside carefully monitored environments.
  4. Outsourcing: Transferring control over data access to private companies, especially Palantir.

For example, at IRS, DOGE is attempting to create a single tool that would allow access to all data from IRS systems (consolidation) [5]. Public reporting indicates that Palantir employees were working on the projects without a signed contract that would stipulate security measures (reduced security protocols). The plan for the project involved using AI tools (AI) controlled by a private entity to manage access to all IRS data (outsourcing).

The data consolidation, removal of controls, AI use, and outsourcing to private sector actors may seem to enhance efficiency, but it actually amplifies known dangers of data in the hands of our adversaries.

The known dangers of data in the hands of our adversaries

Americans may disagree about who counts as an adversary, but everyone agrees we have them. And the more powerful someone is—whether they be an individual, a corporation, or the government itself—the more powerful the adversaries they attract.

We already know that America’s geopolitical adversaries are attempting to access the consolidated DOGE data. When DOGE staff gained access to sensitive NLRB data, a user with a Russian IP address immediately tried to log in with the staffers’ (correct) usernames and passwords [6]. These efforts happened “in near real-time”, with no lag between issuing log-in credentials and the log-in attempts. While these specific log-in attempts were blocked, they are likely the tip of a much larger iceberg.

What can our adversaries do with data?

Adversarial Use Case 1: Coercion

First, data can be used to ruin reputations, target people for harassment or financial ruin because of their political ties under a future administration, or undercut people’s businesses by leaking secrets to competitors.

Data can be used to coerce people for a variety of purposes: into revealing information, providing access, disavowing or changing their political positions, or otherwise cooperating with an adversary. The more powerful the person, the more valuable the coercion. Some of the basic techniques for using data for coercion include the following:

  • Blackmail and threats. Adversaries use government data profiles to find people to blackmail and threaten into giving up information, access, or decision-making power. These threats can leverage the most innocuous data. Something as simple as a home address or the name of a child’s school, which can easily be found on a tax return, can be weaponized. Threatening to leak sensitive data on social media and whip up an outraged mob (sometimes called doxxing) puts public figures and their families in immediate danger. Of course, stigmatized or secret behavior can also be identified from government data, including married public figures treated for STDs under Medicare or VA benefits, people who were treated for mental illness or drug use, people with unusual financial transactions indicating gambling problems or hidden investments, or people with family members facing these issues.
  • Bribery. It’s much easier to identify possible bribery targets when the adversary has access to financial data, like tax returns from the IRS.
  • Using sensitive corporate information. The data systems DOGE can access aren’t limited to individuals. There are reports of DOGE access at the Consumer Financial Protection Bureau, the National Labor Relations Board, the Federal Aviation Administration, the Food and Drug Administration, and more. All this data provides incredible leverage over companies: the ability to leak information about vulnerabilities to a competitor, identify We know that corporations are targets for nation-state actors, as in the SolarWinds attack from 2020, which gave the Russian government access to over 14,000 government and corporate systems.

Coercion doesn’t have to target the elected official or other public figure directly. Anyone with a relationship can be a target: the public figure, their staff, their family, their friends. In fact, access to broad data simplifies the process of mapping those relationships: an adversary can use this data to identify potential targets based on employment, residence, school similarities, etc.

Adversarial Use Case 2: Preparing the Battlefield for Cyberwar

The true risks of cybersecurity issues often aren’t seen right away. It may take months or years to maneuver into position to coerce critical public figures. But coercion isn’t the only risk.

In any future armed conflict with China or another nation-state-level actor, it’s highly likely that a first step would be to cause massive economic disruption, including targeting elite actors so they are distracted by personal concerns during the crisis. Data is a crucial resource in such a conflict: if the attacker wants to target bank accounts associated with members of Congress or military leadership, for example, data from OPM, IRS, and the Treasury Payments System (all of which have been accessed by DOGE affiliates) would be invaluable.

Adversaries can also use data and systems access—even if it is read only—to learn more about how to access systems in the future. It’s similar to allowing a thief to walk around your house and take pictures without touching anything. The thief can note vulnerabilities, the locations of valuables, and other useful information for future attacks.

Finally, we know that American adversaries have installed back doors in our critical infrastructure systems, like the power grid [7, 8]. This is a major ongoing threat to the public. Given the many security breaches and decreases in compartmentalization observed as DOGE has worked to centralize data and access, it is a certainty that American adversaries are looking to exploit those breaches to provide themselves with access going forward. Back doors into the Treasury Payments System or other crucial infrastructure could be immensely valuable in a cyberconflict.

