The US intelligence community is failing to take basic cybersecurity steps needed to protect highly sensitive systems, Senator Ron Wyden warned today in a scathing letter to John Ratcliffe, the Director of National Intelligence.

The warning comes four years after a CIA employee stole up to 34 terabytes of information and leaked it to Wikileaks without being noticed.

(The cache of cyber weapons was known as Vault 7.)

Astonishingly, the colossal leak would not have been spotted if Wikileaks had not published the trove; the CIA lacked user activity monitoring tools on its cyber intelligence software development system, Wyden's letter reveals.

The revelation came today as the Senator published excerpts of a 2017 CIA report on the incident in his letter to Ratcliffe. (That 2017 report notes that the CIA leak was the equivalent of 2.2 billion pages of Word docs.)

An excerpt from a report to the CIA’s Director in 2017, published today.

CIA Data Breach: Lessons Not Learned?

Yet four years on, lessons have not been learned and intelligence agencies across the US are rife with poor cybersecurity practice, the Senator claimed.

“My staff verified, using publicly available tools, that the Central Intelligence Agency, the National Reconnaissance Office and your office, have all failed to enable DMARC anti-phishing protections”, the Oregon senator said.

Worse, despite a stark warning in January 2019 from the US’s Cybersecurity and Infrastructure Security Agency (CISA) over a global Domain Name System (DNS) hijacking attack, 15 months later, US intelligence agencies have failed to implement multi-factor authentication (MFA) for accounts on systems that can make changes to agency DNS records: a key CISA demand, he warned.

This failure comes “despite repeated requests from my office”.

The warnings cap a letter — first reported in the Washington Post — that contains some startling revelations about the 2016 CIA data breach.

Among them, as the CIA’s own 2017 report noted: “Most of our sensitive cyber weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media controls, and historical data was available to users indefinitely…”

It adds: “The Agency for years has developed and operated IT mission systems outside the purview and governance of enterprise IT, citing the need for mission functionality and speed. While often fulfilling a valid purpose, this ‘shadow IT’ exemplifies a broader cultural issue that separates enterprise IT from mission IT, has allowed mission system owners to determine how or if they will police themselves, and has placed the Agency at unacceptable risk.”