If you're despairing at staff sharing admin passwords, look on the bright side. That's CIA-grade security
Internal report confirms what we all feared: Lax controls led to WikiLeaks Vault 7 hack tools blab
The CIA was so focused on developing whizzbang exploit code, it left any thought of basic computer security principles on the kitchen counter before dashing off to work each morning.
That oversight led to the super-agency inadvertently spilling its hacking tools ultimately into the hands of WikiLeaks, which duly disclosed details of the spies' malware, viruses, remote-control software, and other materials under the Vault 7 banner in 2017.
If you followed our coverage of the trial of Joshua Schulte, the CIA sysadmin accused of passing the files to WikiLeaks, this much will already be known to you. The fact the virtual machine that held all of the tools apparently used 123ABCdef as its password is perhaps all you need to know. Schulte's trial ended with a hung jury, though he was found guilty of contempt and lying to the FBI.
Don't just take our word for it. An internal CIA report into the embarrassing affair came to much the same conclusion: Uncle Sam's snoops lost control of at least 180GB of hacking tools and documentation, which ended up in the lap of WikiLeaks, due to lax security. From shared admin passwords to no limitations on removable storage, the agency broke or snubbed virtually every rule in the book.
Rather than take basic steps to secure its materials, the CIA's Center for Cyber Intelligence (CCI) was more interested in developing zero-day exploits and other offensive software. This focus on attack to the detriment of defense allowed the escape of its hacking tools.
A redacted version of the internal report [PDF] was shared with the world today by US Senator Ron Wyden (D-OR) in an open letter to Director of National Intelligence John Ratcliffe. Here are the nuts and bolts of the matter, direct from the CIA dossier:
Most of our sensitive cyber-weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media controls, and historical data was available to users indefinitely.
Furthermore, CCI focused on building cyber weapons and neglected to also prepare mitigation packages if those tools were exposed. These shortcomings were emblematic of a culture that evolved over years that too often prioritized creativity and collaboration at the expense of security.
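The first failing the report lists, shared administrator passwords, is one a defender can at least detect after the fact: a privileged account that logs in by password from several different source addresses in a short window is almost certainly a credential that more than one person holds, and nothing in the logs ties any of those sessions to an individual. The script below is an added example, not code from the CIA report or from The Register; the sshd log lines, the host name, the addresses, the privileged account names and the 60-minute window are all constructed for illustration, and the year is assumed because syslog lines carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines for illustration only (not from any real system).
SAMPLE_LOG = """\
Jan 14 09:02:11 devbox01 sshd[1201]: Accepted password for admin from 10.0.5.21 port 51022 ssh2
Jan 14 09:03:40 devbox01 sshd[1207]: Accepted password for admin from 10.0.5.33 port 51090 ssh2
Jan 14 09:05:02 devbox01 sshd[1213]: Accepted password for admin from 10.0.5.47 port 51144 ssh2
Jan 14 09:06:15 devbox01 sshd[1220]: Accepted publickey for alice from 10.0.5.21 port 51201 ssh2
Jan 14 09:40:55 devbox01 sshd[1301]: Accepted publickey for bob from 10.0.5.33 port 52010 ssh2
Jan 14 10:12:09 devbox01 sshd[1402]: Accepted password for admin from 10.0.5.21 port 53001 ssh2
"""

# Accounts treated as privileged in this example (an assumption; adjust to your environment).
PRIVILEGED = {"root", "admin"}

# Standard OpenSSH "Accepted <method> for <user> from <src> port <n>" line.
LINE_RE = re.compile(
    r"^(?P<month>\w{3}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Syslog timestamps have no year; a fixed one is assumed so they can be ordered.
ASSUMED_YEAR = 2020


def parse_accepted_logins(log_text):
    """Turn successful-login lines into event dicts; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(
            f"{ASSUMED_YEAR} {m['month']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        events.append(
            {"ts": ts, "host": m["host"], "method": m["method"],
             "user": m["user"], "src": m["src"]}
        )
    return events


def max_distinct_sources(events, window_seconds):
    """Largest set of distinct source addresses seen for one account
    inside any window of window_seconds (events must be sorted by time)."""
    best = set()
    for i, start in enumerate(events):
        seen = {start["src"]}
        for later in events[i + 1:]:
            if (later["ts"] - start["ts"]).total_seconds() > window_seconds:
                break
            seen.add(later["src"])
        if len(seen) > len(best):
            best = seen
    return best


def audit_shared_admin_use(log_text, window_minutes=60, min_sources=2):
    """Report privileged accounts used from min_sources or more distinct
    addresses within one window, plus how many of their logins were by password
    (a shared password, unlike a per-person key, cannot be attributed to anyone)."""
    by_user = defaultdict(list)
    for e in parse_accepted_logins(log_text):
        if e["user"] in PRIVILEGED:
            by_user[e["user"]].append(e)
    findings = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        sources = max_distinct_sources(evs, window_minutes * 60)
        if len(sources) >= min_sources:
            findings[user] = {
                "sources": sorted(sources),
                "password_logins": sum(e["method"] == "password" for e in evs),
                "total_logins": len(evs),
            }
    return findings


if __name__ == "__main__":
    for user, info in audit_shared_admin_use(SAMPLE_LOG).items():
        print(f"{user}: {info['total_logins']} logins, {info['password_logins']} by password, "
              f"from {len(info['sources'])} sources: {', '.join(info['sources'])}")
```

On the constructed sample the shared `admin` account is flagged (three addresses inside an hour, every login by password) while `alice` and `bob`, who use personal keys, are not. The structural fix is the one the report implies rather than the detection: per-person accounts and keys with audited privilege elevation, so that every administrative action has a name attached to it.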
The report noted there were shortcomings in the CIA's procedures and mechanisms for detecting and thwarting rogue insiders, thus allowing, oh say, someone within the agency to walk off with the goods. "The WikiLeaks disclosures revealed gaps and weaknesses in CIA’s Insider Threat program, which has traditionally relied on close coordination between the Office of Security and [Counterintelligence Mission Center] CIMC," the report stated.
"Among the gaps are the seams in communication between components such as the Office of General Counsel, Medical Services, Human Resources, security, counterintelligence, and line management that have sometimes prevented us from connecting the dots to corporately detect and address Insider Threat issues."
Wyden is seeking answers from Ratcliffe as to why the CIA's internal security is so lacking, even years after the Vault 7 scandal, especially when the intelligence agency was trusted to shore up its computers and networks to a level higher than what's expected of the federal government as a whole.
"While Congress exempted the intelligence community from the requirement to implement the Department of Homeland Security's cybersecurity directives, Congress did so reasonably expecting that intelligence agencies that have been entrusted with our nation's most valuable secrets would of course go above and beyond the steps taken by the rest of the government to secure their systems," Wyden said.
"Unfortunately, it is now clear that exempting the intelligence community from baseline federal security requirements was a mistake." ®