pogonici - Fotolia
The CIA did not realize that the infamous Vault 7 hacking tools had been stolen until WikiLeaks published the cache in March 2017, a year after its theft, according to an internal task force report released Tuesday.
The WikiLeaks Task Force Final Report, which was dated October of 2017, was commissioned by the CIA to investigate the Vault 7 leak, which included nearly 9,000 documents and files for a variety of hacking tools and previously undisclosed vulnerabilities for Windows, iOS, Android and other widely-used software. A redacted copy of the report was published by the Office of Senator Ron Wyden.
"Because the stolen data resided on a mission system that lacked user activity monitoring and a robust server audit capability, we did not realize the loss had occurred until a year later, when WikiLeaks publicly announced it in March 2017," the report said. "Had the data been stolen for the benefit of a state adversary and not published, we might still be unaware of the loss -- as would be true for the vast majority of data on Agency mission systems."
In addition, the agency failed to appropriately safeguard their data, despite the fact that the stolen tools were "sensitive cyber weapons."
"Most of our sensitive cyber weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media controls, and historical data was available to users indefinitely," it read. "Furthermore, CCI [the Center for Cyber Intelligence] focused on building cyber weapons and neglected to also prepare mitigation packages if those tools were exposed. These shortcomings were emblematic of a culture that evolved over years that too often prioritized creativity and collaboration at the expense of security."
The report provided by Wyden is heavily redacted and incomplete, but it still paints a picture of an agency that had "woefully lax" day-to-day security practices.
In addition, the report notes the CIA missed specific "warning signs" about such tools and information falling into the wrong hands, but the examples were redacted. "We failed to recognize or act in a coordinated fashion on warning signs that a person or persons with access to CIA classified information posed an unacceptable risk to national security," the report said.
Jake Williams, founder of cybersecurity firm Rendition Infosec and former security engineer with the National Security Agency, said the report exposed inadequate security of crucial data within the CIA.
"The details of the internal audit report demonstrate a lack of monitoring that should give pause to anyone advocating for the government to have more access to data. In particular, it is hard to imagine trusting an intelligence or law enforcement organization with encryption backdoors if they've done such a poor job protecting this extremely sensitive data that they might not have even noticed the loss if it hadn't been posted on WikiLeaks," Williams told SearchSecurity. "Leaking an encryption backdoor could be trivially easy, while here the suspect may have leaked up to 34 TB without detection."
In a statement posted to Twitter, Wyden noted that the report exposes "serious lapses in the cybersecurity of our nation's top intelligence agencies," and that he's pressing director of national intelligence John Ratcliffe on "how he plans to better protect our country's most sensitive secrets."