Shortly before 11 a.m. on Sunday, the 80,000 physicians, health scientists, disease detectives, and others tasked with safeguarding the nation’s health received instructions to respond to an email sent the day before asking them, “What did you do last week?”

The email arose from a Saturday dispatch issued by President Donald Trump on the social-media platform he owns, Truth Social. “ELON IS DOING A GREAT JOB, BUT I WOULD LIKE TO SEE HIM GET MORE AGGRESSIVE,” he wrote.

The response from Elon Musk arrived seven hours later on the social-media platform he owns, X. The billionaire Trump confidant leading the effort to slash the federal workforce wrote that afternoon that he was acting on Trump’s “instructions” and ensuring that “all federal employees will shortly receive an email requesting to understand what they got done last week.”

The result was a government-wide email directing federal workers to detail their accomplishments over the previous week, in five bullet points. Musk wrote on X: “Failure to respond will be taken as a resignation.”

The directive sent agencies scrambling to tell their employees what to do. Some instructed them not to respond. Others made clear that a reply was mandatory. And then there was the Department of Health and Human Services—an epicenter of the chaos engulfing Washington.

“This is a legitimate email,” read Sunday morning’s instructions from HHS, which advised employees to respond by the deadline set for 11:59 p.m. ET on Monday.

But later that day, the directions changed. Employees were told to “pause” answering the email, according to new guidance sent Sunday at 5 p.m., which pointed to concerns about the sensitivity of department business. HHS promised that updated guidance would arrive Monday at noon.

By late afternoon on Monday, many federal health workers had left their offices with no new guidance, uncertain about whether to respond to the email and whether ignoring it would jeopardize their jobs.

They didn’t know that the federal government’s main personnel agency, which had sent Saturday’s government-wide email, had quietly instructed agencies midday Monday that a response was voluntary. Those instructions effectively rescinded Musk’s threats.

For Musk, the episode was a setback. For federal workers struggling to get their bearings, they told us it was just one more reason to feel both fury and fear.

“This whole administration is a fucking train wreck,” a federal health official said.

The shifting and contradictory instructions divided Trump’s Cabinet, and for the first time, created daylight between Musk and the White House. Even before the administration formally conceded that responses were voluntary, Trump advisers had privately signaled support for agency heads who told their employees not to reply to the email, owing to the sensitivity of their work.

Most of the pushback to the Musk directive came from the country’s national-security agencies, including the CIA, the FBI, and the Department of Homeland Security. A senior official at NASA, which advised employees not to respond, called the request an “unprecedented ask and unprompted attack on our workforce” in a weekend email to employees that was described to us. A deputy commander at the Navy told people in his chain of command, “Please do NOT respond at this time,” accenting his order using bold red text.

The cascading series of contradictory guidance reflected the unusual balance of power between Trump and Musk, and the unpredictable consequences for millions of federal workers. “It’s a psyop,” said a senior official at the Department of Veterans Affairs, referring to a psychological operation, in this case intended to intimidate federal workers. “It’s a form of harassment. But there’s no one to complain to because no one knows exactly where it’s coming from or who’s behind it.”  

The president’s Saturday morning post spurred Musk to confer with his deputies at the Department of Government Efficiency and develop the hastily written email, according to a White House official. The email was sent by the Office of Personnel Management, now staffed at senior levels by Musk’s deputies. They told agency employees that they intended to use artificial intelligence to analyze the responses and develop reports about further changes to the federal workforce, according to an OPM official familiar with their comments.

Two senior administration officials said that the haphazard nature of Musk’s directive rankled some in the West Wing, as concerns grow that the billionaire’s authority is encroaching on the power of Cabinet secretaries.

Trump, for his part, publicly backed Musk’s effort. “I thought it was great because we have people that don’t show up to work and nobody even knows if they work for the government,” the president told reporters during an appearance Monday with French President Emmanuel Macron. “What he’s doing is saying, ‘Are you actually working?’ And then if you don’t answer, you’re sort of semi-fired or you’re fired, because a lot of people are not answering because they don’t even exist.”

White House Press Secretary Karoline Leavitt also defended the actions: “This was the president’s direction to Elon, and it is being carried out as planned,” she said. “Everyone at the White House knew very well that it was coming.”

The same can’t be said for other parts of the federal government, where agency heads were caught off guard and many recipients mistook the email for phishing. Employees on leave or on vacation feared that they would lose their job. At HHS, department leadership was given just a five-minute warning before the email went out, a senior official at the Centers for Disease Control and Prevention told his staff on Monday, according to people familiar with his account. HHS did not respond to a request for comment.

