US Cybersecurity Agency Head Uploads Sensitive Files to Public ChatGPT
In the summer of last year, the acting head of the US Cybersecurity and Infrastructure Security Agency (CISA), Madhu Gottumukkala, uploaded documents marked 'For Official Use Only' to the public version of ChatGPT. CISA's cybersecurity sensors detected the uploads in August. While the documents were sensitive, they were not classified. This incident highlights the ongoing challenge of securing sensitive government data as powerful AI tools become more accessible.
Gottumukkala had only recently assumed his role at CISA in May. He had received special permission from the CISA Chief Information Officer's office to use ChatGPT, while the application was otherwise blocked for other employees of the Department of Homeland Security (DHS). During the first week of August, several alerts were triggered regarding the document uploads.
Following the discovery, DHS launched an internal review. Gottumukkala discussed the situation with senior DHS officials, including CISA Chief Information Officer Robert Costello and Principal Legal Advisor Spencer Fisher. According to Marci McCarthy, Gottumukkala was authorized to use a DHS-controlled version of ChatGPT, and she noted that 'this use was short-term and limited.'
Concerns Over Sensitive Data Leaks
This event has raised concerns amid other recent high-profile leaks of sensitive information. For instance, on March 4, 2024, former Massachusetts Air National Guardsman Jack Teixeira pleaded guilty in the Pentagon secret documents leak case and agreed to a 16-year prison sentence. The Gottumukkala incident underscores the critical importance of adhering to security protocols when handling sensitive material.
The case may serve as a warning to other government agencies about the need for stricter controls on the use of technologies that can access sensitive data. In an era of escalating cyber threats, establishing clear procedures and training for employees on secure data handling is paramount. This incident could also prompt a broader review of policies governing the use of artificial intelligence within government structures.