Report slams CIA cybersecurity after hacking tool leak

CIA

Many of the CIA’s most sensitive hacking tools were so poorly secured that it was only when WikiLeaks published them online in 2017 that the agency realised they had been compromised, according to a new report.

KEY POINTS:

  • New report suggests many of the CIA’s hacking tools were so poorly secured that it was only when WikiLeaks published them that they realised they had been compromised
  • An internal report released by Senator Ron Wyden described security at the unit responsible for designing the tools as “woefully lax”
  • The digital tools provided a granular look at how the CIA conducts its international hacking operations

The secret-spilling site drew international attention when it dumped a vast trove of malicious CIA code on the internet in March 2017.

The digital tools, sometimes described as “cyber weapons,” provided a granular look at how the CIA conducts its international hacking operations. It also deeply embarrassed the US intelligence community, which has repeatedly been hit by large-scale leaks over the past decade.

Related Article:
EU chamber chief says a US-China tech war bigger risk than COVID-19

An internal CIA report dated October 2017 and released by Democratic US Senator Ron Wyden on Tuesday described security at the agency’s Center for Cyber Intelligence – the unit responsible for designing the tools – as “woefully lax.”

“Most of our sensitive cyber weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media controls, and historical data was available to users indefinitely,” the report said. It described the WikiLeaks disclosure as “the largest data loss in CIA history.”

The Central Intelligence Agency declined to comment specifically on the report, saying only that it “works to incorporate best-in-class technologies” to keep ahead of security threats.

The report, drawn up by the CIA’s WikiLeaks Task Force, was heavily redacted, but it called out failures at the Center for Cyber Intelligence, which the report’s authors said was too focused on building hacking tools rather than securing them.

Related Article:
US lawsuit claims Google, Facebook cooperated to undermine ad competition

In a letter accompanying the report, Wyden suggested that the weaknesses highlighted by the report “do not appear to be limited to just one part of the intelligence community,” which he said was “still lagging behind.”

Via our content partners at Reuters. Reporting by Raphael Satter. editing by Jonathan Oatis.

Share This Post