A US senator is demanding to know why the CIA is still not following the government’s advice on best practices after he obtained a 2017 report describing the agency’s day-to-day cybersecurity as “woefully lax.”
The internal report was written by the CIA’s WikiLeaks Task Force in the wake of the Vault 7 disclosures to the whistleblowing site, which amounted to the “largest data loss” in the agency’s history.
At least 180GB and potentially as much as 32TB of information, including data on a range of cyber-weapons, was stolen by an insider in 2016. The CIA said it didn’t know how much data was taken because there were no safeguards such as user monitoring on the Center for Cyber Intelligence software development network (CCI DevLAN), where much of it was stored.
Democrat senator Ron Wyden on Tuesday wrote to the director of national intelligence, John Ratcliffe, warning that the agency was still lagging behind on implementing even basic cybersecurity measures used widely elsewhere in the federal government.
This includes DMARC to help prevent phishing and email impersonation, and multi-factor authentication for the CIA’s .gov domains and the Joint Worldwide Intel Communications System (JWICS), which is used for top secret comms in the US intelligence community.
According to the report, the CCI had for many years “prioritized building cyber-weapons at the expense of securing their own systems.
“Most of our sensitive cyber-weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media controls and historical data was available to users indefinitely,” it continued.
“CCI focused on building cyber-weapons and neglected to also prepare mitigation packages if those tools were exposed. These shortcomings were emblematic of a culture that evolved over the years that too often prioritized creativity and collaboration at the expense of security.”
The irony, said Wyden, is that the intelligence community was not formally required to implement specific security policies mandated for other federal agencies by the Department of Homeland Security (DHS), as it was assumed that it would go “above and beyond.”
Fausto Oliveira, principal security architect at Acceptto, argued that the Department of National Intelligence budget runs into the tens of billions, which should allow the CIA to address the concerns raised by Wyden.
“Based on the findings of the report, it appears that there was a lack of IT and cybersecurity governance that led to a lax adoption of security controls,” he added.
“It is not an operational matter, it is a matter of the agency's management not setting the right goals to manage the risks associated with operating an organization, specifically an organization that is a desirable target for all kinds of attackers.”