The CIA's own internal report describes the lax security practices inside its hacking unit and how they enabled the theft of its cyber tools.
Security agencies are usually the hunters, tracking down their version of the "bad guys". Occasionally, though, they become the prey; the best-known example is Edward Snowden's 2013 leak of NSA documents.
A similar, if smaller, incident struck the CIA in March 2017, when WikiLeaks began publishing a trove of sensitive files on the agency's hacking tools and techniques under the name "Vault 7". The agency's own estimate puts the amount of data stolen at as much as 34 terabytes, the equivalent of 2.2 billion pages.
It was the largest data loss the agency had ever suffered, and it forced the shutdown of some key operations.
The leak is back in the news because of a report released on Tuesday by Senator Ron Wyden (D-Ore.), together with a letter he addressed to the Director of National Intelligence. The report itself was prepared back then, in the aftermath of the breach, by the CIA's WikiLeaks Task Force.
With it now public, the underlying causes of the unauthorized disclosure become clear; the report attributes it to several factors that all come down to largely inadequate security measures.
To start with, the report finds, as Wyden notes, that the agency's Center for Cyber Intelligence (CCI) had "prioritized building cyber weapons at the expense of securing their own systems".
In day-to-day practice that meant standard controls were abandoned: administrator-level passwords were shared between users, the use of removable media was not effectively controlled, historical data was kept available indefinitely, and sensitive cyber weapons were not "compartmented".
Other security failings the CIA's report identifies include:
- No single officer was responsible for ensuring that all information systems complied with security practices and were in fact secure. The predictable result was a lack of accountability, and so nobody was tasked with monitoring for and fixing flaws.
- The systems had no built-in user activity monitoring and no robust server audit capability, controls that might have deterred whoever stole the data, or at least allowed the theft to be detected.
- The agency had never properly recognized that an insider with access to classified data could endanger national security, so the precautions that recognition would have prompted never followed.
The report also proposes a range of recommendations, although most of them are redacted. One that survives states:
We judge the vulnerability of and threat to this information is exceptional and warrants additional security protections, to include requiring segmentation of knowledge, tools, and people through physical and logical infrastructure, policy and procedural controls, and enforcing strict need-to-know access to the tools and exploits.
As for the man accused of the leak, Joshua Adam Schulte, a former CIA employee, was indicted in 2018 and pleaded not guilty. The task force's findings arguably work in his favor, as The Washington Post reports:
“His attorneys argued at a trial this year that security on the computer network was so poor that any one of hundreds of employees or contractors may have had access to the same information Schulte did.”
Finally, the report notes that a separate folder referred to as "Gold", containing "final versions of all developed tools and source code", does not appear to have been taken: nothing from it has surfaced in the WikiLeaks releases, even though it held newer tools than the material that leaked.
Two reasons given are that it was better protected and that, at several terabytes, it would have been considerably harder to exfiltrate.
For lawmakers, the report makes the case for forcing the spy agency to tighten its security practices. The report itself puts it bluntly: had the leaked data not been published, the CIA might never have learned of the breach, and an adversary could have used the stolen tools without the agency's knowledge, with severe consequences for national security.