
US Intelligence Agencies Are Failing on Basic Cybersecurity Measures, Warns Senator

"Users shared systems administrator-level passwords"

By CBR Staff Writer

The US intelligence community is failing to take the basic cybersecurity steps needed to protect highly sensitive systems, Senator Ron Wyden warned today in a scathing letter to John Ratcliffe, the Director of National Intelligence.

The warning comes four years after a CIA employee stole up to 34 terabytes of information and leaked it to Wikileaks without being noticed.

(The cache of cyber weapons was known as Vault 7.)

Astonishingly, the colossal leak would not have been spotted if Wikileaks had not published the trove; the CIA lacked user activity monitoring tools on its cyber intelligence software development system, his letter reveals.

The revelation came today as the Senator published excerpts of a 2017 CIA report on the incident in his letter to Ratcliffe. (That 2017 report notes that the CIA leak was equivalent to 2.2 billion pages of Word docs.)

An excerpt from a report to the CIA’s Director in 2017, published today.

CIA Data Breach: Lessons Not Learned?

Yet four years on, lessons have not been learned and intelligence agencies across the US are rife with poor cybersecurity practice, the Senator claimed.

“My staff verified, using publicly available tools, that the Central Intelligence Agency, the National Reconnaissance Office and your office, have all failed to enable DMARC anti-phishing protections”, the Oregon senator said.


Worse, despite a stark warning in January 2019 from the US’s Cybersecurity and Infrastructure Security Agency (CISA) over a global Domain Name System (DNS) hijacking attack, 15 months later, US intelligence agencies have failed to implement multi-factor authentication (MFA) for accounts on systems that can make changes to agency DNS records: a key CISA demand, he warned.

This failure comes “despite repeated requests from my office”.

The warnings cap a letter, first reported in the Washington Post, that contains some startling revelations about the 2016 CIA data breach.

Among them, as the CIA’s own 2017 report noted: “Most of our sensitive cyber weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media controls, and historical data was available to users indefinitely…”

It adds: “The Agency for years has developed and operated IT mission systems outside the purview and governance of enterprise IT, citing the need for mission functionality and speed. While often fulfilling a valid purpose, this ‘shadow IT’ exemplifies a broader cultural issue that separates enterprise IT from mission IT, has allowed mission system owners to determine how or if they will police themselves, and has placed the Agency at unacceptable risk.”

 

 

 
