An internal CIA report released Tuesday found that the agency’s failure to secure its own systems led to the massive 2017 data breach that enabled classified information, including details on 35 CIA hacking tools, to be leaked to WikiLeaks.
A redacted version of the report, prepared by the CIA’s WikiLeaks Task Force in 2017, was released by Ron Wyden, D-Ore., a member of the Senate Intelligence Committee.
The report calls out the CIA’s Center for Cyber Intelligence for not prioritizing internal cybersecurity and focusing, instead, on developing offensive cyber weapons.
This lax attitude toward preventive cybersecurity measures within the CIA continued even after previous high-profile data breaches of the agency and other intelligence departments, the report states.
On Tuesday, Wyden wrote to John Ratcliffe, the director of national intelligence, demanding to know if the U.S. intelligence community planned to implement better cybersecurity practices and questioning why the CIA did not do more to protect its internal security operations from both outside attacks and internal threats.
“The lax cybersecurity practices documented in the CIA’s WikiLeaks Task Force report do not appear to be limited to just one part of the intelligence community,” Wyden writes. “The Office of the Inspector General of the Intelligence Community revealed in a public summary of a report it published last year that it found a number of deficiencies in the intelligence community’s cybersecurity practices.”
The WikiLeaks Task Force report was prepared after the leaking of the CIA hacking tools, which were referred to as “Vault 7” (see: WikiLeaks Dumps Alleged CIA Malware and Hacking Trove).
The theft of the hacking tools, which apparently happened sometime in 2016, was not discovered until WikiLeaks published the Vault 7 series in 2017. Later, the U.S. Justice Department brought charges against Joshua Schulte, a former CIA employee, who is suspected of stealing the CIA hacking tools and then giving them to WikiLeaks, according to the Washington Post, which first reported on the Wyden letter.
The WikiLeaks Task Force report is part of the Justice Department’s case against Schulte, who will be tried again for the Vault 7 leak later this year after his first trial ended in a hung jury in March, according to the Post.
In the report, investigators describe how an unnamed former CIA employee managed to take between 180 GB and 34 TB of highly classified agency information and data.
The report describes a CIA culture that only focused on developing offensive cyber weapons and ignored basic security procedures, which led to multiple breaches.
“Day-to-day security practices had become woefully lax. … Most of our sensitive cyber weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media controls, and historical data was available to users indefinitely,” according to the CIA report.
The Vault 7 hacking tools came from an isolated, high-security network situated inside the CIA’s Center for Cyber Intelligence in Langley, Virginia, according to WikiLeaks.
Difficulties Preventing Leaks
Thomas Rid, a professor at the John Hopkins School of Advanced International Studies who has studied cybersecurity issues, wrote on Twitter that the U.S. intelligence community has had a difficult time stopping leaks, including Vault 7 as well as disclosures from former Army Private Chelsea Manning and former National Security Agency contractor Edward Snowden.Thomas Rid✔@RidT · Replying to @RidT
Imagine for a moment the logistics of physically getting that amount of data out
Seven years after Manning.
Three years after Snowden.
About a year after Shadow Brokers.
Jake Williams, president of cybersecurity consultancy Rendition Infosec and a former NSA staffer, noted that the Vault 7 disclosures, along with the release of NSA hacking tools in 2016 by the group known as the Shadow Brokers, show that the U.S. intelligence community did not take its cybersecurity responsibilities seriously.
“In at least two of these cases – Vault 7 and Shadow Brokers – there is no indication that there was any detection ahead of the data being posted publicly,” Williams told Information Security Media Group. “If you compare the intelligence community to a commercial organization that had three major breaches over a few years and didn’t discover two of them until someone leaked data publicly, I’d have a hard time taking their security seriously.”
Security Improvements Needed
In his letter to Ratcliffe, the director of national intelligence, Wyden asked why various agencies failed to heed security guidance. This included:
- An Oct. 16, 2017 Cybersecurity and Infrastructure Security Agency notice requiring all federal agencies to protect their websites and email using encryption and domain-based message authentication as well as to conform with DMARC email authentication, policy and reporting protocols;
- A Jan. 22, 2019 emergency directive from CISA requiring agencies to implement multifactor authentication within 10 days to protect their .gov domains.
Wyden also questions why the Joint Worldwide Intel Communications System, the intelligence community’s classified computer network that handles top secret information, still has not implemented multifactor authentication to align itself with National Institute of Standards and Technology Special Publication 800-63B, despite the August 2019 statement by the Defense Intelligence Agency’s cyber and enterprise operations chief that the DIA was looking into this upgrade.
In the letter, Wyden asks Ratcliffe if he intends to implement numerous cybersecurity recommendations published by the office of the Intelligence Community Inspector General in November 2019.
“Do you intend to adopt each of the 22 cybersecurity recommendations of the Inspector General of the Intelligence Community?” Wyden asks. “If yes, please provide an estimate for when you expect to have implemented each of these recommendations. If no, please explain why.”
A CIA spokesperson told the Washington Post that the agency was not commenting on the 2017 report that Wyden released Tuesday.
Tim Wade, the technical director for the CTO team at security firm Vectra, and a former Air Force officer, notes that government agencies – and especially the intelligence community – need to follow cybersecurity guidelines.
“Accepting the risk of continuing to operate such systems in a vulnerable state mitigates the greater risks associated with jeopardizing mission success,” Wade says.