Some of the agencies that advised employees to respond to Musk’s email sought to justify the request in guidance issued on Monday. John W. York, a senior counselor to Treasury Secretary Scott Bessent, told employees, “The OPM message reflects an effort to increase accountability by the federal workforce, just as there is in the private sector. Given the voluminous and extremely important work that Treasury staff perform on a daily basis, we expect that compliance will not be difficult or time-consuming.”

Around 5 p.m. Monday, HHS finally issued new guidance affirming that a reply was not mandatory but warning employees who did detail their professional activities to protect sensitive data. “Assume that what you write will be read by malign foreign actors and tailor your response accordingly,” the guidance stated.

Meanwhile, there were signs that OPM was working to make parts of the Musk directive permanent, at least within the agency. In an email to employees Monday evening, OPM’s acting director wrote that he had asked the chief human capital officer to “operationalize this exercise” so that employees continue to “submit weekly accomplishment bullets.”

In certain corners of the federal government, workers made light of the Musk request. One Pentagon official told a colleague that his reply would include time spent on Fox News, Truth Social, and X—more reliable sources of information about the terms of his employment than his own bosses.

“Who are we taking orders from?” the Pentagon official said. “No one really knows.”

“Having the best spies, the best collection systems, and the best analysts will not help an intelligence service if it leaks like a sieve,” the former CIA speechwriter Charles E. Lathrop remarked in The Literary Spy, a book of quotations about espionage that he compiled. Lathrop, who wrote under a pseudonym, was making a point about counterintelligence—the flushing out of enemy spies and leakers who might compromise a spy agency’s precious secrets. Counterintelligence, Lathrop observed, “is the kidneys of national security: necessary, but unheralded until something goes wrong.”

These days, something looks to have gone very wrong—with the kidneys and maybe with the brain, too.  

To protect secrets, people who will be handling classified information or assuming positions of trust within intelligence agencies are vetted, often by law-enforcement agents, who interview friends and co-workers, review travel histories, and analyze financial information to determine whether someone might make an attractive recruit for a foreign intelligence service. Perhaps he’s in debt and would be willing to sell sensitive information. Or maybe she harbors some allegiance to a hostile country or cause and might be willing to spy for it. Looking for these red flags is counterintelligence 101, an imperfect, laborious, and invasive process that American presidents of both major parties have nevertheless accepted as the cost of doing intelligence business.

[David Deming: DOGE is failing on its own terms]

But the legion of Elon Musk acolytes who have set up shop inside federal agencies in the past few weeks do not appear to have been subjected to anything approaching rigorous scrutiny. President Donald Trump has also nominated to key national-security positions people whose personal and financial histories contain at least caution flags. This deviation from past practice has created a new kind of counterintelligence predicament, officials and experts have told me. Rather than staying on high alert for hidden threats, the counterintelligence monitors have to worry about the people in charge.

The public knows very little about how, or if, staff at the new Department of Government Efficiency that Musk runs were vetted before they obtained access to the Treasury Department’s central payment system or the files of millions of government employees at the Office of Personnel Management. These two databases could help U.S. adversaries uncover the identities of intelligence officers and potentially their sources, people with knowledge about how the systems are set up told me.

Precisely what the DOGE teams are doing with this information, whom they’ve shared it with, and whether they have adequately protected it from falling into the wrong hands remains unknown. But the risks posed by this direct access to the government’s central nervous system are entirely foreseeable.

“The fact that people are getting access to classified and personally identifiable information who are not being vetted by our national-security system means it is more likely that there are going to be damaging leaks,” Tim Naftali, a counterintelligence expert and presidential historian at Columbia’s School of International and Public Affairs, told me.

Why would President Trump, who is the ultimate arbiter of who gets to see classified information, take such risks? One answer is rooted in his historic distrust of the FBI, whose agents traditionally conduct background investigations of senior administration officials as they assume their posts. Trump views the bureau as a hotbed of disloyal conspirators. During the presidential transition, he reportedly resisted efforts to allow FBI background checks, and how thoroughly members of his administration were vetted, if at all, is still not clear.

Animus and mistrust likely guide the president’s decisions here. He has publicly seethed at the agents who searched his Florida home, as part of an investigation that led to felony charges for mishandling national-security information after he left office. The agents who worked on that case are assigned to a counterintelligence squad at the FBI’s Washington field office, and the White House is trying to fire them. These agents routinely investigate threats to U.S. national security, and removing them would at least temporarily stall their efforts.

“In his dark passion for retribution, Trump is making his own government, which is our government, more vulnerable to adversarial penetration,” Naftali said.

