In stunning display of stupid, secret CISA credentials found in public GitHub repo
FIRST LINE: Security journalist Brian Krebs brings us the news that America's Cybersecurity and Infrastructure Security Agency (CISA) has had a large store of plaintext passwords, SSH private keys, tokens, and other sensitive CISA assets exposed in a public GitHub repo since at least November 2025.
THE DISSECTION
This is not a security incident. This is a public autopsy of the entire cybersecurity industrial complex. Let me be precise about what just happened:
CISA, the civilian agency responsible for securing the government's digital crown jewels, had a contractor storing the agency's own secrets in a public repository with GitHub's secret-scanning protections deliberately disabled for five-plus months. Those credentials still worked and gave high-privilege access to AWS GovCloud. Meanwhile, six months earlier, CISA's own acting director had uploaded classified materials to ChatGPT after securing a policy exemption.
The people tasked with protecting the system cannot operate the system.
THE CORE FALLACY
The assumption embedded in every congressional hearing, every FISMA report, and every federal cybersecurity mandate: that the problem is technical and solvable through process compliance. Enable these controls. File these reports. Hire these contractors. Check these boxes.
The actual problem is human and institutional, and it's unfixable within the existing framework. When GitHub's automated secret detection is turned off by the repo administrator, you have a human making a conscious choice to disable a safeguard. When a director uploads classified documents to an external AI service, you have a human overriding policy because they convinced themselves they were the exception.
This is not a tooling problem. This is a cognitive infrastructure problem—the humans at every node are incapable of the threat model their own agencies demand they implement.
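The safeguard the paragraph above says was switched off, written out as a check, as an added example that is not code from this article or from Krebs's report: a small scanner for the secret types the report names (SSH private keys, cloud access keys, API tokens), with an entropy filter so placeholder values do not flood the output, plus an audit of the secret-scanning settings that GitHub's REST API reports for a repository. The regexes are illustrative, not GitHub's own rules; the config file, the owner name in `example-org/Private-CISA` and the API response are constructed for the example (the AWS values are AWS's published documentation examples, not live keys).

```python
import math
import re
from typing import Dict, List, Tuple

# Illustrative patterns for the secret types the report names (SSH private
# keys, cloud access keys, API tokens). Written for this example; they are
# not GitHub's secret-scanning rules. Order matters: the first pattern that
# matches a line wins, so the most specific patterns come first.
SECRET_PATTERNS: Dict[str, re.Pattern] = {
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    # key = value assignments whose name suggests a credential; value is group 1
    "generic_assignment": re.compile(
        r"(?i)(?:password|passwd|secret|token|api[_-]?key)\w*\s*[:=]\s*['\"]?([^\s'\"]{8,})"),
}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; low values suggest placeholder text."""
    if not s:
        return 0.0
    n = len(s)
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep just enough of a hit to locate it, never the whole secret."""
    return value[:4] + "..." + value[-2:] if len(value) > 8 else "***"


def scan_text(text: str, min_entropy: float = 3.0) -> List[Tuple[int, str, str]]:
    """Return (line number, pattern name, redacted preview) for each hit."""
    findings: List[Tuple[int, str, str]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            value = match.group(1) if match.groups() else match.group(0)
            # Generic assignments are noisy on template values such as
            # PASSWORD="changeme"; skip low-entropy values for that pattern.
            if name == "generic_assignment" and shannon_entropy(value) < min_entropy:
                continue
            preview = "PEM header" if name == "private_key_block" else redact(value)
            findings.append((lineno, name, preview))
            break
    return findings


# Constructed sample of a committed config file. None of these are real
# credentials; the AWS values are AWS's own documentation examples.
SAMPLE_REPO_FILE = """\
# deploy/config.env (constructed sample, not real credentials)
AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
DB_PASSWORD="changeme"
GITHUB_TOKEN=ghp_0123456789abcdefghijABCDEFGHIJ012345
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
-----END OPENSSH PRIVATE KEY-----
"""

# Shape of the security_and_analysis block that GitHub's REST API returns
# in GET /repos/{owner}/{repo}. The values are constructed to mirror the
# state the report describes; the owner name is invented.
SAMPLE_REPO_API_RESPONSE = {
    "full_name": "example-org/Private-CISA",
    "private": False,
    "security_and_analysis": {
        "secret_scanning": {"status": "disabled"},
        "secret_scanning_push_protection": {"status": "disabled"},
    },
}


def audit_repo_settings(repo: dict) -> List[str]:
    """List every secret-handling setting that is not in the safe state."""
    problems: List[str] = []
    analysis = repo.get("security_and_analysis") or {}
    for feature in ("secret_scanning", "secret_scanning_push_protection"):
        status = (analysis.get(feature) or {}).get("status")
        if status != "enabled":
            problems.append(f"{feature} is {status or 'not reported'}")
    if not repo.get("private", True):
        problems.append("repository is public")
    return problems


if __name__ == "__main__":
    for lineno, name, preview in scan_text(SAMPLE_REPO_FILE):
        print(f"line {lineno}: {name} ({preview})")
    for problem in audit_repo_settings(SAMPLE_REPO_API_RESPONSE):
        print("setting:", problem)
```

Run against real data, `scan_text` should be fed the output of `git log -p` rather than the working tree, since a secret deleted in a later commit is still in history. For the settings audit, treat a missing `security_and_analysis` field as a failed check, not a clean one: the function reports it as "not reported", which is what a caller without administrative access on the repository will see.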
THE HIDDEN ASSUMPTION
That the cybersecurity apparatus can function as designed: with compartmentalization, layered access controls, and humans reliably following complex security protocols across a sprawling contractor ecosystem.
That assumption died in a public GitHub repo named "Private-CISA."
THE VERDICT
CISA is not a cybersecurity agency. CISA is a cybersecurity theater company that occasionally causes real damage. The premier federal agency for defending digital infrastructure cannot secure its own secrets, has had its acting director personally violate the policies he oversees, and relies on contractors whose incompetence is now documented in public commit logs.
Under the Discontinuity Thesis, this is secondary to the main mechanical collapse—but it's not irrelevant. The institutional capacity to manage the transition is demonstrated here to be nonexistent. If the federal government cannot secure its own credential stores, it has no capacity to coordinate defense against AI-augmented threat actors. It cannot protect critical infrastructure. It cannot manage the transition.
The lag will compress. The attack surface will expand. The humans will keep failing.
LAG-WEIGHTED TIMELINE
| Failure Mode | Mechanism | Timeline |
|---|---|---|
| Credential rot | Exposed keys compound; attacker dwell time expands | Already ongoing |
| Institutional trust collapse | Partners stop sharing intel with compromised CISA | 6-24 months |
| Regulatory vacuum | CISA loses authority to mandate; sector defaults to self-protection | 2-5 years |
| AI threat escalation | Nation-state actors exploit this gap with AI-amplified attacks | 1-3 years |
VIABILITY SCORECARD
- 1 year: Terminal. Incident cleanup theater. No systemic fix possible with existing structure.
- 2 years: Fragile. Trust deficit cascades. Contractor ecosystem contracts.
- 5 years: Already restructured or bypassed. Either a new model emerges or CISA becomes a reporting agency with no operational authority.
SURVIVAL PLAN
Not applicable to CISA itself. Institutions this broken don't get survival plans; they get wind-downs.
For everyone else: Verification Arbitrage, full stop. Do not trust any federal cybersecurity guidance without independent validation. Do not assume credentials are rotated. Do not assume classified is classified. Assume the worst and build your own perimeter.