Since Trump took control of the Federal Government again late last month, Elon Musk has been on a hack and slash campaign throughout various Government agencies as part of the Department of Government Efficiency (DOGE), which has been accessing sensitive data, including Americans’ personally identifiable information (PII), and Government payment systems.

Then, last week, several Federal judges ordered that this access must be revoked across those same various Government agencies pending litigation, and that any and all data already in possession of DOGE and Elon Musk must be deleted.

But as anyone who works in cybersecurity (spoiler alert: I do!) will tell you: It’s too late.

In the cybersecurity field, there are two primary things we know about data security that dictate how we protect it. The first is that it is always infinitely better if the data is not stolen or accessed improperly in the first place. The second is that once data has been improperly accessed or stolen, it is practically impossible to ensure with absolute certainty that it is destroyed after the fact.

Of course, that is not to say these orders should not have come at all; they aren’t pointless. After all, one of the first things you do after a cybersecurity incident is contain the threat, so to speak.

But as I alluded to earlier, verifying and ensuring that this data was in fact deleted is a daunting task. Let’s set aside for a moment that most Federal judges are probably not this tech-savvy to begin with, or the fact that courts don’t have enforcement arms staffed with Judge Dredd.

First, the devices being used by DOGE staffers, or appointees, or whatever, would have to be enrolled and registered in mobile device management (MDM) services, and furthermore, these MDM systems would have to be under the control of the Federal court where the judge resides. Only that level of access and control would allow remediation scripts to search for and delete the target data.

Second, while you may be able to target and selectively delete the pilfered data, that still wouldn’t account for anywhere else the data found its way into or onto. For example, most users nowadays use automatic cloud backup solutions, and even if they aren’t using those, the data could very well have found its way onto a USB drive, or worse, been sent over email to someone else.

Tracking and logging all of these data movements and events would require a service like Extended Detection and Response (XDR) that also includes external USB control mechanisms. But these are not foolproof methods of protection either. Most XDR solutions control USB drives only in a coarse fashion, such as which drive manufacturers are allowed to be mounted on a computer, but they don’t police the data going to and from USB drives; they typically only scan it for malware.

And considering that it was already reported that DOGE was setting up and using private servers at these various agencies, it is hard to imagine that either their workstation devices or the servers they are using are tied into the normal Government systems. In other words, I highly doubt these devices and servers are attached to the primary control systems that other agencies and staffers would have access to anyway.

So even if you somehow overcame all of that, if any of that data was printed to hard copies, then good luck tracking those down for shredding. Plus, the list above barely scratches the surface. My point is that it becomes incredibly hard and complex to enforce an order such as the ones being issued by Federal judges right now, because by their very nature these orders are reactive as opposed to proactive measures.

Sadly, the ol’ rule of thumb still applies here: Once the data is improperly accessed or stolen, it is usually too late to unring the bell.

If it’s true that DOGE doesn’t have access to Americans’ personal data, as Elon Musk claims, or if they did have it and do in fact comply fully with the order and torch all of it, then this would be one of those very rare exceptions where all the data was definitively recovered and secured.

So while the judges’ orders are a welcome sign of life for democracy, I’m afraid that the damage has already been done, and all we can do now is police the fallout through reactionary methods.

However, the best course of action still remains for Congress to flex its legislative muscle and put in place proactive laws that prevent these kinds of situations in the first place.