Security risks now pervade the federal government, thanks largely to a cadre of youngsters, some barely out of high school, whom Musk has deployed inside federal agencies, ostensibly to identify wasteful government spending. In addition to the Treasury Department and the Office of Personnel Management, DOGE agents have reportedly accessed information networks at the State Department, the Centers for Disease Control and Prevention, the Centers for Medicare & Medicaid Services, the Commerce Department, the Education Department, and the Energy Department, among others. Musk has further plans to send teams to other major organizations, including the Pentagon.

[Read: The government’s computing experts say they are terrified]

As his teams fan out, the kidneys of counterintelligence are backing up.

At Treasury, a security team warned that DOGE employees’ access to a central government payment network presents an “unprecedented insider threat risk,” The Washington Post reported last week. The government defines an insider threat as “someone with regular or continuous access” to a computer system who could exploit the information for criminal purposes, leak it to unauthorized parties, or sell it to a foreign government. Edward Snowden, the government contractor who disclosed classified information about NSA surveillance to journalists and who now lives in Russia, is the classic modern example.  

Two intelligence officials told me that the Treasury system, which processes more than $5 trillion in payments each year, contains sensitive national-security information. It could be used to uncover the identities of U.S. intelligence officers—who are after all paid from the Treasury—as well as people or organizations who are paid to spy on behalf of the United States.

These names are not explicitly identified as intelligence assets in the Treasury network, but an adversary with the time and know-how could use the Treasury data, possibly in concert with other information, to discover classified identities, the officials indicated. According to the Post, a senior career official at the department raised such concerns in a letter to Treasury Secretary Scott Bessent. The official recommended some unknown mitigating steps that Bessent reportedly approved.

At the Office of Personnel Management, DOGE employees gained access to information, including addresses and salary history, about Treasury and State Department employees working in “sensitive security positions,” the Post also reported. Personnel data are another puzzle piece that could allow an adversary to identify who works for the intelligence community, and potentially in what country they’re stationed.

“Little pieces of information matter a lot when they’re put together with other little pieces of information,” Joel Brenner, who was in charge of U.S. counterintelligence policy under Presidents George W. Bush and Barack Obama, told me. This is standard intelligence tradecraft. “That’s how we do it. That’s how every intelligence service does it,” Brenner said.

The Office of Personnel Management is not known for its counterintelligence prowess. A decade ago, Chinese hackers breached the agency’s computer networks and stole the records of millions of U.S. government employees, in one of the great espionage coups of recent history. As I reported at the time, officials had earlier resisted a plan to merge a system known as Scattered Castles, which contained the records of intelligence-agency personnel and others who held security clearances, with OPM’s system, fearing exposure in just this scenario.

Their concerns proved prescient, and today, Scattered Castles remains segregated from OPM’s systems—fortunately, given recent reports that Musk’s team has connected its own server to OPM’s systems, which could open a gateway for foreign hackers to again burrow in.

Yet intelligence-personnel records may still be at risk. Last week the CIA sent OPM a list of names of new CIA officers via an unclassified email, people familiar with the matter told me. The CIA sent only the officers’ first names and the first initial of their last names. But even those fragments of information could be useful to foreign spies.

Over the weekend, a former senior CIA official showed me the steps by which a foreign adversary who knew only his first name and last initial could have managed to identify him from the single line of the congressional record where his full name was published more than 20 years ago, when he became a member of the Foreign Service. The former official was undercover at the time as a State Department employee. If a foreign government had known even part of his name from a list of confirmed CIA officers, his cover would have been blown. The cover of a generation of young intelligence officers now appears to depend on whether Musk’s DOGE kids are, with no obvious experience in such matters, properly handling and protecting the information that the CIA sent them.  

How trustworthy are Musk’s employees? Early reports suggest that if they had been subject to traditional background checks, which they apparently were not, some of them would have had trouble passing. One standout in this regard, Edward Coristine, a 19-year-old DOGE member who has used the online handle “Big Balls,” was fired from an internship after he was accused of sharing proprietary information with a competitor, Bloomberg reported. After he was dismissed, the former intern bragged on an online chat platform that he “had access to every machine” and could have deleted crucial data from the company’s servers. “I never exploited it because it’s just not me,” Coristine reportedly wrote. This is the textbook definition—indeed, the U.S. government’s definition—of an insider threat.

The cybersecurity journalist Brian Krebs has written that Coristine was affiliated with a community of chat channels “that function as a kind of distributed cybercriminal social network.” Coristine, who was first identified not in a government announcement but by investigative reporters at Wired, founded a company that “controls dozens of web domains, including at least two Russian-registered domains,” the publication reported. Coristine has recently been named a senior adviser at the State Department, according to the Post.

