America’s unfolding cybersecurity catastrophe
In which the United States has been compromised by a domestic adversary and faces a future where no Five Eyes nation with an ounce of self-preservation will trust it as an intelligence partner.
The ongoing incursions into America’s sensitive and critical federal government databases, networks, financial systems, and code repositories are likely the most significant breach of a nation state’s cyber sovereignty in history. America has a national security and cybersecurity crisis on its hands whose impact extends well beyond the U.S.: it is staring down a future in which none of its fellow Five Eyes nations will trust it for intelligence sharing.
Every United States government and DoD security standard has been circumvented by not a nation-state threat — but by a domestic adversary.
The payment system at the U.S. Treasury Department has been taken over, and private citizens, Elon Musk’s Department Of Government Efficiency, have admin privileges. Extensive and untested changes have been pushed into the Treasury’s code base to create backdoors into critical payment controls. The GSA has been taken over by the same operatives, Musk’s acolytes. They also seized control of USAID in order to dismantle it: classified information has been accessed, its employees have been harassed, locked out, and threatened, and its website and DNS records have been wiped. Its new head, Pete Marocco, was identified as a January 6 rioter who participated in the attempted insurrection.
The same operatives have taken control of the OPM and installed a private server on its network to seize federal workers’ data, intercept communications, and pose as government officials sending unencrypted mail to over two million government workers (creating unsecured comm channels that were subsequently barraged with spam, and very likely malware). The server has been used to access employee PII, deactivate staff emails, send and store unencrypted data, and lock government workers out of systems. Given that the server’s privacy impact assessment was written only after the fact, we can expect that no standardized authentication and monitoring schemes are in place.
In cybersecurity terms, DOGE is “insider threat,” APT (Advanced Persistent Threat), and domestic adversary combined, and one that we can be sure has wildly varying levels of cybersecurity competency and security hygiene.
Initial impressions would have us believe the DOGE assault on government systems is being done by clownish pimply-faced kids, mere opportunists for whom computer security is an afterthought. Yet we can see this was a planned operation. These threat actors are more like what an infosec colleague described as “those Nazi red team assholes who go to DEF CON.” But they are also skids, “script kiddies.” For example, DOGE’s Edward Coristine was fired from enterprise security firm Path, a provider of DDoS prevention services, for sharing company information. Afterward Coristine bragged on Discord that he had backdoor access to Path’s systems and openly asked where to find a readymade L7 tool, meaning one used for Layer 7 (application-layer) DDoS attacks.
Who needs backdoors when you can use the front?
Controls exist because massive failures made them necessary. Perhaps you’ve heard of the 2015 Office of Personnel Management (OPM) breach, in which its background-investigation database was breached and exfiltrated. That’s when we learned that among the records held by OPM are extremely detailed data from background checks on U.S. spies, which can include NSA, military and intelligence personnel. At least 21 million people, current and former government employees and applicants among them, were exposed; cleared spies and lab employees alike had their secrets spilled (and lives put at risk), as did then-FBI director James Comey. It got worse when OPM admitted 5.6 million fingerprints were in the stolen databases. Biometric data. Current and former intelligence officials said at the time that the threat to national security was so massive it “will last for decades and cost billions of dollars to monitor.” That was ten years ago.
But what happened within the past two weeks is the physical equivalent of a man-in-the-middle attack (MITM): an unauthorized server interposed between federal workers and the systems that hold their records. It is bad for so many reasons, but it is also the worst-case scenario for people who have applied for positions requiring a clearance.
The U.S. Treasury, GSA, OPM, USAID, USDS, NOAA, and more, and counting. These are not networks that handle only unclassified information, and even their unclassified segments hold sensitive data. These systems are among the highest-value targets in the world for foreign threat actors.
And unlike espionage, where no one knows you’re being compromised and attacked — which is what these systems were fine-tuned to prevent — the entire world knows that when it comes to the U.S., everything is compromised now. The world is watching this happen in real time.
By circumventing layers and years of federal security standards, rules, and procedures, DOGE has officially turned U.S. systems into lower-risk, easier targets for nation-state adversaries. Back when the United States was still a hard target (last month), one of those adversaries expended considerable time, effort, and resources to hack the law enforcement wiretapping backdoors built into U.S. telecom systems. Foreign threat actor Salt Typhoon’s espionage attack was under investigation January 23rd when the White House dismantled Homeland Security’s Cyber Safety Review Board (CSRB), the group that was in charge of the investigation. Wednesday, Cybersecurity and Infrastructure Security Agency (CISA) employees were presented with the government-wide “Deferred Resignation Program” upsell-to-nowhere and less than one day to accept or decline it. For U.S. adversaries seeking intelligence or wishing harm on critical infrastructure, for stealing secrets or poisoning information wells, this is like waving a red flag at a bull.
The ongoing DOGE compromise, combined with the Trump administration’s freezing of federal aid (including the Cybersecurity Grants program, which was meant for securing U.S. infrastructure) threatens all aspects of U.S. public, corporate, private, and government cybersecurity. Remember the Colonial Pipeline attack in 2021 and the critical vulnerabilities found in industrial control switches? That’s U.S. cyber infrastructure.
Distributed Denial of Problem
No one with decision-making power learned from the US Capitol assault on January 6 — that is, to think beyond the concept of “foreign adversary” and acknowledge white supremacist domestic terrorist hackers as an extremely serious threat. They might as well have reset the U.S. federal government’s password to “123456.”
For the most part, the cybersecurity industry is ostriching and “business as usual.” Yet all parts of cybersecurity and national security, public sector and private, are affected or will be very soon. Nearly everyone in cyber works at companies that do business with the U.S. government in one way or another, and now some randos with no experience, no clearance, and no security checks, selected for loyalty, have access to company data and dealings, not to mention contracts and payment approvals. Trump cannot be reasoned with. DOGE does not care about orders from judges or lawsuits. Just wait until cybersecurity contracts hinge on anti-DEI hiring language.
Opinion pieces are emerging in the world outside with headlines like “It is time to move the UN and international law out of the West.” Yet domestically, the front page of Washington Post has “Judge bars Trump from putting additional USAID workers on leave” and “Trump needs to erect guardrails for DOGE.” Thoughts and prayers. CNN has “Trump says he’s revoking Biden’s access to classified information” and “Time magazine’s provocative cover puts Elon Musk behind Trump’s desk.” New York Times has two top headlines right now: “Young Aides Emerge as Enforcers in Musk’s Broadside Against Government” and a “Smoky, Buttery Shrimp” recipe.
The U.S. now faces a new global awareness about itself, where even if a different White House regime takes control in four years, America is a country just one election away from destabilizing again and becoming a high-risk intelligence threat. No nation with any interest in an independent, stable future will share intelligence information with the U.S. when they know it’s a matter of when, not if, that information will be shared, traded, stolen, stored on unsecured servers, sent via unencrypted channels, or leaked.
It almost feels rude to our adversaries who’ve spent millions, untold resources, people, sweat, training, and decades of costly strategy and PR skirmishes with the end goal of pwning the United States only to watch us do it to ourselves like a deranged child gleefully licking a light socket.
Violet Blue has reported on hacking and cybersecurity for over fifteen years with bylines at CBS News, CNET, CNN, Engadget, Financial Times, PC World, Popular Science, Tech Republic, The Spinoff, and many more. Her independent reporting is made possible through the support of Threat Model Patrons. Ms. Blue is also an award-winning author. Image via Wikimedia Commons/James Nash (aka Cirrus), license CC 2.0. Edited to fix typo.