The U.S. Cybersecurity and Infrastructure Security Agency left digital keys to its own cloud storage accounts in plain text in a public GitHub repository, exposing passwords, keys and tokens for months before the problem was fixed over the weekend. The repository was reportedly named “Private-CISA.”
One exposed file, titled “importantAWStokens,” included the administrative credentials to three Amazon AWS GovCloud servers. Another file, “AWS-Workspace-Firefox-Passwords.csv,” listed plaintext usernames and passwords for dozens of internal CISA systems, including one called “LZ-DSO,” which appears to be short for “Landing Zone DevSecOps,” the agency’s secure code development environment, according to a government contractor who reviewed the material.
CISA said there was no indication that any sensitive data was compromised as a result of the incident. But the repository, created in November of last year, appears to have left the agency’s internal credentials exposed for about six months, a long window for a system built around protecting others from exactly this kind of mistake.
The lapse lands in a politically fraught moment for the agency. CISA is a relatively new branch of the Department of Homeland Security, created by a law signed by Donald Trump in 2018. Trump later clashed with the agency’s leadership during the period between the 2020 election and Jan. 6, 2021, and he fired the director he had appointed. Since returning to office, he has moved to sharply reduce CISA’s funding, while neither of the acting directors he has named has been confirmed by the Senate.
The public exposure also highlights a basic contradiction at the center of cyber defense work: the agency charged with helping others avoid security failures had its own credentials sitting in a public code repository. That kind of error can be contained, as CISA says it was here, but it still raises the question of how many internal safeguards failed before anyone noticed the files were open to the world.