[Read: If DOGE goes nuclear]

Government computer-security experts are worried that DOGE members could corrupt vital technology systems. “Musk and his crew could act deliberately to extract sensitive data, alter fundamental aspects of how these systems operate, or provide further access to unvetted actors,” my colleagues wrote in The Atlantic last week. An insider need not even behave maliciously to cause havoc. DOGE agents, who are overwhelmingly young with little professional experience or familiarity with older government systems, “may act with carelessness or incompetence, breaking the systems altogether. Given the scope of what these systems do, key government services might stop working properly, citizens could be harmed, and the damage might be difficult or impossible to undo.”

The counterintelligence risks don’t extend only to unchecked young people with the keys to the government’s kingdoms of data. Some of Trump’s Cabinet nominees—including those for two national-security positions—raise classic red flags.

According to his financial disclosure forms, Kash Patel, Trump’s nominee to run the FBI, was paid $25,000 last year by a film company owned by a dual U.S.-Russian citizen that has made programs promoting “deep state” conspiracy theories pushed by the Kremlin, the Post reported. Receiving money from a foreign government is a basic risk factor because it raises questions about whether a government employee’s favor or influence can be bought.

The resulting six-part documentary appeared on Tucker Carlson’s online network, itself a reliable conduit for Kremlin propaganda. In the film, Patel made his now infamous pledge to shut down the FBI’s headquarters in Washington and “open it up as a museum to the ‘deep state.’” The FBI is one of the Russian intelligence services’ main targets for espionage.

On his disclosure forms, which were made public only after he testified in his Senate confirmation hearing, Patel describes the payment as an “honorarium.” That term traditionally implies a nominal or even negligible sum of money, which this was not. He also listed consulting work for clients that include the Qatari embassy and said that he would keep his stock in the Cayman Islands–based parent company of the clothing brand Shein, which was founded in China.

According to his financial disclosure forms, Robert F. Kennedy Jr., Trump’s nominee to run the Health and Human Services Department, is saddled with up to $1.2 million in credit-card debt. Owing money is another risk factor because it might induce people to accept funds in exchange for sensitive information. Investigators examine bank records, credit-card statements, and other financial documents to determine how much debt a security-clearance applicant carries and its proportion to his level of income.

Allegiance or even sympathy to a hostile power is yet another warning sign. Tulsi Gabbard, Trump’s director of national intelligence, has drawn widespread criticism for her statements supporting Russian President Vladimir Putin as well as her 2017 meeting with Syria’s then-president, Bashar al-Assad. More alarming, the Post found evidence that Gabbard tried to obfuscate details about the nature of her encounters with the Syrian dictator from congressional investigators and may have lied to her staff. Having a history of shady meetings with any foreign national, much less the head of a country, is a great way not to be approved for a security clearance. (Just ask Trump’s son-in-law Jared Kushner, whose own opaque interactions with foreign officials temporarily stopped him from obtaining a clearance in the first Trump administration.)

During her confirmation hearing, Gabbard resisted entreaties from her fellow Republicans and Democrats—with whom she used to caucus when she was a member of Congress—to condemn Edward Snowden’s leaks and label him a “traitor.” Gabbard, who has long praised Snowden as a courageous whistleblower and called on Trump to pardon him, would say only that he “broke the law,” an obstinate position that left the distinct impression she approves of what Snowden did. Nevertheless, today the Senate voted largely along party lines to confirm Gabbard’s nomination as the nation’s top intelligence official.

Traditionally, counterintelligence officials have judged people whose ideology mirrors that of an adversarial state, or who have financial conflicts of interest, to be at higher risk of becoming spies or leaking secrets. “At the moment, that’s the population from which President Trump is selecting his most powerful and influential members of his administration,” Naftali told me.

[Read: It’s time to worry about DOGE’s AI plans]

Trump’s assault on the country’s national-security agencies stems from a distrust that millions of Americans share, Jeffrey Rogg, an intelligence historian at the University of South Florida, told me. Trump has repeatedly said—accurately—that the intelligence community often falls short of its basic obligation of keeping the United States from being taken by surprise by the country’s adversaries. And the agencies have failed several times to root out their own insider threats. Those counterintelligence debacles shake public confidence and bolster Trump’s critique that the intelligence agencies are dysfunctional and even corrupt.

At the same time, many career intelligence officers don’t trust the president or the people he has chosen to lead. They believe that Trump has misled the public about what the intelligence agencies are really there to do. And these, too, are accurate complaints, shared by many Americans.

Intelligence agencies depend on trust, both in their own employees and from the public. That confidence is disintegrating. As Rogg told me, “This is where we’re going to be our own worst enemies.”