‘Woefully lax’ security enabled leak of CIA cyber weapons

An internal report has concluded that a 2016 breach which compromised a huge trove of the CIA’s cyber weapons occurred due to “woefully lax” information security within the agency.

The tools acquired in the breach were developed by the CIA’s Center for Cyber Intelligence (CCI) between 2013 and 2016 and included a range of sophisticated cyber weapons. Up to 34TB of material (equivalent to 2.2 billion pages of information) was acquired and leaked.

A former CIA employee, Joshua Schulte, has been accused of being behind the leak. However, at his federal trial this year the jury deadlocked on the charges of illegally gathering and transmitting national security information, convicting him only of contempt of court and making false statements to the FBI.

The breach was revealed in March 2017 when WikiLeaks published what it characterised as the largest-ever trove of acquired CIA documents, known as 'Vault 7'.

The leaked material attracted controversy, showing that the CIA had the capability to perform widespread electronic surveillance, including compromising individuals’ smartphones, cars, computers and smart TVs. Whistle-blower Edward Snowden criticised the CIA for intentionally maintaining vulnerabilities in US products.

“Recently, the CIA lost control of the majority of its hacking arsenal, including malware, viruses, trojans, weaponised 'zero day' exploits, malware remote control systems and associated documentation,” WikiLeaks wrote at the time of publication of the Vault 7 material. “This extraordinary collection, which amounts to more than several hundred million lines of code, gives its possessor the entire hacking capacity of the CIA.

“The archive appears to have been circulated among former US government hackers and contractors in an unauthorised manner, one of whom has provided WikiLeaks with portions of the archive.”

The breach prompted an internal review by the CIA WikiLeaks Task Force, which submitted its conclusions to then-director Mike Pompeo in 2017. A mostly redacted version of the report was obtained by Senator Ron Wyden of the Senate Intelligence Committee after he requested more information from the CIA about “widespread cyber-security problems across the intelligence community”.

The Washington Post has reported on sections of the report, which reveal the scale of poor security practices at the CIA at the time of the breach. The report says that the CIA was not sufficiently vigilant about the insider risk posed by people with access to the classified data.

“We failed to recognise or act in a coordinated fashion on warning signs that a person or persons with access to CIA classified information posed an unacceptable risk to national security,” the report said.

The report said that the CIA had prioritised creativity in building new cyber weapons while neglecting to secure its existing assets.

“In a press to meet growing and critical mission needs, CCI had prioritised building cyber weapons at the expense of security of their own systems. Day-to-day security practices had become woefully lax,” it says. “Most of our sensitive cyber weapons were not compartmented; users shared systems administrator-level passwords; there were no effective removable media controls, and historical data was available to users indefinitely.”

“Furthermore, CCI focused on building cyber weapons and neglected to also prepare mitigation packages if those tools were exposed. These shortcomings were emblematic of a culture that evolved over years that too often prioritised creativity and collaboration at the expense of security.”

The Task Force report said that while it was uncertain of the scope of the data compromised, it had moderate confidence that the final versions of the cyber weapons and their source code (held in a “Gold Folder”) had not been acquired, as this folder was larger and better protected than the other locations.

The report also said that the CIA had been unaware of the 2016 breach until the documents were published by WikiLeaks the following year, because CCI had not incorporated user-activity monitoring or other safeguards into its systems.

“Had the data been stolen for the benefit of a state adversary and not published, we might still be unaware of the loss – as would be true for the vast majority of data on Agency mission systems,” the review said.

While the CIA WikiLeaks Task Force made several recommendations to tighten security measures at the agency, lawmakers like Wyden remain concerned that intelligence agencies may remain vulnerable to further breaches.
