Senior Department of Homeland Security officials are working to determine whether a ransomware attack on government contractor Johnson Controls International has compromised sensitive physical security information such as DHS floor plans, according to internal DHS correspondence reviewed by CNN.
Johnson Controls, a major manufacturer of alarm and building automation systems, “holds classified/sensitive contracts for DHS that depict the physical security of many DHS facilities,” according to the internal memo.
The looming potential government shutdown – which could start on Sunday morning barring a deal struck in Congress – makes it “especially time sensitive” to determine which DHS offices might be affected by the ransomware attack, the memo said.
“Until further notice, we should assume that [the contractor] stores DHS floor plans and security information tied to contracts on their servers,” the memo said. But it was unclear whether the hackers accessed that information. “We do not currently know the full extent of the impact on DHS systems or facilities,” the memo said.
The incident is a stark reminder for US officials of the cybersecurity risks they take on by working with private contractors for key government services. The Biden administration has tried to tighten cybersecurity for government contractors by compelling them to meet a minimum set of security standards.