CIA Suffered Historic Data Loss From Lax Cybersecurity, Report Says

June 17, 2020 by Gopal Ratnam, CQ-Roll Call (TNS)
The CIA seal is seen on the floor during a visit by President Donald Trump on Jan. 21, 2017, at the CIA headquarters in Langley, Va. (Olivier Douliery/Pool/Sipa USA/TNS)

WASHINGTON — In early 2017 the Central Intelligence Agency suffered a massive data loss because of lax cybersecurity measures when an agency employee stole vast quantities of information, including some of its most secretive hacking tools, according to a redacted investigation report obtained by Sen. Ron Wyden, a senior member of the Senate Intelligence Committee.

The employee took between about 180 gigabytes and as much as 34 terabytes of data — or the equivalent of about 11.6 million to 2.2 billion pages of Microsoft Word documents — which included some of the agency’s most valuable hacking tools from its so-called Vault 7, according to the report. The employee later gave the data to WikiLeaks, which published it in a series of posts.

Citing the CIA’s task force report that examined the breach, Wyden said in a letter addressed to the newly installed Director of National Intelligence John Ratcliffe that the agency had “prioritized building cyber weapons at the expense of securing their own systems.”

In a statement accompanying the letter, Wyden said his office obtained the redacted investigative report after the Justice Department introduced the material as evidence in a court case. Federal prosecutors have charged former software engineer Joshua Schulte, but his family and lawyers have said he is not responsible, The New York Times reported in 2018.

The probe into the CIA leak found that the agency’s “day-to-day security practices had become woefully lax … most of our sensitive cyber weapons were not compartmented” and users shared their passwords with one another. The CIA’s Center for Cyber Intelligence had no mitigation plan in case its weapons were stolen, the investigation found.

The CIA’s hacking tools developed between 2013 and 2016 had been used by the agency to penetrate web browsers including Google Chrome, Microsoft Edge and Mozilla Firefox, as well as smart cars and smart TVs.

Wyden said that U.S. intelligence agencies must begin complying with the U.S. law that requires federal agencies to follow cybersecurity standards and technologies developed by the Department of Homeland Security. Congress had previously exempted U.S. intelligence agencies from that provision.

“It’s now clear that exempting the intelligence community from baseline cybersecurity requirements was a mistake,” Wyden said in his June 16 letter.

Wyden also asked Ratcliffe to answer, in an unclassified report, questions on how the intelligence agencies are addressing cybersecurity risks, including the steps they have taken to secure their websites using multi-factor authentication and to employ anti-phishing technologies, and the steps the agencies would take to comply with the 22 recommendations made by the Inspector General of the Intelligence Community on tightening cybersecurity standards.

Wyden said U.S. intelligence agencies have yet to require multi-factor authentication on their websites as required by the Cybersecurity and Infrastructure Security Agency, which issued the recommendation in early 2019. The spy agencies also have failed to adopt anti-phishing technologies, another recommendation made by CISA in October 2017, Wyden said.

———

©2020 CQ-Roll Call, Inc., All Rights Reserved

Distributed by Tribune Content Agency, LLC.
