CIA Vault 7 leak blamed on "woefully lax" attitude to cyber security

Internal report reveals CIA division was ‘so focused on cyber weapons’ it neglected the security basics

The CIA was embedded with a workplace culture in which elite hackers were so preoccupied with building cyber weapons they neglected to secure their own systems, an internal report has suggested.

The theft of documents revealing hacking tools in March 2017, infamously publicised by WikiLeaks, was in-part the result of an agency more concerned with reinforcing its arsenal than securing those tools.

Advertisement - Article continues below

Dubbed Vault 7, the 2017 leaks outlined how the CIA could pretty much hack into any device with a suite of tools designed to read and copy data from electronic devices. The stolen documents detailed how, for example, authorities found a way to bypass encryption in a host of secure messaging apps such as WhatsApp and Telegram,

Several months later, the CIA’s WikiLeaks Task Force produced a report, now seen by the Washington Post, that revealed “woefully lax” security procedures within the team that developed those tools were partially responsible for the disclosure.

The leaked tools were developed by the Center for Cyber Intelligence, where the most sophisticated operatives devised methods of infiltrating hard-to-penetrate networks. Their security procedures were so lackadaisical, however, that without the WikiLeaks disclosure, the CIA may never have known the tools had been stolen, according to the report.

Advertisement - Article continues below

This particular section of the CIA’s “mission systems” division is distinct and segregated from the agency’s “enterprise information technology system”, which makes up the vast majority of the agency’s computer networks.

Advertisement - Article continues below

“CIA has moved too slowly to put in place the safeguards that we knew were necessary given successive breaches to other US Government agencies,” the report said. 

Related Resource

How enterprises are embracing cyber security challenges

Enterprises across Europe, the Middle East and Africa are undergoing a significant transformation

Download now

The research also found that “most of our sensitive cyber weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media controls, and historical data was available to users indefinitely”.

Prepared for the then director Mike Pompeo, and deputy Gina Haspel, who is now the CIA’s director, the report was introduced as evidence in the trial of Joshua Schulte. 

The former CIA operative is being accused of stealing the hacking tools on behalf of WikiLeaks. Schulte, however, has pled not guilty, with his lawyers arguing the security regime was so poor that hundreds of employees or contractors may have had access to the same information.

The task force reported that it could not determine the exact size of the breach because the hacking team did not demand the monitoring of who used its network. A rough estimate suggested that a CIA employee stole as much as 34TB of data.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now


ethical hacking

Mobile banking apps are exposing user data to attackers

26 Jun 2020

Most malware came through HTTPS connections in Q1 2020

25 Jun 2020

Phishing attacks target unsuspecting Wells Fargo customers

24 Jun 2020

Trump administration wants to enhance the security of .gov sites

24 Jun 2020

Most Popular

Business operations

Nvidia overtakes Intel as most valuable US chipmaker

9 Jul 2020

How to find RAM speed, size and type

24 Jun 2020

Is it time to put Intel Outside?

10 Jul 2020