Shaun Nichols reports:
The CIA was so focused on developing whizzbang exploit code, it left any thought of basic computer security principles on the kitchen counter before dashing off to work each morning.
That oversight led to the super-agency inadvertently spilling its hacking tools ultimately into the hands of WikiLeaks, which duly disclosed details of the spies’ malware, viruses, remote-control software, and other materials under the Vault 7 banner in 2017.
Read more on The Register.
Obviously, there’s a ton of news coverage and commentaries on this particular news story. It became a matter of public knowledge yesterday when Senator Ron Wyden made it public. In a statement on his website, the Oregon senator explains:
Sen. Ron Wyden, D-Ore., today asked Director of National Intelligence John Ratcliffe to explain what steps he is taking to improve the cybersecurity of some of the nation’s most sensitive secrets, held by federal intelligence agencies, after Wyden obtained a damning CIA report on cybersecurity failures that led to “the largest data loss in CIA history.”
Wyden, a senior member of the Senate Intelligence Committee, obtained the unclassified, redacted excerpt of the CIA’s WikiLeaks Task Force report from the Department of Justice, after it was introduced as evidence in a court case earlier this year involving stolen CIA hacking tools.
The 2017 CIA report revealed lax cybersecurity measures across the agency, including “acute vulnerabilities” in critical IT systems. The security was so poor, according to the report, if these hacking tools had “been stolen for the benefit of a state adversary and not published, we might still be unaware of the loss—as would be true for the vast majority of data on Agency mission systems.”
Wyden said it is time for Congress to reconsider a law that exempts intelligence agencies from federal cybersecurity requirements
“Congress did so reasonably expecting that intelligence agencies that have been entrusted with our nation’s most valuable secrets would of course go above and beyond the steps taken by the rest of the government to secure their systems,” Wyden wrote in his letter to Ratcliffe.“Unfortunately, it is now clear that exempting the intelligence community from baseline federal cybersecurity requirements was a mistake.”
Read Wyden’s full letter to Ratcliffe here.
###