(Reuters) – Many of the Central Intelligence Agency’s most sensitive hacking tools were so poorly secured that it was only when WikiLeaks published them online in 2017 that the agency realized they had been compromised, according to a report released Tuesday.
The secret-spilling site drew international attention when it dumped a vast trove of malicious CIA code on the internet in March 2017.
The digital tools, sometimes described as “cyber weapons,” provided a granular look at how the CIA conducts its international hacking operations. It also deeply embarrassed the U.S. intelligence community, which has repeatedly been hit by large-scale leaks over the past decade.
An internal CIA report https://www.wyden.senate.gov/imo/media/doc/wyden-cybersecurity-lapses-letter-to-dni.pdf dated October 2017 and released by Democratic U.S. Senator Ron Wyden on Tuesday described security at the agency’s Center for Cyber Intelligence – the unit responsible for designing the tools – as “woefully lax.”
“Most of our sensitive cyber weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media controls, and historical data was available to users indefinitely,” the report said. It described the WikiLeaks disclosure as “the largest data loss in CIA history.”
The CIA declined to comment specifically on the report, saying only that it “works to incorporate best-in-class technologies” to keep ahead of security threats.
The report, drawn up by the CIA’s WikiLeaks Task Force, was heavily redacted, but it called out failures at the Center for Cyber Intelligence, which the report’s authors said was too focused on building hacking tools rather than securing them.
In a letter accompanying the report, Wyden suggested that the weaknesses highlighted by the report “do not appear to be limited to just one part of the intelligence community,” which he said was “still lagging behind.”
(Reporting by Raphael Satter; editing by Jonathan Oatis)