CISA tries to contain data leak

https://krebsonsecurity.com/2026/05/lawmakers-demand-answers-as-cisa-tries-to-contain-data-leak/

Comments

fragmede (May 22, 2026, 8:00 PM)
> “Ultimately, this is a thing you can’t solve with a technical control,” Boileau said on this week’s podcast. “This is a human problem where you’ve hired a contractor to do this work and they have decided of their own volition to use GitHub to synchronize content from a work machine to a home machine. I don’t know what technical controls you could put in place given that this is being done presumably outside of anything CISA managed or even had visibility on.”

More competent technical control means a random contractor doesn't have passwords from mid-2025 to copy to their home machine that even still work after 30 days, if not 5.

xoa (May 22, 2026, 9:04 PM)
This. In fact I thought the government had long since gotten pretty serious about using smartcards and HSMs for everything? Why let anyone take any sort of accessible credential at all vs handing out hardware they can use but that cannot have the credentials taken off? At some organizations the extra cost would be a concern of course but that wouldn't be the case here.

Or maybe that'd have been the sort of project and standard CISA would have formerly done before the Republicans gutted it last year I guess, and this is just another symptom of rot? But yeah to your point technology certainly can absolutely help with this sort of thing. It's not some inevitable act of nature.

acdha (May 23, 2026, 12:16 AM)
I think you have to look at it against the backdrop of so many people being fired and new employees being tasked with “urgent” projects across the government. It’s very plausible that the people who used to enforce all of the policies which would’ve preceded or contained this were either fired for political reasons or didn’t think they could tell someone to follow policy if it slowed them down.

mpyne (May 23, 2026, 4:56 PM)
> In fact I thought the government had long since gotten pretty serious about using smartcards and HSMs for everything?

They do use it for a lot, but there are a lot of things that need to authenticate to each other in a modern ecosystem, especially if you're trying to replace security based on network boundaries as trust boundaries with zero trust (as the government is).

I worked with more than a few IL4 systems where the PKI/smartcard stuff was simply shoved into an F5 that did TLS termination and then everything on the internal VPC just used HTTP headers without even a crypto signature to convey which user had actually logged in.

As with anything else, the more you make it easy to do the right thing, the more often you tend to see the right thing being done. So agencies that make it easy to request server PKI certs see increased uptake, other agencies just have server-to-server auth done by PSKs / API keys instead.

So the concern isn't usually cost but compliance: if it's nearly impossible to get those little developer experience affordances ATO'd themselves, agencies will instead just focus on getting the mission system itself ATO'd come hell or high water and the devs just get told to piece it together however...
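A sketch of the difference mpyne describes, added here as an example that is not from the thread or from any agency system: a backend that believes a bare identity header from the internal network, beside one that only accepts an HMAC-signed, time-limited assertion from the TLS-terminating proxy. The header names, shared key and timestamps are assumptions made for this example.

```python
import hashlib
import hmac
import time
from typing import Optional

# Key shared only by the TLS-terminating proxy and the backend. Constructed for this
# example; in practice it lives in a secret store and is rotated.
PROXY_KEY = b"example-shared-key-not-for-production"
MAX_AGE_SECONDS = 300  # reject old assertions so a captured header cannot be replayed forever


def sign_identity(user: str, issued_at: int, key: bytes = PROXY_KEY) -> str:
    """What the proxy sets after the smartcard/PKI login completes: user|timestamp|HMAC."""
    mac = hmac.new(key, f"{user}|{issued_at}".encode(), hashlib.sha256).hexdigest()
    return f"{user}|{issued_at}|{mac}"


def user_from_unsigned_header(headers: dict) -> Optional[str]:
    """The weak pattern: the backend trusts whatever X-Remote-User arrives, so any host
    that can reach it on the internal VPC effectively chooses its own identity."""
    return headers.get("X-Remote-User")


def user_from_signed_header(headers: dict, key: bytes = PROXY_KEY,
                            now: Optional[int] = None) -> Optional[str]:
    """Return the asserted user only if the HMAC verifies and the assertion is fresh."""
    value = headers.get("X-Auth-User")
    if not value:
        return None
    parts = value.rsplit("|", 2)
    if len(parts) != 3:
        return None
    user, issued_at, presented_mac = parts
    if not issued_at.isdigit():
        return None
    expected = hmac.new(key, f"{user}|{issued_at}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presented_mac):  # constant-time comparison
        return None
    now = int(time.time()) if now is None else now
    age = now - int(issued_at)
    if age < 0 or age > MAX_AGE_SECONDS:
        return None
    return user
```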

nonameiguess (May 23, 2026, 12:33 PM)
Not all "government" systems are the same. They're rated in terms of impact level and data classification. Classified systems can't be logged into outside of SCIFs anyway and have no outgoing connection to the Internet. Unclassified systems at IL5 require certificate auth with a government-issued smart card. IL4 requires endpoint attestation but can otherwise use normal username/password auth. Lower impact levels are not as heavily secured. I would have expected they at least require MFA to access the AWS API, but even that depends. A lot of times accounts will be split between production and non-production with MFA required on the production accounts, but work done purely for experimentation, platform development, or other non-user facing things that don't touch real data might not even be in GovCloud since the commercial accounts are cheaper.

andrewflnr (May 23, 2026, 2:48 AM)
I worked for a bit in an org that was agglomerated into CISA. Let's just say PKI integration continues to be infeasibly difficult for most projects, especially small ones. (And cost is very, very much a concern. Be honest, do you want your taxes going into a project where it isn't?)

fragmede (May 23, 2026, 7:41 PM)
In the context of secrets getting lost with access to a number of sensitive systems, yes, I do think they could spend maybe a bit more money.

andrewflnr (May 24, 2026, 3:27 AM)
"A bit more" is not comparable to "money is no concern". Either way, no amount of money can replace good judgment, which is what was actually lacking: if nothing else, judgment in who to hire.

dylan604 (May 22, 2026, 11:56 PM)
I don't work with national secrets, but I do have access to sensitive/valuable to the client data. The thought of downloading anything directly to my device is just beyond me. I don't even like downloading log files with something like "aws s3 cp s3://client/file - | less". I'd much rather fire up a cheap instance and view the data within their VPC.

niwtsol (May 22, 2026, 8:07 PM)
What an egregious mistake. "exhibits a pattern consistent with an individual operator using the repository as a working scratchpad or synchronization mechanism rather than a curated project repository" - isn't it git 101 to not put creds in git? What pattern do they think this is consistent with?

apnorton (May 22, 2026, 8:47 PM)
They're not defending it as an established workflow pattern or some kind of best practice.

The usage of "exhibit a pattern consistent with..." is just describing what it looks like the repository was used for. i.e. it's not a set of government source code for an internal project, it's not something indicative of intentionally leaking large amounts of data, etc.

nkrisc (May 22, 2026, 9:58 PM)
> What pattern do they think this is consistent with?

They clearly stated what pattern this usage is consistent with: using it as a sort of personal scratch pad.

You’re assigning more meaning to the statement than there is. They are simply stating an observation.

nacozarina (May 23, 2026, 1:11 PM)
not at all a mistake; the US govt is fully-compromised by foreign intelligence and this ‘breach’ was fully intentional

throwaway27448 (May 23, 2026, 2:38 PM)
Worse—it may even be compromised by domestic interests

irishcoffee (May 22, 2026, 10:22 PM)
If I had a dollar for the number of secrets committed to public repositories I could probably retire. No, that isn’t an excuse. Pretending the US govt isn’t made up of people just like you or I is quite silly.

Terr_ (May 22, 2026, 11:34 PM)
Hold up, I think we have some sort of math denominator problem here.

You'd be rich if you got a dollar for every worldwide murder too, but that doesn't make murder a common workplace occurrence.

SnowflakeOnIce (May 26, 2026, 4:28 PM)
Your general point here is reasonable. But to provide some domain knowledge context: secrets are leaked _very_ often!

In public data (source code on GitHub, etc.) you can expect a prevalence somewhere in the range of 0.5-2.5 live secrets per gigabyte of content. Now yes, there are more than 8 billion people on earth now and the murder prevalence is a lot higher than 0.5-2.5 per billion. But there are _far_ more bytes of public content than there are people on earth, so in absolute terms, there are far more leaked secrets than murders.

If you look at other types of data (like internal Git forges), the prevalence is much higher.

I think you could indeed retire with $1 per leaked secret!

irishcoffee (May 22, 2026, 11:47 PM)
‘Tis a lot different mentality typing git commit/git push than it is to murder someone in cold blood, I guess?

Terr_ (May 23, 2026, 12:06 AM)
I was thinking more purely in terms of frequency. For a dollar a pop, you can be "rich" for worldwide events that are actually very rare things.

irishcoffee (May 25, 2026, 1:03 PM)
Probably. Was just a silly turn of phrase.

joleyj (May 23, 2026, 3:06 PM)
“Experts who reviewed the exposed secrets said the commit logs for the code repository showed the CISA contractor disabled GitHub’s built-in protection against publishing sensitive credentials in public repos.”

This makes it seem more intentional to me. Regardless of what the ultimate purpose or use of the repository was, it says to me that the person knew what they were doing and it wasn’t just an innocent oversight like anybody could’ve made.

Arubis (May 22, 2026, 11:32 PM)
If I had a dollar for each secret I’ve committed to a public repo, I could probably buy a couple of sandwiches. I’m not smarter and my opsec probably isn’t any better than most old devs, but I also don’t have a treasure trove of government secrets on disk and—crucially!—_I would make different decisions if I did_.

The nuance here: when I’ve slipped and committed secrets, it’s typically a relative nothing burger: most common case is API keys to some third-party service. I’ve worked across a bunch of regulated industries and, within those, not caused a breach—because being in that space you know to be more careful, and because the companies in those spaces (wisely!) tend to support good security practices, more so than the industry average.

imglorp (May 22, 2026, 8:47 PM)
It's almost like gutting the agency of experts diminishes their opsec capacity among many others.

In 2020 Chris Krebs contradicted stolen election claims. In 2025, Trump sacked Krebs and revoked his clearance, leaving CISA without a director. https://en.wikipedia.org/wiki/Chris_Krebs

In March 2025, the cuts began. https://techcrunch.com/2025/03/11/doge-axes-cisa-red-team-st...

In 2026, it was still without a director and running on fumes. https://techcrunch.com/2026/02/25/us-cybersecurity-agency-ci...

This activity is consistent with intentionally weakening a country's defenses from within and sowing chaos.

wnevets (May 22, 2026, 8:51 PM)
If a foreign adversary was in charge would we know the difference?

subscribed (May 24, 2026, 4:49 PM)
Exactly. He's a Putin asset. Everything he does is either enriching himself and his ilk, or helping Putin.

It's staggering the country is just looking at him.

andrewflnr (May 22, 2026, 11:08 PM)
Let's be real, it's more directly consistent with aggressive incompetence and hiring/firing based on loyalty. As for how the relevant fools ended up with the power to hire or fire, I'll grant that's a more complicated question...

bink (May 22, 2026, 10:52 PM)
Krebs was fired in 2020, not 2025.

imglorp (May 22, 2026, 11:53 PM)
Correct, thank you, I can't edit now though. Fired in 2020, clearance revoked in 2025.

0xbadcafebee (May 22, 2026, 10:01 PM)
> CISA, which lost more than a third of its workforce and almost all of its senior leaders after the Trump administration forced a series of early retirements, buyouts, and resignations across the agency’s various divisions

omgJustTest (May 22, 2026, 11:52 PM)
Seems senators had questions about why CISA was scaling back efforts related to election security[1]. Tulsi's resignation today seems interestingly timed to when this became public.

[1] https://www.padilla.senate.gov/newsroom/press-releases/padil...

da_chicken (May 23, 2026, 1:46 AM)
I don't know why US senators are up in arms about this. Trump was extremely clear when he gave them his budget that he wanted CISA's budget drastically cut. He also specifically directed CISA to shut down their election security office.

This is the "who killed Hannibal" meme. If Padilla and Warner didn't know about this, then they're incompetent themselves. Especially because they reported on it last year:

https://www.padilla.senate.gov/newsroom/news-coverage/cnn-tr...

Why did you forget this happened, Padilla?

N2yhWNXQN3k9 (May 23, 2026, 1:57 AM)
> Why did you forget this happened, Padilla?

because behind any senator there is a propaganda team, not a brain

tardedmeme (May 23, 2026, 7:40 AM)
It takes brains to run successful propaganda.

mapt (May 23, 2026, 8:00 AM)
It takes brains to run propaganda that successfully changes minds.

Propaganda that just confirms preexisting mass delusions is actually pretty easy to run if you have a lot of support from similar actors running adjacent campaigns.

immanuwell (May 23, 2026, 9:18 AM)
the real kicker here isn't just the leaked aws govcloud keys - it's that a contractor manually disabled github's secret scanning protection
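Both joleyj and immanuwell point to the contractor switching off GitHub's built-in push protection. As an added example (not from the thread, and not GitHub's scanner), this is the kind of local check a pre-commit hook can run over `git diff --cached` output as a second line of defence: it flags AWS-style keys and private-key headers on added lines only. The rule set and the sample diff are constructed for this example, and the key values are documentation-style placeholders.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed rule set for the credential families this thread is about: AWS access key IDs
# (AKIA long-term, ASIA temporary), a secret access key assignment, and a private-key header.
# Real scanners carry hundreds of patterns plus entropy checks; this is the core mechanism only.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*[\"']?[A-Za-z0-9/+=]{40}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


@dataclass
class Finding:
    path: str
    line_no: int  # line number in the new version of the file
    rule: str


def scan_diff(diff_text: str) -> List[Finding]:
    """Scan unified-diff text and report secrets on added lines only, so material that was
    already in the repository does not re-trigger on every later commit."""
    findings: List[Finding] = []
    path: Optional[str] = None
    line_no = 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):                        # new-file header: "+++ b/path"
            path = raw[4:].removeprefix("b/")
        elif raw.startswith("@@"):                        # hunk header: "@@ -a,b +c,d @@"
            m = re.search(r"\+(\d+)", raw)
            line_no = int(m.group(1)) - 1 if m else 0
        elif raw.startswith(("diff ", "index ", "-", "\\")):
            continue                                      # headers and removed lines are not in the new file
        else:
            line_no += 1                                  # context and added lines both advance the counter
            if raw.startswith("+"):
                for rule, pattern in PATTERNS.items():
                    if pattern.search(raw[1:]):
                        findings.append(Finding(path or "<unknown>", line_no, rule))
    return findings


# Constructed sample diff: the removed key must not be reported, the two added values must.
SAMPLE_DIFF = """\
diff --git a/deploy/env.sh b/deploy/env.sh
--- a/deploy/env.sh
+++ b/deploy/env.sh
@@ -1,3 +1,4 @@
 export AWS_DEFAULT_REGION=us-gov-west-1
-export AWS_ACCESS_KEY_ID=AKIAOLDKEYEXAMPLE000
+export AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000000
+export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
 echo configured
"""
```

A hook would refuse the commit whenever `scan_diff` returns a non-empty list; a reviewer can then decide whether the hit is a false positive before anything reaches a remote.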

0x59 (May 22, 2026, 8:58 PM)
Reminds me of the enshittification of public transit. Reduce funding, service level decreases, negative sentiment follows.

Eventually, paths like that may lead to increased privatization through security contractors.

mrtesthah (May 22, 2026, 11:13 PM)
It was a security contractor who leaked the creds. So this is already the increased privatization end-game.

pooooka (May 26, 2026, 7:56 PM)
Reduced funding has nothing to do with degraded service. MTA is one of the world's most expensive public transit systems and 15-20% of its 21 billion dollar budget is being consumed by debt. The term enshittification, in my view, is just a progressive catch phrase for systemantics.

Any system grows to fill its known universe and as it grows it operates in unpredictable ways. And the unseen changes dictate what the system really does (not its job title). MTA is not here to be your public transportation. Its job is to generate massive debt for investment bankers on Wall Street who get paid through nefarious interest swap agreements. And how many other city metros are operating under the same investment banking schemes? From what I could tell LA, Denver, Philly, Detroit and (up until recently) Chicago.

bandrami (May 23, 2026, 12:18 AM)
I remember when they leaked a million SF-86s. You know, the form we fill out with a ton of highly personal information so they can decide if we can be trusted with sensitive data.

browsingonly (May 23, 2026, 1:01 AM)
That wasn't a leak, it was a breach (perpetrated by Chinese state security).

fhn (May 23, 2026, 2:33 AM)
With a breach, the data ends up in one group's hands, but a leak means everyone gets access. Which would you rather have?

r_lee (May 23, 2026, 2:54 AM)
I think logically you'd want the former. With a leak the group will get their hands on it anyways, might as well try to limit reach

dgacmu (May 23, 2026, 2:29 AM)
Wasn't that OPM, not CISA?

bandrami (May 23, 2026, 5:33 AM)
Yes, multiple times IIRC (my "they" was more general than a specific agency)

CISA, however, was the administration whose head was caught using an unauthorized commercially-hosted LLM for government data a few months ago:

https://cyberpress.org/cisa-public-chatgpt/

acquacow (May 23, 2026, 3:35 AM)
Yeah, that was OPM...twice.

fhn (May 22, 2026, 10:30 PM)
Lawmakers want answers but they never provide answers themselves. Who watches the so-called watchers? Corruption on a massive scale by lawmakers, but when a key gets published, heads will roll? Keys are mistakenly published all the time by very smart people. Ever run rm -rf *? Ever destroyed a production db? Ever powered off the wrong server? Yes.

verisimi (May 23, 2026, 5:34 AM)
Their watching is about control not care. It is covertly adversarial; "care" is a justification, not the reality.

pianopatrick (May 23, 2026, 12:51 AM)
If these guys who are supposed to be the experts cannot really be secure on the internet, I'm not sure how anyone else is supposed to be secure on the internet.

quantified (May 23, 2026, 3:59 AM)
This is post-Doge. Doge did its thing well. Sadly, a lot of other people parroted Doge's lies.

Cider9986 (May 22, 2026, 8:35 PM)
Maybe Massie was right when he didn't want to fund CISA.

water-data-dude (May 22, 2026, 9:44 PM)
Maybe this is what happens when you fill roles based on loyalty to one person rather than competence

m3047 (May 22, 2026, 5:06 PM)
CISA said “there is no indication that any sensitive data was compromised as a result of the incident.”

Oh wow. Except for those secrets.

bandrami (May 23, 2026, 12:50 AM)
Unfortunately "sensitive" has a specific meaning that they may be being legalistic with. PII, for example, is generally not "sensitive".

oofbey (May 23, 2026, 2:03 AM)
Willful ignorance. "No indication" meaning they haven't seen any evidence anything was compromised. Could be because they've been working very hard not to look at any evidence or analysis of what happened. "I'm not aware of X" is very different from "X is not true".

stephbook (May 23, 2026, 8:49 AM)
They probably don't have systems in place to even detect that data was snorkeled off.

So "no indication" is completely correct.

shakna (May 22, 2026, 11:43 PM)
Well, "Sensitive" is the second lowest data label. It must all just be above that.

InsideOutSanta (May 22, 2026, 8:58 PM)
Except for all the leaked data, absolutely no data was leaked.

hsbauauvhabzb (May 22, 2026, 10:58 PM)
See the trick is to not consider your data sensitive, no SENSITIVE data was leaked.

Terr_ (May 22, 2026, 11:31 PM)
There is no data leakage from the application where the front-fell-off, because we towed the data outside the environment.

https://m.youtube.com/watch?v=3m5qxZm_JqM

hsbauauvhabzb (May 22, 2026, 11:58 PM)
‘Logs do not indicate hackers accessed any sensitive data, because we did not implement logging and did not look very hard for auxiliary evidence’

unethical_ban (May 23, 2026, 12:10 AM)
Didn't RTFA, was any actual secret data or any IOC, log tampering, etc. found?