Former CIA engineer Joshua Schulte convicted of spying over WikiLeaks dump
Trial revisited the same old issues for a new jury, including CIA’s atrocious infosec practices
Former CIA engineer Joshua Schulte was convicted on Wednesday of leaking classified information to WikiLeaks after a mistrial left him free of eight out of 10 charges in March 2020.
A federal jury in the Southern District of New York reached guilty verdicts on eight espionage charges and one obstruction charge after four days of deliberation. In the previous trial, Schulte was found guilty of contempt of court and making false statements to the FBI.
The files, referred to as Vault 7, gave details on the CIA’s ability to surveil people through means such as smartphones and connected TVs, as well as break into cars, smart web browsers, and more. Vault 7, with its details of US government malware, viruses, remote-control software, and other material, is regarded as the biggest leak of classified information in the history of the CIA.
“Today, Schulte has been convicted for one of the most brazen and damaging acts of espionage in American history,” said US attorney Damian Williams in a statement released after the verdict.
In the retrial, which started last month, the prosecution painted Schulte as a traitor who sought revenge against his former employer and the government at large, and as the furthest thing possible from a concerned whistleblower.
“There was no misguided idealism here; he did it because he was angry and disgruntled,” said US Attorney David Denton in an opening statement last month.
Schulte was said to have created the hacking tools he exposed, and to have used a backdoor password to access the cache on offline servers circa 2016, the year he resigned from the CIA. Allegedly he then covered his tracks by editing and deleting digital activity logs.
Prosecutors next alleged his internet search history showed an obsession with WikiLeaks, as he refreshed the site repeatedly, waiting for the leaked documents to appear.
Denton also cited hand-scribbled notes, which Schulte was fond of making, that included a personal reminder to “delete suspicious emails” as evidence of a coverup.
The prosecutor further alleged the defendant tried to leak additional classified materials from prison.
Schulte, who curiously chose this go-around to represent himself and even garnered praise from the judge for his performance, refuted the assertion. He painted himself as patriotic, and the CIA and FBI as embarrassed and in need of a patsy.
Similar to his first trial, in which he was represented by lawyer Sabrina Shroff, Schulte argued there was not enough evidence to prove he leaked the documents.
“Hundreds of people had access to (the information). … Hundreds of people could have stolen it,” Schulte reportedly said in his closing arguments.
In the March 2020 trial, Shroff leaned into the narrative that Schulte was talented but a horrible and petty coworker, hated by almost everyone, thereby making him the perfect person to pin the CIA’s security failures on.
And the security failures were plenty, starting with no limits on removable storage and pathetic passwords including 123ABCdef, as well as “mysweetsummer” as a root login for the main DevLan server, all of which were freely posted on the intranet to boot. But who really cares about password availability when the entire team who can access the intranet are members of the team that make the CIA’s hacking tools anyway?
The CIA’s failure to develop adequate infosec in favor of deployable zero-exploits and other offensive software was detailed in an internal CIA report confirming that the government lost control of 180 GB of hacking tools and documentation due to lax security.
“Most of our sensitive cyber-weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media controls, and historical data was available to users indefinitely,” said the report, which said there were no mitigation measures in place in case of a leak.
Sentencing for Schulte has been delayed due to unrelated child sexual abuse material charges against the former CIA employee, to which he has pleaded not guilty. ®