The breach — allegedly committed by a CIA employee — was discovered a year after it happened, when the information was published by WikiLeaks in March 2017. The anti-secrecy group dubbed the release “Vault 7,” and U.S. officials have said it was the biggest unauthorized disclosure of classified information in the CIA’s history, causing the agency to shut down some intelligence operations and alerting foreign adversaries to the spy agency’s techniques.
The October 2017 report by the CIA’s WikiLeaks Task Force, several pages of which were missing or redacted, portrays an agency more concerned with bulking up its cyber arsenal than keeping those tools secure. Security procedures were “woefully lax” within the special unit that designed and built the tools, the report said.
Without the WikiLeaks disclosure, the CIA might never have known the tools had been stolen, according to the report. “Had the data been stolen for the benefit of a state adversary and not published, we might still be unaware of the loss,” the task force concluded.
The task force report was provided to The Washington Post by the office of Sen. Ron Wyden (D-Ore.), a member of the Senate Intelligence Committee, who has pressed for stronger cybersecurity in the intelligence community. He obtained the redacted, incomplete copy from the Justice Department. A version also was earlier obtained by an independent journalist, Matthew Russell Lee.
The breach came nearly three years after Edward Snowden, then a National Security Agency contractor, stole and disclosed classified information about the NSA’s surveillance operations.
“CIA has moved too slowly to put in place the safeguards that we knew were necessary given successive breaches to other U.S. Government agencies,” the report said, finding that “most of our sensitive cyber weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media [thumb drive] controls, and historical data was available to users indefinitely.”
The task force noted that it could not determine the precise size of the breach because the CIA hacking team did not require monitoring of who used its network, but it was concluded that the employee stole as much as 34 terabytes of information, or about 2.2 billion pages.
Timothy Barrett, the CIA press secretary, declined to comment directly on the report. “CIA works to incorporate best-in-class technologies to keep ahead of and defend against ever-evolving threats,” he said.
The hacking tools were developed by the CIA’s Center for Cyber Intelligence, where the agency’s most-sophisticated hackers devised ways to gain access to hard-to-penetrate networks, for instance, to secretly activate the camera and microphone on a foreign target’s tablet, or steal the design plans for a foreign adversary’s advanced weapons systems.
Those employees are under constant pressure to find vulnerabilities in commercial software and other technology, said a former senior intelligence official familiar with the task force’s findings.
The task force acknowledged the drive “to meet growing and critical mission needs,” which it blamed for the laxness in “day-to-day security practices.”
The report has been introduced as evidence in the criminal trial of Joshua Schulte, a former CIA employee who worked in the center and is accused of stealing the hacking tools and giving them to WikiLeaks.
Schulte has pleaded not guilty, and the task force’s findings have figured in his defense. His attorneys argued at a trial this year that security on the computer network was so poor that any one of hundreds of employees or contractors may have had access to the same information Schulte did.
A jury failed to reach a verdict in March on whether Schulte gave the tools to WikiLeaks. Prosecutors have said they intend to try Schulte again this year.
The report distinguishes between the CIA’s “enterprise information technology system,” which accounts for the vast majority of the agency’s computer network, and specialized “mission systems,” including the one that housed the hacking tools.
The former intelligence official, who, like others, spoke on the condition of anonymity because of the subject’s sensitivity, said the mission systems are segregated from the enterprise systems, which follow the “gold standard” for insider threat detection. The task force said the CIA had been “an early leader” in securing its enterprise system.
The former official said he agreed with most of the task force’s findings, but he objected to the assertion that the CIA hadn’t emphasized computer security or that the elite hacking unit was cavalier about protecting its secrets.
“The idea or the assertion that we weren’t working to get all of our systems to the highest level of cybersecurity would be a false claim,” said the former official who was familiar with the unit’s operations.
The center’s mission system was housed in a separate building not at CIA headquarters, and access was highly restricted, the former official said.
But the CIA hackers presumed that the ability to “audit” the network, to know who was logging on and doing what, was better and more detailed than it actually was, the former official said.
The computer network also was maintained by contractors, the former official added. “There was a misunderstanding between the people who ran the unit and people who ran and maintained the network.”
The breach occurred less than six months into a CIA reorganization that emphasized computer security, including for the mission center networks.
“The hardest thing to do is protect against your own people,” said another former intelligence official who is familiar with the breach.
Congress in 2014 gave the Department of Homeland Security the power to require federal agencies to meet minimum cybersecurity standards but exempted the spy agencies, reasoning that as guardians of the nation’s most valuable secrets, they would take extra care to secure their systems, Wyden said. “It is now clear that exempting the intelligence community from baseline federal cybersecurity requirements was a mistake,” Wyden wrote in a letter Tuesday to Director of National Intelligence John Ratcliffe.
Some analysts fault Congress as doing too little to hold intelligence agencies to account for their lapses. The 2017 breach of the Equifax credit reporting agency got far more scrutiny than breaches at the NSA and CIA, said Thomas Rid, an information security professor at Johns Hopkins University’s School of Advanced International Studies.
As more and more data was placed online and the barriers to sharing intelligence among agencies fell after the Sept. 11, 2001, attacks, breaches occurred more often.
In 2010, Chelsea Manning, then an Army intelligence analyst, gave hundreds of thousands of diplomatic cables and military files to WikiLeaks. In 2013, Snowden provided troves of data to journalists about sensitive surveillance programs.
“You’d think that these incidents would be major wake-up calls for the intelligence community and the entire American security establishment,” Rid said. “But it appears that the most powerful and best-funded intelligence agencies on the planet are unable to stop the bleeding of their own data.”
WikiLeaks apparently did not obtain even more sensitive information contained in a “Gold folder” that included “final versions” of the hacking tools, as well as source code, the task force found.