Sen. Charles E. Grassley said America’s top domestic cybersecurity agency has failed to provide basic information about a hack it suffered more than a year ago, in January 2024.
The Cybersecurity and Infrastructure Security Agency revealed last year that hackers breached its Chemical Security Assessment Tool, which the government uses to gather data from facilities with dangerous chemicals.
Mr. Grassley, Iowa Republican, started investigating the breach in July 2024, soon after CISA publicly revealed the breach, and he said Tuesday that the agency has yet to fully explain what happened.
“It appears that CISA cannot definitively determine whether or not the data on 506,191 individuals has been misused, exfiltrated, or used in furtherance of criminal activity,” Mr. Grassley said in a letter to CISA.
In a notification to Congress last year shared by Mr. Grassley’s office, CISA said it determined that the “privacy incident presents a moderate risk of harm” despite the hackers having access to the agency’s tool for two days.
“Due to the limited visibility within the antiquated CSAT, CISA cannot disprove access or exfiltration with a high degree of confidence,” the CISA notification said. “Further, CISA does not have knowledge or evidence of misuse of the [personally identifiable information], nor can it definitively speak to any related criminal activity or who may have received compromised PII if it was exfiltrated.”
CISA’s notice of the hack to Congress in April said its forensic analysis of the breach was ongoing.
Mr. Grassley requested the results of the analysis in July 2024 and he said Tuesday he has not received the results of the agency’s findings nor its communications with potential victims.
CISA’s message to potential victims last year was that it did not know the full extent of the potential damage caused by the hackers.
“We hope that our security measures worked,” CISA’s Kelly Murray said in a July 2024 webinar with potential victims. “We have no evidence to state that they did not.”
It also remains unclear if CISA ever figured out who hacked the agency.
The breach of CISA’s tool took advantage of Ivanti appliances, including Ivanti Connect Secure. CISA worked with Mandiant, a Google-owned cyber unit, to issue an advisory about problems with Ivanti in February 2024. The advisory directed readers to Mandiant’s blog that attributed complications with Ivanti Connect Secure in January 2024 to a China-linked espionage threat actor.
CISA’s April 2024 notice to Congress said the threat actor was “unknown” and Mr. Grassley demanded a status update on the agency’s findings from CISA on Tuesday.
CISA declined to comment to The Washington Times on Wednesday.
