Sen. Charles Grassley (R-Iowa) on Wednesday delivered sharp criticism of Jen Easterly, the director of the Cybersecurity and Infrastructure Security Agency (CISA), in a letter seeking documents and answers related to the January hack of the agency’s Chemical Safety Assessment Tool (CSAT) and the intrusion of a second classified system.
Grassley said cyberattacks could lead to “malicious activity” that could put at risk some of the country’s most sensitive industrial and critical infrastructure information.
The breach, which was caused by a vulnerability in an Ivanti product, also led to a compromise of a CISA gateway, potentially revealing critical details about US infrastructure operations.
The incident was first reported by Recorded Future News in March, with CISA acknowledging the intrusion at the time but declining to disclose which systems were compromised.
CISA did not publicly acknowledge that its highly sensitive CSAT program had been compromised until June 24th.
The agency also warned about the Ivanti vulnerability in its February 29th recommendation but did not disclose the hack originating from Ivanti in that announcement, even though it learned of it on January 26.
“CISA appears to have failed to take adequate steps to ensure the security of its systems, putting the nation at risk,” Grassley’s letter said.
“Such breaches of an agency tasked with protecting our nation’s cybersecurity and infrastructure security are cause for serious concern.”
Senator Grassley, the ranking member of the Senate Budget Committee, sent the letter in his capacity as the committee’s minority leader.
In announcing last week that CSAT had been hacked, the agency said information stored on the system was encrypted and that the encryption keys were “hidden from the type of access the threat actor had to the system.”
The agency also said there was no evidence that the hackers extracted data from CSAT, but noted the incident “may have resulted in potential unauthorized access” to the site’s security plans, security vulnerability assessments (SVAs) and user accounts within the system.
Grassley, a longtime advocate of government transparency, said in the letter that he wrote to Easterly in March about “CISA’s prioritizing combating misinformation and disinformation over protecting our nation’s critical infrastructure” and that the agency’s response “does not adequately answer all of your questions.”
The letter also warned that Congress may initiate “objective and independent oversight of CISA’s efforts to address recent cyberattacks.”
A CISA spokesman said the agency “does not comment on communications with Congress and responds directly to senators.”
“An unacceptable truth”
A former official who oversaw CSAT said the agency’s security failings were serious and cause for concern.
“The Ivanti breach is widespread, but it is unacceptable that our cyber agency would become another victim,” Brian Harrell, a former CISA deputy director for infrastructure security who oversaw both chemical security and IP gateways, told Recorded Future News in an email.
“This clearly does not help CISA’s CFATS [Chemical Facility Anti-Terrorism Standards’] update efforts given that CSAT tools were affected. We need stronger regulations,” said Harrell, a former assistant secretary of Homeland Security who now works as an energy industry executive.
The CFATS program regulated security measures at high-risk facilities to mitigate the threat of terrorists weaponizing dangerous chemicals. Renewal of the program has been stalled in Congress since it expired in July 2023, leaving law enforcement, the chemical industry and CISA itself to work together to resolve the issue.
Senator Grassley set a deadline for CISA to submit a set of responses by July 17th, including:
- A complete record of all gateways, databases, tools, and systems that have been or could be compromised in an attack.
- A full list of all affected “facilities, organizations and individuals” and information about whether those groups had been warned that their data “might be misused.”
- Records detailing whether CISA knew about the “exploitation” of the Ivanti issue before the January attack, and if so, what specific steps it took to protect its gateways, systems and databases.
- Whether CISA had conducted its own “independent risk assessment” of Ivanti systems prior to the attack.
- “Exactly when” CISA became aware of the breach.
- How authorities learned of the hack, including documentation.
- How many records were available during the cyber attack and how many were accessed, along with supporting documentation.
- Any relevant records on what steps the authorities are taking to prevent recurrence.