The Federal Cybersecurity Perimeter Doesn’t End at the Agency Door

May 29, 2026

Commentary by Bridget Bean

Visiting Fellow, Border Security and Immigration Center

Bridget Bean is a Visiting Fellow in the Border Security and Immigration Center at The Heritage Foundation.
Cyber risk has changed beneath us while too much of our governance has not. Thomas Fuller/SOPA Images/LightRocket/Getty Images

Key Takeaways

The traditional mental model of federal cybersecurity—agency networks defended at agency boundaries—no longer reflects how government actually operates.

The seams between organizations have become the most consequential terrain in federal cybersecurity, and they are also the least governed.

CISA’s mission is indispensable, and its workforce remains among the most committed in government. Helping the agency succeed is in everyone’s interest.

Recently, independent reporting revealed that a contractor supporting the Cybersecurity and Infrastructure Security Agency had left a trove of sensitive credentials—AWS GovCloud keys, plaintext passwords, internal build-and-deploy files—in a public GitHub repository. Within 48 hours, members of the Senate Homeland Security and Governmental Affairs Committee and the House Homeland Security Committee had requested urgent briefings from CISA’s acting leadership, including a request for a classified briefing at the highest classification level necessary.

Having served as Executive Director of the Cybersecurity and Infrastructure Security Agency, I know the talented and devoted men and women who carry that mission. They are operating against a set of adversaries that doesn’t pause for budget cycles, political transitions, or the disruptions that periodically reshape how government works.

This is not a column about institutional failure. It’s about something harder to confront: how cyber risk has changed beneath us while too much of our governance has not.

This moment should not be a witch hunt. It should be an effort to help an agency with a profoundly important mission do that mission better. Congressional oversight of a serious lapse at the agency charged with helping defend the nation’s networks is appropriate and necessary—and the right way to honor that oversight is to focus less on assigning blame for a single incident and more on the structural problem it illuminates.

That problem extends well beyond CISA—and no single agency can solve it alone.

The traditional mental model of federal cybersecurity—agency networks defended at agency boundaries—no longer reflects how government actually operates. The federal mission today runs on a layered fabric of contractors, cloud providers, software vendors, identity platforms, and managed services. Many of these partners are not adjacent to federal work. They are inside it, building, deploying, and operating the systems on which agencies depend. The contractor in this case is not an outlier. It is the norm.

That shift carries consequences our governance models have been slow to absorb. When a developer pushes code to the wrong repository, when an access token is stored for convenience rather than security, when temporary credentials become permanent fixtures, the resulting exposure is not a contractor’s problem or a vendor’s problem. In a cloud-connected environment, it is the government’s problem within minutes. The seams between organizations have become the most consequential terrain in federal cybersecurity, and they are also the least governed.

Our adversaries see this clearly. In February 2024, CISA, NSA, and the FBI issued joint Cybersecurity Advisory AA24-038A, PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure, documenting that the People’s Republic of China actor known as Volt Typhoon had successfully infiltrated communications, energy, transportation, and water and wastewater networks across the United States and its territories—in some cases maintaining undetected access for at least five years.

They achieved this not through novel exploits, but by relying on valid accounts, living-off-the-land techniques, and the operational seams adversaries can count on us to leave open. Russian ransomware crews continue to extract tribute from hospitals and municipalities. Iranian actors grow bolder against operational technology. North Korean operators monetize intrusions to sustain a sanctioned regime.

The IBM Cost of a Data Breach Report 2025 underscores the price of these patterns. Stolen or compromised credentials accounted for 10 percent of breaches, at an average cost of $4.67 million each, and identifying and containing such intrusions took an average of 241 days across industries. Third-party supply chain compromises were among the most expensive vectors of all, averaging $4.91 million and 267 days to resolve.

Adversaries are not racing us. They are waiting us out—and we are giving them the time.

For more than a decade, the federal cybersecurity conversation has grown more sophisticated in its vocabulary: zero trust, secure-by-design, software bills of materials, AI-driven defense. The frameworks are sound. The intentions are serious. But frameworks are not protection. A signed policy does nothing to revoke a credential that should have expired 18 months ago, and a clean annual attestation does nothing to catch a repository that has been public since November.

The harder discipline—and the one we have under-invested in—is execution at the level of partnership. Continuous secrets scanning across every environment touching federal data, including contractor environments. Identity governance that enforces least privilege as a default. Repository monitoring that catches exposures in hours, not months. Contractor performance held to continuous operational assurance rather than periodic paperwork. None of this is exotic. Mature private-sector security organizations already do it, and many federal contractors are fully capable of meeting that bar—when their customers ask for it and verify it.
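As an added illustration of the first and third controls named above (not code from the column, from CISA, or from any contractor), here is a small Python checker that flags secret-shaped lines in a build-and-deploy file and lists access keys older than a rotation window. The regular expressions, the 90-day window, and the sample file are assumptions, and the key material is the placeholder from AWS’s own documentation.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed detection patterns for the material the column describes: AWS access key
# IDs (GovCloud IDs share the AKIA/ASIA prefixes), an AWS secret key assignment,
# plaintext password assignments, and private key blocks.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    "aws_secret_access_key": re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?[A-Za-z0-9/+=]{40}"),
    "plaintext_password": re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*['\"]?[^\s'\"]{6,}"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

def scan_text(text, source="<memory>"):
    """Return (source, line number, finding type) for every line that looks like a secret."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(line):
                findings.append((source, lineno, kind))
    return findings

def stale_keys(created_at, now, max_age_days=90):
    """Return key IDs created before the rotation window (90 days is an assumed policy)."""
    cutoff = now - timedelta(days=max_age_days)
    return sorted(key for key, created in created_at.items() if created < cutoff)

# Constructed sample build-and-deploy file. The key ID and secret are the
# placeholders from AWS's own documentation, not real credentials.
SAMPLE_DEPLOY_FILE = """\
region = us-gov-west-1
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
db_password: hunter2hunter2
"""

# Constructed key inventory: one key about 18 months old, one ten days old.
AS_OF = datetime(2026, 5, 29, tzinfo=timezone.utc)
SAMPLE_KEY_AGES = {
    "AKIAIOSFODNN7EXAMPLE": AS_OF - timedelta(days=548),
    "ASIAEXAMPLE0EXAMPLE0": AS_OF - timedelta(days=10),
}

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_DEPLOY_FILE, "deploy.env"):
        print("exposed secret:", finding)
    print("keys past rotation window:", stale_keys(SAMPLE_KEY_AGES, AS_OF))
```

In practice a check like this runs as a pre-commit hook and in CI, with the key inventory pulled from the cloud provider’s IAM API rather than a constructed dictionary.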

That is the constructive frame I would urge for the coming congressional briefings, and for the broader policy conversation they are likely to spark. Approximately 85 percent of America’s critical infrastructure is privately owned and operated. The federal government’s authority to help secure it rests far more on credibility and partnership than on regulation. When agencies and their contractors can demonstrate operational discipline together, that partnership strengthens. When they cannot, every defender in the country pays a small piece of the cost.

CISA’s mission is indispensable, and its workforce remains among the most committed in government. Helping the agency succeed—by holding its ecosystem, not just its employees, to the standard the threat requires—is in everyone’s interest. Our adversaries are patient enough to wait for us to do otherwise.

This piece originally appeared in Homeland Security Today.