CIA blames spy-tool leak on lax security
"Woefully lax" security measures were responsible for WikiLeaks getting hold of up to 34 terabytes of stolen CIA computer hacking tools in 2016 — one of the largest data breaches in agency history — according to an internal 2017 CIA report that was released Tuesday in heavily redacted form.
The secret report was commissioned by the CIA's then-director, now Secretary of State Mike Pompeo, and his deputy — now CIA Director Gina Haspel — after WikiLeaks revealed that the agency's "Vault 7" malware was capable of infiltrating foreign computer networks and even turning on cameras and microphones built into computers, smartphones and even some smart TVs.
To cover its tracks, WikiLeaks reported, the CIA could use techniques designed to make its hacks appear to have originated in Russia.
Pompeo wanted to know why the agency had not detected the breach until WikiLeaks' revelations in March 2017 — a year after the theft occurred. The CIA's specially created WikiLeaks Task Force, not the agency's independent inspector general, compiled the report.
The report found that the CIA unit responsible, the Center for Cyber Intelligence (CCI), cared more about creating sophisticated hacking tools than in protecting them, often eschewing routine safeguards.
"In a press to meet growing and critical mission needs," the report says, "CCI had prioritized building cyber weapons at the expense of securing their own systems. Day-to-day security practices had become woefully lax."
"Intelligence agencies like the CIA and National Security Agency had been exempted from rules Congress imposed on the rest of the federal government," reported the magazine MIT Technology Review. "The expectation was that they would easily exceed those standards, but that hasn't happened."
A heavily redacted version of the report was released Tuesday by US Senator Ron Wyden, an Oregon Democrat who serves on the Senate Intelligence Committee, although a partially declassified version was used in the trial earlier this year of Joshua Schulte, a former CIA employee accused of giving stolen data to WikiLeaks.
Schulte's trial ended in a hung jury on the main charges, but he was convicted of contempt of court and giving false statements to the FBI. Prosecutors have said that they intend to try Schulte again this year, according to The Washington Post.
In a letter to newly named Director of National Intelligence John Ratcliffe, Wyden said the report showed that Congress' decision to exempt intelligence agencies from federal cybersecurity requirements was a mistake.
The 2016 breach seems especially egregious, said the task force report, as it came in the wake of well-publicized leaks of classified information to WikiLeaks by Chelsea Manning and Edward Snowden.
"For nearly a decade," the report said, "WikiLeaks has exploited the digital realm to profoundly reshape opportunities for individuals sworn to protect our nation's secrets to leak classified or sensitive information.
"We failed to recognize or act in a coordinated fashion on warning signs that a person or persons with access to CIA classified information posed an unacceptable risk to national security," the report said.
"Furthermore," the report adds, "CCI focused on building cyber weapons and neglected to also prepare mitigation packages if those tools were exposed."
"The lax cybersecurity practices documented in the CIA's WikiLeaks Task Force report do not appear to be limited to just one part of the intelligence community," Wyden said in his letter,.
Wyden gave Ratcliffe a July 17 deadline to provide unclassified answers to questions related to cybersecurity implementation by the intelligence community.
The task force report noted that it believed that the CIA's most highly sensitive hacking secrets had not been revealed to WikiLeaks because they were stored in a better-protected "Gold folder".
