American intelligence agencies are still falling short on security, years after high-profile data leaks from Edward Snowden, Chelsea Manning and Joshua Schulte, according to a member of the US Senate Intelligence Committee. In a letter to Director of National Intelligence John Ratcliffe, Senator Ron Wyden uses a 2017 internal report from the CIA to detail the ways in which the intelligence community has continuously failed to protect itself. 

“The intelligence community is still lagging behind and has failed to adopt even the most basic cybersecurity technologies in widespread use elsewhere in the federal government,” Wyden wrote. 

The report, which was obtained in redacted form by the Washington Post, details how the agency favored building offensive cyber weapons while it failed at securing some of its most important systems, a pattern that led to the 2016 theft of hacking tools that were then published by WikiLeaks under the name “Vault 7.” American officials said it was the largest data loss in CIA history.

In his letter, Wyden claims that failures are ongoing, identifying three specific lapses as examples, and argues that Congress should force intelligence agencies to be subject to normal federal cybersecurity requirements.

“Unfortunately, it is now clear that exempting the intelligence community from baseline federal cybersecurity requirements was a mistake,” he wrote.

A storm of shortcomings

The 2017 CIA report documents an incident where WikiLeaks released over 8,000 pages of  “Vault 7” documents that gave an unprecedented view into the agency’s capabilities to hack various operating systems, mobile phones, and messaging apps. Former CIA employee Schulte was later charged and pleaded not guilty to stealing the trove of hacking tools and then handing them over to WikiLeaks to publish. In March, Schulte was found guilty of contempt of court and making false statements to the FBI, but the trial jury remained deadlocked on whether he had illegally gathered and transmitted national defense information. After a mistrial was declared, Schulte faces the prospect of a re-trial.

The theft targeted the CIA’s elite hacking unit, known as the Center for Cyber Intelligence, and the internal report said the agency might never have learned of the theft of up to 34 terabytes of data if it had not been published. In fact, the agency admits that it still doesn’t know the precise scope of the loss because the mission systems that were hit “did not require activity monitoring or other safeguards.”

The report says that cyber weapons were widely open to anyone with access to the mission network, and the network lacked normal monitoring and audit capabilities, a storm of “shortcomings” that led to security falling far down the list of priorities.

“While CIA was an early leader in securing our enterprise information technology system, we failed to correct acute vulnerabilities,” the report reads. “Day-to-day security practices had become woefully lax.”

The CIA did not respond to a request for comment.

Security failures

The comments show that even some of the world’s most well-funded and highly capable offensive hackers struggle mightily on defense.

For American spy agencies, the last decade has been punctuated by multiple high profile data breaches followed by repeated calls for systemic cybersecurity change. Spy agencies like the CIA and National Security Agency had been exempted from rules imposed by Congress on the rest of the federal government on the expectation that they would easily exceed those standards. That hasn’t happened.

In fact, a US intelligence community watchdog issued a report in 2019 urging the agencies to improve their controls on classified material—especially against the kind of insider threats that have punctuated the last decade, including Edward Snowden’s leak of NSA documents and Manning’s leak of classified American documents relating to the Iraq War.

Among those issues highlighted by Wyden is the intelligence community’s failure to adopt DMARC, an email authentication protocol that protects against highly common and effective phishing attacks, despite a 2017 directive that requires federal agencies to do so.

Meanwhile, intelligence agencies have also yet to secure .gov domains with multi-factor authentication, despite a warning in January 2019 from the Department of Homeland Security that the system was being targeted by Iranian hackers.

A report from the Intelligence Community Inspector General released in 2019 concluded that 20 security-related recommendations remain unaddressed by the agencies but that they remain classified.

If there is a modicum of good news for the CIA in the redacted report, it’s that the internal task force assessed that the “golden folder” of the agency’s most sensitive files—including all of the hacking tools and source code—was not stolen due to stronger protection, and the fact that it was too large to easily export.

The Director of National Intelligence has received Wyden’s letter and is currently working on a response but it’s ultimately up to Congress to decide if American intelligence agencies need new rules to be brought to the same cybersecurity standards as the rest of the federal government.