Whistleblower details how DOGE may have taken sensitive NLRB data : NPR

Jenna McLaughlin

The DOGE team may have taken data related to union organizing and labor complaints and hid its tracks, according to a whistleblower.
Charlotte Gomez for NPR

In the first days of March, a team of advisers from President Trump's new Department of Government Efficiency initiative arrived at the Southeast Washington, D.C., headquarters of the National Labor Relations Board.

The small, independent federal agency investigates and adjudicates complaints about unfair labor practices. It stores reams of potentially sensitive data, from confidential information about employees who want to form unions to proprietary business information.

The DOGE employees, who are effectively led by White House adviser and billionaire tech CEO Elon Musk, appeared to have their sights set on accessing the NLRB's internal systems. They've said their unit's overall mission is to review agency data for compliance with the new administration's policies and to cut costs and maximize efficiency.

But according to an official whistleblower disclosure shared with Congress and other federal overseers that was obtained by NPR, subsequent interviews with the whistleblower and records of internal communications, technical staff members were alarmed about what DOGE engineers did when they were granted access, particularly when those staffers noticed a spike in data leaving the agency. It's possible that the data included sensitive information on unions, ongoing legal cases and corporate secrets, data that four labor law experts tell NPR should almost never leave the NLRB and that has nothing to do with making the government more efficient or cutting spending.

Meanwhile, according to the disclosure and records of internal communications, members of the DOGE team asked that their activities not be logged on the system and then appeared to try to cover their tracks behind them, turning off monitoring tools and manually deleting records of their access, evasive behavior that several cybersecurity experts interviewed by NPR compared to what criminal or state-sponsored hackers might do.

White House senior adviser Elon Musk walks to the White House after landing in Marine One with President Trump on March 9.
Samuel Corum/Getty Images

The employees grew concerned that the NLRB's confidential data could be exposed, particularly after they started detecting suspicious login attempts from an IP address in Russia, according to the disclosure. Eventually, the disclosure continued, the IT department launched a formal review of what it deemed a serious, ongoing security breach or potentially illegal removal of personally identifiable information. The whistleblower believes that the suspicious activity warrants further investigation by agencies with more resources, like the Cybersecurity and Infrastructure Security Agency or the FBI.

The labor law experts interviewed by NPR fear that if the data gets out, it could be abused, including by private companies with cases before the agency that might get insights into damaging testimony, union leadership, legal strategies and internal data on competitors, Musk's SpaceX among them. It could also intimidate whistleblowers who might speak up about unfair labor practices, and it could sow distrust in the NLRB's independence, they said.

The new revelations about DOGE's activities at the labor agency come from a whistleblower in the IT department of the NLRB, who disclosed his concerns to Congress and the U.S. Office of Special Counsel in a detailed report that was then provided to NPR. Meanwhile, his attempts to raise concerns internally within the NLRB preceded someone physically taping a threatening note to his door that included sensitive personal information and overhead photos of him walking his dog that appeared to be taken with a drone, according to a cover letter attached to his disclosure filed by his attorney, Andrew Bakaj of the nonprofit Whistleblower Aid.

The whistleblower's account is corroborated by internal documentation and was reviewed by 11 technical experts across other government agencies and the private sector. In total, NPR spoke to over 30 sources across the government, the private sector, the labor movement, cybersecurity and law enforcement who spoke to their own concerns about how DOGE and the Trump administration might be handling sensitive data, and the implications for its exposure. Much of the following account comes from the whistleblower's official disclosure and interviews with NPR.

"I can't attest to what their end goal was or what they're doing with the data," said the whistleblower, Daniel Berulis, in an interview with NPR. "But I can tell you that the bits of the puzzle that I can quantify are scary. This is a very bad picture we're looking at."

The whistleblower's story sheds further light on how DOGE is operating inside federal systems and comes on the heels of testimony in more than a dozen court cases across the United States that reveal how DOGE rapidly gained access to private financial and personal information on hundreds of millions of Americans. It's unclear how or whether DOGE is protecting the privacy of that data. Meanwhile, the threatening note, though its origins are unknown, is reflective of the current climate of fear and intimidation toward whistleblowers.

Tim Bearese, the NLRB's acting press secretary, denied that the agency granted DOGE access to its systems and said DOGE had not requested access to the agency's systems. Bearese said the agency conducted an investigation after Berulis raised his concerns but determined that no breach of agency systems occurred.

Notwithstanding the NLRB's denial, the whistleblower's disclosure to Congress and other federal overseers includes forensic data and records of conversations with colleagues that provide evidence of DOGE's access and activities. Meanwhile, NPR's extensive reporting makes clear that DOGE's access to data is a widespread concern. Across the government, 11 sources directly familiar with internal operations in federal agencies and in Congress told NPR that they share Berulis' concerns, and some have seen other evidence that DOGE is exfiltrating sensitive data for unknown reasons.

After this story published, White House spokesperson Anna Kelly said in a statement, "It is months-old news that President Trump signed an Executive Order to hire DOGE employees at agencies and coordinate data sharing. Their highly-qualified team has been extremely public and transparent in its efforts to eliminate waste, fraud, and abuse across the Executive Branch, including the NLRB."

Instead of a brand-new car for a 16th-birthday present, Berulis got his first computer.

It's a familiar story for tech nerds the world over: He methodically took the machine apart to figure out how it works, just like he had dissected radios from the thrift store years earlier. "I electrocuted myself once," he recalled.

Berulis was always interested in public service, but the traditional paths didn't suit him.

A knee injury prevented him from joining the military. He served as a volunteer firefighter for a period and donated his time working for a local rape crisis hotline, answering calls from victims in need of someone to listen. But, he told NPR, "I had an interest in serving my country."

Berulis had been a technical consultant for many years, including in auditing and modernizing corporate systems, when a job opened up at the National Labor Relations Board.

Daniel Berulis started working at the National Labor Relations Board about six months before President Trump started his second term.
Grace Raver/NPR

While he didn't know much about the agency, Berulis quickly found its mission to protect employees' rights in line with his longstanding desire to help people.

He started about six months before President Trump was inaugurated for his second term this past January. Berulis said he hit the ground running, securing the NLRB's cloud-based data servers and reinforcing what's called "zero trust" principles, which means that users can get access only to the parts of the system they need in order to do their jobs, no more, no less. That way, if an attacker gets hold of a single username and password, the attacker can't access the whole system.

"When I first started, it was a dream come true," he said. "There was a great opportunity to build up and do some good." But after the inauguration, he described a "culture of fear" descending over the agency.

The first week of March, engineers associated with DOGE arrived at the NLRB's headquarters, according to Berulis' disclosure. Beforehand, they had asked about what software, hardware, programming languages and applications the NLRB was using. DOGE learned that it used commercially available cloud infrastructure that businesses typically use, which connects to government cloud systems at other agencies and can be accessed remotely.

Berulis said he and several colleagues saw a black SUV and police escort enter the garage, after which building security let the DOGE staffers in. They interacted with a small number of staffers, never introducing themselves to most of the IT team.

Berulis says he was told by colleagues that DOGE employees demanded the highest level of access, what are called "tenant owner level" accounts inside the independent agency's computer systems, with essentially unrestricted permission to read, copy and alter data, according to Berulis' disclosure.

When an IT staffer suggested a streamlined process to activate those accounts in a way that would let their activities be tracked, in accordance with NLRB security policies, the IT staffers were told to stay out of DOGE's way, the disclosure continues.

For cybersecurity professionals, a failure to log activity is a cardinal sin and contradicts best practices as recommended by the National Institute of Standards and Technology and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, as well as the FBI and the National Security Agency.

"That was a huge red flag," said Berulis. "That's something that you just don't do. It violates every core concept of security and best practice."

Those forensic digital records are important for recordkeeping requirements and they allow for troubleshooting, but they also allow experts to investigate potential breaches, sometimes even tracing the attacker's path back to the vulnerability that let them inside a network. The records can also help experts see what data might have been removed. Basic logs would likely not be enough to demonstrate the extent of a bad actor's activities, but it would be a start. There's no reason for any legitimate user to turn off logging or other security tools, cybersecurity experts say.

"None of this is normal," said Jake Braun, the executive director of the Cyber Policy Initiative at the University of Chicago's Harris School of Public Policy and former acting principal deputy national cyber director at the White House, in an interview with NPR about the whistleblower's disclosure. "This type of activity is why the government buys insider-threat-monitoring technology. So we can know things like this are happening and stop sensitive data exfiltration before it happens," he told NPR.

However, the NLRB's budget hasn't had the money to pay for tools like that for years, Berulis said.

A couple of days after DOGE arrived, Berulis saw something else that alarmed him while browsing the internet over the weekend.

Massachusetts Institute of Technology graduate and DOGE engineer Jordan Wick had been sharing information about coding projects he was working on to his public account with GitHub, a website that allows developers to create, store and collaborate on code.

After journalist Roger Sollenberger started posting on X about the account, Berulis noticed something Wick was working on: a project, or repository, titled "NxGenBdoorExtract."

Wick made it private before Berulis could investigate further, he told NPR. But to Berulis, the title itself was revealing.

"So when I saw this tool, I immediately panicked, just for lack of a better term," he said. "I kind of had a conniption and said, 'Whoa, whoa, whoa.'" He immediately alerted his whole team.

While NPR was unable to recover the code for that project, the name itself suggests that Wick could have been designing a backdoor, or "Bdoor," to extract files from the NLRB's internal case management system, known as NxGen, according to several cybersecurity experts who reviewed Berulis' conclusions.

Wick did not respond to NPR's requests for comment.

A screenshot of DOGE engineer Jordan Wick's public GitHub account that shows "NxGenBdoorExtract." The name itself suggests that Wick could have been designing a backdoor, or "Bdoor," to extract files from the NLRB's internal case management system.
Daniel Berulis/Annotation by NPR

"It definitely seems rather odd to name it that," said one of the engineers who built NxGen and asked for anonymity so as not to jeopardize their ability to work with the government again. "Or brazen, if you're not worried about consequences."

"The whole idea of removing logging and getting tenant-level access is the most disturbing part to me," the engineer said.

NxGen is an internal system that was designed specifically for the NLRB in-house, according to several of the engineers who created the tool and who all spoke to NPR on condition of anonymity to avoid retaliation or adverse consequences for any future government work.

The engineers explained that while many of the NLRB's records are eventually made public, the NxGen case management system hosts proprietary data from corporate competitors, personal information about union members or employees voting to join a union, and witness testimony in ongoing cases. Access to that data is protected by numerous federal laws, including the Privacy Act.

Those engineers were also concerned by DOGE staffers' insistence that their activities not be logged, allowing them to probe the NLRB's systems and discover information about potential security flaws or vulnerabilities without being detected.

"If he didn't know the backstory, any chief information security officer worth his salt would look at network activity like this and assume it's a nation-state attack from China or Russia," said Braun, the former White House cyber official.

About a week after arriving, the DOGE engineers had left the NLRB and deleted their accounts, according to Berulis' disclosure to Congress.

In the office, Berulis had had limited visibility into what the DOGE team was up to in real time.

That's partly because, he said, the NLRB isn't advanced when it comes to detecting insider threats or potentially malicious actors inside the agency itself. "We as an agency have not evolved to account for those," he explained. "We were looking for bad actors outside," he said.

But he counted on DOGE leaving at least a few traces of its activity behind, puzzle pieces he could assemble to try to put together a picture of what happened, details he included in his official disclosure.

First, at least one DOGE account was created and later deleted for use in the NLRB's cloud systems, hosted by Microsoft: "DogeSA_2d5c3e0446f9@nlrb.microsoft.com."

Then, DOGE engineers installed what's called a "container," a kind of opaque, virtual computer that can run programs on a machine without revealing its activities to the rest of the network. On its own, that wouldn't be suspicious, though it did allow the engineers to work invisibly and left no trace of its activities once it was removed.

Then, Berulis started tracking sensitive data leaving the places it's meant to live, according to his official disclosure. First, he saw a chunk of data exiting the NxGen case management system's "nucleus," inside the NLRB system, Berulis explained. Then, he saw a large spike in outbound traffic leaving the network itself.

This screenshot shows a large spike in outbound traffic leaving the NLRB system.
Whistleblower Aid

From what he could see, the data leaving, almost all text files, added up to around 10 gigabytes, or the equivalent of a full stack of encyclopedias if someone printed them, he explained. It's a sizable chunk of the total data in the NLRB system, though the agency itself hosts over 10 terabytes in historical data. It's unclear which files were copied and removed or whether they were consolidated and compressed, which could mean even more data was exfiltrated. It's also possible that DOGE ran queries looking for specific files in the NLRB's system and took only what it was looking for, according to the disclosure.

Regardless, that kind of spike is extremely unusual, Berulis explained, because data almost never directly leaves from the NLRB's databases. In his disclosure, Berulis shared a screenshot tracking data entering and exiting the system, and there's only one noticeable spike of data going out. He also confirmed that no one at the NLRB had been saving backup files that week or migrating data for any projects.

Even when external parties like lawyers or overseers like the inspector general are granted guest accounts on the system, it's only to view the files relevant to their case or investigation, explained labor law experts who worked with or at the NLRB, in interviews with NPR.

"None of that confidential and deliberative information should ever leave the agency," said Richard Griffin, who was the NLRB general counsel from 2013 to 2017, in an interview with NPR.

For cybersecurity experts, that spike in data leaving the system is a key indicator of a breach, Berulis explained.

"We are under assault right now," he remembered thinking.

When Berulis asked his IT colleagues whether they knew why the data was exfiltrated or whether anyone else had been using containers to run code on the system in recent weeks, no one knew anything about it or the other unusual activities on the network, according to his disclosure. In fact, when they looked into the spike, they found that logs that were used to monitor outbound traffic from the system were absent. Some actions taken on the network, including data exfiltration, had no attribution, except to a "deleted account," he continued. "Nobody knows who deleted the logs or how they could have gone missing," Berulis said.

The IT team met to discuss insider threats, namely, the DOGE engineers, whose activities it had little insight into or control over. "We had no idea what they did," he explained. Those conversations are reflected in his official disclosure.

They eventually launched a formal breach investigation, according to the disclosure, and prepared a request for assistance from the Cybersecurity and Infrastructure Security Agency (CISA). However, those efforts were disrupted without an explanation, Berulis said. That was deeply troubling to Berulis, who felt he needed help to try to get to the bottom of what happened and determine what new vulnerabilities might be exploited as a result.

In the days after Berulis and his colleagues prepared a request for CISA's help investigating the breach, Berulis found a printed letter in an envelope taped to his door, which included threatening language, sensitive personal information and overhead pictures of him walking his dog, according to the cover letter attached to his official disclosure. It's unclear who sent it, but the letter made specific reference to his decision to report the breach. Law enforcement is investigating the letter.

"If the underlying disclosure wasn't concerning enough, the targeted, physical intimidation and surveillance of my client is. If this is happening to Mr. Berulis, it is likely happening to others and brings our nation more in line with authoritarian regimes than with open and free democracies," wrote Bakaj, his attorney, in a statement sent to NPR. "It is time for everyone, and Congress in particular, to acknowledge the facts and stop our democracy, freedom, and liberties from slipping away, something that will take generations to repair."

In part because of the stymied internal investigation and the attempts to silence him, Berulis decided to come forward publicly.

In fact, despite all that, Berulis managed to uncover some stranger and more troubling details about what happened while DOGE was logged on, which he enumerated in his official declaration.

Unknown users also gave themselves a high-level access key, what's called a SAS token, meaning "shared access signature," to access storage accounts, before deleting it. Berulis said there was no way to track what they did with it.

Someone had disabled controls that would prevent insecure or unauthorized mobile devices from logging on to the system without the proper security settings. There was an interface exposed to the public internet, potentially allowing malicious actors access to the NLRB's systems. Internal alerting and monitoring systems were found to be manually turned off. Multifactor authentication was disabled. And Berulis noticed that an unknown user had exported a "user roster," a file with contact information for outside lawyers who have worked with the NLRB.

Berulis said he noticed five PowerShell downloads on the system, a task automation program that would allow engineers to run automated commands. There were several code libraries that got his attention, tools that he said appeared to be designed to automate and mask data exfiltration. There was a tool to generate a seemingly endless number of IP addresses called "requests-ip-rotator," and a commonly used automation tool for web developers called "browserless," both repositories starred or favorited by Wick, the DOGE engineer, according to an archive of his GitHub account reviewed by NPR.

While investigating the data taken from the agency, Berulis tried to determine its ultimate destination. But whoever had exfiltrated it had disguised its destination too, according to the disclosure.

DOGE staffers had permission to access the system, but removing data is another matter.

Berulis says someone appeared to be doing something called DNS tunneling to prevent the data exfiltration from being detected. He came to that conclusion, outlined in his disclosure, after he saw a traffic spike in DNS requests parallel to the data being exfiltrated, a spike 1,000 times the normal number of requests.

When someone uses this kind of technique, they set up a domain name that pings the target system with questions or queries. But they configure the compromised server so that it answers those DNS queries by sending out packets of data, allowing the attacker to steal information that has been broken down into smaller chunks.

"We've seen Russian threat actors do things like this on U.S. government systems," said one threat intelligence researcher who requested anonymity because they weren't authorized to speak publicly by their employer. That analyst, who has extensive experience hunting nation-state-sponsored hackers, reviewed the whistleblower's technical claims.

"The difference is, they were given the keys to the front door," the researcher continued. While the researcher clarified that it would be difficult to fully verify what happened without full access to the NLRB system, they said Berulis' conclusions and accompanying evidence were a cause for concern. "None of this is standard," they said.

Russ Handorf, who served in the FBI for a decade in various cybersecurity roles, also reviewed Berulis' extensive technical forensic records and analysis and spoke to NPR about his conclusions.

"All of this is alarming," he said. "If this was a publicly traded company, I would have to report this breach to the Securities and Exchange Commission. The timeline of events demonstrates a lack of respect for the institution and for the sensitivity of the data that was exfiltrated. There is no reason to increase the security risk profile by disabling security controls and exposing them, less guarded, to the internet. They didn't exercise the more prudent standard practice of copying the data to encrypted and local media for escort."

"Until there's an investigation done, there's no way to definitively prove who did it," Handorf concluded.
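
The DNS request spike described above, running parallel to the outbound data, is a signal defenders can look for in resolver logs. The following is an added example, not part of NPR's reporting or the whistleblower's disclosure: it flags time windows whose query volume far exceeds the median baseline and domains queried under many long, high-entropy subdomain labels. The log layout, thresholds and all names (including `tunnel.example`) are constructed assumptions.

```python
import hashlib
import math
from collections import Counter, defaultdict
from statistics import mean, median


def shannon_entropy(text):
    """Bits per character; encoded data chunks score higher than hostnames."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(n / len(text) * math.log2(n / len(text)) for n in counts.values())


def split_name(qname):
    """Split a query name into (subdomain, registered domain).

    Assumption: the registered domain is the last two labels. Production
    code would consult the Public Suffix List instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def spike_windows(records, window_s=60, factor=100):
    """Return (window_start, queries, ratio) for windows >= factor x median."""
    counts = Counter(ts // window_s for ts, _ in records)
    baseline = median(counts.values())
    return [(w * window_s, c, c / baseline)
            for w, c in sorted(counts.items()) if c >= factor * baseline]


def tunnel_candidates(records, min_unique=100, min_len=20, min_entropy=3.0):
    """Return domains whose subdomains look like encoded payload chunks.

    A domain is reported only if it has many distinct subdomains that are,
    on average, both long and high in character entropy.
    """
    subs = defaultdict(set)
    for _, qname in records:
        sub, domain = split_name(qname)
        if sub:
            subs[domain].add(sub)
    found = {}
    for domain, names in subs.items():
        avg_len = mean(len(n) for n in names)
        avg_ent = mean(shannon_entropy(n) for n in names)
        if len(names) >= min_unique and avg_len >= min_len and avg_ent >= min_entropy:
            found[domain] = {"unique": len(names),
                             "avg_len": round(avg_len, 1),
                             "avg_entropy": round(avg_ent, 2)}
    return found


def build_sample():
    """Constructed log of (epoch_seconds, qname): 30 quiet minutes, then a burst."""
    normal = ["www.example.com", "mail.example.org", "intranet.example.com",
              "time.example.org", "updates.example.com"]
    records = []
    for minute in range(30):                      # baseline: 5 queries/minute
        for i, name in enumerate(normal):
            records.append((minute * 60 + i * 10, name))
    for i in range(5000):                         # burst: 5,000 queries in one minute
        label = hashlib.sha256(str(i).encode()).hexdigest()[:32]
        records.append((1800 + i % 60, f"{label}.tunnel.example"))
    return records


if __name__ == "__main__":
    sample = build_sample()
    for start, count, ratio in spike_windows(sample):
        print(f"window t={start}s: {count} queries ({ratio:.0f}x median)")
    for domain, stats in tunnel_candidates(sample).items():
        print(f"candidate {domain}: {stats}")
```

Correlating the flagged windows with outbound byte counts from flow or firewall logs is the next step; volume alone can also come from misconfigured clients.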

The National Labor Relations Board seal hangs inside a hearing room at the agency's headquarters in Washington, D.C., in 2019.
Andrew Harrer/Bloomberg via Getty Images

DOGE's intentions with regard to the NLRB data remain unclear. Many of the systems that DOGE embedded itself in across the rest of the government have payment or employment data, information that it could use to evaluate which grants and programs to halt and whom to fire.

But the case management system is very different.

It houses information about ongoing contested labor cases, lists of union activists, internal case notes, personal information from Social Security numbers to home addresses, proprietary corporate data and more information that never gets published openly.

Experts interviewed by NPR acknowledge that there are inefficiencies across government that warrant further review, but they say they don't see a single legitimate reason that DOGE staffers would need to remove the data from the case management system to resolve those problems.

"There is no reason whatsoever for accessing the information. Now, could any agency be more efficient? More effective? Positively. But what you need for that is people who understand what the agency does. That is not by mining data, putting algorithms in and creating a breach of security," said Harley Shaiken, a professor emeritus at the University of California, Berkeley, who specializes in labor and information technology.

"There is nothing that I can see about what DOGE is doing that follows any of the standard procedures for how you do an audit that has integrity and that's meaningful and will actually produce results that serve the normal auditing function, which is to look for fraud, waste and abuse," said Sharon Block, the executive director of Harvard Law School's Center for Labor and a Just Economy and a former NLRB board member.

"The mismatch between what they're doing and the established, professional way to do what they say they're doing, that just kind of gives away the store, that they are not actually about finding more efficient ways for the government to operate," Block said.

For labor law experts, the mere possibility that sensitive records were copied is a serious danger that could create a chilling effect for employees everywhere who turn to the National Labor Relations Board for protection.

"Just saying that they have access to the data is intimidating," said Kate Bronfenbrenner, the director of labor education research at Cornell University and co-director of the Worker Empowerment Research Network. "People are going to go, 'I'm not going to testify before the board because, you know, my employer might get access.'"

Bronfenbrenner, the child of immigrant parents who fled the Soviet Union and Nazi-controlled Germany, said she spends a lot of time thinking about how systems can crumble under the right circumstances. "You know, there's this belief that we have these checks and balances, but anyone who's part of the labor movement should know that's not true," she told NPR.

With access to the data, it would make it easier for companies to fire employees for union organizing or keep blacklists of organizers, illegal activities under federal labor laws enforced by the NLRB. But "people get fired in this country all the time for the lawful act of trying to organize a union," said Block.

Having a copy of the opposing counsel's notes as companies prepare for legal challenges would also be an attractive possibility, she continued.

It's not just employees who might suffer if this data got out. Companies also sometimes provide detailed statements on internal business planning and corporate structure in the midst of unfair-labor-practice complaint proceedings. If a company was attempting to fire someone who it alleged had disclosed trade secrets and was fighting an unfair-labor-practice complaint based around that decision, those trade secrets might come up in the board's investigation too. That information would be valuable to competitors, regulators and others.

Overall, the potential exposure of the NLRB's data could have serious implications.

"I think it is very concerning," said Shaiken. "It could result in damage to individual workers, to union-organizing campaigns and to unions themselves," he said.

"It is bringing a wrecking ball into the dentist office, meaning this is wildly disproportionate and raises real dangers," Shaiken continued.

Labor law experts were particularly concerned about what they described as clear conflicts of interest, particularly when it comes to Elon Musk, his companies and his vast network of former employees and allies who are now getting access to government jobs and data.

Trump and Musk, during an interview with Fox News's Sean Hannity, said Musk would recuse himself from anything involving his companies. "I haven't asked the president for anything ever," Musk said. "I'm getting a sort of a daily proctology exam here. You know, it's not like I'll be getting away with something in the dead of night." However, DOGE has been granted high-level access to a lot of data that could benefit Musk, and there has been no evidence of a firewall preventing misuse of that data.

There are multiple ongoing cases involving Musk and the NLRB. For one, after a group of former SpaceX employees lodged a complaint with the NLRB, lawyers representing SpaceX, some of whom were recently hired into government jobs, filed suit against the NLRB. They argued that the agency's structure is unconstitutional.

Elon Musk speaks with then-President-elect Donald Trump and guests at a viewing of the launch of the sixth test flight of the SpaceX Starship rocket on Nov. 19, 2024, in Brownsville, Texas.
Brandon Bell/Getty Images

Sen. Chris Murphy, D-Conn., raised his concerns about Musk accessing sensitive labor investigation data on cases against his companies or competitors during the confirmation hearing for Trump's labor secretary, Lori Chavez-DeRemer, in mid-February. He pressed her to answer whether she believed the NLRB is constitutional and to commit to keeping sensitive data confidential. While she said she was committed to privacy and said she respects the NLRB's authority, she insisted that Trump has the executive power to exercise it as he sees fit.

All this is happening in the context of a broader attempt by the White House to hamstring labor agencies.

"The NLRB was created to guarantee workers' rights to organize and to address problems that workers have in the workplace," said Shaiken, of UC Berkeley. Under President Joe Biden, he recalled, the labor movement enjoyed an unusual amount of support from Washington. "But what we have seen is a sharp slamming of the brakes to that and putting the vehicle in reverse in terms of what Trump has done so far," he continued.

In addition to sending DOGE to the NLRB, the Trump administration tried to neutralize the board's power to enforce labor law by removing its member Gwynne Wilcox. Courts have gone back and forth on whether Wilcox's removal was illegal, as presidents are meant to demonstrate cause for dismissal of independent board members.

Representatives of DOGE and former colleagues of Musk's who have been installed across the federal government have failed to reassure the public or the courts that they have taken the proper precautions to protect the data they're ingesting and that private business interests won't influence how that data is used or what policy decisions are made, Block and the other labor law experts interviewed by NPR say.

"It's not that he's a random person who's getting information that a random person shouldn't have access to," said Harvard Law's Block. "But if they really did get everything, then he has information about the cases the government is building against him," she said.

"DOGE is, whether they admit it or not, headed by somebody who is the subject of active investigation and prosecution of cases. It is incredibly troubling," she said.

Musk's company xAI could also benefit from sucking up all the data DOGE has collected to train its algorithms. Cybersecurity experts like Bruce Schneier, a well-known cryptographer and adjunct lecturer at the Harvard Kennedy School, have pointed to this concern at length in interviews and written pieces.

According to two federal government sources who were not authorized to speak publicly about their workplaces and who shared email documentation with NPR, managers have consistently been warning employees that their data could be subject to AI review, particularly their email responses to the Musk-led campaign to get federal employees to detail "what they did last week," in five bullet points, every Monday.

"It's not a flight of imagination to see several DOGE staffers release some of that data surreptitiously to Musk or people close to him," said Shaiken.

If the data isn't properly protected after it leaves the agency or if DOGE left a digital door open to the agency itself, data could also be exposed to potential sale or theft by criminals or foreign adversaries. An attacker could also try to take advantage of the connections between the NLRB's cloud account and other government cloud environments, using their access to the NLRB as a foothold to move to other networks.

"Both criminals and foreign adversaries traditionally have used information like this to enrich themselves through a variety of actions," explained Handorf, the former FBI cyber official. "That includes blackmail, targeting and prioritizing intellectual property theft for espionage or even harming a company to enrich another."

Within minutes after DOGE accessed the NLRB's systems, someone with an IP address in Russia started trying to log in, according to Berulis' disclosure. The attempts were "near real-time," according to the disclosure. Those attempts were blocked, but they were especially alarming. Whoever was attempting to log in was using one of the newly created DOGE accounts, and the person had the correct username and password, according to Berulis. While it's possible the user was disguising their location, it's highly unlikely they'd appear to be coming from Russia if they wanted to avoid suspicion, cybersecurity experts interviewed by NPR explained.

On their own, a few failed login attempts from a Russian IP address aren't a smoking gun, those cybersecurity experts interviewed by NPR said. But given the overall picture of activity, it's a concerning sign that foreign adversaries may already be searching for ways into government systems that DOGE engineers may have left exposed.

"When you move fast and break stuff, the opportunity to ride the coattails of authorized access is ridiculously easy to achieve," said Handorf. What he means is that if DOGE engineers left access points to the network open, it would be very easy for spies or criminals to break in and steal data behind DOGE.

He said he could also see foreign adversaries trying to recruit or pay DOGE team members for access to sensitive data. "It would not surprise me if DOGE is accidentally compromised."

"This is exactly why we usually architect systems using best practices like the principle of least privilege," Ann Lewis, the former director of Technology Transformation Services at the General Services Administration, told NPR in an interview. "The principle of least privilege is a fundamental cybersecurity concept that states that users should have only the minimum rights, roles and permissions required to perform their roles and responsibilities. This protects access to high-value data and critical assets and helps prevent unauthorized access, accidental damage from user errors and malicious actions."

Bakaj, Berulis' lawyer, told NPR in a written statement: "This case has been particularly sensitive as it involves the possibility of sophisticated foreign intelligence gaining
access to sensitive government systems which is why we went to the Senate Intelligence Committee directlyppThe NLRB isnt alone in those concernsppIn over a dozen lawsuits in federal courts around the country judges have demanded that DOGE explain why it needs such expansive access to sensitive data on Americans from Social Security records to private medical records and tax information But the Trump administration has been unable to give consistent and clear answers largely dismissing cybersecurity and privacy concernsppIn one case dealing with Treasury Department payment systems that control trillions of dollars in federal spending US District Judge Jeannette Vargas blocked DOGE access on Feb 21 finding a real possibility exists that sensitive information has already been shared outside of the Treasury Department in potential violation of federal lawppIts an area of focus for Democratic lawmakers on the House Committee on Oversight and Government Reformpp
U.S. District Judge Jeannette Vargas blocked DOGE access to the Treasury Department over the possibility that sensitive information has already been shared outside of the Treasury Department.
Alex Brandon/AP

An aide for the Democratic minority on the House Oversight Committee who was not authorized to speak publicly told NPR that the committee is in possession of multiple verifiable reports showing that DOGE has exfiltrated sensitive government data across agencies for unknown purposes, revealing that Berulis' disclosure is not an isolated incident.

But government cybersecurity officials are already resigning or being fired, forced to relocate or put on administrative leave all over the federal government, from the Cybersecurity and Infrastructure Security Agency to the Interior Department. That has limited their power to respond to the ongoing disruptions or keep track of what DOGE is doing.

One of the first people to speak out about DOGE's access to sensitive data was Erie Meyer, who resigned as the chief technology officer at the Consumer Financial Protection Bureau (CFPB) in February. She has provided testimony in ongoing court cases surrounding DOGE's access and also spoke to NPR in an interview. The CFPB has sensitive and potentially market-moving data, Meyer said. DOGE employees granted themselves God-tier access to the CFPB's systems, turned off auditing and event logs and put the cybersecurity experts responsible for insider threat detection on administrative leave. When IT experts at the CFPB planned to conduct an after action report on DOGE's activities, they were stonewalled, she continued.

When she heard about how DOGE engineers operated at the NLRB, particularly the steps they took to obfuscate their activities, she recognized a pattern.

"I am trembling," she said upon hearing about the potential exposure of data from the NLRB. "They can get every piece of whistleblower testimony, every report, everything. This is not good."

Other technical employees working with government agencies who spoke to NPR shared Berulis' concerns.

"Our cyber teams are pissed because they have to sit on their hands when every single alarm system we have regarding insider threats is going off," said one employee at an agency of the Interior Department who requested anonymity, fearing retribution. Cybersecurity teams wanted to shut off new users' access to the system, the employee continued, but were ordered to stand down.

Meanwhile, in a letter published on March 13 on Federal News Network, 46 former senior officials from the General Services Administration, one of the government agencies hardest hit by DOGE's cost-cutting efforts and that oversees nearly all federal buildings and purchasing, wrote that they believed "highly-sensitive IT systems are being put at risk and sensitive information is being downloaded to unknown, unvetted external sources in clear violation of privacy and data-protection rules."

The Trump administration could be trying to codify DOGE's practices into how the government shares information, said Kel McClanahan, the executive director of nonprofit public interest law firm National Security Counselors, who is representing federal employees in a lawsuit concerning the Office of Personnel Management's use of a private email server.

Weeks after DOGE staffers descended on federal buildings across Washington, Trump issued an executive order urging increased data sharing by eliminating information silos, in what's seen by experts like McClanahan as an attempt to give DOGE engineers further top cover in accessing and amalgamating sensitive federal data, despite laws concerning privacy and cybersecurity.

"The entire reason we have a Privacy Act is that Congress realized 50 years ago that the federal government was just overflowing with information about normal everyday people and needed some guardrails in place," McClanahan told NPR. "The information silos are there for a reason," he continued. "It's astonishing to me that the very people who not a handful of years ago were screaming about the government tracking us with vaccines now cheer for feeding every piece of information about themselves into Elon Musk's stupid Skynet."

DOGE appears to still be in the process of visiting federal agencies across the country, including just recently the Securities and Exchange Commission, according to one former government source directly familiar with the matter who requested anonymity to share information they weren't authorized to share. Across the government, it's unclear how much sensitive data has been removed and collected and combined.

It's also unclear where the labor data went and who has access to it. But for experts in workers' rights, the threat is immediate and existential.

"This shocks the conscience," said Richard Griffin, the former general counsel of the NLRB. "And if DOGE operatives captured and removed case files, it could constitute a violation of the Privacy Act."

For Berulis, it was important to speak out because he believes people deserve to know how the government's data and computer systems are at risk, and to prevent further damage. As a former IT consultant, Berulis says he would have been fired for operating like DOGE.

Daniel Berulis hopes that there might be further investigations into mishandling of sensitive data across the federal government.
Grace Raver/NPR

Disclosing his concerns "was a moral imperative at this point," he said. "I've never encountered this in my 20 years of IT."

His hope is that there might be further investigations into mishandling of sensitive data across the federal government.

"I believe with all my heart that this goes far beyond just case data," he said. "I know there are people at other agencies who have seen similar behavior. I firmly believe that this is happening maybe even to a greater extent at other agencies."

For overseers, investigators and IT experts in a similar position, he hopes to provide a road map of what to look for.

"It was my goal by disclosing to Congress not to focus on me at all, but to give them information that they might not necessarily have, the things that you don't necessarily look for unless you know where to look," he continued.

The NLRB said it would cooperate with any investigations that stem from Berulis' disclosure to Congress.

"As an agency protecting employee rights, the NLRB respects its employees' right to bring whistleblower claims to Congress and the Office of Special Counsel, and the Agency looks forward to working with those entities to resolve the complaints," said Bearese, the agency's acting spokesperson, in a statement.

Berulis had a simple request for the DOGE engineers: "Be transparent. If you have nothing to hide, don't delete logs, don't be covert. Be open, because that's what efficiency is really about. If this is all a huge misunderstanding, then just prove it. Put it out there. That's all I'm asking."

But ultimately, if the systems that DOGE accesses are left insecure, it might not matter if its intentions are honorable, he concluded.

"This could just be the start of the operation. They still haven't crossed that boundary where they're plugged into every federal system out there," he continued. "So maybe there is still time."

NPR's Stephen Fowler contributed reporting. NPR's Brett Neely edited this story.

Have information or evidence to share about DOGE's access to data inside the federal government? Reach out to the author, Jenna McLaughlin, through encrypted communications on Signal at jennamclaughlin54. Stephen Fowler is available on Signal at stphnfwlr25. Please use a nonwork device.

White House senior adviser Elon Musk walks to the White House after landing in Marine One with President Trump on March 9.
Samuel Corum/Getty Images

The employees grew concerned that the NLRB's confidential data could be exposed, particularly after they started detecting suspicious login attempts from an IP address in Russia, according to the disclosure. Eventually, the disclosure continued, the IT department launched a formal review of what it deemed a serious, ongoing security breach or potentially illegal removal of personally identifiable information. The whistleblower believes that the suspicious activity warrants further investigation by agencies with more resources, like the Cybersecurity and Infrastructure Security Agency or the FBI.

The labor law experts interviewed by NPR fear that if the data gets out, it could be abused, including by private companies with cases before the agency that might get insights into damaging testimony, union leadership, legal strategies and internal data on competitors, Musk's SpaceX among them. It could also intimidate whistleblowers who might speak up about unfair labor practices, and it could sow distrust in the NLRB's independence, they said.

The new revelations about DOGE's activities at the labor agency come from a whistleblower in the IT department of the NLRB, who disclosed his concerns to Congress and the U.S. Office of Special Counsel in a detailed report that was then provided to NPR. Meanwhile, his attempts to raise concerns internally within the NLRB preceded someone physically taping a threatening note to his door that included sensitive personal information and overhead photos of him walking his dog that appeared to be taken with a drone, according to a cover letter attached to his disclosure filed by his attorney, Andrew Bakaj of the nonprofit Whistleblower Aid.

The whistleblower's account is corroborated by internal documentation and was reviewed by 11 technical experts across other government agencies and the private sector. In total, NPR spoke to over 30 sources across the government, the private sector, the labor movement, cybersecurity and law enforcement who spoke to their own concerns about how DOGE and the Trump administration might be handling sensitive data, and the implications for its exposure. Much of the following account comes from the whistleblower's official disclosure and interviews with NPR.

"I can't attest to what their end goal was or what they're doing with the data," said the whistleblower, Daniel Berulis, in an interview with NPR. "But I can tell you that the bits of the puzzle that I can quantify are scary. This is a very bad picture we're looking at."

The whistleblower's story sheds further light on how DOGE is operating inside federal systems and comes on the heels of testimony in more than a dozen court cases across the United States that reveal how DOGE rapidly gained access to private financial and personal information on hundreds of millions of Americans. It's unclear how or whether DOGE is protecting the privacy of that data. Meanwhile, the threatening note, though its origins are unknown, is reflective of the current climate of fear and intimidation toward whistleblowers.

Tim Bearese, the NLRB's acting press secretary, denied that the agency granted DOGE access to its systems and said DOGE had not requested access to the agency's systems. Bearese said the agency conducted an investigation after Berulis raised his concerns but determined that no breach of agency systems occurred.

Notwithstanding the NLRB's denial, the whistleblower's disclosure to Congress and other federal overseers includes forensic data and records of conversations with colleagues that provide evidence of DOGE's access and activities. Meanwhile, NPR's extensive reporting makes clear that DOGE's access to data is a widespread concern. Across the government, 11 sources directly familiar with internal operations in federal agencies and in Congress told NPR that they share Berulis' concerns, and some have seen other evidence that DOGE is exfiltrating sensitive data for unknown reasons.

After this story published, White House spokesperson Anna Kelly said in a statement: "It is months-old news that President Trump signed an Executive Order to hire DOGE employees at agencies and coordinate data sharing. Their highly-qualified team has been extremely public and transparent in its efforts to eliminate waste, fraud, and abuse across the Executive Branch, including the NLRB."

Instead of a brand-new car for a 16th-birthday present, Berulis got his first computer.

It's a familiar story for tech nerds the world over. He methodically took the machine apart to figure out how it works, just like he had dissected radios from the thrift store years earlier. "I electrocuted myself once," he recalled.

Berulis was always interested in public service, but the traditional paths didn't suit him.

A knee injury prevented him from joining the military. He served as a volunteer firefighter for a period and donated his time working for a local rape crisis hotline, answering calls from victims in need of someone to listen. But, he told NPR, "I had an interest in serving my country."

Berulis had been a technical consultant for many years, including in auditing and modernizing corporate systems, when a job opened up at the National Labor Relations Board.

Daniel Berulis started working at the National Labor Relations Board about six months before President Trump started his second term.
Grace Raver/NPR

While he didn't know much about the agency, Berulis quickly found its mission to protect employees' rights in line with his long-standing desire to help people.

He started about six months before President Trump was inaugurated for his second term this past January. Berulis said he hit the ground running, securing the NLRB's cloud-based data servers and reinforcing what's called "zero trust" principles, which means that users can get access only to the parts of the system they need in order to do their jobs, no more, no less. That way, if an attacker gets hold of a single username and password, the attacker can't access the whole system.

"When I first started, it was a dream come true," he said. "There was a great opportunity to build up and do some good." But after the inauguration, he described "a culture of fear" descending over the agency.

The first week of March, engineers associated with DOGE arrived at the NLRB's headquarters, according to Berulis' disclosure. Beforehand, they had asked about what software, hardware, programming languages and applications the NLRB was using. DOGE learned that it used commercially available cloud infrastructure that businesses typically use, which connects to government cloud systems at other agencies and can be accessed remotely.

Berulis said he and several colleagues saw a black SUV and police escort enter the garage, after which building security let the DOGE staffers in. They interacted with a small number of staffers, never introducing themselves to most of the IT team.

Berulis says he was told by colleagues that DOGE employees demanded the highest level of access, what are called "tenant owner level" accounts inside the independent agency's computer systems, with essentially unrestricted permission to read, copy and alter data, according to Berulis' disclosure.

When an IT staffer suggested a streamlined process to activate those accounts in a way that would let their activities be tracked, in accordance with NLRB security policies, the IT staffers were told to stay out of DOGE's way, the disclosure continues.

For cybersecurity professionals, a failure to log activity is a cardinal sin and contradicts best practices as recommended by the National Institute of Standards and Technology and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency, as well as the FBI and the National Security Agency.

"That was a huge red flag," said Berulis. "That's something that you just don't do. It violates every core concept of security and best practice."

Those forensic digital records are important for record-keeping requirements and they allow for troubleshooting, but they also allow experts to investigate potential breaches, sometimes even tracing the attacker's path back to the vulnerability that let them inside a network. The records can also help experts see what data might have been removed. Basic logs would likely not be enough to demonstrate the extent of a bad actor's activities, but it would be a start. There's no reason for any legitimate user to turn off logging or other security tools, cybersecurity experts say.

"None of this is normal," said Jake Braun, the executive director of the Cyber Policy Initiative at the University of Chicago's Harris School of Public Policy and former acting principal deputy national cyber director at the White House, in an interview with NPR about the whistleblower's disclosure. "This type of activity is why the government buys insider-threat-monitoring technology. So we can know things like this are happening and stop sensitive data exfiltration before it happens," he told NPR.

However, the NLRB's budget hasn't had the money to pay for tools like that for years, Berulis said.

A couple of days after DOGE arrived, Berulis saw something else that alarmed him while browsing the internet over the weekend.

Massachusetts Institute of Technology graduate and DOGE engineer Jordan Wick had been sharing information about coding projects he was working on to his public account with GitHub, a website that allows developers to create, store and collaborate on code.

After journalist Roger Sollenberger started posting on X about the account, Berulis noticed something Wick was working on: a project, or repository, titled "NxGenBdoorExtract."

Wick made it private before Berulis could investigate further, he told NPR. But to Berulis, the title itself was revealing.

"So when I saw this tool, I immediately panicked, just for lack of a better term," he said. "I kind of had a conniption and said, 'Whoa, whoa, whoa.'" He immediately alerted his whole team.

While NPR was unable to recover the code for that project, the name itself suggests that Wick could have been designing a backdoor, or "Bdoor," to extract files from the NLRB's internal case management system, known as NxGen, according to several cybersecurity experts who reviewed Berulis' conclusions.

Wick did not respond to NPR's requests for comment.

A screenshot of DOGE engineer Jordan Wick's public GitHub account that shows "NxGenBdoorExtract." The name itself suggests that Wick could have been designing a backdoor, or "Bdoor," to extract files from the NLRB's internal case management system.
Daniel Berulis/Annotation by NPR

"It definitely seems rather odd to name it that," said one of the engineers who built NxGen and asked for anonymity so as not to jeopardize their ability to work with the government again. "Or brazen, if you're not worried about consequences."

"The whole idea of removing logging and getting tenant-level access is the most disturbing part to me," the engineer said.

NxGen is an internal system that was designed specifically for the NLRB in-house, according to several of the engineers who created the tool and who all spoke to NPR on condition of anonymity to avoid retaliation or adverse consequences for any future government work.

The engineers explained that while many of the NLRB's records are eventually made public, the NxGen case management system hosts proprietary data from corporate competitors, personal information about union members or employees voting to join a union, and witness testimony in ongoing cases. Access to that data is protected by numerous federal laws, including the Privacy Act.

Those engineers were also concerned by DOGE staffers' insistence that their activities not be logged, allowing them to probe the NLRB's systems and discover information about potential security flaws or vulnerabilities without being detected.

"If he didn't know the backstory, any chief information security officer worth his salt would look at network activity like this and assume it's a nation-state attack from China or Russia," said Braun, the former White House cyber official.

About a week after arriving, the DOGE engineers had left the NLRB and deleted their accounts, according to Berulis' disclosure to Congress.

In the office, Berulis had had limited visibility into what the DOGE team was up to in real time.

That's partly because, he said, the NLRB isn't advanced when it comes to detecting insider threats or potentially malicious actors inside the agency itself. "We as an agency have not evolved to account for those," he explained. "We were looking for bad actors outside," he said.

But he counted on DOGE leaving at least a few traces of its activity behind, puzzle pieces he could assemble to try to put together a picture of what happened, details he included in his official disclosure.

First, at least one DOGE account was created and later deleted for use in the NLRB's cloud systems, hosted by Microsoft: "DogeSA2d5c3e0446f9nlrbmicrosoftcom"

Then, DOGE engineers installed what's called a "container," a kind of opaque virtual computer that can run programs on a machine without revealing its activities to the rest of the network. On its own, that wouldn't be suspicious, though it did allow the engineers to work invisibly and left no trace of its activities once it was removed.

Then, Berulis started tracking sensitive data leaving the places it's meant to live, according to his official disclosure. First, he saw a chunk of data exiting the NxGen case management system's "nucleus," inside the NLRB system, Berulis explained. Then, he saw a large spike in outbound traffic leaving the network itself.

This screenshot shows a large spike in outbound traffic leaving the NLRB system.
Whistleblower Aid
ppFrom what he could see the data leaving almost all text files added up to around 10 gigabytes or the equivalent of a full stack of encyclopedias if someone printed them he explained Its a sizable chunk of the total data in the NLRB system though the agency itself hosts over 10 terabytes in historical data Its unclear which files were copied and removed or whether they were consolidated and compressed which could mean even more data was exfiltrated Its also possible that DOGE ran queries looking for specific files in the NLRBs system and took only what it was looking for according to the disclosurepp Loading ppRegardless that kind of spike is extremely unusual Berulis explained because data almost never directly leaves from the NLRBs databases In his disclosure Berulis shared a screenshot tracking data entering and exiting the system and theres only one noticeable spike of data going out He also confirmed that no one at the NLRB had been saving backup files that week or migrating data for any projectsppEven when external parties like lawyers or overseers like the inspector general are granted guest accounts on the system its only to view the files relevant to their case or investigation explained labor law experts who worked with or at the NLRB in interviews with NPRppNone of that confidential and deliberative information should ever leave the agency said Richard Griffin who was the NLRB general counsel from 2013 to 2017 in an interview with NPRppFor cybersecurity experts that spike in data leaving the system is a key indicator of a breach Berulis explainedppWe are under assault right now he remembered thinkingppWhen Berulis asked his IT colleagues whether they knew why the data was exfiltrated or whether anyone else had been using containers to run code on the system in recent weeks no one knew anything about it or the other unusual activities on the network according to his disclosure In fact when they looked into the spike they found that logs that were used to 
monitor outbound traffic from the system were absent Some actions taken on the network including data exfiltration had no attribution except to a deleted account he continued Nobody knows who deleted the logs or how they could have gone missing Berulis saidppThe IT team met to discuss insider threats namely the DOGE engineers whose activities it had little insight into or control over We had no idea what they did he explained Those conversations are reflected in his official disclosureppThey eventually launched a formal breach investigation according to the disclosure and prepared a request for assistance from the Cybersecurity and Infrastructure Security Agency CISA However those efforts were disrupted without an explanation Berulis said That was deeply troubling to Berulis who felt he needed help to try to get to the bottom of what happened and determine what new vulnerabilities might be exploited as a resultppIn the days after Berulis and his colleagues prepared a request for CISAs help investigating the breach Berulis found a printed letter in an envelope taped to his door which included threatening language sensitive personal information and overhead pictures of him walking his dog according to the cover letter attached to his official disclosure Its unclear who sent it but the letter made specific reference to his decision to report the breach Law enforcement is investigating the letterppIf the underlying disclosure wasnt concerning enough the targeted physical intimidation and surveillance of my client is If this is happening to Mr Berulis it is likely happening to others and brings our nation more in line with authoritarian regimes than with open and free democracies wrote Bakaj his attorney in a statement sent to NPR It is time for everyone and Congress in particular to acknowledge the facts and stop our democracy freedom and liberties from slipping away something that will take generations to repairppIn part because of the stymied internal investigation 
and the attempts to silence him, Berulis decided to come forward publicly.

In fact, despite all that, Berulis managed to uncover some stranger and more troubling details about what happened while DOGE was logged on, which he enumerated in his official declaration.

Unknown users also gave themselves a high-level access key, what's called a SAS token, meaning "shared access signature," to access storage accounts before deleting it. Berulis said there was no way to track what they did with it.

Someone had disabled controls that would prevent insecure or unauthorized mobile devices from logging on to the system without the proper security settings. There was an interface exposed to the public internet, potentially allowing malicious actors access to the NLRB's systems. Internal alerting and monitoring systems were found to be manually turned off. Multifactor authentication was disabled. And Berulis noticed that an unknown user had exported a user roster, a file with contact information for outside lawyers who have worked with the NLRB.

Berulis said he noticed five PowerShell downloads on the system, a task automation program that would allow engineers to run automated commands. There were several code libraries that got his attention, tools that he said appeared to be designed to automate and mask data exfiltration. There was a tool to generate a seemingly endless number of IP addresses called requests-ip-rotator, and a commonly used automation tool for web developers called browserless, both repositories starred or favorited by Wick, the DOGE engineer, according to an archive of his GitHub account reviewed by NPR.

While investigating the data taken from the agency, Berulis tried to determine its ultimate destination. But whoever had exfiltrated it had disguised its destination too, according to the disclosure.

DOGE staffers had permission to access the system, but removing data is another matter.

Berulis says someone appeared to be doing something called DNS tunneling to prevent the data exfiltration from being detected. He came to that conclusion, outlined in his disclosure, after he saw a traffic spike in DNS requests parallel to the data being exfiltrated, a spike 1,000 times the normal number of requests.

When someone uses this kind of technique, they set up a domain name that pings the target system with questions or queries. But they configure the compromised server so that it answers those DNS queries by sending out packets of data, allowing the attacker to steal information that has been broken down into smaller chunks.

"We've seen Russian threat actors do things like this on U.S. government systems," said one threat intelligence researcher who requested anonymity because they weren't authorized to speak publicly by their employer. That analyst, who has extensive experience hunting nation-state-sponsored hackers, reviewed the whistleblower's technical claims.

"The difference is, they were given the keys to the front door," the researcher continued. While the researcher clarified that it would be difficult to fully verify what happened without full access to the NLRB system, they said Berulis' conclusions and accompanying evidence were a cause for concern. "None of this is standard," they said.

Russ Handorf, who served in the FBI for a decade in various cybersecurity roles, also reviewed Berulis' extensive technical forensic records and analysis and spoke to NPR about his conclusions.

"All of this is alarming," he said. "If this was a publicly traded company, I would have to report this breach to the Securities and Exchange Commission. The timeline of events demonstrates a lack of respect for the institution and for the sensitivity of the data that was exfiltrated. There is no reason to increase the security risk profile by disabling security controls and exposing them, less guarded, to the internet. They didn't exercise the more prudent standard practice of copying the data to encrypted and local media for escort."

"Until there's an investigation done, there's no way to definitively prove who did it," Handorf concluded.

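The kind of check that would surface the DNS request spike Berulis describes, as an added example that is not part of NPR's reporting or of the disclosure: it compares each client's per-minute DNS query count with that client's own baseline and, for spiking minutes, reports whether the queried names look like encoded data (long, high-entropy leftmost labels). The log format, thresholds, IP address and domains are assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter, defaultdict
from statistics import median

def shannon_entropy(text):
    """Bits per character; encoded payload labels score higher than hostnames."""
    if not text:
        return 0.0
    counts = Counter(text)
    return -sum(c / len(text) * math.log2(c / len(text)) for c in counts.values())

def parent_domain(qname):
    """Last two labels (simplification: ignores multi-part public suffixes)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def find_dns_spikes(records, baseline_minutes, spike_factor=100.0,
                    min_label_len=30, min_entropy=3.0):
    """records: iterable of (minute, client_ip, qname).
    Minutes below baseline_minutes form each client's baseline
    (median queries per active minute)."""
    per_min = defaultdict(list)              # (client, minute) -> [qname, ...]
    for minute, client, qname in records:
        per_min[(client, minute)].append(qname)

    baseline = defaultdict(list)             # client -> [queries per minute]
    for (client, minute), names in per_min.items():
        if minute < baseline_minutes:
            baseline[client].append(len(names))

    findings = []
    for (client, minute), names in sorted(per_min.items()):
        if minute < baseline_minutes or client not in baseline:
            continue
        ratio = len(names) / median(baseline[client])
        if ratio < spike_factor:
            continue                         # volume is within normal range
        by_parent = defaultdict(set)         # parent domain -> unique qnames
        for q in names:
            by_parent[parent_domain(q)].add(q.lower())
        for parent, uniq in by_parent.items():
            labels = [q.split(".")[0] for q in uniq]
            avg_len = sum(map(len, labels)) / len(labels)
            avg_ent = sum(map(shannon_entropy, labels)) / len(labels)
            findings.append({
                "client": client, "minute": minute, "ratio": round(ratio, 1),
                "parent": parent, "unique_names": len(uniq),
                "tunnel_like": avg_len >= min_label_len and avg_ent >= min_entropy,
            })
    return findings

def constructed_sample():
    """Constructed data: 2 queries per minute, then a burst in minute 5."""
    recs = []
    for minute in range(6):
        recs.append((minute, "10.0.0.5", "www.example.org"))
        recs.append((minute, "10.0.0.5", "mail.example.org"))
    for i in range(2000):                    # unique 40-char hex labels
        chunk = hashlib.sha256(str(i).encode()).hexdigest()[:40]
        recs.append((5, "10.0.0.5", f"{chunk}.t.example.net"))
    return recs

if __name__ == "__main__":
    for finding in find_dns_spikes(constructed_sample(), baseline_minutes=5):
        print(finding)
```

A volume spike alone only says that something unusual happened; the per-domain breakdown is what separates thousands of unique, random-looking names under one parent domain from ordinary lookups made in the same minute.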
The National Labor Relations Board seal hangs inside a hearing room at the agency's headquarters in Washington, D.C., in 2019.
Andrew Harrer/Bloomberg via Getty Images

DOGE's intentions with regard to the NLRB data remain unclear. Many of the systems that DOGE embedded itself in across the rest of the government have payment or employment data, information that it could use to evaluate which grants and programs to halt and whom to fire.

But the case management system is very different.

It houses information about ongoing contested labor cases, lists of union activists, internal case notes, personal information from Social Security numbers to home addresses, proprietary corporate data and more information that never gets published openly.

Experts interviewed by NPR acknowledge that there are inefficiencies across government that warrant further review, but they say they don't see a single legitimate reason that DOGE staffers would need to remove the data from the case management system to resolve those problems.

"There is no reason whatsoever for accessing the information. Now, could any agency be more efficient? More effective? Positively. But what you need for that is people who understand what the agency does. That is not by mining data, putting algorithms in and creating a breach of security," said Harley Shaiken, a professor emeritus at the University of California, Berkeley who specializes in labor and information technology.

"There is nothing that I can see about what DOGE is doing that follows any of the standard procedures for how you do an audit that has integrity and that's meaningful and will actually produce results that serve the normal auditing function, which is to look for fraud, waste and abuse," said Sharon Block, the executive director of Harvard Law School's Center for Labor and a Just Economy and a former NLRB board member.

"The mismatch between what they're doing and the established, professional way to do what they say they're doing, that just kind of gives away the store, that they are not actually about finding more efficient ways for the government to operate," Block said.

For labor law experts, the mere possibility that sensitive records were copied is a serious danger that could create a chilling effect for employees everywhere who turn to the National Labor Relations Board for protection.

"Just saying that they have access to the data is intimidating," said Kate Bronfenbrenner, the director of labor education research at Cornell University and co-director of the Worker Empowerment Research Network. "People are going to go, 'I'm not going to testify before the board because, you know, my employer might get access.'"

Bronfenbrenner, the child of immigrant parents who fled the Soviet Union and Nazi-controlled Germany, said she spends a lot of time thinking about how systems can crumble under the right circumstances. "You know, there's this belief that we have these checks and balances, but anyone who's part of the labor movement should know that's not true," she told NPR.

With access to the data, it would make it easier for companies to fire employees for union organizing or keep blacklists of organizers, illegal activities under federal labor laws enforced by the NLRB. "But people get fired in this country all the time for the lawful act of trying to organize a union," said Block.

Having a copy of the opposing counsel's notes as companies prepare for legal challenges would also be an attractive possibility, she continued.

It's not just employees who might suffer if this data got out. Companies also sometimes provide detailed statements on internal business planning and corporate structure in the midst of unfair-labor-practice complaint proceedings. If a company was attempting to fire someone who it alleged had disclosed trade secrets and was fighting an unfair-labor-practice complaint based around that decision, those trade secrets might come up in the board's investigation too. That information would be valuable to competitors, regulators and others.

Overall, the potential exposure of the NLRB's data could have serious implications.

"I think it is very concerning," said Shaiken. "It could result in damage to individual workers, to union-organizing campaigns and to unions themselves," he said.

"It is bringing a wrecking ball into the dentist office, meaning this is wildly disproportionate and raises real dangers," Shaiken continued.

Labor law experts were particularly concerned about what they described as clear conflicts of interest, particularly when it comes to Elon Musk, his companies and his vast network of former employees and allies who are now getting access to government jobs and data.

Trump and Musk, during an interview with Fox News's Sean Hannity, said Musk would recuse himself from anything involving his companies. "I haven't asked the president for anything ever," Musk said. "I'm getting a sort of a daily proctology exam here. You know, it's not like I'll be getting away with something in the dead of night." However, DOGE has been granted high-level access to a lot of data that could benefit Musk, and there has been no evidence of a firewall preventing misuse of that data.

There are multiple ongoing cases involving Musk and the NLRB. For one, after a group of former SpaceX employees lodged a complaint with the NLRB, lawyers representing SpaceX, some of whom were recently hired into government jobs, filed suit against the NLRB. They argued that the agency's structure is unconstitutional.

Elon Musk speaks with then-President-elect Donald Trump and guests at a viewing of the launch of the sixth test flight of the SpaceX Starship rocket on Nov. 19, 2024, in Brownsville, Texas.
Brandon Bell/Getty Images

Sen. Chris Murphy, D-Conn., raised his concerns about Musk accessing sensitive labor investigation data on cases against his companies or competitors during the confirmation hearing for Trump's labor secretary, Lori Chavez-DeRemer, in mid-February. He pressed her to answer whether she believed the NLRB is constitutional and to commit to keeping sensitive data confidential. While she said she was committed to privacy and said she respects the NLRB's authority, she insisted that Trump has the executive power to exercise it as he sees fit.

All this is happening in the context of a broader attempt by the White House to hamstring labor agencies.

The NLRB was created to guarantee workers' rights to organize and to address problems that workers have in the workplace, said Shaiken of UC Berkeley. Under President Joe Biden, he recalled, the labor movement enjoyed an unusual amount of support from Washington. "But what we have seen is a sharp slamming of the brakes to that and putting the vehicle in reverse in terms of what Trump has done so far," he continued.

In addition to sending DOGE to the NLRB, the Trump administration tried to neutralize the board's power to enforce labor law by removing its member Gwynne Wilcox. Courts have gone back and forth on whether Wilcox's removal was illegal, as presidents are meant to demonstrate cause for dismissal of independent board members.

Representatives of DOGE and former colleagues of Musk's who have been installed across the federal government have failed to reassure the public or the courts that they have taken the proper precautions to protect the data they're ingesting and that private business interests won't influence how that data is used or what policy decisions are made, Block and the other labor law experts interviewed by NPR say.

"It's not that he's a random person who's getting information that a random person shouldn't have access to," said Harvard Law's Block. "But if they really did get everything, then he has information about the cases the government is building against him," she said.

"DOGE is, whether they admit it or not, headed by somebody who is the subject of active investigation and prosecution of cases. It is incredibly troubling," she said.

Musk's company xAI could also benefit from sucking up all the data DOGE has collected to train its algorithms. Cybersecurity experts like Bruce Schneier, a well-known cryptographer and adjunct lecturer at the Harvard Kennedy School, have pointed to this concern at length in interviews and written pieces.

According to two federal government sources who were not authorized to speak publicly about their workplaces and who shared email documentation with NPR, managers have consistently been warning employees that their data could be subject to AI review, particularly their email responses to the Musk-led campaign to get federal employees to detail what they did last week in five bullet points every Monday.

"It's not a flight of imagination to see several DOGE staffers release some of that data surreptitiously to Musk or people close to him," said Shaiken.

If the data isn't properly protected after it leaves the agency or if DOGE left a digital door open to the agency itself, data could also be exposed to potential sale or theft by criminals or foreign adversaries. An attacker could also try to take advantage of the connections between the NLRB's cloud account and other government cloud environments, using their access to the NLRB as a foothold to move to other networks.

"Both criminals and foreign adversaries traditionally have used information like this to enrich themselves through a variety of actions," explained Handorf, the former FBI cyber official. That includes blackmail, targeting and prioritizing intellectual property theft for espionage or even harming a company to enrich another.

Within minutes after DOGE accessed the NLRB's systems, someone with an IP address in Russia started trying to log in, according to Berulis' disclosure. The attempts were near real-time, according to the disclosure. Those attempts were blocked, but they were especially alarming. Whoever was attempting to log in was using one of the newly created DOGE accounts, and the person had the correct username and password, according to Berulis. While it's possible the user was disguising their location, it's highly unlikely they'd appear to be coming from Russia if they wanted to avoid suspicion, cybersecurity experts interviewed by NPR explained.

On their own, a few failed login attempts from a Russian IP address aren't a smoking gun, those cybersecurity experts interviewed by NPR said. But given the overall picture of activity, it's a concerning sign that foreign adversaries may already be searching for ways into government systems that DOGE engineers may have left exposed.

"When you move fast and break stuff, the opportunity to ride the coattails of authorized access is ridiculously easy to achieve," said Handorf. What he means is that if DOGE engineers left access points to the network open, it would be very easy for spies or criminals to break in and steal data behind DOGE.

He said he could also see foreign adversaries trying to recruit or pay DOGE team members for access to sensitive data. "It would not surprise me if DOGE is accidentally compromised."

"This is exactly why we usually architect systems using best practices like the principle of least privilege," Ann Lewis, the former director of Technology Transformation Services at the General Services Administration, told NPR in an interview. "The principle of least privilege is a fundamental cybersecurity concept that states that users should have only the minimum rights, roles and permissions required to perform their roles and responsibilities. This protects access to high-value data and critical assets and helps prevent unauthorized access, accidental damage from user errors and malicious actions."

Bakaj, Berulis' lawyer, told NPR in a written statement: "This case has been particularly sensitive as it involves the possibility of sophisticated foreign intelligence gaining access to sensitive government systems, which is why we went to the Senate Intelligence Committee directly."

The NLRB isn't alone in those concerns.

In over a dozen lawsuits in federal courts around the country, judges have demanded that DOGE explain why it needs such expansive access to sensitive data on Americans, from Social Security records to private medical records and tax information. But the Trump administration has been unable to give consistent and clear answers, largely dismissing cybersecurity and privacy concerns.

In one case dealing with Treasury Department payment systems that control trillions of dollars in federal spending, U.S. District Judge Jeannette Vargas blocked DOGE access on Feb. 21, finding "a real possibility exists that sensitive information has already been shared outside of the Treasury Department, in potential violation of federal law."

It's an area of focus for Democratic lawmakers on the House Committee on Oversight and Government Reform.

U.S. District Judge Jeannette Vargas blocked DOGE access to the Treasury Department over the possibility that sensitive information has already been shared outside of the Treasury Department.
Alex Brandon/AP

An aide for the Democratic minority on the House Oversight Committee who was not authorized to speak publicly told NPR that the committee is in possession of multiple verifiable reports showing that DOGE has exfiltrated sensitive government data across agencies for unknown purposes, revealing that Berulis' disclosure is not an isolated incident.

But government cybersecurity officials are already resigning or being fired, forced to relocate or put on administrative leave all over the federal government, from the Cybersecurity and Infrastructure Security Agency to the Interior Department. That has limited their power to respond to the ongoing disruptions or keep track of what DOGE is doing.

One of the first people to speak out about DOGE's access to sensitive data was Erie Meyer, who resigned as the chief technology officer at the Consumer Financial Protection Bureau (CFPB) in February. She has provided testimony in ongoing court cases surrounding DOGE's access and also spoke to NPR in an interview. The CFPB has sensitive and potentially market-moving data, Meyer said. DOGE employees granted themselves God-tier access to the CFPB's systems, turned off auditing and event logs and put the cybersecurity experts responsible for insider threat detection on administrative leave. When IT experts at the CFPB planned to conduct an after action report on DOGE's activities, they were stonewalled, she continued.

When she heard about how DOGE engineers operated at the NLRB, particularly the steps they took to obfuscate their activities, she recognized a pattern.

"I am trembling," she said upon hearing about the potential exposure of data from the NLRB. "They can get every piece of whistleblower testimony, every report, everything. This is not good."

Other technical employees working with government agencies who spoke to NPR shared Berulis' concerns.

"Our cyber teams are pissed because they have to sit on their hands when every single alarm system we have regarding insider threats is going off," said one employee at an agency of the Interior Department who requested anonymity, fearing retribution. Cybersecurity teams wanted to shut off new users' access to the system, the employee continued, but were ordered to stand down.

Meanwhile, in a letter published on March 13 on Federal News Network, 46 former senior officials from the General Services Administration, one of the government agencies hardest hit by DOGE's cost-cutting efforts and that oversees nearly all federal buildings and purchasing, wrote that they believed highly-sensitive IT systems are being put at risk and sensitive information is being downloaded to unknown unvetted external sources in clear violation of privacy and data-protection rules.

The Trump administration could be trying to codify DOGE's practices into how the government shares information, said Kel McClanahan, the executive director of nonprofit public interest law firm National Security Counselors, who is representing federal employees in a lawsuit concerning the Office of Personnel Management's use of a private email server.

Weeks after DOGE staffers descended on federal buildings across Washington, Trump issued an executive order urging increased data sharing by eliminating information silos, in what's seen by experts like McClanahan as an attempt to give DOGE engineers further top cover in accessing and amalgamating sensitive federal data, despite laws concerning privacy and cybersecurity.

"The entire reason we have a Privacy Act is that Congress realized 50 years ago that the federal government was just overflowing with information about normal, everyday people and needed some guardrails in place," McClanahan told NPR. "The information silos are there for a reason," he continued. "It's astonishing to me that the very people who not a handful of years ago were screaming about the government tracking us with vaccines now cheer for feeding every piece of information about themselves into Elon Musk's stupid Skynet."

DOGE appears to still be in the process of visiting federal agencies across the country, including just recently the Securities and Exchange Commission, according to one former government source directly familiar with the matter who requested anonymity to share information they weren't authorized to share. Across the government, it's unclear how much sensitive data has been removed and collected and combined.

It's also unclear where the labor data went and who has access to it. But for experts in workers' rights, the threat is immediate and existential.

"This shocks the conscience," said Richard Griffin, the former general counsel of the NLRB. And if DOGE operatives captured and removed case files, it could constitute a violation of the Privacy Act.

For Berulis, it was important to speak out because he believes people deserve to know how the government's data and computer systems are at risk, and to prevent further damage. As a former IT consultant, Berulis says he would have been fired for operating like DOGE.

Daniel Berulis hopes that there might be further investigations into mishandling of sensitive data across the federal government.
Grace Raver/NPR

Disclosing his concerns was a moral imperative at this point, he said. "I've never encountered this in my 20 years of IT."

His hope is that there might be further investigations into mishandling of sensitive data across the federal government.

"I believe with all my heart that this goes far beyond just case data," he said. "I know there are people at other agencies who have seen similar behavior. I firmly believe that this is happening maybe even to a greater extent at other agencies."

For overseers, investigators and IT experts in a similar position, he hopes to provide a road map of what to look for.

"It was my goal by disclosing to Congress not to focus on me at all, but to give them information that they might not necessarily have, the things that you don't necessarily look for unless you know where to look," he continued.

The NLRB said it would cooperate with any investigations that stem from Berulis' disclosure to Congress.

"As an agency protecting employee rights, the NLRB respects its employees' right to bring whistleblower claims to Congress and the Office of Special Counsel, and the Agency looks forward to working with those entities to resolve the complaints," said Bearese, the agency's acting spokesperson, in a statement.

Berulis had a simple request for the DOGE engineers: "Be transparent. If you have nothing to hide, don't delete logs, don't be covert. Be open, because that's what efficiency is really about. If this is all a huge misunderstanding, then just prove it. Put it out there. That's all I'm asking."

But ultimately, if the systems that DOGE accesses are left insecure, it might not matter if its intentions are honorable, he concluded.

"This could just be the start of the operation. They still haven't crossed that boundary where they're plugged into every federal system out there," he continued. "So maybe there is still time."

NPR's Stephen Fowler contributed reporting. NPR's Brett Neely edited this story.

Have information or evidence to share about DOGE's access to data inside the federal government? Reach out to the author, Jenna McLaughlin, through encrypted communications on Signal at jennamclaughlin54. Stephen Fowler is available on Signal at stphnfwlr25. Please use a nonwork device.