A massive leak on the CIA’s top-secret cyberespionage tools was able to occur because a top hacking team “prioritized building cyber weapons at the expense of securing their own systems,” an internal report said.
The October 2017 report by a CIA task force said security protocols were “woefully lax” within the unit that built the spy tools. The partial and redacted report was obtained by the Washington Examiner from the office of Sen. Ron Wyden, an Oregon Democrat who is a member of the Senate Intelligence Committee.
“CIA has moved too slowly to put in place the safeguards that we knew were necessary given successive breaches to other U.S. Government agencies,” the report said. “Most of our sensitive cyber weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media [thumb drive] controls, and historical data was available to users indefinitely.”
WikiLeaks released in 2017 a trove of documents, dubbed “Vault 7,” that revealed sensitive hacking tools that the CIA uses to spy on foreign targets. Joshua Schulte, a former CIA programmer, faces espionage charges for the leak, which has been described as the biggest theft of classified documents in the agency’s history.
Without the WikiLeaks disclosure, the CIA may have never known that the hacking tools had been stolen, the report said.
“Had the data been stolen for the benefit of a state adversary and not published, we might still be unaware of the loss,” the task force said.
The task force acknowledged that the precise size of the breach was unknown because the hacking team did not require monitoring of who accessed its network, but it estimated that 2.2 billion pages of information was stolen.
“CIA works to incorporate best-in-class technologies to keep ahead of and defend against ever-evolving threats,” CIA press secretary Timothy Barrett told the Washington Post, which first reported on the task force’s findings. Barrett declined to comment specifically on the report.
Schulte’s legal team blamed the breach on the CIA having weak cybersecurity, and the report’s findings bolster that argument.
A jury was deadlocked earlier this year on whether Schulte leaked the spy tools to WikiLeaks. Federal prosecutors said they plan to retry the case later this year.
