Responses: 4
Maj Kevin "Mac" McLaughlin
Not to dismiss any cybersecurity incidents, but let's consider the fact that even the best cybersecurity companies in the world have had their social media and/or web sites compromised. Let's also note that this is purely an informational site, which does not contain a single amount of sensitive information, nor does it have any links to such information or systems. Again, they should know better, despite the fact they built this site quickly. I'd even go as far as to question why they chose to not use the actual government IP space for a .gov site, but I imagine this may have something to do with the desire to get things up and running expeditiously. Having been a part of the process of standing up new government websites, I can attest it does take time. Finally, I hope they have conducted a security assessment to avoid additional incidents and to prevent this site from becoming a watering hole for more nefarious threat actors.
SGM Jeff Mccloud
11 mo
To be fair, this site (the full stack) is hosted on Cloudflare, which is a FedRAMP approved contractor, and most .gov domains are contracted to cloud services. The concern here is that DevOps and SecDevOps is the ONLY training and work experience the kids at DOGE have. This was a pretty basic flaw that was exploited, and these kids are now accessing personnel and finance records of possibly everyone, and possibly making code changes to proprietary databases and apps that they have no previous experience in.
My concern here is how much they will break before they realize that bringing in senior level folks from each dept and experienced outside consultants to actually get this right doesn't equate to failing, the way that breaking things does.
Maj Kevin "Mac" McLaughlin
11 mo
SGM Jeff Mccloud - Assuming this is true about their creds, if they have DevSecOps training (which denotes security is prioritized along with pushing products out), they should be aware enough to implement the required security standards into the mix as they go. This is not a complex site requiring significant effort to meet government compliance, benchmark security standards, and all updates/patching. They are not making changes to the government systems, nor do they need to. They simply need the data, which they can enter into their own tools for analysis, normalization, and reporting. Having done threat hunting in government networks, I can confidently say we never needed to modify the mission partner's network other than to install sensors and/or endpoint agents. Neither interferes with the systems/applications, other than the endpoint agents adding a little bit more CPU/memory usage (which can be scaled where required). However, in this case, they do not need to install agents, nor do they need network sensors. Each agency/department has a repository of data which can be copied and/or extracted without disrupting the system itself. This can be fed into a stand-alone system(s) to do what DOGE needs to do. Those results are then extracted again to be reported into a site like DOGE.gov. Additionally, I would imagine there is an agreement that all analyzed data, once analysis is completed, will be destroyed and the systems used will be thoroughly wiped.
SGM Jeff Mccloud
11 mo
Maj Kevin "Mac" McLaughlin - There is evidence that they got write access at least once, and security professionals with a lot of years in the business writing about this have concerns about this team.

https://www.zetter-zeroday.com/court-documents-shed-new-light-on-doge-access-and-activity-at-treasury-department/
https://thebulletin.org/2025/02/why-doges-meddling-at-treasury-could-have-catastrophic-consequences-for-the-us-economy/

At least in their previous job/internship, these kids had seniors with years of experience to keep them on the tracks.
I would be less worried if that was also the case in DOGE.
I would be much less worried if even one of those seniors was at least in grade school during the Pentium/Win95 era, and had some govt experience somewhere, and one that has had a few years of accounting experience at any level anywhere.
Ideally it would be 2 or 3 seniors that have the amount of experience you have in the military and private sector but on the database analysis and accounting side. And then ideally some of the kids that had at least a year or internship in those areas.
Maj Kevin "Mac" McLaughlin
11 mo
SGM Jeff Mccloud - I think you need to take a look at the DOGE team in its entirety. There is a wealth of experience in all shapes and forms. Furthermore, the team is also comprised of government oversight/advisors to help the data science folks normalize the data. The "kids" helping out on the data collection side are no different than any other contractor the Federal Government hires all the time to do similar things. Both require authorization, and both are required to comply with federal government standards to view the data and access information. As you likely know, there are young members in the military today who have access to various levels of classified data up to the TS/SCI level.

