Hacker News

CISA’s acting head uploaded sensitive files into public version of ChatGPT

159 points, by rurp, last Tuesday at 9:02 PM, 226 comments

Comments

duxup, today at 12:54 AM

It's so often the guys that are at the top who are the exception to the rules that are the problem.

I knew some folks who worked military communications and they broke rules regularly because senior officers just didn't want to walk across the street to do something secure...

simbleau, yesterday at 5:05 PM

It’s absolutely necessary to have ChatGPT.com blocked from ITAR/EAR regulated organizations, such as aerospace, defense, etc. I’m really shocked this wasn’t already the case.

RegW, yesterday at 5:38 PM

I really enjoyed unchecking all those cookie controls. Of the 1668 partner companies who are so interested in me, a good third have a "legitimate interest". With each wanting to drop several cookies, it seems odd that Privacy Badger only thinks there are 19 cookies to block. Could some of them be fakes - flooding the zone?

Damn. I forgot to read the article.

Woodi, today at 7:13 AM

Yay, on-premise LLMs are what is recommended for serious use, at least the US gov thinks that :) But the rest of us need to pay subscriptions for 3rd party businesses passing back and forth our... everything?

In the old days people were saying: "I have no secrets" and now we have evolved into "I know how to not upload important docs" ;)

Insanity, yesterday at 4:33 PM

People were already careless with social media which was openly public. I imagine it’ll be worse with these LLMs for the average person.

tw04, yesterday at 8:56 PM

I for one, after doing a bit of research, was shocked to find out the person in question is apparently completely unqualified for the job (if him pasting sensitive information into public ChatGPT didn't already make that abundantly clear). But the highlight from his Wikipedia page is this one:

>In December 2025, Politico reported that Gottumukkala had requested to see access to a controlled access program—an act that would require taking a polygraph—in June. Gottumukkala failed the polygraph in the final weeks of July. The Department of Homeland Security began investigating the circumstances surrounding the polygraph test the following month and suspended six career staffers, telling them that the polygraph did not need to be administered.[12]

So the guy failed a polygraph to access a highly controlled system full of confidential information, and the solution to that problem was to fire the people in charge of ensuring the system was secure.

We're speed running America into the ground and half the country is willfully ignorant to it happening.

observationist, yesterday at 5:15 PM

It's bizarre that someone would choose to use the public, 4o bot over the ChatGPT Pro level bot available in the properly siloed and compliant Azure hosted ChatGPT already available to them at that time. The government can use segregated secure systems set up specifically for government use and sensitive documents.

It looks like he requested and got permission to work with "For Unofficial Use Only" documents on ChatGPT 4o - the bureaucracy allowed it - and nobody bothered to intervene. The incompetence and ignorance both are ridiculous.

Fortunately, nothing important was involved - it was "classified because everything gets classified" bureaucratic type classification, but if you're CISA leadership, you've gotta be on the ball, you can't do newbie bullshit like this.

Kapura, yesterday at 6:17 PM

the current united states government is staffed mostly with unserious people, or people who are serious about doing crimes against humanity. there's very little in between.

BiscuitBadger, yesterday at 5:01 PM

There have to be GovCloud only LLMs just for this case.

I swear this government is headed by appointed nephews of appointed nephews.

I keep thinking back to that Chernobyl miniseries; the head of the science department used to run a shoe factory. No one needs to be competent at their job anymore.

Bhilai, yesterday at 4:55 PM

I wonder how far removed the interim director of the CISA is from any real world security. I bet they have not seen or solved any real security problems and merely are an executive looking over cybersec. This probably is another example of why you need rank and file security peeps into security leadership roles rather than some random exec.

iugtmkbdfil834, yesterday at 7:14 PM

I would like to be able to say that it is uncommon, but based on what I am seeing in my neck of the woods, all sorts of, one would think, private information is ingested by various online llms. I would have been less annoyed with it had those been local deployments, but, uhhh, to say it is not a first choice is being over the top charitable with current corporates. And it is not even question of money! Some of those corps throw crazy money at it.

edit: Just in case, in the company I currently work at, compliance apparently signed off on this with only a rather slim type of data verboten from upload.

danso, last Tuesday at 10:01 PM

The Dept of Homeland Security has had its own internal gen-AI chat bot since before Trump took office [0]. That this guy couldn’t make do with that, and didn’t think through the repercussions of uploading non-public documents to a public chatbot, doesn’t bode well for his ability to manage CISA.

[0] https://www.dhs.gov/archive/news/2024/12/17/dhss-responsible...

Quarrelsome, yesterday at 4:59 PM

I adore that this guy had security clearance and I doubt I'd clear that bar. Last time I looked at the interview there was a question:

> have you ever misused drugs?

and I doubt I'd be able to resist the response:

> of course not, I only use drugs properly.

Also I wouldn't lie, because that would undermine the purpose. Still sad I can't apply for SC jobs, because I'm extremely patriotic and improving my nation is something that appeals.

reactordev, yesterday at 5:20 PM

It’s happening all across corporate too.

JohnMakin, yesterday at 4:32 PM

This administration's op-sec has been consistently at "Barney Fife" levels of incompetence.

sv123, yesterday at 4:29 PM

Sounds about on par with what I would expect competence wise.

bilekas, yesterday at 5:25 PM

If I did this with banal internal documentation at work I would be written up and maybe fired for breaking known policy. This administration is so ridiculously incompetent, and the interim head of cyber security.. leaks. The Onion wouldn't write this.

rvz, yesterday at 4:34 PM

This is a "Cybersecurity chief" causing an intern-level IT incident.

In many industries, this would be a rapid incident at the company level and also an immediate fireable offense, and in some governments this would be a complete massive scandal + press conference broadcast across the country.

_tk_, yesterday at 6:24 PM

I’m a little surprised by the takes in the comments. Obviously, heads of departments or agencies, CEOs, or similar personnel are generally not in the same league as normal employees when it comes to compliance.

Productivity and efficiency are key for their work. I am sure there are lots of sysadmins here who had to disable security controls for a manager, or had to configure something in a way that circumvents security controls from actually working. I have been in many situations where I have been asked by IT colleagues if doing something like that was fine, because an executive had to read a PowerPoint file NOW.

bsaul, yesterday at 5:46 PM

BTW, what's the current status on LLMs and confidential documents? Which licenses from which suppliers are fine and which aren't?

7777332215, yesterday at 5:08 PM

Where does this "cybersecurity monitoring" take place? On OpenAI's side? Or some kind of monitoring tools on the devices themselves?

1970-01-01, yesterday at 6:27 PM

Once again, if you or I did this, it's a federal crime and federal time.

But when the chief does it, it's an oopsie poopsie "special exemption".

edferoci, yesterday at 6:51 PM

I wonder how they could discern the upload of sensitive documents from non-sensitive ones.

natas, today at 3:12 AM

I can't say I'm shocked.

exabrial, today at 3:22 AM

Better go have him sit in front of a powerpoint for a few hours. That'll help him.

I_am_tiberius, yesterday at 5:52 PM

My assumption is that it goes the other direction on a permanent basis.

alecco, yesterday at 7:04 PM

How is such a critical position filled with a foreign national?

pelasaco, yesterday at 7:17 PM

> Cybersecurity monitoring systems then reportedly flagged the uploads in early August. That triggered a DHS-led damage assessment to determine whether the information had been exposed.

So that means a DLP solution, browsers trusting its CA, and it silently handling HTTP in clear text, right?
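The two questions above (how sensitive uploads could be told apart from harmless ones, and whether the monitoring implies a TLS-inspecting proxy the browsers trust) are answered in code below. This is an added illustration, not code from the thread or from any DHS/CISA tooling: it models a forward proxy that logs outbound requests and, where the client trusts the proxy's CA, also sees the decrypted request body. The log format, the hostnames, the usernames and the document text are all constructed for the example; a real deployment would feed the proxy's own log schema and URL categories into the same logic.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed list of public AI endpoints. A real deployment would take this
# from the proxy's URL categorisation rather than hard-coding hostnames.
PUBLIC_AI_HOSTS = {"chatgpt.com", "chat.openai.com"}

# Banner markings that designate "sensitive, not for public release" material.
# Matching on the marking is the cheap, high-precision part of a DLP policy;
# the expensive part (content fingerprints, ML classifiers) is out of scope here.
MARKING_PATTERNS = {
    "FOUO": re.compile(r"\b(FOR OFFICIAL USE ONLY|FOUO)\b", re.IGNORECASE),
    "CUI": re.compile(r"\b(CONTROLLED UNCLASSIFIED INFORMATION|CUI)\b"),
}

# Constructed proxy log format. 'tls=inspected' means the proxy terminated the
# TLS session (the client trusts the proxy CA) and therefore saw the body;
# 'tls=passthrough' means only the SNI hostname was observable.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) method=(?P<method>\S+) '
    r'path=(?P<path>\S+) tls=(?P<tls>inspected|passthrough)(?: body="(?P<body>.*)")?$'
)


@dataclass
class Verdict:
    user: str
    host: str
    public_ai: bool          # destination is a public, non-enterprise AI service
    content_visible: bool    # proxy could read the upload body
    markings: list = field(default_factory=list)

    @property
    def alert(self) -> bool:
        # Confirmed: marked material reached a public AI endpoint.
        return self.public_ai and bool(self.markings)

    @property
    def blind_spot(self) -> bool:
        # Traffic to a public AI host that could not be inspected: the proxy can
        # log the destination but cannot classify what was sent.
        return self.public_ai and not self.content_visible


def parse_line(line: str) -> Optional[dict]:
    """Parse one constructed proxy log line; return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec: dict) -> Verdict:
    host = rec["host"].lower()
    public_ai = host in PUBLIC_AI_HOSTS
    # Only request bodies of upload-type methods on inspected sessions are readable.
    visible = rec["tls"] == "inspected" and rec["method"].upper() in {"POST", "PUT"}
    markings = []
    if visible and rec.get("body"):
        markings = [name for name, pat in MARKING_PATTERNS.items() if pat.search(rec["body"])]
    return Verdict(rec["user"], host, public_ai, visible, markings)


def scan(lines) -> list:
    """Classify every parseable log line; malformed lines are skipped."""
    return [classify(r) for r in map(parse_line, lines) if r]


# Constructed sample log: one marked upload to a public service, one harmless
# prompt, one upload the proxy could not inspect, one marked upload to an
# internal (sanctioned) model, and one line of junk.
SAMPLE_LOG = [
    '2025-08-01T09:12:03Z user=alice host=chatgpt.com method=POST path=/backend-api/files '
    'tls=inspected body="Statement of Work, Contract ABC-123. FOR OFFICIAL USE ONLY. Do not release."',
    '2025-08-01T09:15:41Z user=bob host=chatgpt.com method=POST path=/backend-api/conversation '
    'tls=inspected body="Translate this sentence into French: good morning."',
    '2025-08-01T09:20:00Z user=carol host=chatgpt.com method=POST path=/backend-api/files tls=passthrough',
    '2025-08-01T09:22:10Z user=dave host=internal-llm.agency.example method=POST path=/v1/chat '
    'tls=inspected body="CUI // meeting notes for the contracting review"',
    'not a log line at all',
]

if __name__ == "__main__":
    for v in scan(SAMPLE_LOG):
        status = "ALERT" if v.alert else ("BLIND SPOT" if v.blind_spot else "ok")
        print(f"{v.user:6} {v.host:30} markings={v.markings} -> {status}")
```

The point the example makes concrete: the marking check can only fire for the `tls=inspected` sessions, which is exactly the "browsers trusting its CA" arrangement; for the passthrough session the proxy knows a file went to a public AI host but not what was in it, so that row surfaces as a blind spot rather than a confirmed exposure. The same marked content going to the internal model is logged but not alerted, which is how a policy distinguishes sanctioned from unsanctioned destinations.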

throwaway85825, yesterday at 5:32 PM

Chalaki

jimt1234, yesterday at 4:57 PM

Well, at least there's gonna be a swift and appropriate punishment. LOL

booleandilemma, yesterday at 4:50 PM

From Wikipedia:

He graduated from Andhra University with a bachelor of engineering in electronics and communication engineering, the University of Texas at Arlington with a master's degree in computer science engineering, the University of Dallas with a Master of Business Administration in engineering and technology management, and Dakota State University with a doctorate in information systems.

And he still manages to make a rookie mistake. Time to investigate Mr. Gottumukkala's credentials. I wouldn't be surprised if he's a fraud.

lysace, yesterday at 4:46 PM

https://en.wikipedia.org/wiki/Madhu_Gottumukkala

He was the 'CTO' of South Dakota and later the CIO/Commissioner of the South Dakota Bureau of Information and Telecommunications under governor Kristi Noem.

Edit: (From a European perspective) it seems like the southern states really took over the US establishment. I hadn't really grasped the level of it, before.

bpodgursky, today at 5:06 AM

> None of the files Gottumukkala plugged into ChatGPT were classified, according to the four officials, each of whom was granted anonymity for fear of retribution. But the material included CISA contracting documents marked “for official use only,” a government designation for information that is considered sensitive and not for public release.

Guys... we're talking about FOUO. Not even low-level classified. This is a nothingburger. The toilet paper you wipe with is FOUO, there is essentially no document in the government that isn't at least FOUO.

grayhatter, yesterday at 5:09 PM

Leaked is not the correct word here. Generally, as it's used, it implies some intent to disclose the information for its own purposes. You would call a disclosure to the War Thunder forums a leak, because the intent was to use that information to win an argument. You wouldn't call leaving boxes of classified information in a warehouse where you'd normally read them a leak (at least not as a verb). Likewise you wouldn't call it a leak if you mistakenly abandoned them in a park.

That said, IIRC For Official Use Only is the lowest level of classification (note: not classified); it's not even NOFORN. It's even multiple levels below Sensitive But Unclassified.

So, who cares?

Much more significant is he failed the SCI/full poly... that means you lied about something. Yes I know polys don't work, but the point of the poly is to try to ensure you've disclosed everything that could be used against you, which ideally means no one could flip you or manipulate you. The functional part is to determine if you have anxiety about things you might try to hide, because that fear can be used against you. No fear/anxiety, or nothing you're trying to hide means you're harder to manipulate.

That feels bad even ignoring the whole hostile spies kinda thing.