According to TechCrunch, the U.S. Congressional Budget Office confirmed on Friday that it was hacked, with spokesperson Caitlin Emma stating the agency has identified the security incident and taken immediate containment actions. The breach was first revealed by The Washington Post on Thursday, reporting that unspecified foreign hackers were behind the intrusion. Security researcher Kevin Beaumont suspects hackers exploited the CBO’s outdated Cisco firewall, which hadn’t been patched since 2024 and remained vulnerable when the federal government shutdown took effect on October 1. Officials worry the hackers accessed internal emails, chat logs, and communications between lawmakers’ offices and CBO researchers. The Senate Sergeant at Arms office has warned congressional offices that compromised emails could be used to craft phishing attacks.
The outdated firewall problem
Here’s the thing about government cybersecurity – it’s often a game of catch-up that we’re losing. Beaumont noted last month that the CBO had a Cisco ASA firewall that was last patched in 2024 and remained vulnerable to newly discovered security bugs being exploited by suspected Chinese government-backed hackers. And get this – the firewall wasn’t patched before the October 1 government shutdown. Basically, we had a known vulnerability sitting there for weeks while foreign actors apparently walked right in.
I mean, think about it – these are the same firewalls protecting some of our most critical industrial infrastructure. When government agencies can’t keep basic network security updated, it raises serious questions about our broader cybersecurity posture. The firewall is now offline, but the damage is probably already done.
What they might have taken
This isn’t just about email access – we’re talking about the Congressional Budget Office. This agency handles economic analysis and cost estimates for every major piece of legislation moving through Congress. They see budget proposals before they’re public, economic projections that could move markets, and sensitive communications with lawmakers’ offices about upcoming bills.
Foreign intelligence services would kill for this kind of access. They could anticipate U.S. economic policy moves, understand legislative priorities, and potentially even influence budget decisions by leaking selective information. And let’s be real – if they got internal communications, they now have perfect templates for sophisticated phishing attacks against other government targets.
Why this matters beyond CBO
Look, this breach reveals a pattern we’ve seen before: government agencies running outdated equipment, missing critical patches, and becoming easy targets for state-sponsored actors. The timing is particularly concerning – right before a government shutdown when security teams might be distracted or understaffed.
What’s frustrating is that Cisco had already published security advisories about these vulnerabilities. The tools and information were available, but the patches apparently were never applied. And when Beaumont publicly noted the unpatched firewall last month, it didn’t trigger immediate action.
So we’re left wondering – how many other government agencies are running similarly vulnerable systems? And what’s the real cost when foreign actors get this level of access to our budget planning process? The CBO might be containing this specific breach, but the systemic issues remain wide open.
