CIA unit that crafts hacking tools didn't protect itself
WASHINGTON (AP) — A specialized CIA unit that developed hacking tools and cyber weapons didn’t do enough to protect its own operations and wasn't prepared to respond when its secrets were exposed, according to an internal report prepared after the worst data loss in the intelligence agency’s history.
"These shortcomings were emblematic of a culture that evolved over years that too often prioritized creativity and collaboration at the expense of security,” according to the report, which raises questions about cybersecurity practices inside U.S. intelligence agencies.
Sen. Ron Wyden, D-Ore., a senior member of the Senate Intelligence Committee, obtained the redacted report from the Justice Department after it was introduced as evidence in a court case this year involving stolen CIA hacking tools.
He released it on Tuesday along with a letter he wrote to new National Intelligence Director John Ratcliffe, asking him to explain what steps he’s taking to protect the nation’s secrets held by federal intelligence agencies.
The findings were first published by The Washington Post.
The 2017 report was produced one year after the theft of sensitive tools for hacking into adversaries' networks that were developed by the CIA's specialized Center for Cyber Intelligence. A former CIA employee was accused of stealing the information and providing it to WikiLeaks, but a jury deadlocked on those allegations.
The CIA report revealed lax cybersecurity measures by the specialized unit and the niche information technology systems that it relies upon, which is separate from the systems more broadly used by everyday agency employees. The security was so poor, according to the report, that if these hacking tools had “been stolen for the benefit of a state adversary and not published, we might still be unaware of the loss.”
CIA spokesman Tim Barrett would not comment on the report, but said the “CIA works to incorporate best-in-class technologies to keep ahead of and defend against ever-evolving threats.”
The leak occurred almost three years after Edward Snowden, a former contractor for the National Security Agency, confiscated classified information about the NSA’s surveillance operations, and publicly disclosed it.
“CIA has moved too slowly to put in place the safeguards that we knew were necessary given successive breaches to other U.S. Government agencies,” according to the report prepared in October 2017 by the CIA's WikiLeaks Task Force.
The report said sensitive cyber weapons were not compartmented, users shared systems and administrator-level passwords, there were no effective controls for thumb drives and users had indefinite access to historical data.
The disclosure of the hacking tools featured prominently in the trial this year of Joshua Schulte, a former CIA software engineer accused of stealing a large trove of the agency’s hacking tools and handing it to WikiLeaks. He was convicted in March of only minor charges after a jury deadlocked on more serious espionage counts against him, including the theft of the hacking tools.
Prosecutors argued during the trial that the data dump had serious consequences, revealing CIA efforts to hack Apple and Android smartphones and efforts to turn internet-connected televisions into listening devices.
“These leaks were devastating to national security,” Assistant U.S. Attorney Matthew Laroche told jurors. “The CIA’s cyber tools were gone in an instant. Intelligence gathering operations around the world stopped immediately.”
Prosecutors portrayed Schulte as a disgruntled software engineer who exploited a little-known back door in a CIA network to copy the hacking arsenal without raising suspicion.
It was only after the anti-secrecy group WikiLeaks published the so-called Vault 7 leak in 2017 — nearly a year after the theft — that the agency scrambled to determine how the information had been stolen. It identified Schulte, 31, originally from Lubbock, Texas, as the prime suspect. Schulte had left the agency after a falling-out with colleagues and supervisors.
Prosecutors described the leak as an act of revenge. Defense attorney Sabrina Shroff argued that investigators could not be sure who took the data because the CIA network in question “was the farthest thing from being secure” and could be accessed by hundreds of people.