Alleged Vault 7 leaker trial finale: Want to know the CIA's password for its top-secret hacking tools? 123ABCdef
Tales of terrible security, poor compartmentalization, and more, emerge from the Schulte hearings
Not well liked
The truth is that the sort of person who can write exploit code to infiltrate devices that many thousands of other engineers go to enormous lengths to make as secure as possible is not going to be your average federal staffer. But even within this group of difficult people, Schulte stood out as especially hard to deal with.
His feud with Amol was extraordinarily petty. It started with flicking rubber bands and, later, firing Nerf guns at his nemesis. He was furious when Amol was given a desk with a window and he wasn’t. In fact Schulte had a long stream of perceived slights that he stewed on, and which led him to behave appallingly to his colleagues. We know this because the FBI found reams of notes written by Schulte outlining his anger and his plans for retaliation against Karen, Jeremy, Matt, Dave, Tim… in fact just about anyone he ever worked with.
Some of those notes went back years. And the FBI found them when it went through his new apartment, which was still full of unpacked boxes, in the days immediately after the CIA files were put online by WikiLeaks. It didn't find the notes in the boxes, however: Schulte had unpacked them and kept them in the headboard of his bed. Yes, he's that guy.
And it is Schulte’s habit of writing down his darkest thoughts that may end up sending him to jail for the rest of his life. Because the truth is that despite a forensic study of every device he touched at the CIA and in his home, the US government was not able to find a piece of irrefutable proof that linked Schulte to the theft and disclosure of the hacking tools.
It has plenty of login and logout records, and plenty of circumstantial evidence placing him in the building when unusual things happened to the backups, but – assuming he did actually do it – Schulte is simply too good at his job to be caught accessing computer networks. It was why the CIA hired him in the first place, and why it continued to put up with his antics when anyone else would have fired the cranky techie long before.
He did not apply the same degree of information hygiene to written documents, however. So when the FBI raided his jail cell on a tip-off he was using a secret phone to send classified information and conduct an “information war,” they found a notebook [PDF] filled with his plans, in his handwriting, that included things like “ask WikiLeaks for my code,” angry rants about his family failing to publish articles he had written, and his willingness to cause severe embarrassment to the US government unless his case is dropped.
The prosecution made a big play of these notes and of scheduled tweets it found on his contraband Samsung phone (which, interestingly, he had obtained in exchange for an iPhone in prison because the Samsung let him download and install the apps he wanted to use).
In the notebook, he wrote clear instructions to himself on how to get information out of jail without it being traced back to him: "Create new ProtonMail firstname.lastname@example.org; Migrate WordPress to ProtonMail; Clean up apps; Reset factory phone; Set up WhatsApp app, Signal, Telegram, all with different numbers; Research Gmail; delete deleted email."
And it may be this activity that leads the jury to decide, beyond a reasonable doubt, that Schulte is ultimately guilty of stealing and leaking the CIA hacking materials: he doesn’t exactly come across as an innocent man.
“The defendant did this because he was angry. The defendant did this because he wanted to punish the CIA. The defendant did this because he always has to win, no matter the cost,” the prosecution argued to explain his motivation. It made the same point later on: “We are here today because he is an angry and vindictive man. The evidence has shown in this case that the defendant is someone who thinks the rules do not apply to him. He thinks CIA's access rules don't apply to him. He thinks classification rules do not apply to him. He thinks prison rules do not apply to him. He even thinks that this court's own orders don't apply to him.”
As for Schulte’s lawyer, she argued that while his behavior was reprehensible, it is still far from proof that he actually stole and leaked the tools in question. “Compare his prison writings to the way he writes at the CIA, and you can see he's falling apart,” she argued. “But what does the government want you to believe about these writings? The government wants you to believe this is some kind of planned army-like information war against the United States.”
Later: “Look, I'm not going to stand here and tell you that using a cell phone in a prison is right. It's not. It's against the rules. It's not in keeping with the prison rules. Did he use a cell phone? Yes, he used a cell phone, but that's not what he's charged with. If he was charged with using a cell phone, sure, find him guilty of that. But that is not what he's charged with… They want you to focus on [that] conduct because that is the only way they can get you to think that he did the other crime.”
So who did do it?
Which leads to the question: OK, if it wasn’t Schulte, how did these top-secret exploits find their way out of the CIA and onto WikiLeaks?
His lawyer has two answers to this question. The first is the frankly astonishing laxity of the security around the CIA's system – something the CIA's own internal reports acknowledge. Listing the various CIA witnesses who had been called in, Shroff noted: "Each one of them told you that DevLAN was wide open. There were no controls, there were no user controls, users shared passwords, passwords were weak, passwords were stored openly. There were no audit logs. There was no login activity checks. Anyone could connect the DevLAN workstation computer to the internet just by taking the Ethernet cable from one computer and plugging it into the other."
She goes on: “These are not the defense's words. These are words out of the CIA. ‘Day-to-day security practice had become woefully lax. Most of our sensitive cyber weapons were not compartmented, the CIA admits users shared system administrator level passwords, there were no effective removable media controls, and historical data was available to users indefinitely.’ This is all in the exhibit. It goes on to tell you, ‘The stolen data resided on a mission system that lacked user activity monitoring, it lacked a robust server audit capability,’ and then it says ‘The CIA did not realize the loss had occurred until a year later, when WikiLeaks publicly announced it in March of 2017. Had the data been stolen for the benefit of a state adversary and not published, we would still be unaware of the loss.’”
Whichever way you cut it, that is a pretty damning assessment – from the CIA itself – of its own security standards. How can a jury convict a man based on evidence that doesn’t exist?
And then, just to add the exact kind of twist that you would expect in a story about the CIA and clandestine shenanigans, there is the case of “Michael.”