It was this week's bombshell cybersecurity news.
Some of the most secret parts of the CIA appear to have worse cybersecurity than a typical small or medium-sized business (SMB).
U.S. Senator Ron Wyden revealed that this has been known within the agency for years and well documented, yet "woefully lax" cybersecurity persists.
The new revelations became known to the rest of us this week as Wyden, who focuses on security and privacy issues, released a previously unseen cybersecurity report from within the Central Intelligence Agency.
The report was written by the agency's WikiLeaks Task Force to investigate how a CIA employee, an insider threat, could have exfiltrated at least 180GB of data without anyone noticing. That's the equivalent of 11.6 million pages in Microsoft Word.
That massive data theft is known as Vault 7 and WikiLeaks published it. Now the world can read about critical cyber weapons used by U.S. intelligence agencies.
And it appears that little has been done to keep this from happening again.
10 ways the CIA is failing at cybersecurity
The CIA's internal WikiLeaks report gives us a look inside at the lack of cybersecurity controls that led to the CIA's largest data loss in history.
It is more than 50 pages long and heavily redacted. And when you see what is now being publicly revealed, you may wonder what remains hidden under all those black boxes.
The page above reveals the bottom line of this report:
"This wake-up call presents us with an opportunity to right longstanding imbalances and lapses, to reorient how we view risk, ***redacted***...We must care as much about securing our systems as we care about running them if we are to make the necessary revolutionary change."
A revolutionary change is needed in the CIA's cybersecurity? Is this being overly dramatic? Judge for yourself as you keep reading.
CIA cybersecurity controls are missing or surprisingly weak
The CIA's Center for Cyber Intelligence (CCI) operates a development network where it creates and validates secret cyber weapons the United States uses against its adversaries.
And this network appears to be a key source of WikiLeaks documents, for the following 10 reasons:
1. A rush to market, as if the Center for Cyber Intelligence (CCI) were making IoT devices instead of the world's most advanced cyber weapons. The report says:
"...in a press to meet growing and critical mission needs, CCI had prioritized building cyber weapons at the expense of securing their own systems. Day-to-day security practices had become woefully lax."
2. Shared passwords and a failure to control access:
"Most of our sensitive cyber weapons were not compartmented, users shared systems administrator-level passwords..."
3. Lack of Data Loss Prevention (DLP) controls:
"...there were no effective removable media controls, and historical data was available to users indefinitely."
4. Lack of cybersecurity culture, in fact, just the opposite:
"These shortcomings were emblematic of a culture that evolved over years that too often prioritized creativity and collaboration at the expense of security."
And this culture continues in the face of repeated data breaches:
"CIA has moved too slowly to put in place the safeguards that we knew were necessary given successive breaches to other US Government agencies."
5. A complete failure when it comes to network visibility:
"Because the stolen data resided on a mission system that lacked user activity monitoring and a robust server audit capability, we did not realize the loss had occurred until a year later, when WikiLeaks publicly announced it in March 2017.
Had the data been stolen for the benefit of a state adversary and not published, we might still be unaware of the loss—as would be true for the vast majority of data on Agency mission systems."
6. Shadow IT is intentional and sanctioned by the CIA:
"The Agency for years has developed and operated IT mission systems outside the purview and governance of enterprise IT, citing the need for mission functionality and speed. While often fulfilling a valid purpose, this “shadow IT” exemplifies a broader cultural issue that separates enterprise IT from mission IT, has allowed mission system owners to determine how or if they will police themselves, and has placed the Agency at unacceptable risk."
Part of the blame for the CIA operating its cybersecurity (or lack thereof) in the shadows falls on Congress and can be traced back to 2014, when lawmakers gave certain agencies a pass on meeting Department of Homeland Security (DHS) cybersecurity requirements.
However, Senator Ron Wyden says Congress never intended to allow what was and is happening:
"While Congress exempted the intelligence community from the requirement to implement DHS's cybersecurity directives, Congress did so reasonably expecting that intelligence agencies that have been entrusted with our nation's most valuable secrets would of course go above and beyond the steps taken by the rest of the government to secure their systems.
Unfortunately, it is now clear that exempting the intelligence community from baseline federal cybersecurity requirements was a mistake."
7. Cybersecurity leadership and ownership are missing:
"We failed to empower any single officer with the ability to ensure that all Agency information systems are built secure and remain so throughout their life cycle. Because no one had that ability, no one was accountable—and the mission system in question, like others, lacked appropriate security."
8. Insider threat detection is dysfunctional:
"We failed to recognize or act in a coordinated fashion on warning signs that a person or persons with access to CIA classified information posed an unacceptable risk to national security."
9. Failure to work across silos, and communication failures, also sabotage insider threat efforts:
"The WikiLeaks disclosures revealed resource-driven gaps and weaknesses in CIA's insider threat program. There have been seams in communication between components such as the Office of Medical Services, Human Resources, Security, Counterintelligence Mission Center, and line management that have sometimes prevented us from connecting the dots to corporately detect and address insider threats."
10. A lack of multi-factor authentication on key systems:
The intelligence community's classified computer network for top secret information does not currently use multi-factor authentication (MFA), according to Senator Ron Wyden.
He wrote a letter to the CIA this week, which includes the WikiLeaks task force report, and he is asking why there is a lack of MFA:
"On August 20, 2019, Jean Schaffer, the Defense Intelligence Agency's (DIA) cyber and enterprise operations chief, stated that DIA was looking to upgrade the Joint Worldwide Intel Communications System to support multi-factor authentication. Please explain why this is consistent with federal cybersecurity best practices detailed by the National Institute of Standards and Technology...."
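Three of the gaps above (items 3, 5 and 10: no removable media controls, no user activity monitoring or server audit capability, and no MFA on privileged accounts) are the kind of thing a few lines of log analysis would surface if the logs existed. The following is an added example written for this article, not code from the CIA report or from any agency system. The audit-log format, the user names, the IP addresses and every record in SAMPLE_LOG are constructed; the 180 GiB total is chosen to mirror the figure quoted in the report, and the 10 GiB alert threshold is an arbitrary assumption.

```python
"""Constructed audit-log analyser showing the detections the report says were
missing: removable-media write volume per user, and privileged logins that
carried no second factor. All records and thresholds are made up for this example."""
from collections import defaultdict

GIB = 1024 ** 3

# Constructed sample records: "<timestamp> <user> <action> key=value ...".
# bob writes 50 + 70 + 60 GiB to a USB device over two hours; carol writes 1 MiB.
SAMPLE_LOG = """\
2016-03-01T09:12:01 alice login src=10.0.0.5 mfa=yes priv=user
2016-03-01T09:15:44 alice read path=/mission/tools/doc1.txt bytes=204800
2016-03-01T10:02:10 bob login src=10.0.0.9 mfa=no priv=admin
2016-03-01T10:05:00 bob usb_write dev=sdb1 bytes=53687091200
2016-03-01T10:40:00 bob usb_write dev=sdb1 bytes=75161927680
2016-03-01T11:00:00 bob usb_write dev=sdb1 bytes=64424509440
2016-03-02T08:00:00 carol login src=10.0.0.7 mfa=yes priv=admin
2016-03-02T08:10:00 carol usb_write dev=sdc1 bytes=1048576
"""


def parse_log(text):
    """Parse the constructed line format into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, *kv = line.split()
        rec = {"ts": ts, "user": user, "action": action}
        for item in kv:
            key, _, value = item.partition("=")
            rec[key] = value
        records.append(rec)
    return records


def removable_media_bytes(records):
    """Total bytes each user wrote to removable media (the DLP signal of item 3)."""
    totals = defaultdict(int)
    for rec in records:
        if rec["action"] == "usb_write":
            totals[rec["user"]] += int(rec["bytes"])
    return dict(totals)


def flag_bulk_removable_writes(records, threshold=10 * GIB):
    """Users whose cumulative removable-media writes exceed the (assumed) threshold."""
    totals = removable_media_bytes(records)
    return sorted(user for user, total in totals.items() if total > threshold)


def flag_privileged_logins_without_mfa(records):
    """Admin logins with no second factor (item 10), as (user, source) pairs."""
    return [
        (rec["user"], rec.get("src", "?"))
        for rec in records
        if rec["action"] == "login"
        and rec.get("priv") == "admin"
        and rec.get("mfa") != "yes"
    ]


def analyse(text):
    """Run all detections over one log text and return the findings."""
    records = parse_log(text)
    return {
        "usb_bytes": removable_media_bytes(records),
        "bulk_usb_users": flag_bulk_removable_writes(records),
        "admin_no_mfa": flag_privileged_logins_without_mfa(records),
    }


if __name__ == "__main__":
    for name, finding in analyse(SAMPLE_LOG).items():
        print(f"{name}: {finding}")
```

The point of the cumulative total, rather than a per-write check, is that a copy split into many small writes over days still crosses the line; in the scenario the report describes, the first of these alerts would have fired in 2016 rather than when WikiLeaks published in March 2017.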
It seems like an educated guess that the CIA is not a NIST shop, doesn't it?
But there is a chance it will be in the future, if Senator Wyden makes good on a threat this week:
"The American people expect you to do better, and they will then look to Congress to address these systematic problems."
With all that's happening in the world right now, we'll see how that goes.