Suspicious DOGE Activity at the NLRB
While a team from DOGE was working at the National Labor Relations Board, they engaged in "hacker-like" activities, turning off event monitoring systems and deleting log files. A large amount of data from a sensitive database appears to have been exfiltrated to an unknown destination. Then, a member of the NLRB IT staff was subject to intimidation.
Today I am going to do something a bit different from my previous posts. I am going to focus almost exclusively on an article published by National Public Radio (NPR) titled "A whistleblower's disclosure details how DOGE may have taken sensitive labor data". The article and the accompanying radio story were the work of Jenna McLaughlin and detail the experiences of a whistleblower named Daniel Berulis, who is an information technology specialist at the National Labor Relations Board. According to Berulis, members of a team from the U.S. DOGE Service, after disabling security mechanisms, may have exfiltrated sensitive data from the NLRB. Exactly what data may have been removed, and for what purposes, is not clear, but Berulis paints a very troubling picture.
In previous posts about DOGE and Shadow President Elon Musk, I have repeatedly stressed my concern that sensitive government data might be transferred for use by Musk, either for his own informational purposes or for use in training the artificial intelligence models used by Musk's AI company, xAI. The apparent data theft reported by Berulis is not clear evidence that this has happened, but it is an indication that it might have happened. Either way, this episode highlights the cavalier manner in which DOGE has treated sensitive U.S. government data.
First, the facts as told by Berulis. In March of this year, a team from DOGE descended upon the NLRB. The DOGE staff immediately demanded access to the agency's IT systems, including a case management system housing extremely sensitive information about NLRB investigations. The DOGE team asked that logging systems on the computers be turned off, and team members turned off other monitoring systems themselves. The team engaged in additional evasive behavior that appeared aimed at covering their tracks. The NLRB IT department became so concerned by the behavior that it launched a formal review of potentially illegal security breaches. Berulis felt his department's efforts to shed light on the DOGE activities were running into dead ends and filed a formal whistleblower complaint. Berulis also provided his report to NPR.
While trying to track DOGE's activities, Berulis discovered a massive spike in outgoing traffic originating from the NLRB's case management system. All told, about 10 gigabytes of data were exfiltrated. Moreover, the data was not simply transferred via normal mechanisms; instead, the transfer used a hacker trick that relies on the Domain Name System (DNS), the system normally used to translate computer names to internet addresses. Log files that might have recorded this activity had been deleted. The destination to which the data had been transferred could not be discovered.
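Exfiltration through the name-lookup system (DNS) described above leaves a recognizable pattern wherever resolver queries are logged: one host sending many distinct, unusually long names under a single domain. The following detection sketch is an added example, not part of the original post or of Berulis's disclosure; the host names, domains, thresholds and the base32 size estimate are all constructed assumptions.

```python
from collections import defaultdict

# Constructed resolver log entries (source host, queried name); not real data.
LONG = "a9f3k2m7q1x8z4c6" * 3  # 48 encoded characters per query
SAMPLE_QUERIES = (
    [("case-db-01", f"{LONG}{i:04d}.t.example-drop.test") for i in range(400)]
    + [("case-db-01", "www.example.test"), ("case-db-01", "time.example.test")]
    + [("desk-17", "mail.example.test")] * 50
)

def split_name(name):
    """Return (registered domain, subdomain labels).

    Assumption: the registered domain is the last two labels. Production
    code should consult the Public Suffix List instead.
    """
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), labels[:-2]

def summarize(queries):
    """Group unique subdomain strings by (source host, registered domain)."""
    seen = defaultdict(set)
    for host, name in queries:
        domain, sub = split_name(name)
        seen[(host, domain)].add(".".join(sub))
    return seen

def flag_tunnels(queries, min_unique=100, min_avg_chars=30):
    """Flag host/domain pairs with many distinct, long subdomains.

    Returns (host, domain, unique names, estimated payload bytes), largest
    first. The byte estimate assumes base32 encoding (5 bits per character).
    """
    hits = []
    for (host, domain), subs in summarize(queries).items():
        chars = sum(len(s.replace(".", "")) for s in subs)
        if len(subs) >= min_unique and chars / len(subs) >= min_avg_chars:
            hits.append((host, domain, len(subs), chars * 5 // 8))
    return sorted(hits, key=lambda h: h[3], reverse=True)

if __name__ == "__main__":
    for host, domain, unique, est in flag_tunnels(SAMPLE_QUERIES):
        print(f"{host} -> {domain}: {unique} unique names, ~{est} bytes")
```

The check only works if resolver logs are collected somewhere the querying host cannot alter, which is why deleted or disabled logging matters so much in this account.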
In the past, I spent eight years working on a cybersecurity team within the U.S. government. My duties included securing IT systems and investigating hacks and other security incidents. What Berulis describes is almost a textbook example of how hackers operate. If there were legitimate reasons for transferring data from NLRB systems, such a transfer could have been done openly and documented. The multiple steps that the DOGE team took to hide their activity strongly suggest that this transfer was not legitimate. Imagine that the DOGE team had entered a public library and, instead of checking out books and leaving via the front door, they had crawled through the library's ventilation system and exited through a vent opening to the outside. Would that not appear suspicious? This is more or less what happened in this case; only the data was not publicly available books but, instead, highly sensitive information.
Berulis and his colleagues were unable to determine exactly what data had been exfiltrated and have no idea why it was stolen. However, the activity raises several concerns. It is possible, for example, that the DOGE team either intentionally or accidentally left the NLRB systems vulnerable to future attacks. In one concerning incident, within 15 minutes after a DOGE staffer created a new account, there were attempts to log in to that account with the correct username and password from an IP address in Russia. Personally, I would not put much emphasis on the address; that could be faked, and a skilled Russian hacker would hide his origin in any case, but the use of the correct username and password is extremely disturbing. That suggests an information leak, either within the NLRB or within DOGE. In what might be close to a worst-case scenario, DOGE may have a system for storing credentials that has been compromised.
This also raises the possibility that DOGE may be storing sensitive information insecurely. While DOGE is routinely described by its supporters as the most transparent government agency, it is, in fact, very opaque. For instance, in this example, we don't know what data was stolen, let alone where and how it is being stored or used. Even a well-intentioned effort could have unintended security oversights that allow unauthorized access to the data. This fear is significantly greater if the data exfiltration was not well-intentioned. We have to assume that DOGE staffers are as vulnerable to bribery, blackmail, intimidation, and other forms of coercion as anyone else.
Even more problematic, given the DOGE ties to Musk, is whether this data was stolen for his benefit. Musk is currently involved in litigation challenging the right of the NLRB to even exist. There are multiple cases involving Musk or his companies before the NLRB right now. The data could be very helpful to Musk in his legal actions. Alternatively, Musk could be feeding the data to his AI systems. We can't say that this has happened, but we also can't say that it hasn't happened. That is one result of turning off auditing and logging systems.
Even more disturbing with regard to Berulis, the whistleblower, was what happened after he began investigating DOGE's activities. He returned to his home one day to find an envelope taped to his front door. Inside the envelope was a letter containing considerable personal information about him. There was also a photo of Berulis walking his dog that appears to have been taken by a drone. There was a warning that Berulis should stop looking into DOGE's activities. Berulis turned the documents over to law enforcement, who are currently investigating.
Concerns about data exfiltration from government agencies are not limited to the NLRB. According to the NPR article, an aide to a Democratic member of the House Oversight Committee said that the committee is in possession of several reports showing that DOGE has transferred sensitive government data for unknown purposes. Erie Meyer, the former chief technology officer at the Consumer Financial Protection Bureau (CFPB), is quoted in the article describing very similar activity by a DOGE team at the CFPB: "Meyer said DOGE employees granted themselves ‘God-tier’ access to the CFPB's systems, turned off auditing and event logs and put the cybersecurity experts responsible for insider threat detection on administrative leave."
DOGE has gained access to some of the most sensitive information about Americans including our tax records, social security data, and health information. Previously, access to that data had been severely restricted. DOGE has removed all barriers to its own access. The fact that DOGE, with almost no controls on its own activities, is engaging in suspicious activities and transferring sensitive data for unknown purposes should be concerning to all of us.
I will close with a quote from a statement made by Berulis' lawyer, Andrew Bakaj:
"If the underlying disclosure wasn't concerning enough, the targeted, physical intimidation and surveillance of my client is. If this is happening to Mr. Berulis, it is likely happening to others and brings our nation more in line with authoritarian regimes than with open and free democracies. It is time for everyone – and Congress in particular – to acknowledge the facts and stop our democracy, freedom, and liberties from slipping away, something that will take generations to repair."