The interim chief of the US’s high civilian cyber protection company uploaded delicate authorities contracting paperwork right into a publicly accessible model of ChatGPT.
This occurred final summer time, however got here to mild yesterday (Jan. 27) in a report by Politico. The occasion triggered inside cybersecurity alerts and a Division of Homeland Safety–stage assessment into whether or not federal info had been improperly uncovered, in line with 4 DHS officers conversant in the matter.
The incident concerned Madhu Gottumukkala, the performing director of the Cybersecurity and Infrastructure Safety Company, who’s at the moment the highest-ranking political official at CISA. The company is accountable for defending federal networks and significant infrastructure in opposition to cyber threats from refined adversaries similar to Russia and China.
Whereas not one of the paperwork uploaded have been labeled, the supplies have been marked “for official use solely,” a designation meant to limit delicate info from public dissemination. Such markings sometimes apply to paperwork that, if uncovered, may create safety, operational, or reputational dangers for the federal government.
A senior official’s exception to AI restrictions
The episode is notable as a result of Gottumukkala had personally requested particular permission to make use of ChatGPT shortly after arriving at CISA in Might, in line with three of the officers. On the time, the AI software was blocked for many DHS workers attributable to issues that delicate info could possibly be retained or reused outdoors federal techniques.
Cybersecurity sensors detected the uploads in August, producing a number of automated warnings designed to stop the loss or mishandling of presidency knowledge. One official mentioned a number of alerts have been triggered within the first week of August alone.
These alerts prompted senior DHS officers to launch an inside evaluation to find out whether or not the uploads brought on any harm to authorities safety or violated departmental insurance policies. Two officers mentioned the assessment rose to the DHS stage, underscoring the seriousness with which the division handled the incident. It stays unclear what conclusions, if any, the assessment in the end reached.
The dangers of public AI platforms
Any info uploaded right into a public model of ChatGPT is shared with OpenAI, the corporate that operates the platform, and could also be used to assist enhance responses for different customers. OpenAI has mentioned ChatGPT has greater than 800 million energetic customers worldwide, elevating issues inside authorities about how shortly delicate materials could possibly be disseminated or not directly referenced.
In contrast, DHS-approved AI instruments, such because the division’s internally developed chatbot DHSChat, are configured to stop consumer inputs from leaving federal networks. These instruments are designed to permit experimentation with synthetic intelligence whereas minimizing the danger of information leakage.
One official characterised Gottumukkala’s actions bluntly: “He pressured CISA’s hand into making them give him ChatGPT, after which he abused it.”
Official response and disputed timeline
In an emailed assertion, CISA Director of Public Affairs Marci McCarthy mentioned Gottumukkala “was granted permission to make use of ChatGPT with DHS controls in place,” describing the use as “short-term and restricted.” McCarthy added that the company stays dedicated to “harnessing AI and different cutting-edge applied sciences to drive authorities modernization and ship on” President Donald Trump’s govt order aimed toward eradicating boundaries to US management in AI.
McCarthy additionally disputed components of Politico’s reporting, stating that Gottumukkala final used ChatGPT in mid-July 2025 beneath “a certified short-term exception granted to some workers.” She emphasised that CISA’s default safety posture continues to dam ChatGPT except an exception is accredited.
Inside critiques and accountability
After the exercise was flagged, Gottumukkala met with senior DHS officers to assessment what he had uploaded, in line with two of the officers. DHS’s then-acting normal counsel, Joseph Mazzara, and the division’s chief info officer, Antoine McCord, have been concerned in assessing any potential hurt, officers mentioned.
Gottumukkala additionally held conferences with Costello and chief counsel Spencer Fisher to debate the incident and correct dealing with of “for official use solely” materials. Mazzara and Costello didn’t reply to requests for remark, and McCord and Fisher couldn’t be reached.
Beneath DHS coverage, exposures of delicate however unclassified info are speculated to set off an investigation into the trigger and impact of the incident, in addition to a dedication of whether or not disciplinary motion is suitable. Potential penalties can vary from retraining or formal warnings to extra extreme steps similar to suspension or revocation of safety clearances, relying on the circumstances.
A turbulent tenure at CISA
The ChatGPT episode provides to a sequence of controversies throughout Gottumukkala’s brief tenure on the company. He has served as performing director since Might, after being appointed deputy director by DHS Secretary Kristi Noem. Trump’s nominee to completely lead CISA, Sean Plankey, stays unconfirmed after being blocked final yr by Sen. Rick Scott (R-Fla.), leaving Gottumukkala in cost throughout a interval of heightened cyber threats.
As Politico beforehand reported, at the least six profession workers have been positioned on depart this summer time following an “unsanctioned” counterintelligence polygraph examination that Gottumukkala requested and failed, in line with DHS. Throughout congressional testimony final week, Gottumukkala mentioned he didn’t “settle for the premise of that characterization” when requested in regards to the take a look at.
Extra just lately, Gottumukkala tried to take away Costello as CISA’s CIO, a transfer that was blocked by different political appointees.
Collectively, the incidents have raised questions amongst profession officers and lawmakers about management, judgment, and governance at an company tasked with safeguarding the nation’s most delicate digital infrastructure at a time when the federal authorities is racing to undertake highly effective new applied sciences similar to AI.
Microsoft confirmed it may hand over BitLocker restoration keys saved within the cloud beneath warrant, reviving debate over who controls encrypted knowledge.
