
Illustration by Security Management

Report Says CIA Was More Focused on Cyber Offense Than Protecting Its Assets

In March 2017, WikiLeaks published a trove of information on tools the U.S. Central Intelligence Agency (CIA) used to hack computer systems. Today, The Washington Post is reporting the results from the CIA’s internal investigation of the leak.

The CIA’s WikiLeaks Task Force report says the information was compromised because CIA experts “prioritized building cyber weapons at the expense of securing their own systems.” 

“The October 2017 report by the CIA’s WikiLeaks Task Force, several pages of which were missing or redacted, portrays an agency more concerned with bulking up its cyber arsenal than keeping those tools secure,” the Post reports. “Security procedures were 'woefully lax' within the special unit that designed and built the tools, the report said.

“Absent WikiLeaks’s disclosure, the CIA might never have known the tools had been stolen, according to the report. Had the data been stolen for the benefit of a state adversary and not published, we might still be unaware of the loss.”

The release of the documents put a bright spotlight on cybersecurity vulnerabilities, as they described hacking tools that targeted almost anything that connected to the Internet, from smartphones to antivirus software to televisions. At the time, major tech companies including Apple and Microsoft had to address how their offerings were affected. Approximately one month after the information was published on WikiLeaks, then-CIA Director and current U.S. Secretary of State Mike Pompeo called WikiLeaks a “non-state hostile intelligence service.”

The event also reignited a debate in the cybersecurity sector: If a government agency uncovers a serious security vulnerability, should it alert the technology provider and work with it to close the vulnerability, or should it try to exploit the vulnerability in the interest of national security? These documents showed that the CIA seemed to practice the former.

Security Management has reported on this debate at least a couple of times. In “The Zero Day Problem” from November 2017, Security Management examined an NSA program that leaked, saying “The leaks prompted renewed debate on whether the NSA should change its vulnerabilities equities process (VEP) to disclose cyber vulnerabilities to the private sector more frequently to prevent future cyberattacks.” Earlier this year, Megan Gates also reported on “Prioritizing a Patch: How the NSA Pushed Microsoft to Address a Major Flaw.”

In other recent, related news, ex-CIA employee Joshua Schulte was charged and tried in relation to the information leak. Earlier this year, he was convicted of lying to the FBI and contempt of court, but a jury did not reach a verdict on the other, more serious charges. Prosecutors indicated they would retry Schulte on the charges for which no verdict was reached.

For additional reading on government and cybersecurity, see Security Management articles “Cyber as Statecraft” from May 2018 and “How to Use the Attacker Mentality for Good” from September 2019.