Maybe CISA should take its own advice about insider threats hmmm?
Opinion: Maybe everything is all about timing, like the time (this week) America’s lead cyber-defense agency sounded the alarm on insider threats after it came to light that its senior official uploaded sensitive documents to ChatGPT.
Or maybe it’s about hypocrisy.
Either way, on Wednesday, the US Cybersecurity and Infrastructure Security Agency (CISA) called insider threats “one of the most serious risks to organizational security.” It urged critical infrastructure entities to “take decisive action” to mitigate threats from both malicious insiders and honest mistakes, and to help them do that, CISA published an infographic [PDF] with guidance on how to assemble a multi-disciplinary insider threat management team.
The team should include subject-matter experts from across the organization, such as human resources personnel, legal counsel, security and IT leadership, and threat analysts, and should coordinate with external partners – including law enforcement and other risk and health professionals – as needed.
These team members run the organization’s insider threat program, monitor for potential threats, and intervene as needed to (hopefully) prevent any damage to the company’s people, data, reputation, and bottom line, the guide says.
Plus, CISA offers several other free resources on this topic, such as an insider threat mitigation guide, a workshop, and a program evaluation tool.
“Insider threats remain one of the most serious challenges to organizational security because they can erode trust and disrupt critical operations,” acting CISA Director Madhu Gottumukkala said in a statement announcing the guidance.
This is a topic that Gottumukkala knows well – one could even say he has insider knowledge about these types of threats.
Do as I say…
A day before CISA unveiled its how-to-build-multi-disciplinary-threat-management-teams infographic, Politico reported that Gottumukkala last summer uploaded sensitive CISA contracting documents into a public version of ChatGPT. His actions reportedly triggered automated security warnings intended to stop the theft or unintentional disclosure of government material from federal networks, according to four unnamed Homeland Security officials.
CISA Director of Public Affairs Marci McCarthy confirmed to The Register that the interim boss did use the AI chatbot, but told us he only used ChatGPT “with DHS controls in place.”
“This use was short-term and limited,” McCarthy said in a statement emailed to The Register. “CISA is unwavering in its commitment to harnessing AI and other cutting-edge technologies to drive government modernization and deliver on the President’s Executive Order, Removing Barriers to American Leadership in Artificial Intelligence.”
CISA’s security posture blocks access to ChatGPT by default – unless employees are granted an exception. Gottumukkala was authorized to use ChatGPT under a temporary exception, and the last time he used the chatbot was in mid-July 2025.
The Department of Homeland Security (DHS) oversees CISA, which acts as Homeland Security’s cyber arm. DHS also has its own internal chatbot for employee use, and this one is configured to prevent sensitive government documents from leaving federal networks.
Documents uploaded into a public AI tool like ChatGPT, however, can leave the user’s control and may be retained or used by the service, depending on the provider’s policies and account settings. So this action seems to be a fairly big security snafu for the leader of the federal government’s top cybersecurity agency to make.
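Added example, not from the article, CISA or DHS: a small Python policy check that models the posture the two paragraphs above describe, where access to public chatbot endpoints is denied by default, allowed only for users holding a time-bounded exception, and any upload made under an exception is surfaced for DLP review rather than silently allowed. The gated hosts, usernames, exception dates and proxy-log lines are constructed, and the log format is an assumption.

```python
"""Exception-aware egress check for uploads to public AI services.

Added example: models default-deny access to public chatbot endpoints,
time-bounded per-user exceptions, and alerting on uploads made under an
exception. All hosts, users, dates and log lines are constructed.
"""
from dataclasses import dataclass
from datetime import date, datetime

# Constructed (assumption): public generative-AI endpoints to gate.
PUBLIC_AI_HOSTS = {"chat.openai.com", "chatgpt.com"}

# Constructed: approved exceptions, user -> (start, end), inclusive dates.
EXCEPTIONS = {
    "user.a": (date(2025, 6, 1), date(2025, 7, 31)),
}


@dataclass(frozen=True)
class Verdict:
    line: str
    decision: str  # "allow", "block" or "alert"
    reason: str


def parse_log(line):
    """Constructed proxy-log format: ISO timestamp, user, method, host, bytes sent."""
    ts, user, method, host, size = line.split()
    return datetime.fromisoformat(ts), user, method, host, int(size)


def evaluate(line):
    """Apply default-deny with exceptions; uploads under an exception are alerted, not hidden."""
    ts, user, method, host, size = parse_log(line)
    if host not in PUBLIC_AI_HOSTS:
        return Verdict(line, "allow", "not a gated host")
    window = EXCEPTIONS.get(user)
    if window is None:
        return Verdict(line, "block", "default deny: no exception on file")
    start, end = window
    if not (start <= ts.date() <= end):
        return Verdict(line, "block", f"exception expired {end.isoformat()}")
    if method == "POST" and size > 0:
        # Exception permits use, but content leaving the network still gets reviewed.
        return Verdict(line, "alert", "upload under exception: review against DLP policy")
    return Verdict(line, "allow", "browsing under exception")


# Constructed sample log: one in-window upload, one after the exception lapsed,
# one user with no exception, one unrelated internal host.
SAMPLE_LOG = """\
2025-07-15T10:02:11 user.a POST chatgpt.com 48213
2025-08-02T09:15:40 user.a POST chatgpt.com 1024
2025-07-15T10:05:00 user.b GET chatgpt.com 0
2025-07-15T10:06:00 user.b GET intranet.example 0
"""


def run(log=SAMPLE_LOG):
    """Evaluate every non-empty log line and return the verdicts in order."""
    return [evaluate(l) for l in log.splitlines() if l.strip()]


if __name__ == "__main__":
    for v in run():
        print(v.decision.upper(), v.reason, "|", v.line)
```

The point of the "alert" branch is that an exception authorises access, not unreviewed disclosure: a practitioner would feed those verdicts to the DLP or insider-threat team the guidance describes, and expire the exception entry automatically rather than relying on the user to stop.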
Plus, while insider threats pose a huge risk for critical organizations, and one that’s only getting bigger with the proliferation of AI agents connecting to sensitive information and servers, the timing of CISA’s guidance seems tone-deaf at best. Sadly, it’s not Gottumukkala’s – nor the Trump administration’s – first security slip-up.
Gottumukkala also reportedly sought access to highly sensitive cyber intelligence over the summer, and then placed six staffers on leave after they administered a counterintelligence polygraph exam that he failed.
Earlier this month, Gottumukkala reportedly tried to oust CISA’s Chief Information Officer Robert Costello.
Looking beyond CISA, who could forget last year’s security missteps by US Defense Secretary Pete Hegseth, national security adviser Michael Waltz, and others that put American critical infrastructure, national security, and troops’ lives in danger.
These include Hegseth reportedly installing an insecure internet connection in his office so that he could use Signal on a personal computer, and using the encrypted messaging app on his personal phone to share sensitive details about military operations in Yemen among multiple Signal groups.
Meanwhile, Waltz and other members of the US National Security Council reportedly used their personal Gmail accounts to exchange information about an unnamed military conflict in the spring.
All of these could serve as case studies in how not to manage insider threats.
Maybe that explains the timing of CISA’s guidance? Although in this case, it would have been smart to expand the intended audience. CISA says it’s “designed for critical infrastructure entities and state, local, tribal, and territorial governments.” But it seems the feds are the ones who need it the most. ®