The Vault 7 leak, in which Wikileaks posted information about a large number of CIA hacking tools, was possibly the worst national security compromise the Agency has ever seen.
Not only did it reveal our techniques for hacking foreign systems, but other hackers repurposed those tools and used them against American and other friendly companies and governments.
The CIA had to create a whole new series of tools that used different exploits, assuming that is even completely possible.
While the Vault 7 leak did not distribute source code, it did disclose Tactics, Techniques and Procedures (TTPs). That gives the other side all kinds of clues about our thinking, which software we think is vulnerable and our approach to hacking.
Joshua Schulte was arrested and tried for the leak but was only convicted on a few of the lesser charges. Why?
Because the CIA had horrible internal security practices.
An internal CIA report reviewing the breach said that bad cyber practices led to the disclosure of at least 180 GB of hacking tools and documentation.
The report said, for example, that the Agency shared administrative passwords and had no control over removable storage.
If you do that, it is a problem; if the CIA does it, well, it is a disaster.
The Intelligence Community has a historical love, maybe obsession is a better word, for OFFENSIVE security (hacking the bad guys) and not much interest in DEFENSIVE security.
A redacted, but still damning, version of the report has been released.
Echoing Tom Lehrer’s song about Wernher von Braun’s attitude toward rockets (“Once the rockets are up, who cares where they come down”), the report says:
“Most of our sensitive cyber-weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media controls, and historical data was available to users indefinitely.
Furthermore, CCI focused on building cyber weapons and neglected to also prepare mitigation packages if those tools were exposed. These shortcomings were emblematic of a culture that evolved over years that too often prioritized creativity and collaboration at the expense of security.”
The report also says that there were deficiencies in the Agency’s procedures for detecting rogue insiders, which allowed the insider to take all of the data out of the building and hand it to Wikileaks.
According to Senator Wyden, who released the redacted report, years later the Agency’s security is not a whole lot better.
So maybe your security is not so bad. At least when your stuff gets compromised, you aren’t helping the Russians and Chinese.
That is probably not the metric that you want to use for your security program.
And why did Schulte’s trial end in a mistrial on many of the charges? Because the CIA’s security was so bad that prosecutors could not convince the jury definitively that Schulte was the one who took the information.
Credit: The Register