The Central Intelligence Agency may have lost some of its most sensitive cyber weapons because it prioritized the development of new capabilities over securing the ones that existed, a newly disclosed internal review has found.
A report compiled by the agency’s WikiLeaks Task Force in October 2017 said day-to-day security practices at the CIA’s Center for Cyber Intelligence (CCI), where many of the cyber tools resided, “had become woefully lax.”
CCI employees “focused on building cyber weapons and neglected to also prepare mitigation packages if those tools were exposed,” the task force said. “These shortcomings were emblematic of a culture that evolved over years that too often prioritized creativity and collaboration at the expense of security.”
Details of the task force’s findings were first reported by the Washington Post.
The group’s report was submitted to then-CIA Director Mike Pompeo and then-Deputy Director Gina Haspel, who now heads the agency. It followed a series of disclosures by WikiLeaks in March of 2017 of some of the agency’s most prized hacking assets, a leak of historic proportions known as Vault 7.
CIA’s own investigators deemed the Vault 7 disclosures the “largest data loss in CIA history,” estimating that up to 34 terabytes, or 2.2 billion pages, may have been stolen and provided to Wikileaks by a CIA employee.
While the task force said it was unable to determine the “precise scope” of the data lost, it said it had assessed with “moderate confidence” that WikiLeaks had not gained access to a “Gold folder,” where the final versions of cyber tools and source codes were apparently stored. The Gold folder was “better protected,” the report said, and its multiple-terabyte size made it “harder to export.”
But it also said the CIA may not have learned of the theft of the tools if they had not been revealed by WikiLeaks.
“Had the data been stolen for the benefit of a state adversary and not published, we might still be unaware of the loss—as would be true for the vast majority of data on Agency mission systems,” the audit said.
The CIA did not comment on the task force’s report, but spokesman Timothy Barrett said the agency “works to incorporate best-in-class technologies to keep ahead of and defend against ever-evolving threats.”
The 10-page, highly-redacted, declassified document appeared to be a small portion of a longer assessment of at least dozens more pages. It was released by Democratic Senator Ron Wyden, of Oregon, who said it had been provided to his office by the Department of Justice.
The report excerpts were among the evidence introduced in the criminal trial of Joshua Schulte, a former CIA software engineer accused of stealing classified documents that then appeared in WikiLeaks’ Vault 7 disclosures.
A jury failed to reach a verdict on whether Schulte disclosed classified information, but he was found guilty in March of making false statements to the FBI and contempt of court. He is expected to be tried second time on eight remaining counts.
In a letter accompanying the report excerpt, Wyden, a member of the Senate Intelligence Committee, questioned whether intelligence agencies’ exemption from federal cybersecurity requirements should continue and requested a series of answers from Director of National Intelligence John Ratcliffe about how intelligence agencies are protecting their digital assets.
“Three years after [the WikiLeaks Task Force] report was submitted, the intelligence community is still lagging behind, and has failed to adopt even the most basic cybersecurity technologies in the federal government,” Wyden wrote. “The American people expect you to do better, and they will then look to Congress to address these systemic problems.”
The task force issued an undisclosed number of recommendations in its report, and it acknowledged that improvements had to be made to how the CIA’s cyber weapons were protected, calling the breach a “wake-up call.”
“We must recognize when we are taking smart risks and when operational shortcuts or waivers created unwarranted risk to our work and to the Agency,” they wrote. “We must care as much about securing our systems as we care about running them if we are to make the necessary revolutionary change.”