The conclusions were part of an internal 2017 Department of Justice (DoJ) report on the CIA breach. On Tuesday, Sen. Ron Wyden released portions of the report (PDF)that were made public via recent DoJ court filings.
The report described the CIA as “focused more on building up cyber tools than keeping them secure.” Part of the investigation revealed sensitive cyber weapons were not compartmented and government cybersecurity researchers shared systems administrator-level passwords. Systems with sensitive data were not equipped with user activity monitoring and historical data was available to users indefinitely, the report stated.
“In a press to meet growing and critical mission needs, [the CIA’s Center for Cyber Intelligence (CCI) arm] had prioritized building cyber weapons at the expense of securing their own systems,” according to the report. “Day-to-day security practices had become woefully lax.”
At least 180 gigabytes (up to as much as 34 terabytes of information) was stolen in the breach, the report said – roughly equivalent to 11.6 million to 2.2 billion electronic document pages. The data stolen included cyber tools that resided on the CCI’s software development network (DevLAN). The mission of the CCI, which was targeted by the data breach, is to “transform intelligence” through cyber operations.
The report outlined various security issues discovered in the CCI. For instance, while CCI’s DevLAN network had been certified and accredited, CCI had not worked to develop or deploy user activity monitoring or “robust” server audit capabilities for the network, according to the report.
Because of that lack of user activity monitoring and auditing, “we did not realize the loss had occurred until a year later, when WikiLeaks publicly announced it in March 2017″ by leaking troves of stolen CIA hacking tools, according to the report. It said, if the data had not published, the agency might still be unaware of the loss.
“Furthermore, CCI focused on building cyber weapons and neglected to also prepare mitigation packages if those tools were exposed,” according to the report. “These shortcomings were emblematic of a culture that evolved over years that too often prioritized creativity and collaboration at the expense of security.”
Another issue is that the agency lacked “any single officer” tasked with ensuring that IT systems were built secure and remained so throughout their lifecycle. Because no one had that task, no one person was held accountable for the breach, the report said. And, there was no lookout for “warning signs” that insiders with access to CIA data posed a risk.
According to The Washington Post, which broke news of the report, the task force’s report is being used as evidence in the trial of former CIA employee Joshua Schulte, who has been accused of stealing the CIA’s hacking tools and giving them to WikiLeaks.
The report outlined several (heavily redacted) recommendations for the agency to take to bolster its security. That includes enhancing its security guidelines and classified information handling restrictions for zero-day exploits and offensive cyber tools.
However, Sen. Wyden, a member of the Senate Intelligence Committee, said in a stinging public letter to John Ratcliffe, the director of National Intelligence, that even three years later the U.S. intelligence community still has a ways to go in improving its security practices.
For instance, he said, the intelligence community has yet to protect its .gov domain names with multi-factor authentication; and, the CIA, National Reconnaissance Office and National Intelligence office have yet to enable DMARC anti-phishing protections, he said.
“Three years after that report was submitted, the intelligence community is still lagging behind, and has failed to adopt even the most basic cybersecurity technologies in widespread use elsewhere in the federal government,” he said. “The American people expect you to do better, and they will then look to Congress to address these systematic problems.”
Fausto Oliveira, principal security architect at Acceptto, told Threatpost that Wyden is “quite right” in asking why standard security practices in the industry are not being adopted by the CIA.
“Based on the findings of the report, it appears that there was a lack of IT and cybersecurity governance that led to a lax adoption of security controls,” he said. “It is not an operational matter, it is a matter of the agency’s management not setting the right goals to manage the risks associated with operating an organization, specifically an organization that is a desirable target for all kinds of attackers.”
Insider threats are different in the work-from home era. On June 24 at 2 p.m. ET, join the Threatpost edit team and our special guest, Gurucul CEO Saryu Nayyer, for a FREE webinar, “The Enemy Within: How Insider Threats Are Changing.” Get helpful, real-world information on how insider threats are changing with WFH, what the new attack vectors are and what companies can do about it. Please register here for this Threatpost webinar.