
Theft of CIA hacking tools spotlights the spy agency’s “lax” security

American intelligence agencies are still falling short on security, years after high-profile data leaks from Edward Snowden, Chelsea Manning, and Joshua Schulte, according to a member of the US Senate Intelligence Committee. In a letter to Director of National Intelligence John Ratcliffe, Senator Ron Wyden uses a 2017 internal report from the CIA to detail the ways in which the intelligence community has continuously failed to protect itself. 

“The intelligence community is still lagging behind and has failed to adopt even the most basic cybersecurity technologies in widespread use elsewhere in the federal government,” Wyden writes. 

The report, which was obtained in redacted form by the Washington Post, details how the agency’s elite hacking unit favored building offensive cyber weapons while it failed to secure some of its most important systems, a pattern that led to the 2016 theft of hacking tools that were then published by WikiLeaks under the name “Vault 7.” American officials said it was the largest data loss in CIA history.

In his letter, Wyden claims that failures are ongoing, identifies three specific lapses as examples, and argues that Congress should make intelligence agencies subject to normal federal cybersecurity requirements.

“Unfortunately, it is now clear that exempting the intelligence community from baseline federal cybersecurity requirements was a mistake,” he writes.

A storm of shortcomings

The 2017 CIA report documents an incident in which WikiLeaks released over 8,000 pages of “Vault 7” documents that gave an unprecedented view into the agency’s capabilities to hack various operating systems, mobile phones, and messaging apps. Former CIA employee Schulte was later charged with stealing the trove of hacking tools and handing them over to WikiLeaks to publish, and he pleaded not guilty. In March, Schulte was found guilty of contempt of court and making false statements to the FBI, but the trial jury remained deadlocked on whether he had illegally gathered and transmitted national defense information. After a mistrial was declared, Schulte faces the prospect of a new trial.

The theft targeted the CIA’s elite hacking unit, known as the Center for Cyber Intelligence, and the internal report said the agency might never have learned of the theft of up to 34 terabytes of data if it had not been published. In fact, the agency admits that it still doesn’t know the precise scope of the loss because the mission systems that were hit “did not require activity monitoring or other safeguards.”

The report says that unit’s cyber weapons were widely open to anyone with access to the mission network, and the network lacked normal monitoring and audit capabilities. A storm of “shortcomings” allowed security to fall far down the list of priorities.

“While CIA was an early leader in securing our enterprise information technology system, we failed to correct acute vulnerabilities,” the report reads. “Day-to-day security practices had become woefully lax.”

Security failures

The comments show that even some of the world’s most well-funded and highly capable offensive hackers struggle mightily on defense.

For American spy agencies, the last decade has been punctuated by multiple high-profile data breaches followed by repeated calls for systemic cybersecurity change. Intelligence agencies like the CIA and National Security Agency had been exempted from rules Congress imposed on the rest of the federal government. The expectation was that they would easily exceed those standards, but that hasn’t happened.

In fact, a US intelligence community watchdog issued a report in 2019 urging the agencies to improve their controls on classified material—especially against the kind of insider threats that have punctuated the last decade, including Snowden’s leak of NSA documents and Manning’s leak of classified American documents relating to the Iraq War.

Among the issues highlighted by Wyden is the intelligence community’s failure to adopt DMARC, an email authentication protocol that protects against common and highly effective phishing attacks, despite a 2017 directive that requires federal agencies to do so.

Meanwhile, intelligence agencies have yet to secure .gov domains with multifactor authentication, despite a warning in January 2019 from the Department of Homeland Security that the system was being targeted by Iranian hackers.

A report from the Intelligence Community Inspector General released in 2019 concluded that 20 security-related recommendations remain unaddressed by the agencies, but those recommendations remain classified.

If there is a modicum of good news for the CIA in the redacted report, it has to do with the “golden folder” of the agency’s most sensitive files, including all the hacking tools and source code. This material was not stolen, the internal task force concluded, thanks to stronger protection and the fact that it was too large to easily export.

The Director of National Intelligence has received Wyden’s letter and is currently working on a response, but it’s ultimately up to Congress to decide if American intelligence agencies need new rules so that they can meet the same cybersecurity standards as the rest of the federal government.


