The CIA's massive 'Vault 7' leak resulted from 'woefully lax' security protocols within the agency's own network, an internal report found
- The theft of highly classified cyberweapons from the CIA in 2016 resulted from the agency's elite hacking unit's failure to secure its own systems from intruders, according to an internal report obtained by The Washington Post.
- The CIA discovered the breach when the radical pro-transparency group WikiLeaks published the information in a release dubbed "Vault 7." US officials say the breach was the largest unauthorized disclosure of classified information in CIA history.
- Security protocol within the hacking unit that developed the cyberweapons, housed within the CIA's Center for Cyber Intelligence, was "woefully lax," the report found.
- Moreover, the CIA may never have discovered the breach in the first place if WikiLeaks hadn't published the documents or if a hostile foreign power had gotten a hold of the information first, according to the report.
The Central Intelligence Agency's elite hacking team "prioritized building cyber weapons at the expense of securing their own systems," according to an internal agency report prepared for then-CIA director Mike Pompeo and his deputy, Gina Haspel, who is now the agency's director.
The Washington Post first reported on the document, which said the hacking unit's failure to secure the CIA's systems resulted in the theft of highly classified cyberweapons in 2016.
In March 2017, US officials discovered the breach when the radical pro-transparency group WikiLeaks published troves of documents detailing the CIA's electronic surveillance and cyberwarfare capabilities. WikiLeaks dubbed the series of documents "Vault 7," and officials say it was the biggest unauthorized disclosure of classified information in the agency's history.
The internal report was introduced in criminal proceedings against former CIA employee Joshua Schulte, who was charged with swiping the hacking tools and handing them over to WikiLeaks.
The government brought in witnesses who prosecutors said showed, through forensic analysis, that Schulte's work computer accessed an old file that matched some of the documents WikiLeaks posted.
Schulte's lawyers, meanwhile, pointed to the internal report as proof that the CIA's internal network was so insecure that any employee or contractor could have accessed the information Schulte is accused of stealing.
A New York jury failed to reach a verdict in the case in March after the jurors told Judge Paul Crotty that they were "extremely deadlocked" on many of the most serious charges, though Schulte was convicted on two counts of contempt of court and making false statements to the FBI.
Crotty subsequently declared a mistrial, and prosecutors said they intended to try Schulte again later this year.
The report was compiled in October 2017 by the CIA's WikiLeaks Task Force, and it found that security protocol within the hacking unit that developed the cyberweapons, housed within the CIA's Center for Cyber Intelligence, was "woefully lax," according to the Post.
The outlet reported that the CIA may never have discovered the breach in the first place if WikiLeaks hadn't published the documents or if a hostile foreign power had gotten a hold of the information first.
"Had the data been stolen for the benefit of a state adversary and not published, we might still be unaware of the loss," the internal report said.
It also faulted the CIA for moving "too slowly" to implement safety measures "that we knew were necessary given successive breaches to other U.S. Government agencies." Moreover, most of the CIA's sensitive cyberweapons "were not compartmented, users shared systems administrator-level passwords, there were no effective removable media [thumb drive] controls, and historical data was available to users indefinitely," the report said.
The Center for Cyber Intelligence also did not monitor who used its network, so the task force could not determine the size of the breach. However, it determined that the employee who accessed the intelligence stole about 2.2 billion pages — or 34 terabytes — of information, the Post reported.
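The controls the task force found missing (tracking who used the network, removable-media controls, and admin credentials that are not shared) all leave traces in ordinary host and network logs. The following is an added example, not code from the article or from the CIA report, of the kind of audit a defender would run over access logs to surface those conditions. The log format, field names, account names and thresholds are assumptions made for this example; the log lines themselves are constructed.

```python
"""
Added example (not from the article or the CIA report): an audit over
constructed access log lines that checks for three of the conditions the
task force report describes as unmonitored: removable-media use, one
administrator account logging in from many hosts (the footprint of a shared
admin password), and a single user reading an unusually large volume of
historical data. Log format, account names and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Event:
    ts: str
    user: str
    host: str
    action: str   # LOGIN, READ or USB_MOUNT (assumed vocabulary)
    detail: str   # path, device or login method
    nbytes: int   # bytes read, 0 for non-read events


# Constructed sample log; fields are ts|user|host|action|detail|bytes.
SAMPLE_LOG = """\
2016-03-01T09:00:00|alice|ws-01|LOGIN|console|0
2016-03-01T09:05:00|alice|ws-01|READ|/repo/tools/proj-a|120000
2016-03-01T09:07:00|admin|ws-01|LOGIN|ssh|0
2016-03-01T09:08:00|admin|ws-02|LOGIN|ssh|0
2016-03-01T09:09:00|admin|ws-03|LOGIN|ssh|0
2016-03-01T10:00:00|bob|ws-02|READ|/repo/archive/2014|900000000
2016-03-01T10:30:00|bob|ws-02|READ|/repo/archive/2015|950000000
2016-03-01T11:00:00|bob|ws-02|USB_MOUNT|/dev/sdb1|0
"""


def parse_log(text):
    """Parse pipe-separated lines into Event records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, action, detail, nbytes = line.split("|")
        events.append(Event(ts, user, host, action, detail, int(nbytes)))
    return events


def removable_media_use(events):
    """Where policy forbids removable media, every mount is reportable."""
    return [(e.ts, e.user, e.host, e.detail)
            for e in events if e.action == "USB_MOUNT"]


def shared_admin_logins(events, admin_accounts=("admin",), max_hosts=1):
    """An admin account seen on more hosts than expected suggests the
    password is shared rather than held by one named administrator."""
    hosts = defaultdict(set)
    for e in events:
        if e.action == "LOGIN" and e.user in admin_accounts:
            hosts[e.user].add(e.host)
    return {u: sorted(h) for u, h in hosts.items() if len(h) > max_hosts}


def bulk_readers(events, threshold_bytes=1_000_000_000):
    """Total bytes read per user; crossing the threshold flags possible
    bulk collection of historical data (threshold is an assumption)."""
    totals = defaultdict(int)
    for e in events:
        if e.action == "READ":
            totals[e.user] += e.nbytes
    return {u: b for u, b in totals.items() if b >= threshold_bytes}


def audit(text):
    """Run all three checks over a log and return the findings."""
    events = parse_log(text)
    return {
        "usb": removable_media_use(events),
        "shared_admin": shared_admin_logins(events),
        "bulk": bulk_readers(events),
    }


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_LOG).items():
        print(name, finding)
```

None of these checks is novel; the point is that each of them depends on the per-user access records the report says the center did not keep, which is why the task force could not size the breach after the fact.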