A specialized CIA unit tasked with development of innovative hacking tools was so focused on creating cyber weapons that it failed to put in place even common security standards in order to protect its own operations, which led to “the largest data loss in CIA history,” according to an internal CIA WikiLeaks Task Force report released on Tuesday.
“The CIA’s [Center for Cyber Intelligence, CCI] had prioritized building cyber weapons at the expense of securing their own systems. Day-to-day security practices had become woefully lax… Most of our sensitive cyber weapons were not compartmented, users shared system administrator-level passwords, there were no effective removable media controls, and historical data was available to users indefinitely. Furthermore, CCI focused on building cyber weapons and neglected to also prepare mitigation packages if those tools are exposed. These shortcomings were emblematic of a culture that evolved over years that too often prioritized creativity and collaboration at the expense of security,” the report said.
The CIA's lax cybersecurity practices were also highlighted in federal court earlier this year during the trial of Joshua Schulte, the ex-CIA employee accused of stealing classified data and providing it to WikiLeaks in 2016. In 2017, WikiLeaks released a series of leaks code-named Vault 7, exposing a trove of the CIA's confidential documents on the agency's malware arsenal.
According to the task force, in the spring of 2016 the CIA employee behind the Vault 7 leaks stole at least 180 gigabytes of information, and may have taken as much as 34 terabytes of data.
“This is roughly equivalent to 11.6 million to 2.2 billion pages in Microsoft Word. This data loss includes cyber tools that resided on the Center for Cyber Intelligence (CCI) software development network (DevLAN). We cannot determine the precise scope of the loss because, like other mission systems at that time, DevLAN did not require user activity monitoring or other safeguards that exist on our enterprise system,” the report said.
“Because the stolen data resided on a mission system that lacked user activity monitoring and a robust server audit capability, we did not realize the loss had occurred until a year later, when WikiLeaks publicly announced it in March 2017. Had the data been stolen for the benefit of a state adversary and not published, we might still be unaware of the loss—as would be true for the vast majority of data on Agency mission systems.”
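The report attributes the year-long detection gap to a mission system without user activity monitoring or a robust server audit capability. As an added illustration of what even a minimal control of that kind looks like (this is example code, not from the report, the CIA, or any agency system; the log format, user names, paths, window and byte threshold are all constructed for this example), the script below parses a few constructed audit lines, flags any user whose read volume within a sliding one-hour window exceeds a threshold, and separately lists copies to removable media, the second of the gaps the report names:

```python
"""Toy user-activity-monitoring check over constructed server audit logs.

Added example, not code from the report or any real system. The log format
(timestamp user action path bytes), the users, paths, window and threshold
are assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit lines: ISO timestamp, user, action, path, byte count.
SAMPLE_LOG = """\
2016-04-20T09:01:12Z alice READ /repo/toolA/src.tar 4194304
2016-04-20T09:02:40Z bob READ /repo/toolB/README 2048
2016-04-20T09:05:03Z alice READ /repo/toolB/src.tar 8388608
2016-04-20T09:07:55Z alice USB_MOUNT /dev/sdb1 0
2016-04-20T09:08:30Z alice COPY_TO_REMOVABLE /repo/toolA/src.tar 4194304
2016-04-20T09:09:10Z alice COPY_TO_REMOVABLE /repo/toolB/src.tar 8388608
2016-04-20T11:00:00Z bob READ /repo/toolA/docs.pdf 1048576
"""


def parse_line(line):
    """Split one constructed audit line into typed fields."""
    ts, user, action, path, nbytes = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, path, int(nbytes)


def find_bulk_access(log_text, window=timedelta(hours=1), byte_threshold=10 * 1024 * 1024):
    """Return {user: peak_bytes} for users whose READ volume inside any
    sliding window of length `window` exceeds `byte_threshold`."""
    reads = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, action, _path, nbytes = parse_line(line)
        if action == "READ":
            reads[user].append((ts, nbytes))

    flagged = {}
    for user, events in reads.items():
        events.sort()
        start, total = 0, 0
        for ts, nbytes in events:
            total += nbytes
            # Drop events that fell out of the window ending at `ts`.
            while events[start][0] < ts - window:
                total -= events[start][1]
                start += 1
            if total > byte_threshold:
                flagged[user] = max(flagged.get(user, 0), total)
    return flagged


def find_removable_media_copies(log_text):
    """Return (user, path, bytes) for every copy to removable media,
    regardless of volume: a control the report says was absent."""
    copies = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, user, action, path, nbytes = parse_line(line)
        if action == "COPY_TO_REMOVABLE":
            copies.append((user, path, nbytes))
    return copies


if __name__ == "__main__":
    for user, peak in find_bulk_access(SAMPLE_LOG).items():
        print(f"bulk read: {user} pulled {peak} bytes within one hour")
    for user, path, nbytes in find_removable_media_copies(SAMPLE_LOG):
        print(f"removable media: {user} copied {path} ({nbytes} bytes)")
```

The two checks are deliberately independent: the volume check catches a slow, legitimate-looking read pattern that adds up, while the removable-media check fires on the first copy, since the report notes that neither activity was visible on the system in question. A real deployment would read from the platform's audit subsystem and tune the window and threshold to the repository's normal working set rather than to the constants used here.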