Skip to main content

"Woefully Lax" Security Procedures at CIA Led to Data Theft

by Chris Brook on Wednesday June 17, 2020

Contact Us
Free Demo

The CIA failed to install safeguards to prevent the theft of its most valuable cyber weapons in 2016.

It was a CIA employee - not attackers affiliated with a nation state or a hacking crew - that led to 2017's massive Vault 7 leak. The leak, widely believed as the largest disclosure of classified information in the agency's history, was first outlined on WikiLeaks

According to an internal report from the CIA’s WikiLeaks Task Force, originally published in October, 2017 but unknown of until yesterday, the agency wouldn’t have known about the leak if it wasn’t for the publicized leak.

“While CIA was an early leader in securing our enterprise information technology (IT) system, we failed to correct acute vulnerabilities to our mission IT systems. Because the stolen data resided on a mission system that lacked user activity monitoring and a robust server audit capability, we did not realize the loss had occurred until a year later, when WikiLeaks publicly announced it in March 2017,” the report reads.

The Washington Post broke the news in a bombshell story yesterday after it was given the report by Senator Ron Wyden (D-Ore.)

Ironically - especially given it took place years after Chelsea Manning and Edward Snowden - the CIA lacked the safeguards needed to defend against insider theft in the first place.

“CIA has moved too slowly to put in place the safeguards that we knew were necessary given successive breaches to other U.S. Government agencies … most of our sensitive cyber weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media [thumb drive] controls, and historical data was available to users indefinitely,” the report says.

Included in the data loss are cyber tools from the Center for Cyber Intelligence's (CCI) software development network, DevLAN

Many of these valuable tools were outlined in Vault 7, released by WikiLeaks back in March, 2017, including ways to scramble malware code, hack iPhones, smart TVs, and a litany of ways to infect machines and make them CIA listening posts. While these tools were no doubt state of the art, judging by the report, the agency put very little effort into securing them.

"CCI had prioritized building cyber weapons at the expense of securing their own systems. Day-to-day security practices had become woefully lax," the report reads, "... these shortcomings were emblematic of a culture that evolved over years that too often prioritized creativity and collaboration at the expense of security.

In its report, the task force said it couldn't pinpoint exactly how much data was taken because it didn't even monitor who used its network. Instead it could only say the employee stole as much as 34 terabytes of information, roughly 2.2 billion pages.

In a letter to the Director of National Intelligence John Ratcliffe on Tuesday, Sen. Wyden said that Congress' decision in 2014 to exempt spy agencies from adopting specific cybersecurity technologies and policies to safeguard federal systems was a mistake. The thinking at the time was that since these agencies already have access to sensitive data, state secrets and the like, that they'd protect them - this hasn't been the case as the Vault 7 leak demonstrated.

In the letter, which is available here, along with a redacted version of the CIA’s WikiLeaks Task Force report, Wyden pushed Ratcliffe to address cybersecurity recommendations from previous evaluations of the intelligence community.

The Task Force also pushed for change.

"This wake-up call presents us with an opportunity to right longstanding imbalances and lapses, to reorient how we view risk,” the report reads, “… we must recognize when we are taking smart risks and when operational shortcuts or waivers create unwarranted risk to our work and to the Agency."

The U.S. federal prosecutor's office previously accused Joshua Schulte, a former CIA employee, for leaking the Vault 7 tools. A jury in March failed to reach a verdict in that trial however, his attorneys - who asked for a mistrial - insisted that security was so poor at the CIA in 2016 that it would be too difficult to definitively pin the leak on him.

Tags:  Government Data Theft

Recommended Resources

The Definitive Guide to Data Loss Prevention
The Definitive Guide to Data Loss Prevention

All the essential information you need about DLP in one eBook.

6 Cybersecurity Thought Leaders on Data Protection
6 Cybersecurity Thought Leaders on Data Protection

Expert views on the challenges of today & tomorrow.

Digital Guardian Technical Overview
Digital Guardian Technical Overview

The details on our platform architecture, how it works, and your deployment options.