Report: Lax cybersecurity at CIA unit led to Vault 7 leaks

An internal CIA report pins the theft of valuable hacking tools in 2016 on a workplace culture that didn't do enough to emphasize cybersecurity.

Old CIA headquarters. US Government image.

An internal CIA report pins the theft of valuable hacking tools in 2016 in part on a workplace culture that didn't do enough to emphasize cybersecurity.

The heavily redacted assessment, first reported by the Washington Post and written in the months following the "Vault 7" leaks, cites "woefully lax" procedures by the unit that developed the tools, the Center for Cyber Intelligence. The agency did not use network segmentation to segregate access to different tools, administrator-level passwords were shared among employees, and there were no controls in place to restrict or limit the use of thumb drives.

"CIA has moved too slowly to put in place the safeguards that we knew were necessary given successive breaches to other US Government agencies," the report stated.

The agency wasn't monitoring its network and wasn't even aware the theft had occurred until Wikileaks published their documents and code on the internet in 2017. The Task Force set up to investigate the leak determined the unit was more concerned with developing hacking tools than securing them.

The investigation "brought to light multiple ongoing CIA failures" like not recognizing multiple "warning signs" about potential insider threats. The U.S. government charged former CIA employee Joshua Schulte with stealing the documents and tools and passing them to Wikileaks, but the case ended in a mistrial in March. Schulte was found guilty of making false statements to the FBI and contempt of court and is expected to be retried on espionage charges.

"We must recognize when we are taking smart risks and when operational shortcuts or waivers create unwarranted risk to our work and to the Agency," the report concluded.

The report was made public by Sen. Ron Wyden (D-Ore.), a member of the Senate Intelligence Committee who has long focused on cybersecurity issues.

In a June 16 letter to Director of National Intelligence John Ratcliffe, Wyden published the redacted Task Force assessment and wrote that lawmakers did not require intelligence agencies to comply with Department of Homeland Security cybersecurity requirements under the 2014 Federal Information Security Modernization Act because they "reasonably expect[ed] that intelligence agencies that have been entrusted with our nation's most valuable secrets would of course go above and beyond the steps taken by the rest of the government to secure their systems."

"Unfortunately, it is now clear that exempting the intelligence community from baseline federal cybersecurity requirements was a mistake," Wyden wrote.

Wyden asked Ratcliffe for unclassified answers to a number of questions, including when intelligence agencies plan to implement the enhanced protections against Domain Name System tampering mandated by DHS in 2019 and the anti-phishing and anti-spoofing controls mandated in 2017. He is also seeking to learn when, and whether, the intelligence community's classified computer network for top secret information implemented multi-factor authentication, and whether Ratcliffe intends to adopt the nearly two dozen cybersecurity recommendations catalogued by the IC's Inspector General.