Newly unclassified report finds CIA security failures led to massive 2017 breach

A newly unclassified internal CIA report found that a massive 2017 data breach of the agency that enabled classified information to be sent to WikiLeaks was caused by the CIA failing to secure its own systems.

The report, put together by the CIA’s WikiLeaks Task Force in 2017, is partially redacted and was released publicly on Tuesday by Sen. Ron Wyden (D-Ore.), a member of the Senate Intelligence Committee. 

According to the report, a CIA employee was able to steal up to 34 terabytes of information, or around 2.2 billion pages in Microsoft Word, of classified data and leak it to WikiLeaks in the spring of 2017 due to major security lapses at the CIA’s Center for Cyber Intelligence (CCI). 

“In a press to meet growing and critical mission needs, CCI had prioritized building cyber weapons at the expense of securing their own systems,” the task force wrote in the report. “Day-to-day security practices had become woefully lax.”

The investigators added that “CCI focused on building cyber weapons and neglected to also prepare mitigation packages if those tools were exposed. These shortcomings were emblematic of a culture that evolved over years that too often prioritized creativity and collaboration at the expense of security.”

The leak marked the largest data breach in the CIA’s history and included information on hacking tools used by the agency to break into smartphones and other internet-connected devices. 

The task force noted that due to failures to address vulnerabilities in IT systems, if WikiLeaks had not published the stolen information, the CIA “might still be unaware of the loss — as would be true for the vast majority of data on Agency mission systems.”

In a letter to Director of National Intelligence John Ratcliffe on Tuesday, Wyden criticized the intelligence community for its “widespread cybersecurity problems.”

Wyden specifically pointed to a 2014 move by Congress that required all federal agencies, with the exception of the intelligence community to adopt cybersecurity practices and protocols from the Department of Homeland Security (DHS). 

“While Congress exempted the Intelligence Community from the requirement to implement DHS’ cybersecurity directives, Congress did so reasonably expecting that intelligence agencies that have been entrusted with our nation’s most valuable secrets would of course go above and beyond the steps taken by the rest of the government to secure their systems,” Wyden wrote. “Unfortunately it is now clear that exempting the intelligence community from baseline federal cybersecurity requirements was a mistake.”

The 2017 CIA report vowed that the agency would take steps to address its cybersecurity failings, but Wyden noted that three years after the report was compiled, few security improvements have been made. 

Wyden asked Ratcliffe to provide answers on whether the intelligence community has implemented a range of cybersecurity updates recommended for federal agencies over the past three years. 

“The intelligence community is still lagging behind, and has failed to adopt even the most cybersecurity technologies in widespread use elsewhere in the federal government,” Wyden wrote. “The American people expect you to do better, and they will look to Congress to address these systematic problems.”

The CIA task force described the findings as part of the report as a “wake-up call” in 2017. 

“We must recognize when we are taking smart risks and when operational shortcuts or waivers create unwarranted risk to our work and to the Agency,” the task force wrote. “We must care as much about securing our systems as we care about running them if we are to make the necessary revolutionary change.”

The CIA did not immediately respond to The Hill’s request for comment on the newly declassified report.

Timothy Barrett, the CIA press secretary, told The Washington Post that the “CIA works to incorporate best-in-class technologies to keep ahead of and defend against ever-evolving threats,” declining to comment on the report itself.