A government inquiry concluded that “woefully lax” security practices at the Central Intelligence Agency played a major role in a massive 2017 leak of confidential documents, most of which ended up appearing on WikiLeaks. The leaks included information about the agency’s top-secret hacking tools.
Between 180 gigabytes and 34 terabytes of data were leaked in March 2017, which constitutes the biggest data loss in the CIA’s history. The leak became known on WikiLeaks as Vault 7, according to Ars Technica. Interestingly, the leak made it possible for researchers from security firm Symantec to connect the CIA to a hacking group they had tracked since 2011. Additionally, it revealed a simple command line that CIA officials used to launch attacks that compromised Macs and hack network switches from Cisco. One of the tools was able to exploit firmware on Apple devices.
In response to the leak, the CIA created the WikiLeaks Task Force to figure out how the breach occurred. The report wound up fingering the Center for Cyber Intelligence, or CCI, for allegedly focusing more on developing its cyber-capabilities than providing security and establishing methods of minimizing damage should sensitive information leak out.
Sen. Ron Wyden, D-Ore., wrote a letter to Director of National Intelligence John Ratcliffe on Tuesday noting that the CIA’s WikiLeaks Task Force report reveal “lax cybersecurity practices” that are not limited to a single part of the intelligence community.
“The 2017 CIA WikiLeaks Task Force report noted that, ‘This wake-up call presents us with an opportunity to right longstanding imbalances and lapses, to reorient how we view risk… We must care as much about securing our systems as we care about running them if we are to make the necessary revolutionary change,'” Wyden wrote to Ratcliffe. “Three years after that report was submitted, the intelligence community is still lagging behind, and has failed to adopt even the most basic cybersecurity technologies in widespread use elsewhere in the federal government. The American people expect you to do better, and they will then look to Congress to address these systematic problems.”
Cybersecurity experts agree that the report exposes serious problems for the CIA.
“It’s long past time for a national conversation on how we can better treat information as a critical resource and secure it appropriately,” Lindsay Gorma, Fellow for Emerging Technologies at the Alliance for Securing Democracy, told Salon by email. “The Cyberspace Solarium Commission, which released its report earlier this year, represented a first step in that discussion. As for the intelligence community, I hope they are conducting or have already conducted the needed reviews on day-to-day security practices across all of their activities to make sure this type of breach never happens again.”
She added, “Lax cybersecurity puts U.S. operations at risk and in the case of exposing vulnerabilities and offensive tools can enable foreign adversaries to further exploit U.S. and allied systems. The Task Force report indicates that a truly staggering amount of data was compromised.”
Salon also spoke with Brian Krebs, a former Washington Post journalist who specializes in covering profit-seeking cybercriminals.
“What surprised me most about reading this was that the CIA apparently did it didn’t anticipate some of these challenges at a high level,” Krebs told Salon. He added, “I think a great many of these challenges of securing systems from unauthorized access comes down to segmenting access to systems, in one form or another.” He compared it to how one might design a submarine: “If you have a leak somewhere, it doesn’t sink the whole ship, it just gets into one compartment. That’s really important for organizations of all sizes.”
“Most organizations, unless they are very big and wealthy, have not done that because it’s complex, it’s disruptive to do it right, and it’s easy to get it wrong,” he lamented.
Gorman echoed Krebs’ surprise at the CIA’s lax practices, telling Salon that “we certainly expect the guardians of our nation’s most sensitive secrets to maintain the utmost standards in protecting them – including because leaks like these can provide our adversaries with a leg up on understanding our capabilities and intentions.”
Cybersecurity experts have used the Vault 7 leak to create sophisticated digital espionage tools. White hat hacker Wayne Ronaldson studied the leaked documents and created a tool that allowed a hacker to remotely observe, monitor, and listen to the microphone on an infected computer. Likewise, black hat hackers have used tools that appear to have stemmed from leak, too. An international hacker group known as Longhorn employed malware that appears very likely to have been based on the CIA’s own tools, according to an Ars Technica report from 2017.
The nonprofit WikiLeaks became notorious for publishing classified information leaks without preference or censorship, including leaked media from corporations, individuals, nonprofits and world governments. The nonprofit’s impartiality and refusal to censor or moderate its leaks, even when they pose national security threats, has irked governments including the United States. Moreover, WikiLeaks has unwittingly been used as a middleman in releasing embarrassing confidential email leaks that were given to them by intelligence agencies’ hackers, most notably during the 2016 presidential election in the United States. During that electoral contest, the non-profit leaked private emails stolen from the Democratic National Committee and the campaign of Democratic nominee Hillary Clinton — actions that some believe may have played a role in helping swing the vote toward Republican candidate Donald Trump.