“CIA failures” led to the theft of agency’s top-secret hacking tools
DigitalBank Vault ® Encryption Defensive Cyber Technologies
Vault 7, the worst data theft in CIA history, could have been avoided, report finds.
In early 2017, WikiLeaks began publishing details of top-secret CIA hacking tools that researchers soon confirmed were part of a large tranche of confidential documents stolen from one of the agency's isolated, high-security networks. The leak—comprising as much as 34 terabytes of information and representing the CIA's biggest data loss in history—was the result of "woefully lax" practices, according to portions of a report that were published on Tuesday.
Vault 7, as WikiLeaks named its leak series, exposed a trove of the CIA's most closely guarded secrets. They included a simple command line that agency officers used to hack network switches from Cisco and attacks that compromised Macs, in one case using a tool called Sonic Screwdriver, which exploited vulnerabilities in the Extensible Firmware Interface (EFI) that Apple used to boot devices. The data allowed researchers from security firm Symantec to definitively tie the CIA to a hacking group they had been tracking since 2011.
Agency officials soon convened the WikiLeaks Task Force to investigate the practices that led to the massive data loss. Seven months after the first Vault 7 dispatch, the task force issued a report that assessed the extent and the cause of the damage. Chief among the findings was a culture within the CIA hacking arm known as the CCI—short for the Center for Cyber Intelligence—that prioritized the proliferation of its cyber capabilities over keeping them secure and containing the damage if they were to fall into the wrong hands.
"Day-to-day security practices had become woefully lax," a portion of the report made public on Monday concluded. For instance, a specialized "mission" network reserved for sharing cyber capabilities with other agency hackers failed to follow basic practices that were in place on the main network and that were designed to identify and mitigate data theft by malicious insiders.
"Most of our sensitive cyber weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media controls, and historical data was available to users indefinitely," the report continued. "Furthermore, CCI focused on building cyber weapons and neglected to also prepare mitigation packages if those tools were exposed. These shortcomings were emblematic of a culture that evolved over the years that too often prioritized creativity and collaboration at the expense of security."
The task force said that the design lapse of the mission system was just one of "multiple ongoing CIA failures" that led to the leak. Other errors included:
Not empowering "any single officer with the ability to ensure that all Agency information systems are built secure and remain so throughout their life cycle"
Not ensuring "that our ability to secure our information systems against emerging threats kept pace with the growth of such systems across the Agency"
"A failure to recognize or act in a coordinated fashion on warning signs that a person or persons with access to CIA classified information posed an unacceptable risk to national security"
DigitalBank Vault Encryption is currently used by top-level managers in hundreds of international firms to secure their file transfers.