Senate leader demands answers from CISA on Ivanti-enabled hack of sensitive systems

Sen. Charles Grassley (R-IA) on Wednesday sent Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly a stern letter seeking documentation and answers relating to a January hack of the agency’s Chemical Security Assessment Tool (CSAT) along with the breach of a second sensitive system.

Grassley noted that the cyberattack led to “malicious activity” potentially compromising some of the country’s most sensitive industrial and critical infrastructure information.

The breach, which was sourced back to vulnerabilities in Ivanti products, also led to an intrusion into the CISA Gateway, potentially revealing important details about U.S. infrastructure operations.

The incident was first reported by Recorded Future News in March, with CISA confirming an intrusion at the time but declining to reveal which systems were the subjects of the unauthorized access.

CISA did not publicly acknowledge that the highly sensitive CSAT program was breached until June 24. 

The agency also issued a February 29 advisory warning of Ivanti vulnerabilities, but did not reveal its own Ivanti-sourced hacks in that announcement despite having learned of them on Jan. 26.

“It appears that CISA hasn’t taken adequate steps to ensure the safety of its own systems, leaving the nation at risk,” the Grassley letter said. 

“These breaches of the agency tasked with the protection of our nation’s cybersecurity and infrastructure security is cause for serious concern.”

Grassley, who is the ranking member on the Senate Budget Committee, sent the letter in his capacity as the committee’s minority leader.

In its announcement that CSAT was hacked last week, the agency said the information stored in the system was encrypted and the encryption keys were "hidden from the type of access the +threat actor had to the system." 

The agency also said there is no proof that hackers extracted data from CSAT, but noted the incident “may have resulted in the potential unauthorized access” to site security plans, security vulnerability assessments (SVA) and user accounts within the system.

Grassley, a longtime advocate for government transparency, noted in his letter that he wrote to Easterly in March about “CISA’s prioritization of misinformation and disinformation over the protection of our nation’s critical infrastructure” and that the agency’s response “failed to fully answer all the questions.”

The letter also warned that Congress may initiate “objective and independent oversight concerning CISA’s efforts to address these recent cyberattacks.”

A spokesperson for CISA said the agency does not "comment on congressional correspondence and will respond to the Senator directly."

‘A tough pill to swallow’

A former official overseeing CSAT said the agency’s security lapse is concerning and serious.

“While the Ivanti breach is widespread, it’s a tough pill to swallow to have our cyber agency as an additional victim,” Brian Harrell, the former CISA assistant director for infrastructure security, through which he oversaw both chemical security and the IP Gateway, told Recorded Future News via email.

“Given that the CSAT tool was impacted, this obviously does not help CISA’s efforts to renew the CFATS [Chemical Facility Anti-Terrorism Standards’] regulation,” said Harrell, a former assistant secretary at the Department of Homeland Security who now works as an energy industry executive.

The CFATS program regulated high-risk facilities’ security measures, lessening the threat that terrorists could weaponize dangerous chemicals. Renewal of the program has been stalled in Congress since it was allowed to lapse in July 2023, sparking concern from law enforcement, the chemical industry and CISA itself.

Grassley has given CISA a July 17 deadline to provide a series of answers including:

• A complete accounting of all gateways, databases, tools and systems that were breached or potentially breached in the attack.

• A full list of all “facilities, organizations and individuals” who were impacted along with information about whether the groups were alerted that their data “could potentially be subject to misuse.”

• Whether CISA knew about the “exploitation” of Ivanti problems before the January attack and what specific steps it took to secure its gateways, systems and databases if so, along with records documenting its answers.

• If CISA undertook its own “independent risk assessment” of the Ivanti system prior to the attack.

• “Exactly when” CISA become aware of the breach.

• How the agency became aware of the hack, including documentation.

• Number of records available during the cyberattack and how many were accessed along with supporting documentation.

• What steps the agency is taking to avoid a repeat incident accompanied by related records.