Dem
47
GOP
53
With the blessing of Secretary of the Treasury Scott Bessent, Elon Musk has been given the power—but not the legal authority—to control the federal government's payment system through which $6 trillion worth of payments flow every year. This move has stoked widespread alarm that Musk has already violated the Privacy Act, cybersecurity laws, and other laws. Alan Butler of the Electronic Privacy Information Center said: "The scale here is unprecedented in terms of the risk to sensitive personal and financial information. It's an absolute nightmare." Mary Ellen Callahan, former Chief Privacy Officer at the Department of Homeland Security, was apoplectic. She said: "If we lose control of that data, we've lost control forever." Alex Joel, an adjunct professor of law at American University, said of Musk's personal decision to kill off USAID despite Congress having created and funded the agency: "I think it's the most clearly unconstitutional act that he's doing."
It's not just the payment system that Musk and his band of hackers have commandeered. They also have taken over the Office of Personnel Management (OPM) and sent out a mass mailing offering an early buyout to federal employees who want to quit. The only problem here (OK, the most obvious problem here) is that Congress has not authorized or funded any such buyout. Also, a lawsuit alleges that Musk ordered a private e-mail server to be set up in the office controlled by his band of merry young men. Private e-mail server? Private e-mail server? We read about that once somewhere a few years ago. We forget where, though. But we vaguely recall some people saying it was a security problem.
What Musk clearly understands is that laws are not self-enforcing. In a modern government (or corporation, as well) control of the IT systems is really the key to controlling the beast. If you are old enough, you might remember photos of some revolutionary guerilla group in some distant country claiming victory when they captured the TV station in the capital. A modern version of a coup is not capturing the TV station, but capturing the government's computers. That has been done now, so the rest should be easy.
A story in Wired reports that a 25-year-old engineer named Marko Elez working for Musk has acquired root access and can log in from his notebook computer (via ssh—secure shell) to two of the most sensitive government systems, the Payment Automation Manager and the Secure Payment System, and change the code there, possibly making hidden, undocumented, and effectively irreversible changes while reporting to no one except Musk. Needless to say, this violates all kinds of privacy and security laws. If Musk has ordered Elez or anyone else in his band of kids to copy data from the federal systems onto their notebooks, that would violate another batch of privacy and security laws. One (anonymous) federal worker with a decade of cybersecurity experience in multiple federal agencies said that the actions of Musk and his allies violate both the spirit and letter of the Federal Information Security Management Act (FISMA) and security controls established by the National Institute of Standards and Technology for securing federal systems. The person further added: "These systems have now become untrusted, so once this is done and over, to have those systems back to the level of assurances they had on Jan. 20 will require a lot of work and a lot of resources." And, we might add: "a lot of time." (V)