The CIA’s response to the largest data loss in the agency’s history revealed multiple internal security failures that let the leak go unseen, a government report showed Tuesday.
Written in October 2017, the newly released report was sent to CIA leaders several months after the agency first learned it lost classified cyber tools to the website WikiLeaks.
The CIA did not know the data loss occurred until WikiLeaks announced in March 2017 that it had the tools, dubbed “Vault 7,” and started publishing them online, the report notes.
An internal review conducted after the leak began “brought to light multiple ongoing CIA failures,” the agency’s WikiLeaks Task Force wrote in the newly released document.
The CIA’s Center for Cyber Intelligence, or CCI, the agency office from where the tools originated, “had prioritized building cyber weapons at the expense of securing their own systems,” the task force reported.
Security practices within the CIA had become “woefully lax,” and the leak served as a “wake-up call” to reassess how the agency safeguards its data, the task force reported.
“Most of our sensitive cyber weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media controls, and historical data was available to users indefinitely. Furthermore, CCI focused on building cyber weapons and neglected to also prepare mitigation packages if those tools were exposed. These shortcomings were emblematic of a culture that evolved over years that too often prioritized creativity and collaboration at the expense of security,” it reported.
Sen. Ron Wyden, a senior member of the Senate Intelligence Committee, requested the task force’s findings from the U.S. Department of Justice after they were mentioned by federal prosecutors during the recent criminal case of Joshua Adam Schulte, a former CIA software engineer suspected of supplying to “Vault 7” material to WikiLeaks. He attached a redacted excerpt from the report in a letter he sent raising concerns with John Ratcliffe, President Trump’s newest director of national intelligence.
“Three years after that report was submitted, the intelligence community is still lagging behind, and has failed to adopt even the most basic cybersecurity technologies in widespread use elsewhere in the federal government,” wrote Mr. Wyden, Oregon Democrat. The American people expect you to do better, and they will then look to Congress to address these systematic problems.”
Schulte, 31, was tried in Manhattan earlier this year on criminal charges related to the “Vault 7” leak. His jury deadlocked on most counts, however, results in a mistrial and prompting the Justice Department to recently renew its case.