Grassley investigating hack of top U.S. cyber agency, says Americans at risk

Sen. Charles E. Grassley has opened an investigation into the hack of America’s top domestic cyberagency which exposed a tool the government used to maintain information from facilities with chemicals that terrorists could turn into weapons.

The Iowa Republican wrote to the Cybersecurity and Infrastructure Security Agency on Wednesday, demanding answers about the January breach of its systems that the agency revealed only last month.

“I’ve been conducting oversight of the departments with known cyber vulnerabilities in our critical infrastructure, but now we’re learning CISA — the agency whose sole responsibility is to protect U.S. cybersecurity — doesn’t even have its own house in order,” Mr. Grassley told The Washington Times in a statement. “CISA’s failure to safeguard its systems puts Americans at risk.”

CISA is the federal agency tasked with cybersecurity and coordinating security for America’s critical infrastructure, which includes such things as transportation, power, water systems, financial services and chemical facilities.

CISA officials said in June a hack of the agency’s systems exposed the personally identifiable information of personnel at chemical facilities and visitors to those facilities with access to restricted areas and high-risk chemicals.

Hackers targeted a Chemical Security Assessment Tool from Jan. 23 to 26, according to the agency, which said it subsequently notified participants in the Chemical Facility Anti-Terrorism Standards program about the potentially exposed information.

Many details about the cyberattack remain unclear, however, including who was responsible for the hack and fuller information on potential victims and damage. CISA said in June it found no evidence of stolen data, but also published notification letters warning prospective victims about the breach in English and translated the notification into nine additional languages.

Mr. Grassley wrote to CISA Director Jen Easterly on Wednesday demanding information about the cyberattack, including when the agency learned of the breach, who conducted it, and a full list of the victims.

A veteran of Senate investigations and the top-ranking Republican on the Senate Budget Committee, Mr. Grassley pointed to breaches of CISA’s systems as “cause for serious concern.”

He expressed frustration about CISA’s answers in April to his earlier questions about securing critical infrastructure and fretted that the cyber officials appeared to place the “prioritization of misinformation and disinformation over the protection of our nation’s critical infrastructure.”

CISA’s concern about misinformation is widespread and prompted the agency to publish graphic novels about misinformation, including a fictional story featuring a Russian-masterminded plot to spread false narratives about elections to American voters.

Mr. Grassley wants the cyber agency more squarely focused on factual accounts of cyber chaos, as he told Ms. Easterly it appears CISA has not taken adequate steps to ensure its own security.

CISA spokesman Scott McConnell declined to comment on Mr. Grassley’s letter and said the agency would respond directly to the senator. The agency is planning to hold a webinar for stakeholders next week to discuss the hack of its tool.

The January hack took advantage of appliances made by the software company Ivanti, according to CISA, including Ivanti Connect Secure. Cybersecurity firm Mandiant, owned by Google, linked problems with Ivanti Connect Secure in January to a “China-nexus espionage threat actor.”

U.S. officials warned earlier this year that they observed China’s “Volt Typhoon” cyberattackers pre-positioning in American systems for future attacks.

Heightened concerns about America’s cybersecurity have U.S. officials on edge. Mr. Grassley set a July 17 deadline for CISA to answer his questions.