
CIA-developed hacking tools stolen in 2016 were compromised by an organizational culture of lax cybersecurity, according to an internal memo.

In a 2017 memo recently acquired by the Washington Post, a CIA task force attributed the exfiltration of critical hacking tools and data to “a culture… that too often prioritized creativity and collaboration at the expense of security.”

The task force that issued the memo was created in response to the WikiLeaks publication of “Vault 7,” a massive trove of classified CIA documents and among the largest unauthorized data disclosures in the agency’s history. The CIA didn’t know about the incident until Vault 7 was available to the public.

“Had the data been stolen for the benefit of a state adversary and not published, we might still be unaware of the loss,” stated the memo.

The hacking tools and other data were developed by the Center for Cyber Intelligence (CCI), often referred to as the hacking arm of the CIA.

“CCI had prioritized building cyber weapons at the expense of securing their own systems. Day-to-day security practices had become woefully lax,” the task force concluded, citing shared administrator passwords and a lack of user monitoring as leading to the loss of data.

U.S. Senator Ron Wyden (D-OR) has been outspoken about the need to improve cybersecurity at government agencies.

“Three years after that report was submitted, the intelligence community is still lagging behind, and has failed to adopt even the most basic cybersecurity technologies in widespread use elsewhere in the federal government,” wrote Wyden in a letter to Director of National Intelligence John Ratcliffe.