The Central Intelligence Agency’s (CIA) zeal to build cyber weapons at the cost of failing to secure its own cybersecurity defenses led to the spy agency’s loss of top secret hacking tools in 2016, a newly unclassified report said.
According to the internal CIA report, compiled by the CIA’s WikiLeaks Task Force in 2017, an employee allegedly snuck behind the agency’s lax cybersecurity barricades to pilfer some 34 terabytes of classified information, roughly 9,000 documents or more than two billion pages of Microsoft Word documents. Senator Ron Wyden (D-OR), a member of the Senate Intelligence Committee released the report to the public on June 16, 2020.
The cyber safe cracker subsequently sold the data to WikiLeaks, the self fashioned anti-secrecy group. WikiLeaks followed by publishing what it called “Vault 7,” an embarrassment to the CIA so disarming as to cause the agency to shut down some operations. Surveillance operations such as monitoring conversations and worming into targets’ web behavior through their mobile devices were revealed, reports said.
In some ways, the CIA caught a break when WikiLeaks published its haul. Had WikiLeaks not made public the stolen data, the U.S. surveillance crowd might never have known of the heist. “Had the data been stolen for the benefit of a state adversary and not published, we might still be unaware of the loss,” the task force’s report said.
As for the hacking tools, some were not developed solely by U.S. technicians. Others were built in collaboration with foreign allies and from re-engineering kits constructed by Russian cyber mechanics and bad actors, the report said.
“Most of our cyber weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media controls and historical data was available to users indefinitely,” Wyden wrote in a letter to National Intelligence Director John Ratcliffe in prefacing the report. “The shortcomings were emblematic of a culture that evolved over years that too often prioritized creativity and collaboration at the expense of security.”
Cybersecurity limitations were apparently not limited to one part of the intelligence community. In a 2019 report from the Office of the Inspector General of the Intelligence Community, cybersecurity “deficiencies” were found in a number of other departments. At this point, those lapses remain classified. More than 20 security-related recommendations from earlier audits still remain unattended, Wyden said. For example, the intelligence community’s classified computer network for top secret information does not use multi-factor authentication nor have anti-phishing protections been installed despite adoption by many federal agencies, he said.
“The intelligence community is still lagging behind and has failed to adopt even the most basic cybersecurity technologies in widespread use elsewhere in the federal government,” Wyden wrote. Exactly when does Director Ratcliffe intend to implement the necessary changes to shore up the CIA’s cyber defenses, he said.