Many of the CIA’s most sensitive hacking tools were so poorly secured that it was only when WikiLeaks published them online in 2017 that the agency realised they had been compromised, according to a report released on Tuesday.
The secret-spilling site drew international attention when it dumped a vast trove of malicious CIA code on the internet in March 2017.
The digital tools, sometimes described as “cyberweapons”, provided a granular look at how the CIA conducts its international hacking operations. The dump also deeply embarrassed the US intelligence community, which has repeatedly been hit by large-scale leaks over the past decade.
An internal CIA report dated October 2017 and released by Democratic US Senator Ron Wyden on Tuesday described security at the agency’s Center for Cyber Intelligence – the unit responsible for designing the tools – as “woefully lax”.
The CIA report revealed loose cybersecurity measures by the specialised unit and in the niche information technology systems that it relies upon, which are separate from the systems more broadly used by everyday agency employees.
“Most of our sensitive cyber weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media controls, and historical data was available to users indefinitely,” the report said.
The security was so poor, according to the report, that if these hacking tools had “been stolen for the benefit of a state adversary and not published, we might still be unaware of the loss.”
“These shortcomings were emblematic of a culture that evolved over years that too often prioritized creativity and collaboration at the expense of security,” the report continued, raising questions about cybersecurity practices inside US intelligence agencies.
It described the WikiLeaks disclosure as “the largest data loss in CIA history”.
The CIA declined to comment specifically on the report, saying only that it “works to incorporate best-in-class technologies” to keep ahead of security threats.
The report, drawn up by the CIA’s WikiLeaks Task Force, was heavily redacted, but it called out failures at the Center for Cyber Intelligence, which the report’s authors said was too focused on building hacking tools rather than securing them.
Wyden, a senior member of the Senate Intelligence Committee, obtained the redacted report from the Justice Department after it was introduced as evidence in a court case this year involving stolen CIA hacking tools.
In a letter accompanying the report, Wyden suggested that the weaknesses highlighted by the report “do not appear to be limited to just one part of the intelligence community”, which he said was “still lagging behind”.