WASHINGTON (AP) – A specialized CIA unit that developed sophisticated hacking tools and cyber weapons didnâ€™t do enough to protect its own operations and wasn’t prepared to adequately respond when the secrets were stolen, according to an internal report prepared after the worst data loss in the intelligence agencyâ€™s history.
“These shortcomings were emblematic of a culture that evolved over years that too often prioritized creativity and collaboration at the expense of security,â€ according to the report, which raises questions about cybersecurity practices inside U.S. intelligence agencies.
Sen. Ron Wyden, D-Ore., a senior member of the Senate Intelligence Committee, obtained the redacted report from the Justice Department after it was introduced as evidence in a court case this year involving the stolen CIA hacking tools.
He released it on Tuesday along with a letter he wrote to new national intelligence director John Ratcliffe, asking him to explain what steps heâ€™s taking to protect the nationâ€™s secrets held by federal intelligence agencies.
The October 2017 report, whose findings were first reported by The Washington Post, examined the theft one year earlier of sensitive cyber tools the CIA had developed to hack into the networks of adversaries.
The document is dated months after WikiLeaks announced that it had acquired tools created by the CIA’s specialized Center for Cyber Intelligence. The anti-secrecy website published comprehensive descriptions of 35 tools, including internal CIA documents associated with them, according to the report.
The report describes the spring 2016 theft as the largest data loss in agency history – compromising at least 180 gigabytes to as much as 34 terabytes of information, or the equivalent of 11.6 million to 2.2 billion pages in Microsoft Word.
The agency did not realize the loss had occurred until the WikiLeaks announcement a year later, the report said. As officials scrambled to pinpoint who was responsible, they ultimately identified as a prime suspect a CIA software engineer who they said had left the agency on stormy terms after falling out with colleagues and supervisors and had acted out of revenge.
The former employee, Joshua Schulte, was charged by the Justice Department with stealing the material and transmitting it to WikiLeaks. But a jury deadlocked on those charges and convicted him in March of more minor charges after a trial in Manhattan.
The CIA report revealed lax cybersecurity measures by the specialized unit and the niche information technology systems that it relies upon, which is separate from the systems more broadly used by everyday agency employees. The report says that because the stolen data was on a system that lacked user activity monitoring, it was not detected until WikiLeaks announced it in March 2017.
â€œHad the data been stolen for the benefit of a state adversary and not published, we might still be unaware of the lossâ€ the report says.
The report, prepared by the CIAâ€™s WikiLeaks Task Force, suggests the CIA should have been better prepared in light of devastating data breaches at other intelligence agencies. The hacking tools compromise occurred about three years after Edward Snowden, a former contractor for the National Security Agency, confiscated classified information about the NSAâ€™s surveillance operations, and disclosed it.
â€œCIA has moved too slowly to put in place the safeguards that we knew were necessary given successive breaches to other U.S. Government agencies,â€ the report said.
Among the problems the report identified: sensitive cyber weapons were not compartmented, passwords were shared and users had indefinite access to historical data.
CIA spokesman Timothy Barrett declined to comment on the report’s findings, but said the â€œCIA works to incorporate best-in-class technologies to keep ahead of and defend against ever-evolving threats.â€
Sean Roche, a former associate deputy director for digital innovation at the CIA who testified at the Schulte trial, said that although the CIA did have a problem with one of its networks, â€œto say that the people at the CIA donâ€™t take security seriously is not accurate. Itâ€™s completely inaccurate.â€
Speaking Tuesday at a webinar hosted by the Cipher Brief, an online newsletter that focuses on intelligence, Roche likened the task force report to an after-accident report by the National Transportation Safety Board.
â€œThis broke. This is what happened,â€ Roche said. “We need to make sure this doesnâ€™t happen again. How is that not a healthy thing for an organization that doesnâ€™t have a public eye into what itâ€™s doing?â€
The disclosure of the hacking tools featured prominently in Shulte’s trial, with prosecutors portraying him as a disgruntled software engineer who exploited a little-known back-door in a CIA network to copy the hacking arsenal without raising suspicion.
â€œThese leaks were devastating to national security,â€ Assistant U.S. Attorney Matthew Laroche told jurors. â€œThe CIAâ€™s cyber tools were gone in an instant. Intelligence gathering operations around the world stopped immediately.â€
Defense attorney Sabrina Shroff argued that investigators could not be sure who took the data because the CIA network in question â€œwas the farthest thing from being secureâ€ and could be accessed by hundreds of people.
Ultimately, Schulte was convicted of contempt of court and making false statements after a four-week trial. The jury was unable to reach a verdict on the more significant charges.