[BreachExchange] CIA cyber weapons stolen in historic breach due to 'woefully lax security', internal report says
Destry Winant
destry at riskbasedsecurity.com
Wed Jun 17 10:14:00 EDT 2020
https://www.cnn.com/2020/06/16/politics/cia-wikileaks-vault-7-leak-report/index.html
Washington (CNN)The largest theft of data in CIA history happened
because a specialized unit within the agency was so focused on
building cyber weapons that an employee took advantage of "woefully
lax" security and gave secret hacking tools to WikiLeaks, according to
an internal report released on Tuesday.
The hacking tools stolen in the breach, which occurred in 2016, came
from its clandestine Center for Cyber Intelligence (CCI). The amount
of data stolen is unknown, the memo said, but could be as much as 34
terabytes of data -- the equivalent of 2.2 billion pages of text.
The theft was revealed around a year later, in March 2017, when
WikiLeaks published what it claimed was the largest trove of CIA
documents, dubbed "Vault 7," detailing some of the agency's
sophisticated cyber weapons, which was first reported by the
Washington Post.
Ex-CIA employee charged with leaking classified information
That incident prompted a review by the CIA WikiLeaks Task Force, which
submitted its findings in an October 2017 report to then-Director Mike
Pompeo and his deputy -- who is now the director -- Gina Haspel.
In a damning admission, its authors write: "We failed to recognize or
act in a coordinated fashion on warning signs that a person or persons
with access to CIA classified information posed an unacceptable risk
to national security."
While the CIA declined to comment on any specific report, agency
spokesperson Timothy Barrett told CNN, "CIA works to incorporate
best-in-class technologies to keep ahead of and defend against
ever-evolving threats."
The report released Tuesday is heavily redacted but clearly states
that the breach came as a result of a series of security shortcomings
"over years that too often prioritized creativity and collaboration at
the expense of security."
"In a press to meet growing and critical mission needs, CCI had
prioritized building cyber weapons at the expense of securing their
own systems. Day-to-day security practices had become woefully lax,"
the report says.
The task force memo was released Tuesday by Sen. Ron Wyden, a Democrat
from Oregon on the Senate Intelligence Committee, who obtained an
incomplete, redacted version from the Justice Department. In a letter
to the new Director of National Intelligence, John Ratcliffe, Wyden
asked for more information about "widespread cybersecurity problems
across the intelligence community."
The CIA report released by Wyden emphasized the Agency didn't know the
full extent of the damage because the CCI system - unlike other parts
of the Agency's IT systems - "did not require user activity monitoring
or other safeguards..."
"Most of our sensitive cyber weapons were not compartmented, users
shared systems administrator-level passwords, there were no effective
removable media controls, and historical data was available to users
indefinitely," the report reads.
"Furthermore, CCI focused on building cyber weapons and neglected to
also prepare mitigation packages if those tools were exposed," it
adds.
The material published by WikiLeaks in 2017 suggested that the CIA had
become the globe's pre-eminent hacking operation, sneaking into
high-tech phones and televisions to spy on people worldwide.
Leaked information published by WikiLeaks as part of the "Vault 7"
series contained notes about how the agency allegedly targeted
individuals through malware and physical hacking on devices including
phones, computers and TVs.
To hide its operations, the CIA routinely adopted techniques that
enabled its hackers to appear as if they were Russian, according to
the documents published by WikiLeaks.
US officials who previously spoke to CNN about the incident emphasized
that any intelligence collection using the types of operations
described in the documents is legal against overseas targets. The
officials also cautioned that some of the material describes programs
still under development by the intelligence community.
At the time, WikiLeaks claimed that nearly all of the CIA's arsenal of
privacy-breaching cyberweapons had been stolen, and the tools are
potentially in the hands of criminals and foreign spies.
Fate of ex-CIA employee charged with massive data leak in jury's hands
While the CIA task force responsible for the 2017 report made several
recommendations to address these security failures, some lawmakers are
still concerned that the intelligence community remains vulnerable to
security breaches of this nature.
"The lax cybersecurity practices documented in the CIA's WikiLeaks
Task Force report do not appear to be limited to just one part of the
intelligence community," Wyden wrote, adding it called the breach a
"wake-up call" that presented an "opportunity to right longstanding
imbalances and lapses."
"Three years after that report was submitted, the intelligence
community is still lagging behind and has failed to adopt even the
most basic cybersecurity technologies in widespread use elsewhere in
the federal government," he said.
Wyden requested that Ratcliffe provide him unclassified answers to a
series of questions related to the implementation of cybersecurity
practices within the intelligence community by July 17, 2020.
The CIA's lax cybersecurity practices were also highlighted in federal
court earlier this year during the trial of Joshua Schulte, the ex-CIA
employee who is accused of handing over reams of classified data to
WikiLeaks in 2016.
The October 2017 CIA report was introduced as evidence during the
trial and Schulte's attorneys argued that the system's security was so
poor that the information could have been accessed by a large number
of employees.
In March, a federal grand jury in New York failed to reach a verdict
on whether Schulte did, in fact, give the data to WikiLeaks.
Prosecutors have said that they intend to try Schulte again this year,
according to the Washington Post.
More information about the BreachExchange
mailing list