Report finds CIA security failures led to massive breach

A newly unclassified internal CIA report found that a massive 2017 data breach of the agency that enabled classified information to be sent to WikiLeaks was caused by the CIA failing to secure its own systems.

The report, put together by the CIA’s WikiLeaks Task Force in 2017, is partially redacted and was released publicly on Tuesday by Sen. Ron Wyden (D-Ore.), a member of the Senate Intelligence Committee.

According to the report, a CIA employee was able to steal up to 34 terabytes of classified data, or around 2.2 billion pages in Microsoft Word, and leak it to WikiLeaks in the spring of 2017 due to major security lapses at the CIA’s Center for Cyber Intelligence (CCI).

“In a press to meet growing and critical mission needs, CCI had prioritized building cyber weapons at the expense of securing their own systems,” the task force wrote in the report. “Day-to-day security practices had become woefully lax.”

The investigators added that “CCI focused on building cyber weapons and neglected to also prepare mitigation packages if those tools were exposed. These shortcomings were emblematic of a culture that evolved over years that too often prioritized creativity and collaboration at the expense of security.”

The leak marked the largest data breach in the CIA’s history and included information on hacking tools used by the agency to break into smartphones and other internet-connected devices.

The task force noted that due to failures to address vulnerabilities in IT systems, if WikiLeaks had not published the stolen information, the CIA “might still be unaware of the loss — as would be true for the vast majority of data on Agency mission systems.”

In a letter to Director of National Intelligence John Ratcliffe on Tuesday, Wyden criticized the intelligence community for its “widespread cybersecurity problems.”

Wyden specifically pointed to a 2014 move by Congress that required all federal agencies, with the exception of the intelligence community, to adopt cybersecurity practices and protocols from the Department of Homeland Security (DHS).

“While Congress exempted the Intelligence Community from the requirement to implement DHS’ cybersecurity directives, Congress did so reasonably expecting that intelligence agencies that have been entrusted with our nation’s most valuable secrets would of course go above and beyond the steps taken by the rest of the government to secure their systems,” Wyden wrote. “Unfortunately it is now clear that exempting the intelligence community from baseline federal cybersecurity requirements was a mistake.”