Alleged theft of CIA hacking tools by CIA officer exposed 'woefully lax' security, says report

Prepared by a CIA task force, the report was introduced as evidence in the trial of Joshua Schulte, a former employee of an agency hacking unit.
[Image: The lobby of the CIA Headquarters building in McLean, Va., on Aug. 14, 2008. Larry Downing / Reuters]

By Ken Dilanian

WASHINGTON — The alleged theft of CIA hacking tools by one of the agency's own officers — the worst data loss in CIA history — exposed a culture of "woefully lax" security around the agency's dangerous cyberweapons, according to an internal report made public Tuesday.

The report, first published by the Washington Post, was provided to reporters by Sen. Ron Wyden of Oregon, a Democrat on the Senate Intelligence Committee who frequently criticizes the CIA. Wyden said the report made clear that intelligence agencies should lose their current exemption from government-wide cybersecurity standards.

The October 2017 report examined what led up to the publication of some of the CIA's hacking tools by WikiLeaks in March 2017. Prepared by a CIA task force devoted to WikiLeaks, the report was introduced into evidence in the criminal trial of Joshua Schulte, a former CIA employee who worked in the agency's elite hacking unit. Schulte faces a second trial after a jury in New York deadlocked in his case earlier this year.

The public version of the report went unnoticed in the court record until Wyden obtained a copy from the Justice Department and provided it to the Post.

The report paints a grim picture of an elite CIA hacking unit that was so focused on its offensive mission that defense was an afterthought. It chronicles the latest in a long line of CIA missteps leading to devastating intelligence losses, including the wholesale unraveling of spying networks in Russia, Iran and China attributed to security breaches and disloyal insiders.

Timothy Barrett, the CIA's chief spokesman, declined to comment on the report, but said: "CIA works to incorporate best-in-class technologies to keep ahead of and defend against ever-evolving threats."

The material was stolen from the CIA's Center for Cyber Intelligence, which employed the agency's uber hackers, including Schulte. While the Pentagon's National Security Agency conducts the bulk of digital spying abroad, the CIA uses cyber tools to facilitate its mission of recruiting human spies, from stealing biographical information about foreign intelligence officers to hacking a biometric database so a U.S. spy can slip into a country under an alias.

The cyber center was tasked with finding vulnerabilities in software, which in turn enabled the agency's hacking.

The report says that in the spring of 2016, "a CIA employee stole at least 180 gigabytes to as much as 34 terabytes of information" from the center. "This is roughly equivalent to 11.6 million to 2.2 billion pages in Microsoft Word."

But the agency could not "determine the precise scope of the loss," the report said, because the CIA hackers' network did not require basic user monitoring or other safeguards that exist in most major corporations and government agencies.

The documents leaked by WikiLeaks "reveal, to varying degrees, CIA tradecraft in cyber operations," the report says.

The report says that "in a press to meet growing and critical mission needs, CCI had prioritized building cyberweapons at the expense of securing their own systems. Day-to-day security practices had become woefully lax."

Most of the CIA's sensitive cyberweapons "were not compartmented," the report said, meaning they were open to anyone who had access to the network, a violation of the normal CIA protocol under which sensitive information goes only to those with an operational "need to know."

Users shared systems administrator-level passwords, there were no rules about thumb drives and other removable media, and historical data was available to users indefinitely, the report added.

The CIA "focused on building cyberweapons and neglected to also prepare mitigation packages if those tools were exposed. These shortcomings were emblematic of a culture that evolved over years that too often prioritized creativity and collaboration at the expense of security."

Because the stolen data lived on a system that lacked user monitoring and robust auditing, "we did not realize the loss had occurred until a year later, when WikiLeaks publicly announced it in March 2017. Had the data been stolen for the benefit of a state adversary and not published, we might still be unaware of the loss — as would be true for the vast majority of data on Agency mission systems."

Schulte has pleaded not guilty, and the report raises an issue that is part of his defense. His lawyers argue that CIA cybersecurity was so bad that hundreds of employees or contractors may have had access to the same information Schulte did.

Wyden said it is time for Congress to reconsider a law that exempts intelligence agencies from federal cybersecurity requirements.

"Congress did so reasonably expecting that intelligence agencies that have been entrusted with our nation's most valuable secrets would of course go above and beyond the steps taken by the rest of the government to secure their systems," Wyden wrote in a letter to Director of National Intelligence John Ratcliffe. "Unfortunately, it is now clear that exempting the intelligence community from baseline federal cybersecurity requirements was a mistake."