How DOGE has created unprecedented cybersecurity risks for the American people and government

DOGE’s approach is making the risks of weaponization more real and the potential impacts more devastating.

Pooled sensitive data with weak cybersecurity protections creates significant risks to elected officials, national security, and the public as a whole. Some of the most serious risks come from the potential for access to this data because it can be more easily attained by both criminals and nation states. By combining vast amounts of data, and bypassing or disabling industry standard security protocols, DOGE affiliates have started to amass an irresistibly tempting honeypot for adversaries who want leverage over them.

In 2015 as part of a hack of the Office of Personal Management, China gained access to all data on the SF-86, the form used by government employees who are applying for security clearances, and possibly to a broader set of data on federal employees. This one time breach was widely regarded as a massive security threat, because it exposed extremely personal data about people in sensitive positions to an American adversary. China suddenly knew who had been hired for intelligence agencies, and had detailed dossiers. This breach pales in comparison to the potential magnitude of data exposure from the combined DOGE datasets, but many of the security risks are similar.

Bypassing security practices creates a risk of back doors and security breaches

DOGE’s lax security practices have been widely described in the media, and I have discussed them in my sworn declaration in AFL-CIO vs OPM (attached as Appendix B). DOGE and its affiliates have hired young, inexperienced staffers with minimal relevant background to work on critical infrastructure with major security risks. Worse, they have simply skipped the universal background checks required for people with sensitive access, leading to situations where staff with foreign ties and connections to criminal enterprises have been given broad access to critical data and infrastructure.

We know about some major breaches already: DOGE affiliates have posted classified information online, configured web and email servers in ways that allowed public attacks, and had their usernames and passwords used by actors with Russian IP addresses immediately after those credentials were issued.

Given the security breaches we know about, it is likely that there are many more we are not aware of. Once such access is revoked, it is possible to begin the work of identifying any back installed due to these lax practices. However, the process will take years of massive audits costing hundreds of millions of dollars. Claims that access has been “read only” cannot be trusted, meaning that identifying and eliminating vulnerabilities will take years and hundreds of millions of dollars in auditing and rewriting software to address. Until that audit process happens, there is no knowing who—inside or outside of government—controls what.

Consolidating data makes the risks of cybersecurity breaches worse

In a castle or an office building, one way to prevent access by thieves is to include multiple layers of access controls: key cards, keys, pass codes, a security guard, and more. This is known as defense in depth. As discussed above, DOGE and its affiliates have avoided many components of access control.

But another key component of cybersecurity is compartmentalization: once inside the metaphorical building, each person’s key only opens their own office. This limits the downside risk of any given breach. DOGE has been focused on combining data sets to create individual level profiles of each person in the United States. Instead of stocking each person’s metaphorical office with only the data they need, they propose to combine all the data rooms into a single large space which many government agencies can access. After consolidation, stealing credentials (an office key) doesn’t merely give access to one person’s office, but to the entire stash.

This creates an incredibly tempting target with many access points for any adversary. Any leaked or compromised data accessed by American adversaries can help adversarial actors identify people who may be able to offer them increased access. As the government increases its engagement with companies like Palantir, both federal agencies and those companies in turn become targets. In the meantime, opportunities for control and harassment by this administration or by future administrations are unprecedented, especially since the increase in AI capabilities allows vast amounts of data to be processed in real time.

Because DOGE and its affiliates have bypassed standard security practices, there is almost no way to do an audit on what data was copied or who has it. That ship has sailed. It’s quite possible we will see government data on US citizens and classified topics gradually emerge on dark networks in the years ahead. In the meantime, this administration, future administrations, and any adversaries who gain access to the consolidated data will have nearly unprecedented access to data they can use for coercion and hacking. While significant damage has already been done, ongoing access makes it much worse. Until the data pipeline is shut down, there is the risk that adversaries will have not only a single moment’s snapshot, but a constantly updated source of information on where to focus their efforts at blackmail, threats, and bribery on people based on current data.

Finally, any pooled data source will inevitably be prone to errors, as duplicate records, similar records, and data artifacts propagate through the connection. We have already seen major errors of interpretation, as when DOGE affiliates claimed there were people over 150 years old receiving SSA benefits. Those erroneous dates were an artifact of issues with date-handling in COBOL, a software language used in the mid-20th century to create many of SSA’s data systems. As data systems are pooled and centralized, errors will propagate and combine. AI tools are unlikely to reduce this issue, since they are not likely to have appropriate contextual information to assess how to manage errors.

