CIA Vault 7 leak blamed on "woefully lax" attitude to cyber security

Internal report reveals CIA division was ‘so focused on cyber weapons’ it neglected the security basics

The CIA was embedded with a workplace culture in which elite hackers were so preoccupied with building cyber weapons they neglected to secure their own systems, an internal report has suggested.

The theft of documents revealing hacking tools in March 2017, infamously publicised by WikiLeaks, was in-part the result of an agency more concerned with reinforcing its arsenal than securing those tools.

Dubbed Vault 7, the 2017 leaks outlined how the CIA could pretty much hack into any device with a suite of tools designed to read and copy data from electronic devices. The stolen documents detailed how, for example, authorities found a way to bypass encryption in a host of secure messaging apps such as WhatsApp and Telegram,

Several months later, the CIA’s WikiLeaks Task Force produced a report, now seen by the Washington Post, that revealed “woefully lax” security procedures within the team that developed those tools were partially responsible for the disclosure.

The leaked tools were developed by the Center for Cyber Intelligence, where the most sophisticated operatives devised methods of infiltrating hard-to-penetrate networks. Their security procedures were so lackadaisical, however, that without the WikiLeaks disclosure, the CIA may never have known the tools had been stolen, according to the report.

This particular section of the CIA’s “mission systems” division is distinct and segregated from the agency’s “enterprise information technology system”, which makes up the vast majority of the agency’s computer networks.

“CIA has moved too slowly to put in place the safeguards that we knew were necessary given successive breaches to other US Government agencies,” the report said. 

Related Resource

How enterprises are embracing cyber security challenges

Enterprises across Europe, the Middle East and Africa are undergoing a significant transformation

Download now

The research also found that “most of our sensitive cyber weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media controls, and historical data was available to users indefinitely”.

Prepared for the then director Mike Pompeo, and deputy Gina Haspel, who is now the CIA’s director, the report was introduced as evidence in the trial of Joshua Schulte. 

The former CIA operative is being accused of stealing the hacking tools on behalf of WikiLeaks. Schulte, however, has pled not guilty, with his lawyers arguing the security regime was so poor that hundreds of employees or contractors may have had access to the same information.

The task force reported that it could not determine the exact size of the breach because the hacking team did not demand the monitoring of who used its network. A rough estimate suggested that a CIA employee stole as much as 34TB of data.

Featured Resources

Become a digital service provider

How to transform your business from network core to edge

Download now

Optimal business results with the cloud

Evaluating the best approaches to hybrid cloud adoption

Download now

Virtualisation that enables choices, not compromises

Harness the virtualisation technology that's right for your hybrid infrastructure

Download now

Email security threat report 2020

Four key trends from spear fishing to credentials theft

Download now

Recommended

Hackers using COVID vaccine as a lure to spread malware
hacking

Hackers using COVID vaccine as a lure to spread malware

15 Jan 2021
Cyber criminals bypassing MFA to access cloud service accounts
two-factor authentication (2FA)

Cyber criminals bypassing MFA to access cloud service accounts

14 Jan 2021
Capcom data breach adds another 40,000 estimated victims
data breaches

Capcom data breach adds another 40,000 estimated victims

13 Jan 2021
Website problems slow coronavirus vaccine rollout
hacking

Website problems slow coronavirus vaccine rollout

6 Jan 2021

Most Popular

What is a 502 bad gateway and how do you fix it?
web hosting

What is a 502 bad gateway and how do you fix it?

12 Jan 2021
Can Pat Gelsinger get Intel back on track?
chief executive officer (CEO)

Can Pat Gelsinger get Intel back on track?

13 Jan 2021
150,000 arrest records accidentally deleted from police database
data management

150,000 arrest records accidentally deleted from police database

15 Jan 2021