Cyber-security protections deployed for some of the nation’s most secret data were “woefully lax,” according to a 2017 intelligence brief that detailed cyber-security shortcomings at the Central Intelligence Agency (CIA) following the largest-ever data breach at the agency in 2016.
The redacted brief and accompanying letter from Sen. Ron Wyden (D-Ore.), released Tuesday, laid bare a culture at the CIA’s Center for Cyber Intelligence (CCI) that “prioritized building cyber weapons at the expense of securing their own systems.”
The intelligence brief scrutinized the aftermath of a 2016 data breach, in which a rogue CIA employee downloaded and stole between 180 gigabytes and as much as 34 terabytes of information. “This is roughly equivalent to 11.6 million to 2.2 billion pages in Microsoft Word,” the brief notes. One of the system’s acute failings was that it could not track exactly what, and how much, data had been downloaded and stolen.
The employee later shared the data with WikiLeaks, which published it in stages in 2017.
The brief said different sections of the CIA had different IT mission systems operating outside of the enterprise IT system, which were kept separate in the name of “mission functionality and speed.” However, some of these separate systems contained “acute vulnerabilities,” according to the report.
Many of the IT systems did not comply with federal cyber-security rules set by the Department of Homeland Security (DHS). These separate systems were often not monitored for possible intrusions, hacking attempts, or other incidents of potential data theft. The report concluded that had WikiLeaks not published the information, the agency may never have discovered the breach.
“Most of our sensitive cyber weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media controls, and historical data was available to users indefinitely,” the report said. “Furthermore, CCI focused on building cyber weapons and neglected to also prepare mitigation packages if those tools were exposed.”
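Two of the failings the brief lists, the absence of removable media controls and the inability to track how much data left the system, are the kind of gap a basic egress-volume monitor closes. The following is an added example, not code from the article, the brief, or the agency: it reads constructed audit log lines in a hypothetical format (timestamp, user, channel, bytes), totals bytes per user and per channel, and flags users whose totals exceed illustrative thresholds. The log format, user names, and thresholds are all assumptions made for the example.

```python
"""Per-user egress-volume monitor over audit log lines (added example).

Assumed log line format (constructed for this example, not a real product's):
    <ISO-8601 timestamp> <user> <channel: network|usb> <bytes>
Malformed lines are counted and skipped rather than aborting the run.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines; user names and sizes are invented.
SAMPLE_LOG = """\
2016-03-01T09:12:04Z alice network 1048576
2016-03-01T09:15:31Z bob usb 524288000
2016-03-01T09:20:10Z alice usb 2097152
2016-03-01T10:02:45Z bob usb 734003200
2016-03-01T10:40:00Z carol network 4194304
2016-03-01T11:05:12Z bob network 1073741824
malformed line that should be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (network|usb) (\d+)$")

# Illustrative thresholds: 1 GiB total egress, 100 MiB to removable media.
TOTAL_THRESHOLD_BYTES = 1024 ** 3
USB_THRESHOLD_BYTES = 100 * 1024 ** 2


@dataclass
class EgressTotals:
    by_user: dict = field(default_factory=lambda: defaultdict(int))
    by_user_channel: dict = field(default_factory=lambda: defaultdict(int))
    skipped: int = 0  # lines that did not match the expected format


def parse_log(text: str) -> EgressTotals:
    """Aggregate bytes per user and per (user, channel) from log text."""
    totals = EgressTotals()
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            totals.skipped += 1
            continue
        _timestamp, user, channel, size = match.groups()
        totals.by_user[user] += int(size)
        totals.by_user_channel[(user, channel)] += int(size)
    return totals


def flag_users(totals: EgressTotals,
               total_threshold: int = TOTAL_THRESHOLD_BYTES,
               usb_threshold: int = USB_THRESHOLD_BYTES) -> dict:
    """Return {user: [reasons]} for users exceeding either threshold."""
    flagged = {}
    for user, total in totals.by_user.items():
        reasons = []
        if total > total_threshold:
            reasons.append("total egress above threshold")
        if totals.by_user_channel.get((user, "usb"), 0) > usb_threshold:
            reasons.append("removable media volume above threshold")
        if reasons:
            flagged[user] = reasons
    return flagged


if __name__ == "__main__":
    totals = parse_log(SAMPLE_LOG)
    for user, reasons in sorted(flag_users(totals).items()):
        print(f"{user}: {totals.by_user[user]} bytes; " + "; ".join(reasons))
    print(f"skipped {totals.skipped} malformed line(s)")
```

Running it flags only `bob`, whose removable-media writes alone exceed the 100 MiB threshold and whose combined egress tops 1 GiB; `alice` and `carol` stay under both limits. The point of keeping per-channel totals separate is that a removable-media limit can be far lower than a network one, which is the control the brief says was missing.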
The report concluded, “We must recognize when we are taking smart risks and when operational shortcuts or waivers create unwarranted risk to our work and to the Agency. We must care as much about securing our systems as we care about running them if we are to make the necessary revolutionary change.”
Wyden wrote in his letter to John Ratcliffe, director of the Office of National Intelligence, that Congress expected federal agencies like the CIA “to go above and beyond the steps taken by the rest of our government to secure their systems. Unfortunately, it is now clear that exempting the intelligence community from baseline cybersecurity requirements was a mistake.” Wyden recommended that Congress rescind any and all exceptions to the DHS cyber-security rules.
Since the intelligence brief was published, the federal government has taken steps to improve cyber-security among federal departments. On May 11, 2017, President Donald Trump issued an executive order on “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure,” which ordered all federal agencies to create an action plan to adopt the Framework for Improving Critical Infrastructure Cybersecurity created by the National Institute of Standards and Technology (NIST), a division of the Department of Commerce.