MIT Technology Review

Theft of CIA hacking tools spotlights the spy agency’s “lax” security

A lawmaker says intelligence agencies should be subject to the same standards as the rest of the government.

The CIA still doesn't know the exact extent of its unprecedented 2016 data breach. Photo: CIA

American intelligence agencies are still falling short on security, years after high-profile data leaks from Edward Snowden, Chelsea Manning, and Joshua Schulte, according to a member of the US Senate Intelligence Committee. In a letter to Director of National Intelligence John Ratcliffe, Senator Ron Wyden uses a 2017 internal report from the CIA to detail the ways in which the intelligence community has continuously failed to protect itself. 

“The intelligence community is still lagging behind and has failed to adopt even the most basic cybersecurity technologies in widespread use elsewhere in the federal government,” Wyden writes. 

The report, which was obtained in redacted form by the Washington Post, details how the agency's elite hacking unit favored building offensive cyber weapons while it failed to secure some of its most important systems, a pattern that led to the 2016 theft of hacking tools that were then published by WikiLeaks under the name “Vault 7.” American officials said it was the largest data loss in CIA history.

In his letter, Wyden claims that failures are ongoing, identifies three specific lapses as examples, and argues that Congress should make intelligence agencies subject to normal federal cybersecurity requirements.

“Unfortunately, it is now clear that exempting the intelligence community from baseline federal cybersecurity requirements was a mistake,” he writes.

A storm of shortcomings

The 2017 CIA report documents an incident in which WikiLeaks released over 8,000 pages of “Vault 7” documents that gave an unprecedented view into the agency’s capabilities to hack various operating systems, mobile phones, and messaging apps. Former CIA employee Schulte was later charged and pleaded not guilty to stealing the trove of hacking tools and then handing them over to WikiLeaks to publish. In March, Schulte was found guilty of contempt of court and making false statements to the FBI, but the trial jury remained deadlocked on whether he had illegally gathered and transmitted national defense information. After a mistrial was declared, Schulte faces the prospect of a new trial.

The theft targeted the CIA’s elite hacking unit, known as the Center for Cyber Intelligence, and the internal report said the agency might never have learned of the theft of up to 34 terabytes of data if it had not been published. In fact, the agency admits that it still doesn’t know the precise scope of the loss because the mission systems that were hit “did not require activity monitoring or other safeguards.”

The report drew a contrast between profound security failures on the CCI hacking unit’s “mission systems” and general cybersecurity success on the CIA’s “enterprise” systems, which account for the lion’s share of the CIA’s computer network.

The report says the unit's cyber weapons were widely open to anyone with access to the mission network, and the network lacked normal monitoring and audit capabilities. A storm of “shortcomings” allowed security to fall far down the list of priorities.

“While CIA was an early leader in securing our enterprise information technology system, we failed to correct acute vulnerabilities,” the report reads. “Day-to-day security practices had become woefully lax.”

Security failures

The comments show that even some of the world’s most well-funded and highly capable offensive hackers struggle mightily on defense.

For American spy agencies, the last decade has been punctuated by multiple high-profile data breaches followed by repeated calls for systemic cybersecurity change. Intelligence agencies like the CIA and National Security Agency had been exempted from rules Congress imposed on the rest of the federal government. The expectation was that they would easily exceed those standards, but that hasn’t happened.

In fact, a US intelligence community watchdog issued a report in 2019 urging the agencies to improve their controls on classified material—especially against the kind of insider threats that have punctuated the last decade, including Snowden’s leak of NSA documents and Manning’s leak of classified American documents relating to the Iraq War.

Among the issues highlighted by Wyden is the intelligence community’s failure to adopt DMARC, an email authentication protocol that protects against common and highly effective phishing attacks, despite a 2017 directive that requires federal agencies to do so.
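As an added illustration of the DMARC point (this is not code from the article or from any agency it describes), the Python below classifies a domain's published DMARC TXT record by enforcement level, the kind of check a defender runs when auditing adoption. The domain names and records are constructed samples, and treating only `p=reject` at full `pct` as "enforcing" is an assumption about the baseline, not something the article states.

```python
"""Classify DMARC TXT records by enforcement level (offline, constructed samples)."""
from __future__ import annotations

# Assumed baseline: a policy counts as enforcing only at p=reject with pct=100.
_POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC record ('tag=value; tag=value') into a lowercase tag map."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_status(record: str | None) -> str:
    """Return 'missing', 'invalid', 'monitor-only', 'partial' or 'enforcing'."""
    if not record:
        return "missing"  # no TXT record at _dmarc.<domain>: spoofed mail is not policed
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "invalid"  # e.g. an SPF record published where DMARC was expected
    policy = tags["p"].lower()
    if policy not in _POLICY_RANK:
        return "invalid"
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if policy == "none":
        return "monitor-only"  # reports only; receivers take no action on failures
    if policy == "quarantine" or pct < 100:
        return "partial"  # some failing mail still reaches inboxes
    return "enforcing"


# Constructed sample records, not real DNS lookups.
SAMPLE_RECORDS: dict[str, str | None] = {
    "agency-a.example": "v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example",
    "agency-b.example": "v=DMARC1; p=none; rua=mailto:reports@agency-b.example",
    "agency-c.example": "v=DMARC1; p=reject; pct=20",
    "agency-d.example": None,
    "agency-e.example": "v=spf1 include:_spf.example -all",
}


def audit(records: dict[str, str | None]) -> dict[str, str]:
    """Map each domain to its DMARC enforcement status."""
    return {domain: dmarc_status(rec) for domain, rec in records.items()}
```

Running `audit(SAMPLE_RECORDS)` flags every domain except `agency-a.example` as falling short of an enforcing policy.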

Meanwhile, intelligence agencies have yet to secure .gov domains with multifactor authentication, despite a warning in January 2019 from the Department of Homeland Security that the system was being targeted by Iranian hackers.

A report from the Intelligence Community Inspector General released in 2019 concluded that 20 security-related recommendations remain unaddressed by the agencies, but the recommendations themselves remain classified.

If there is good news for the CIA in the redacted report, it has to do with the “golden folder” of the agency’s most sensitive files, including all the hacking tools and source code. This material was not stolen, the internal task force concluded, thanks to stronger protection and the fact that it was too large to easily export.

The Director of National Intelligence has received Wyden’s letter and is currently working on a response, but it’s ultimately up to Congress to decide if American intelligence agencies need new rules so that they can meet the same cybersecurity standards as the rest of the federal government.

The article was updated to clarify the distinction between security failures specifically at CCI, an elite hacking unit within the CIA, and the CIA's larger enterprise IT systems.