CIA Vault 7 leak blamed on "woefully lax" attitude to cyber security

The CIA was embedded with a workplace culture in which elite hackers were so preoccupied with building cyber weapons they neglected to secure their own systems, an internal report has suggested.

The theft of documents revealing hacking tools in March 2017, infamously publicised by WikiLeaks, was in-part the result of an agency more concerned with reinforcing its arsenal than securing those tools.

Dubbed Vault 7, the 2017 leaks outlined how the CIA could pretty much hack into any device with a suite of tools designed to read and copy data from electronic devices. The stolen documents detailed how, for example, authorities found a way to bypass encryption in a host of secure messaging apps such as WhatsApp and Telegram,

Several months later, the CIA’s WikiLeaks Task Force produced a report, now seen by the Washington Post, that revealed “woefully lax” security procedures within the team that developed those tools were partially responsible for the disclosure.

The leaked tools were developed by the Center for Cyber Intelligence, where the most sophisticated operatives devised methods of infiltrating hard-to-penetrate networks. Their security procedures were so lackadaisical, however, that without the WikiLeaks disclosure, the CIA may never have known the tools had been stolen, according to the report.

This particular section of the CIA’s “mission systems” division is distinct and segregated from the agency’s “enterprise information technology system”, which makes up the vast majority of the agency’s computer networks.

“CIA has moved too slowly to put in place the safeguards that we knew were necessary given successive breaches to other US Government agencies,” the report said.


How enterprises are embracing cyber security challenges

Enterprises across Europe, the Middle East and Africa are undergoing a significant transformation


The research also found that “most of our sensitive cyber weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media controls, and historical data was available to users indefinitely”.

Prepared for the then director Mike Pompeo, and deputy Gina Haspel, who is now the CIA’s director, the report was introduced as evidence in the trial of Joshua Schulte.

The former CIA operative is being accused of stealing the hacking tools on behalf of WikiLeaks. Schulte, however, has pled not guilty, with his lawyers arguing the security regime was so poor that hundreds of employees or contractors may have had access to the same information.

The task force reported that it could not determine the exact size of the breach because the hacking team did not demand the monitoring of who used its network. A rough estimate suggested that a CIA employee stole as much as 34TB of data.

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.