Additionally, our adversaries could deliberately introduce errors into the data in an attempt to poison the AI systems. This is a known method of attack, and has been extensively researched within the AI security community.

Whether accidentally or deliberately, errors in the AI training data or input puts people at risk of having benefits cut off, or being targeted for fraud, across multiple systems rather than just one. It also results in an untrustworthy AI system. Unless the data inputs to the AI are known to be accurate and complete, the AI’s outputs cannot be trusted as accurate and complete. This is known as the integrity problem.

AI amplifies the dangers of data consolidation and shoddy security practices

Historically, one of the major limits on using data is the difficulty of searching through large volumes of data. As AI capabilities and deployment increase, that limitation decreases.

  • Using government data sources to train AI creates a permanent, untraceable record of the data. AI tools can access and return their training data, and can also use it to comb for vulnerabilities in either the system or the data.
  • This administration or a future administration could use AI tools combined with data access to create massive surveillance systems that target all Americans.
  • AI tools are not ready to take over for humans. No responsible company in the world is turning over its corporate decision-making or customer interactions to AI agents at scale. Using AI agents for higher-level systems creates exponential risks. There have been numerous stories recently of AI interfering with their being shut down, sending secret emails on its own, and so on. Giving AI agents the opportunity to do this on government services puts national security and public well-being at risk.

DOGE’s approach has already done irreparable damage to American security. However, the situation can get even worse. We must stanch the flow of data so that at least what our adversaries have taken will soon be outdated. By following the DOGE approach, the current administration has increased both the likelihood and the potential scale of attacks against us and endangered our safety, both individually and collectively. A decisive shift in the administration’s approach to data security can begin to right the ship.

Appendices

A. Alexander Pascal, Allison Stanger, Bruce Schneier, Kinney Zalesne, Nick Pyati, Sarah Hubbard, and Vivian Graubard. “Understanding DOGE and Your Data”. March 31, 2025. https://ash.harvard.edu/resources/understanding-doge-and-your-data/

B. Bruce Schneier: Declaration from AFL-CIO vs OPM, United States District Court, Southern District of New York, Case No. 1:25-cv-01237-DLC, April 21, 2025.

References

[1] The New York Times. “The People Carrying Out Musk’s Plans at DOGE.” Published in The New York Times, February 27, 2025. https://www.nytimes.com/interactive/2025/02/27/us/politics/doge-staff-list.html

[2] Jeff Stien. “Treasury revoked editing access ‘mistakenly’ given to DOGE staffer.” Published in The Washington Post, February 11, 2025. https://www.washingtonpost.com/business/2025/02/11/doge-treasury-access-marko-elez/

[3] Makena Kelly. “DOGE Is Now Inside the Consumer Financial Protection Bureau.” Published in Wired, February 7, 2025. https://www.wired.com/story/doge-access-consumer-financial-protection-bureau-data/

[4] Tanya S. Chutkan. State of New Mexico vs. Elon Musk. Memorandum Opinion and Order. February 18, 2025. https://storage.courtlistener.com/recap/gov.uscourts.dcd.277463/gov.uscourts.dcd.277463.29.0.pdf

[5] Makena Kelly. “Palantir Is Helping DOGE With a Massive IRS Data Project.” Wired, April 11, 2025. https://www.wired.com/story/palantir-doge-irs-mega-api-data/

[6] Jenna McLaughlin. “A whistleblower’s disclosure details how DOGE may have taken sensitive labor data.” NPR, April 15, 2025. https://www.npr.org/2025/04/15/nx-s1-5355896/doge-nlrb-elon-musk-spacex-security

[7] Ryan Lucas. “Wray warns Chinese hackers are aiming to ‘wreak havoc’ on U.S. critical infrastructure.” NPR, January 31, 2024. https://www.npr.org/2024/01/31/1228153857/wray-chinese-hackers-national-security

[8] Andy Greenberg. “China-Linked Hackers Breached a Power Grid—Again.” Wired, September 12, 2023. https://www.wired.com/story/china-redfly-power-grid-cyberattack-asia/

Categories: Computer and Information Security

Tags: Testimony

Sidebar photo of Bruce Schneier by Joe MacInnis.