As for Marko Elez, first, you do realize he was removed from the DOGE team right? Granted this was not as a result of the access he was given, but I think you need to read and understand what your own article said about the one example you cited:

"Marko Elez, a controversial 25-year-old employee working temporarily at the Treasury Department for Elon Musk's Department of Government Efficiency (DOGE), did have "write" privileges to one sensitive Treasury Department payments database in February. His access was the equivalent of data-editing privileges, however, not administrative-level network access as previously reported, and the "write" privilege was given to him by mistake for one day before Treasury discovered the error and revoked the privilege, according to an affidavit filed this week by a Treasury executive. There is no sign that Elez altered anything in the database before Treasury staff changed his access privileges."

So, put simply, it was a mistake on the DOT's part (or was it?). The DOGE team never asked for that level of access, nor do they want to modify data. This, by the way, happens ALL THE TIME in my world, when my analysts request read-only access to assess the security of a client's cloud environments. When we confirm this, we kindly point out the mistake and have them remove that access. Your article also speaks to how the DOT ensured he could only connect via a government approved laptop with the approved tools, which is all in line with the mandates in maintaining their approval to operate and approval to connect policies. Furthermore, it also stated the following: "Gioeli told the court that his staff established a number of security measures at the start of Elez's employment in January to restrict and monitor his access to Treasury payment systems and prevent unauthorized activity, such as exfiltrating data or sharing it with unauthorized parties." I will also add, no one on the DOGE team is even going to want that level of access knowing the potential for the dept/agency to point fingers at them if something bad happens.

While it is still possible that Elez could have captured and exfilled data, this is highly unlikely and somewhat easy to confirm on the government laptop he was issued. But you might notice the article states nothing about the government confirming there was any modification or unauthorized access to/exfil of data.

Bottom line, everything I stated to you on how this works appears to be accurate. The DOGE team is not connecting non-government systems to these environments, they aren't asking for admin level access (it was given by mistake), they are not installing unapproved tools, and they are not stealing or modifying data. And to criticise them simply because several of them are in their 20s is ridiculous. I have 20 year olds performing cybersecurity analyst work in Fortune 500 companies all the time. While I pride myself in being the generation that ushered in the Internet and changed the world in terms of connecting the world, this generation is ushering in technologies like AI and data analytic tools. Tools which even the "experienced" accountant types have yet to learn and understand how they can be used to better organize their own data. I have a lot of respect for the younger generation today and their ability to improve on the capabilities they've inherited. In the end, they are not the ones making conclusions for the final reporting to the department and agency leads. They collect data, normalize it, remove the noise, and enable those who actually understand it to make conclusions on where there might be issues in the spending.

By the way, in my late 20s, I was literally breaking into Air Force bases, Joint level DoD networks, and SCIFs, both on the physical and cyber side, while leading Air Force Red Teams (with no senior officer looking over our shoulders). Believe me, I have captured very critical information and was able to make sense of topics that are not in my lane. While this isn't the objective of DOGE (to capture unsecured information), it is similar in nature, and age had nothing to do with anything. Back then there were few people in their senior years that could even do what we did. But we were still trusted to do it and we were highly successful. This is why I say, let DOGE in and bring some out of the box / critical thinking into the mix. If my work can reshape the Air Force's / DoD's prioritization of cybersecurity (which it did), DOGE has a chance to modify the way we look at our budgets/spending. We need to stop fighting this, concentrate on avoiding mistakes, and perform the due diligence in confirming what the reported numbers are saying. Case in point, the latest numbers on SS, I highly doubt reflect reality. This is why we need the SS experts (both on their operational side and their IT/Dev side) to explain why the data is reflecting more people are drawing from SS than there are total Americans living today.
COL President
DOGEbags...
AN Ron Wright
Let's not forget. China hacked the IRS twice last year and every SSN and personal info was put on the dark web.

An info website. Not so much concern