CIA’s ‘Lax’ Security Led To Massive Theft of Hacking Tools, Internal Report Finds
Poor security culture at the Central Intelligence Agency’s hacking unit permitted the ‘largest data loss in CIA history’ in 2016, a report says.
A “woefully lax” security culture within the Central Intelligence Agency’s elite hacking unit that favored building cyber weapons over protecting its own computer systems from intrusion allowed for the 2016 theft of top-secret hacking tools, according to an internal report written by the spy agency disclosed on Tuesday.
The hacking tools were published by the anti-secrecy group WikiLeaks in early 2017, a disclosure totaling more than 8,000 pages. The leak of the so-called Vault 7 documents was widely viewed as one of the most devastating security breaches in the CIA’s history. It included details about the agency’s playbook for hacking smartphones, computer operating systems, messaging applications and internet-connected televisions.
The internal audit, published in October 2017 by CIA’s WikiLeaks Task Force, described the theft as the “largest data loss in CIA history.” It said an employee stole anywhere from 180 gigabytes to 34 terabytes of information, a haul roughly equivalent to 11.6 million to 2.2 billion pages in Microsoft Word.
The report said it was possible the CIA may have never learned of the theft had the trove not been published by WikiLeaks.
“While CIA was an early leader in securing our enterprise information technology (IT) system, we failed to correct acute vulnerabilities to our mission IT systems,” said the report prepared for former CIA Director Mike Pompeo and Gina Haspel, the current director.
Timothy Barrett, a CIA spokesman, declined to comment on the specifics of the report. “CIA works to incorporate best-in-class technologies to keep ahead of and defend against ever-evolving threats,” Mr. Barrett said.
Sen. Ron Wyden (D., Ore.), who sits on the Senate Intelligence Committee, obtained the redacted version of the report from the Justice Department, and released it on Tuesday. The Washington Post first published details of it Tuesday.
In a letter Tuesday to Director of National Intelligence John Ratcliffe, Mr. Wyden asked for information regarding the steps being taken to improve the cybersecurity protections surrounding the intelligence community’s most sensitive secrets. He additionally said in a statement that Congress should reconsider a federal law making intelligence agencies exempt from federal cybersecurity standards.
“Congress did so reasonably expecting that intelligence agencies that have been entrusted with our nation’s most valuable secrets would of course go above and beyond the steps taken by the rest of the government to secure their systems,” Mr. Wyden said. “Unfortunately, it is now clear that exempting the intelligence community from baseline federal cybersecurity requirements was a mistake.”
A spokeswoman for Mr. Ratcliffe’s office said the letter from Mr. Wyden had been received and that the intelligence director would “respond accordingly.”
Earlier this year federal prosecutors in Manhattan tried Joshua Schulte, a former CIA software engineer, on charges he stole the Vault 7 documents when he was working with the agency unit that designed the hacking tools. One former top CIA official who testified called the leak of hacking tools “the equivalent of a digital Pearl Harbor.”
Mr. Schulte has pleaded not guilty, and his defense team argued that the security protocols in place at the CIA were so weak that it was impossible to know who was responsible for the heist of classified information, or whether it was the work of an employee or a foreign actor. In March a jury failed to reach a verdict on whether he was responsible for the leak, but convicted him of making false statements and contempt of court.
Among the report’s critical assessments is that the CIA was too slow to put in place necessary cybersecurity measures “given successive breaches to other U.S. government agencies.” The theft took place about three years after former intelligence contractor Edward Snowden pilfered a massive trove of documents from the National Security Agency concerning its domestic and international surveillance operations.
“In a press to meet growing and critical mission needs, CCI had prioritized building cyber weapons at the expense of securing their own systems,” the report states, referring to the Center for Cyber Intelligence, the elite hacking unit at the CIA from which the tools were stolen. “Day-to-day security practices had become woefully lax.”
Most of the cyber weapons lacked segmented access protections, employees shared administrator-level passwords, and there were no controls on using devices like thumb drives to remove files from internal systems, the report found.
While extremely sensitive material was compromised, the CIA task force concluded with moderate confidence that WikiLeaks didn’t obtain the “Gold folder” of its most sensitive files, containing final versions of all developed hacking tools and source code. That folder was better protected and so large it was harder to export, the report said.