45 comments

[ 4.9 ms ] story [ 66.8 ms ] thread
The Dept of Homeland Security has had its own internal gen-AI chat bot since before Trump took office [0]. That this guy couldn’t make do with that, and didn’t think through the repercussions of uploading non-public documents to a public chatbot doesn’t bode well for his ability to manage CISA

[0] https://www.dhs.gov/archive/news/2024/12/17/dhss-responsible...

Isn't their internal chat bots provided by grok or Oracle AI?
Sounds about on par with what I would expect competence wise.
This administration's op-sec has been consistently "barney fife" levels of incompetence.
People were already careless with social media which was openly public. I imagine it’ll be worse with these LLMs for the average person.
This is a "Cybersecurity chief" causing an intern-level IT incident.

In many industries, this would be a rapid incident at the company-level and also an immediate fireable offense and in some governments this would be a complete massive scandal + press conference broadcasted across the country.

https://en.wikipedia.org/wiki/Madhu_Gottumukkala

He was the 'CTO' of South Dakota and later the CIO/Commissioner of the South Dakota Bureau of Information and Telecommunications under governor Kristi Noem.

Edit: (From a European perspective) it seems like the southern states really took over the US establishment. I hadn't really grasped the level of it, before.

(comment deleted)
From wikipedia:

He graduated from Andhra University with a bachelor of engineering in electronics and communication engineering, the University of Texas at Arlington with a master's degree in computer science engineering, the University of Dallas with a Master of Business Administration in engineering and technology management, and Dakota State University with a doctorate in information systems.

And he still manages to make a rookie mistake. Time to investigate Mr. Gottumukkala's credentials. I wouldn't be surprised if he's a fraud.

I wonder how far removed the interim director of the CISA is from any real world security. I bet they have not seen or solved any real security problems and merely are an executive looking over cybersec. This probably is another example of why you need rank and file security peeps into security leadership roles rather than some random exec.
Well, at least there's gonna be a swift and appropriate punishment. LOL
I adore that this guy had security clearance and I doubt I'd clear that bar. Last time I looked at the interview there was a question:

> have you ever misused drugs?

and I doubt I'd be able to resist the response:

> of course not, I only use drugs properly.

also I wouldn't lie, because that's would undermine the purpose. Still sad I can't apply for SC jobs because I'm extremely patriotic and improving my nation is something that appeals.

There have to be GovCloud only LLMs just for this case.

I swear this government is headed by appointed nephews of appointed nephews.

I keep thinking back about that Chernobyl miniseries; head of the science department used to run a shoe factory. No one needs to be competent at their job anymore

It’s absolutely necessary to have ChatGPT.com blocked from ITAR/EAR regulated organizations, such as aerospace, defense, etc. I’m really shocked this wasn’t already the case.
Its something I have been talking about. Going to be needed for everyone.
Sure. That doesn't mean denying access to ChatGPT though - the way I see it, the entire value proposition of Microsoft offering OpenAI models through Azure is to enable access to ChatGPT under contractual terms that make it appropriate for use in government and enterprise organizations, including those dealing with sensitive technology work.

I mean, they are all using O365 to run their day-to-day businesses anyway.

I used to work in a large technology multinational - not "tech industry", but proper industrial technology; the kind of corp that does everything, from dishwashers to oil rigs. It took nearly a year from OpenAI releasing GPT-4 to us having some form of access to this model for general work (coding and otherwise) internally, and from what I understand[0], it's just how long it took for the company to evaluate risks and iron out appropriate contractual agreements with Microsoft wrt. using generative models hosted on Azure. But they did it, which proves to me it's entirely possible, even in places where people are more worried about accidentally falling afoul of technology exports control than insider training.

--

[0] - Purely observational, I had no access to any insider/sensitive information regarding this process.

Where does this "cybersecurity monitoring" take place? On OpenAIs side? Or some kind of monitoring tools on the devices themself?
Leaked is not the correct word here. Generally as it's used, it implies some intent to disclose, the information for it's own purposes. You would call a disclosure to the war thunder forums a leak, because the intent was to use that information to win an argument. You wouldn't call Leaving boxes of classified information in a wearhouse where you'd normally read them a leak. (At least not as a verb). Likewise you wouldn't call it a leak if you mistakenly abandoned them in a park.

That said, IIRC For Official Use Only is the lowest level of classification (note not classified) it's not even NOFORN. It's even multiple levels below Sensitive But Unclassified.

So, who cares?

Much more significant is he failed the SCI/full poly... that means you lied about something. Yes I know polys don't work, but the point of the poly is to try to ensure you've disclosed everything that could be used against you, which ideally means no one could flip you or manipulate you. The functional part is to determine if you have anxiety about things you might try to hide, because that fear can be used against you. No fear/anxiety, or nothing you're trying to hide means you're harder to manipulate.

That feels bad even ignoring the whole hostile spys kinda thing.

It's bizarre that someone would choose to use the public, 4o bot over the ChatGPT Pro level bot available in the properly siloed and compliant Azure hosted ChatGPT already available to them at that time. The government can use segregated secure systems set up specifically for government use and sensitive documents.

It looks like he requested and got permission to work with "For Unofficial Use Only" documents on ChatGPT 4o - the bureaucracy allowed it - and nobody bothered to intervene. The incompetence and ignorance both are ridiculous.

Fortunately, nothing important was involved - it was "classified because everything gets classified" bureaucratic type classification, but if you're CISA leadership, you've gotta be on the ball, you can't do newbie bullshit like this.

today FOUO or CONFIDENTIAL, maybe tomorrow or next week SECRET and after that seemed fine maybe some TOP SECRET or throw in a SAP for fun! call it the maralago bathroom
It’s happening all across corporate too
If I did this with a banal internal documentation at work I would be written up and maybe fired over breaking known policy. This administration is so ridiculously incompetent, and interim head of cyber security.. leaks. The onion wouldn't write this.
I really enjoyed unchecking all those cookie controls. Of the 1668 partner companies who are so interested in me, a good third have a "legitimate interest". With each wanting to drop several cookies, it seems odd that Privacy Badger only thinks there are 19 cookies to block. Could some of them be fakes - flooding the zone?

Damn. I forgot to read the article.

BTW, what's the current status on LLMs and confidential documents ? Which license from which suppliers are fine and which aren't ?
My assumption is that it goes the other direction on a permanent basis.
the current united states government is staffed mostly with unserious people, or people who are serious about doing crimes against humanity. there's very little in between.
I’m a little surprised by the takes in the comments. Obviously, heads of departments or agencies, CEOs, or similar personnel are generally not in the same league as normal employees when it comes to compliance.

Productivity and efficiency are key for their work. I am sure there are lots of Sysadmins here, that had to disable security controls for a manager or had to configure something in a way to circumvent security controls from actually working. I have been in many situations where I have been asked by IT colleagues if doing something like that was fine, because an executive had to read a PowerPoint file NOW.

Once again, if you or I did this, it's federal crime and federal time.

But when the chief does it, it's an oopsie poopsie "special exemption".

    > Once again, if you or I did this, it's federal crime and federal time.
For a single incident? I doubt it. And, you need to show (criminal) intent. We still have no idea if this was accidental. To be clear, before this incident, he looked like just another senior IT admin. I still see it that way.