CISA Security Leak

Crazy story:

Until this past weekend, a contractor for the Cybersecurity & Infrastructure Security Agency (CISA) maintained a public GitHub repository that exposed credentials to several highly privileged AWS GovCloud accounts and a large number of internal CISA systems. Security experts said the public archive included files detailing how CISA builds, tests and deploys software internally, and that it represents one of the most egregious government data leaks in recent history.

News article.
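The credential type at the centre of this story, an AWS access key pair committed to a public repository, is exactly what repository secret scanners look for. The following is an added example written for this page, not code from CISA, the contractor, or the linked article. It scans a set of files (and, optionally, a repository's full git history) for AWS access key IDs and the secret keys assigned next to them. The key IDs, file contents and paths in `SAMPLE_FILES` are constructed for illustration; the only recognisably real value is the AWS documentation placeholder `AKIAIOSFODNN7EXAMPLE`, which the scanner deliberately ignores.

```python
import re
import subprocess
from dataclasses import dataclass

# AWS access key IDs: a 4-letter prefix (AKIA = long-term IAM user key, ASIA = temporary
# STS key) followed by 16 upper-case alphanumerics. GovCloud keys use the same format,
# so the pattern covers both partitions. Sample key IDs below are made-up strings.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[A-Z0-9]{16})\b")

# A secret access key is 40 base64-alphabet characters. That alone matches too much
# (hashes, tokens), so only flag it when it is assigned to a secret-key-looking name.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws_?)?secret_?(?:access_?)?key\s*[=:]\s*[\"']?"
    r"([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)

# Documented AWS placeholder; a production scanner carries a longer allow-list.
PLACEHOLDER_IDS = {"AKIAIOSFODNN7EXAMPLE"}


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    kind: str
    value: str


def redact(value: str) -> str:
    """Show enough of a credential to identify it in a report without re-leaking it."""
    return f"{value[:4]}...{value[-4:]}"


def scan_text(path: str, text: str) -> list[Finding]:
    """Return every credential-shaped token in `text`, tagged with its 1-based line."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            if m.group(1) not in PLACEHOLDER_IDS:
                findings.append(Finding(path, line_no, "access_key_id", m.group(1)))
        for m in SECRET_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "secret_access_key", m.group(1)))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> file contents (e.g. the tree of one commit)."""
    return [f for path, text in files.items() for f in scan_text(path, text)]


def scan_git_history(repo_dir: str) -> list[Finding]:
    """Scan every commit on every branch: deleting a file in HEAD does not unpublish it.
    Findings are attributed to the patch stream rather than to a path."""
    log = subprocess.run(
        ["git", "-C", repo_dir, "log", "--all", "-p", "--no-color"],
        capture_output=True, text=True, check=True,
    ).stdout
    return scan_text("<git history>", log)


# Constructed sample "repository" (no real credentials; key IDs are made-up strings).
SAMPLE_FILES = {
    "deploy/provider.tf": (
        'provider "aws" {\n'
        '  region     = "us-gov-west-1"\n'
        '  access_key = "AKIAQWERTYUIOPASDFGH"\n'
        '  secret_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        "}\n"
    ),
    "README.md": "Run `aws configure` with your own keys. Doc example: AKIAIOSFODNN7EXAMPLE\n",
    ".env": (
        "AWS_SECRET_ACCESS_KEY=abcdefghijklmnopqrstuvwxyz0123456789ABCD\n"
        "AWS_ACCESS_KEY_ID=" + "ASIA" + "Z" * 16 + "\n"
    ),
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.kind} {redact(f.value)}")
```

Two practical points the sample illustrates. First, `scan_git_history` exists because a credential removed in a later commit is still in every clone and in GitHub's object store, so a scanner that only looks at the working tree passes a repository that is still leaking. Second, a regex hit is evidence of a credential-shaped string, not of a live key; temporary `ASIA` keys expire on their own, and `AKIA` keys may already have been rotated, so a finding still needs to be confirmed with the account owner before anyone calls it a breach.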

Posted on May 22, 2026 at 9:58 AM

Comments

Clive Robinson May 22, 2026 11:51 AM

@ Bruce, ALL,

Many years ago on this blog I posted an observation that is in effect,

“The difference between a bureaucrat and a businessman is they both have a book of rules. If the bureaucrat stays within the rules they are always safe… But if the businessman stays within the rules they will lose to those that don’t.”

I predict that when investigated it will be found that either,

1, They stayed within the rules.
2, That the rules are contradictory

Thus either way “lessons will be learned”…

But the reality as the Frenchman Alphonse Karr once observed,

“Plus ca change, plus c’est la meme chose.”

Or as most in the rest of the Western Hemisphere say,

“The more things change, the more they stay the same.”

Rontea May 22, 2026 1:02 PM

Here, we see an agency tasked with defending national cybersecurity exposed by the simple act of a contractor using a public GitHub repository as personal infrastructure. This isn’t about the sophistication of attackers; it’s about the inevitability of error in complex systems.

Anonymous May 22, 2026 1:10 PM

@clive re: if the businessman stays within the rules they will lose to those that don’t.

Bureaucrats operate within a framework where risk mitigation is paramount, ensuring career longevity through compliance. Conversely, business leaders must navigate environments that reward calculated risk-taking and strategic deviation from conventional norms. Success in business often accrues to those willing to challenge the boundaries of the rulebook, leveraging innovation and adaptability as their competitive advantage.

lurker May 22, 2026 2:14 PM

Has anybody checked that these “credentials” are bona fide? The optimist thinks maybe this could be a honeypot …

Clive Robinson May 22, 2026 10:06 PM

@ Anonymous

With regards your comment above,

https://www.schneier.com/blog/archives/2026/05/cisa-security-leak.html/#comment-454615

What you say is more or less a rework of what I said.

But…

The issue is the “Bureaucratic framework”, in that it mostly prevents even necessary work being done. Put simply the world moves forwards but the framework either remains the same or goes backwards.

For instance in the UK there is a general “cost saving rule” that at 20,000ft sounds like a good idea…

But what it actually means is that

“You can only make a spending, if you can demonstrate it makes a cost saving to the existing processes.”

If you read that twice you will realise that it says in effect as a bureaucrat with a budget and headcount (ie Empire and Status),

1, Existing processes must remain to maintain Dept size/budget.
2, You can not have any new processes to meet societal changes.

The way around this is to demonstrate a new process will bring in income for the “Treasury” of the organisation (not your empire).

However there is another fun rule about you can not cross-subsidise one Dept from another Dept. So you can not take “parking revenue” and use it to “buy books for education”.

Nor can a Dept “make a profit” or “carry budget forward”.

The result is that any Dept that would show a surplus, such as “Parking Revenue”, has to spend what it earns before the end of the financial year or lose it. Which in turn means the organisation loses funding from the Government tax take.

So the net result is there is no Dept that “can have a surplus”.

The usual way around this is to put what would be a process that earns a surplus in a Dept that has another process that always has a cost that very much exceeds any potential surplus.

The result is the organisation is always “losing money” so will have to put up local taxes every year to stop itself becoming “Bankrupt”.

I could go on to explain how this gives rise to the evils of PFI and PPF and the likes of companies like one many call insultingly “Crapita” that takes any “surplus” out as its own profit, and gives kick-backs to central government politicians and political parties…

However as has been seen with the “Group 4 Security”(G4S) and separately Serco “privatising companies” they “make errors” the rest of us call “fraud”,

https://www.bbc.co.uk/news/business-48853870

Yet not only do they get away with it, they also get new UK Government Business…

Speaking of which back in the news is the Post Office “Horizons Project” Scandal, that has been mentioned on this blog from time to time… That was such a disaster and caused many innocent people to be jailed and others to commit suicide. This happened because rather than the Post Office admit it was the project and the prime contractor (Fujitsu Europe) that were entirely incompetent, for vainglorious reasons they behaved in malicious ways to “cover it up”, eventually failing.

The person who was most directly responsible is Ms Paula Vennells, who was the Post Office chief executive between 2012 and 2019. During the enquiry she pretended she had not been aware of the issues… Though there is plenty of evidence to say otherwise. She was also a “holier than thou” Anglican priest and had at one point been considered for the role of Bishop of London, considered the third most senior but possibly most politically influential position in the Church of England (CoE). The scandal caused her to “pull back” from her position in the CoE, and after a massive petition in 2024 she said she would hand back her “Commander of the Order of the British Empire” (CBE) honour. But she did not, and the honour was revoked in 2024 for “bringing the honours system into disrepute”.

To be honest this is by no means the first and certainly won’t be the last Scandal caused by the links between Gov Bureaucracy and PFI etc Businesses in the UK. Birmingham Council looks like it may well be the next to hit the mainstream media with a massive splat due to prime contractor Oracle. In that the replacement for the SAP system has so far cost over 150 million and with costs rising fast… With it expected to be well north of 170 million, over ten times what was originally budgeted, and still not work as specified / contracted,

https://www.theregister.com/software/2026/01/29/birmingham-oracle-erp-fiasco-now-144m-and-still-not-working/4238750

I’d like to say such things are rare, but in the UK with Government pushed PFI –under Tony Blair– the Bureaucracy-Business link is a veritable pipeline for both central and local government tax revenue “out of the country” to what is basically “fraud” by the “Prime Contractors”.

I hope that explains my skepticism, and whilst I’m naturally a “Techno Optimist” overwhelming experience with certain types of humanity has ground me down to being a “pessimist”. Which is why I can firmly predict that large AI projects involving Governments are going to be either Scandals or Disasters as certain types try to encode “political mantra” into them as an “arms length” way to avoid responsibility for the Societal harm they cause by their cognitive biases.

Who? May 25, 2026 11:50 AM

Sorry, I need to quote Live Free or Die Hard!

“We’re the ones supposed to keep this from happening, and it happened to us.”
