The largest theft of data in CIA history happened because a specialized unit within the agency was so focused on building cyber weapons that an employee took advantage of “woefully lax” security and gave secret hacking tools to WikiLeaks, according to an internal report released on Tuesday.
The hacking tools stolen in the breach, which occurred in 2016, came from its clandestine Center for Cyber Intelligence (CCI). The amount of data stolen is unknown, the memo said, but could be as much as 34 terabytes of data – the equivalent of 2.2 billion pages of text.
The theft was revealed around a year later, in March 2017, when WikiLeaks published what it claimed was the largest trove of CIA documents, dubbed “Vault 7,” detailing some of the agency’s sophisticated cyber weapons, which was first reported by the Washington Post.
That incident prompted a review by the CIA WikiLeaks Task Force, which submitted its findings in an October 2017 report to then-Director Mike Pompeo and his deputy – who is now the director – Gina Haspel.
In a damning admission, its authors write: “We failed to recognize or act in a coordinated fashion on warning signs that a person or persons with access to CIA classified information posed an unacceptable risk to national security.”
While the CIA declined to comment on any specific report, agency spokesperson Timothy Barrett told CNN, “CIA works to incorporate best-in-class technologies to keep ahead of and defend against ever-evolving threats.”
The report released Tuesday is heavily redacted but clearly states that the breach came as a result of a series of security shortcomings “over years that too often prioritized creativity and collaboration at the expense of security.”
“In a press to meet growing and critical mission needs, CCI had prioritized building cyber weapons at the expense of securing their own systems. Day-to-day security practices had become woefully lax,” the report says.
The task force memo was released Tuesday by Sen. Ron Wyden, a Democrat from Oregon on the Senate Intelligence Committee, who obtained an incomplete, redacted version from the Justice Department. In a letter to the new Director of National Intelligence, John Ratcliffe, Wyden asked for more information about “widespread cybersecurity problems across the intelligence community.”
The CIA report released by Wyden emphasized the Agency didn’t know the full extent of the damage because the CCI system - unlike other parts of the Agency’s IT systems - “did not require user activity monitoring or other safeguards…”
“Most of our sensitive cyber weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media controls, and historical data was available to users indefinitely,” the report reads.
“Furthermore, CCI focused on building cyber weapons and neglected to also prepare mitigation packages if those tools were exposed,” it adds.
The material published by WikiLeaks in 2017 suggested that the CIA had become the globe’s pre-eminent hacking operation, sneaking into high-tech phones and televisions to spy on people worldwide.
Leaked information published by WikiLeaks as part of the “Vault 7” series contained notes about how the agency allegedly targeted individuals through malware and physical hacking on devices including phones, computers and TVs.
To hide its operations, the CIA routinely adopted techniques that enabled its hackers to appear as if they were Russian, according to the documents published by WikiLeaks.
US officials who previously spoke to CNN about the incident emphasized that any intelligence collection using the types of operations described in the documents is legal against overseas targets. The officials also cautioned that some of the material describes programs still under development by the intelligence community.
At the time, WikiLeaks claimed that nearly all of the CIA’s arsenal of privacy-breaching cyberweapons had been stolen, and the tools are potentially in the hands of criminals and foreign spies.
While the CIA task force responsible for the 2017 report made several recommendations to address these security failures, some lawmakers are still concerned that the intelligence community remains vulnerable to security breaches of this nature.
“The lax cybersecurity practices documented in the CIA’s WikiLeaks Task Force report do not appear to be limited to just one part of the intelligence community,” Wyden wrote, adding it called the breach a “wake-up call” that presented an “opportunity to right longstanding imbalances and lapses.”
“Three years after that report was submitted, the intelligence community is still lagging behind and has failed to adopt even the most basic cybersecurity technologies in widespread use elsewhere in the federal government,” he said.
Wyden requested that Ratcliffe provide him unclassified answers to a series of questions related to the implementation of cybersecurity practices within the intelligence community by July 17, 2020.
The CIA’s lax cybersecurity practices were also highlighted in federal court earlier this year during the trial of Joshua Schulte, the ex-CIA employee who is accused of handing over reams of classified data to WikiLeaks in 2016.
The October 2017 CIA report was introduced as evidence during the trial and Schulte’s attorneys argued that the system’s security was so poor that the information could have been accessed by a large number of employees.
In March, a federal grand jury in New York failed to reach a verdict on whether Schulte did, in fact, give the data to WikiLeaks.
Prosecutors have said that they intend to try Schulte again this year, according to the Washington Post.