An internal CIA report on what is believed to be one of the largest leaks in the history of U.S. intelligence found that lax internal security was partly to blame.
A redacted and incomplete copy of the report, given to the Washington Post by the office of Sen. Ron Wyden (D-Ore.), concluded that the 2016 theft of hacking tools from the CIA was linked to the agency’s prioritization of “building cyber weapons at the expense of securing their own systems.”
The documents detailing the CIA’s hacking tools, allegedly stolen by a former agency employee, came to be known as “Vault 7” after being published by anti-secrecy organization WikiLeaks.
The group behind the 2017 report, referred to as the CIA WikiLeaks Task Force, stated that security practices were so insufficient that the agency likely would have never known about the theft had it not become public.
“Had the data been stolen for the benefit of a state adversary and not published, we might still be unaware of the loss,” the task force said.
Even after the immense disclosures from former NSA contractor Edward Snowden, the CIA “moved too slowly to put in place the safeguards that we knew were necessary given successive breaches to other U.S. Government agencies.”
The report further found that the CIA’s hacking tools, developed by the agency’s Center for Cyber Intelligence, were not properly isolated and that access was too widespread.
“Users shared systems administrator-level passwords, there were no effective removable media [thumb drive] controls, and historical data was available to users indefinitely,” the report stated.
Given that the CIA wasn’t monitoring access, it still to this day remains unclear how much data was actually stolen. The agency believes as much as 2.2 billion pages of classified information may have been taken in total.
The report’s findings are being used as evidence that anyone could have leaked the tools by the lawyers of Joshua Schulte, the former CIA employee accused of providing the data to WikiLeaks.
A previous attempt to charge Schulte with the disclosure in March led to a partial mistrial. The U.S. government is now seeking a new trial against the former employee.
Wyden is also pointing to the report as a clear indication that Congress must pass legislation requiring intelligence agencies to adopt minimum security standards.