If revelations from Julian Assange’s WikiLeaks and Edward Snowden’s whistleblowing were not enough, a redacted internal CIA report released alongside a letter from US Sen. Ron Wyden confirmed the lax security practices present within some government agencies. At the center of the report was the largest data loss in the CIA’s history, as much as 34 terabytes, exposing some of the agency’s most sensitive hacking tools.
Vault 7 Leaks Expose Lagging Cybersecurity
WikiLeaks named the series of leaks “Vault 7,” and in March 2017 began releasing a trove of confidential documents. Among the leaks were details of the CIA’s hacking tools, which allowed researchers to tie the agency to a previously tracked intrusion group known as Longhorn.
The CIA responded by creating the WikiLeaks Task Force to investigate the practices that led to the breach. The report that followed seven months later focused largely on the agency’s Center for Cyber Intelligence, CCI for short. The Task Force found that CCI prioritized building offensive capabilities over securing them: the proliferation of hacking tools outpaced the measures in place to protect the information behind them.
Sharing is Not Caring
Among the issues cited by the report was a failure to “compartmentalize” the systems holding CCI’s cyber weapons, so that anyone with access to one part of the environment could reach far more than their job required. Systems were protected with shared administrator-level passwords, user activity was not monitored, and historical data remained available to those users indefinitely. These practices left large tranches of information exposed and were a major reason the loss was so massive.
Security Processes Have To Keep Pace With The Systems
The report went on to say, “Furthermore, CCI focused on building cyber weapons and neglected to also prepare mitigation packages if those tools were exposed. These shortcomings were emblematic of a culture that evolved over years that too often prioritized creativity and collaboration at the expense of security.”
The report also faulted the agency for failing to put in place the security needed to prevent, or even detect, a loss of this kind, and noted that the security of the systems had not kept pace with the growth of the systems themselves.
The stolen data included classified information about CIA collaboration with partners, hacking tools, and a secret source code repository. The scale, 34 terabytes, is staggering: for perspective, that is the equivalent of a document more than two billion pages long. In short, it is fair to say that the CIA’s technological reach may have exceeded its security’s grasp.
Silver Lining to the WikiLeaks
Although the loss was certainly large, the WikiLeaks Task Force determined with “moderate confidence” that WikiLeaks never obtained the better-protected final versions of the hacking tools and source code. Housed within what the CIA calls the “Gold folder,” these final versions were more recent and more operationally useful to an adversary than the material WikiLeaks appears to have obtained. That is a silver lining of sorts, and it also shows that the stronger protections applied to the Gold folder, had they been applied more broadly, could have limited the leak in the first place.
Going forward, better protection of cyber capabilities is necessary for the CIA and other agencies. Using the best available technology will matter for continually securing data, but some of the solutions are organizational. Senator Wyden’s letter notes that the intelligence agencies are exempt from many federal cybersecurity requirements, and that measures such as two-factor authentication and DMARC email validation, which should already be standard, are relatively simple protective steps to implement.
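DMARC is one of the two controls the letter singles out, and its value depends entirely on how the record is configured: a record published with `p=none` only reports spoofing, it does not stop it. The following is an added example, not code from the article or from the Wyden letter, that parses a DMARC TXT record offline and flags the settings an administrator would tighten. Both sample records are constructed for illustration and belong to no real domain.

```python
"""Audit the strength of a DMARC TXT record (added example, constructed data).

Parses the tag=value list of a DMARC record and reports the settings that
leave spoofed mail deliverable: p=none or p=quarantine, a weaker subdomain
policy, pct below 100, relaxed alignment, and missing aggregate reporting.
"""
import re

# Constructed sample records: a monitor-only record beside a hardened one.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                 "rua=mailto:dmarc@example.com; ruf=mailto:dmarc-forensic@example.com")

# One tag=value pair, terminated by ';' or end of string; values may not contain ';'.
TAG_RE = re.compile(r"\s*([a-zA-Z]+)\s*=\s*([^;]*?)\s*(?:;|$)")


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into a lowercase tag -> value dict.

    Raises ValueError when the record is not a DMARC1 record or lacks the
    mandatory p= tag; receivers ignore such records, so they give no protection.
    """
    pairs = [(m.group(1).lower(), m.group(2)) for m in TAG_RE.finditer(record)]
    if not pairs or pairs[0][0] != "v" or pairs[0][1].upper() != "DMARC1":
        raise ValueError("not a DMARC1 record (v=DMARC1 must be the first tag)")
    tags = dict(pairs)
    if "p" not in tags:
        raise ValueError("DMARC record is missing the required p= tag")
    return tags


def audit_dmarc(record: str) -> list:
    """Return findings explaining why the record is weaker than a strict baseline.

    An empty list means every checked setting is at its strict value.
    """
    tags = parse_dmarc(record)
    findings = []
    policy = tags["p"].lower()
    if policy == "none":
        findings.append("p=none: failures are only reported; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail is sent to spam instead of being rejected")
    # sp= defaults to the value of p=, so only an explicitly weaker value is a finding.
    sub = tags.get("sp", policy).lower()
    if sub != policy and sub in ("none", "quarantine"):
        findings.append(f"sp={sub}: subdomains get a weaker policy than the organizational domain")
    # pct= defaults to 100; anything lower leaves a share of failing mail untreated.
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing messages")
    # Relaxed alignment (the default) lets any subdomain of the From: domain align.
    if tags.get("adkim", "r").lower() == "r":
        findings.append("adkim=r (default): DKIM alignment is relaxed")
    if tags.get("aspf", "r").lower() == "r":
        findings.append("aspf=r (default): SPF alignment is relaxed")
    if "rua" not in tags:
        findings.append("no rua=: aggregate reports are not collected, so abuse goes unnoticed")
    return findings


def policy_is_enforcing(record: str) -> bool:
    """True when the record actually blocks spoofed mail for all failing messages."""
    tags = parse_dmarc(record)
    return tags["p"].lower() in ("quarantine", "reject") and int(tags.get("pct", "100")) == 100


if __name__ == "__main__":
    for name, rec in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(f"{name}: enforcing={policy_is_enforcing(rec)}")
        for finding in audit_dmarc(rec):
            print("  -", finding)
```

In practice the record string would come from a DNS TXT lookup of `_dmarc.<domain>`; the checks stay the same. Note that moving straight to `p=reject` without first collecting `rua=` reports can break legitimate mail sent by third-party services, which is why the usual rollout is `p=none` with reporting, then `p=quarantine`, then `p=reject`.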
People Failures Should Get Caught By Security Procedures
This isn’t the first time the CIA has been in the crosshairs over lax security procedures. Earlier this year, the lawyer for ex-CIA employee Joshua Schulte, who was charged with passing the Vault 7 material to WikiLeaks in 2016, argued that security was so loose that any number of employees could have accessed the classified data in question. Wyden states that, three years after the 2017 CIA report, the agency’s security measures still lag behind the cybersecurity practices in place elsewhere in the federal government. Practices and procedures clearly matter, but the people who access the information are a critical part of the equation. The hope is that where people fail, the policies and procedures will still keep information secure.