“Woefully Lax Security” Led To CIA Cyber Weapons Being Stolen: Internal Report


The CIA is reeling after a cyber attack that saw cyber criminals steal a number of weapons from its network as a result of “woefully lax” security, according to an internal report. 

The report, released earlier this week, detailed a 2016 breach of the Center for Cyber Intelligence (CCI) in which an unknown amount of data was stolen, with estimates of up to 34 terabytes, or around 2.2 billion pages of data.

The specialised unit within the CIA was reportedly so focused on offensive tactics that it failed to adequately protect its networks from external threats, resulting in the largest theft of CIA data in recorded history. 

The CCI reported the data theft in March of 2017, coinciding with a release from Wikileaks dubbed “Vault 7”, which was eventually published by the Washington Post and detailed some of the CIA’s most high-tech cyber weapons. 

Shortly after, the CIA Wikileaks Task Force was established to create a report which would be submitted to former CIA Director Mike Pompeo and current Director Gina Haspel.

Authors of the report noted that “we failed to recognise or act in a coordinated fashion on warning signs that a person or persons with access to CIA classified information posed an unacceptable risk to national security.” 

The authors made it clear that the security breach was the result of a lack of security protocols, citing a number of “years that too often prioritized creativity and collaboration at the expense of security.”

“In a press to meet growing and critical mission needs, CCI had prioritized building cyber weapons at the expense of securing their own systems. Day-to-day security practices had become woefully lax,” the report notes. 

The agency remains unaware of the volume of data accessed by the unauthorised third party because its IT systems “did not require user activity monitoring or other safeguards.”

“Most of our sensitive cyber weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media controls, and historical data was available to users indefinitely,” the report said. 

Authors added that “furthermore, CCI focused on building cyber weapons and neglected to also prepare mitigation packages if those tools were exposed.” 

Timothy Barrett, a spokesman for the agency, has said that the “CIA works to incorporate best-in-class technologies to keep ahead of and defend against ever-evolving threats.”

Documents published in the “Vault 7” trove by Wikileaks stated that government agencies were targeting individuals through malware attacks, and physically hacking their computers, TVs and smartphones.

To disguise their presence, it is alleged that the agency would use tactics widely recognised as Russian techniques, to make it appear that a Russian hacker was responsible.  

Wikileaks also claims that close to all of the agency’s cyber weapons were stolen by the unauthorised third-party, and could now be in the possession of criminals, terrorists and foreign spies. 

U.S. Senator Ron Wyden, who sits on the Senate Intelligence Committee, stated that “the lax cybersecurity practices documented in the CIA’s Wikileaks Task Force report do not appear to be limited to just one part of the intelligence community,” adding that the breach represented a “wake-up call” and an “opportunity to right longstanding imbalances and lapses.”

“Three years after that report was submitted, the intelligence community is still lagging behind and has failed to adopt even the most basic cybersecurity technologies in widespread use elsewhere in the federal government,” Wyden added. 
