Report: CIA focused on the glamor of cyber weapons, ignored security

Taylor Armerding
6 min read · Jul 13, 2020

Do the basics first, before you even think about the fancy stuff.

Perhaps that should be the new motto of the U.S. Central Intelligence Agency (CIA) after its own internal investigation into the 2016 catastrophic data breach that led to WikiLeaks publishing thousands of classified documents, labeled Vault 7, stolen from the agency’s offensive cyber operations division.

The now-infamous trove — at least 180 gigabytes of information — was called “the single biggest leak in the history of the CIA” by U.S. Attorney David Denton.

Joshua Schulte, a former CIA employee charged with providing the information to WikiLeaks, was found guilty in March of contempt of court and lying to the FBI, but the jury deadlocked on eight much more serious counts, related to the theft of the data. Prosecutors said in May they intend to retry him on espionage charges.

His attorney told the jury at the beginning of the trial that the government networks Schulte worked on were so insecure that investigators would never know whether he or some other intruder committed the theft.

The CIA Wikileaks Task Force probably wouldn’t disagree. Its report on the breach called the agency’s security measures “woefully lax” — a massive understatement given the details that followed. Indeed, it acknowledged that the CIA never would have even known about the breach if WikiLeaks hadn’t begun to publish the data about its surveillance techniques and offensive cyber weapons.

Keep in mind that this isn’t coming from a hostile media outlet or even an inspector general. It’s coming from the agency’s own internal task force.

So, given that it’s four years since the breach, you might think the CIA had long since overhauled its security to make sure nothing like this could ever happen again. But you would be wrong.

Not even the basics

The report was completed three years ago, seven months after the WikiLeaks data dumps began. But it only recently came into public view — actually just a heavily redacted excerpt — when Sen. Ron Wyden (D-Ore.) attached it to a letter he wrote to John Ratcliffe, Director of National Intelligence, demanding to know why, three years later, “the intelligence community is still lagging behind, and has failed to adopt even the most basic cyber security technologies in widespread use elsewhere in the federal government.”

The task force had reported these security weaknesses at the agency, among others:

  • The CIA Center for Cyber Intelligence (CCI) had prioritized building cyber weapons at the expense of securing its own systems.
  • Most sensitive cyber weapons were not compartmented.
  • Users shared systems administrator-level passwords.
  • There were no effective removable media controls.
  • Historical data was available to users indefinitely.
  • There were no mitigation packages if those tools were exposed.
  • The agency failed to detect security incidents rapidly.
  • The agency failed to act on warning signs about potentially risky insiders.
  • The agency failed to monitor user activity or to implement robust server audit capability.

In other words, there were multiple failures to do security basics that should be mandatory for any organization.

Among the conclusions of the task force was this: “We must care as much about securing our systems as we care about running them if we are to make the necessary revolutionary change.”

Wyden called the weaknesses “emblematic of a culture that evolved over years that too often prioritized creativity and collaboration at the expense of security.”

And apparently that is still the case. According to Wyden:

  • The “intelligence community” has yet to protect its .gov domain names with multifactor authentication, even after an emergency directive 15 months ago from the Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA).
  • Multiple intelligence agencies have failed to adopt DMARC [Domain-Based Message Authentication, Reporting and Conformance] and anti-phishing technologies to protect their websites and email, in spite of a directive from CISA to do so in October 2017.
  • The inspector general (IG) of the intelligence community, in a public summary of a report published last year, found a number of deficiencies in the intelligence community’s cyber security practices. In addition to making two new recommendations, the IG noted that 20 security-related recommendations from prior evaluations remained unaddressed.
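The DMARC gap Wyden describes is one of the few items on this page that an operator can check mechanically: a domain either publishes a `_dmarc` TXT record with an enforcing policy or it does not. The following is an added example (not from the article or from CISA's tooling) that parses DMARC records and classifies how much protection each one actually gives; the domain names and record contents are constructed placeholders, not real agency data.

```python
# Constructed sample answers for the _dmarc.<domain> TXT lookup, labelled as such.
# None means the domain publishes no DMARC record at all.
SAMPLE_DMARC_TXT = {
    "agency-a.example.gov": "v=DMARC1; p=reject; rua=mailto:dmarc@agency-a.example.gov; pct=100",
    "agency-b.example.gov": "v=DMARC1; p=none; rua=mailto:reports@agency-b.example.gov",
    "agency-c.example.gov": None,
    "agency-d.example.gov": "v=DMARC1; p=quarantine; pct=10",
}

def parse_dmarc(txt):
    """Split a DMARC TXT record into its tag=value pairs (tags lower-cased)."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        tag, value = part.split("=", 1)
        tags[tag.strip().lower()] = value.strip()
    return tags

def assess_dmarc(txt):
    """Return (status, reason). 'enforcing' means spoofed mail failing DMARC is
    rejected or quarantined for 100% of messages; every weaker state is named so
    it can be remediated rather than silently counted as 'has DMARC'."""
    if txt is None:
        return "missing", "no _dmarc TXT record published"
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return "invalid", "record does not start with v=DMARC1"
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", f"unknown or missing p= value: {policy!r}"
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if policy == "none":
        return "monitor-only", "p=none: spoofed mail is only reported, never blocked"
    if pct < 100:
        return "partial", f"p={policy} is applied to only {pct}% of failing mail"
    return "enforcing", f"p={policy} applied to 100% of failing mail"

def audit(records):
    """Return {domain: status} for every domain that is not yet enforcing."""
    return {d: assess_dmarc(t)[0] for d, t in records.items()
            if assess_dmarc(t)[0] != "enforcing"}
```

In practice `SAMPLE_DMARC_TXT` would be replaced by a live TXT lookup of `_dmarc.<domain>`; the classification logic is unchanged.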

No outlier

Of course, the CIA is not an outlier. Don Davidson, director of cyber SCRM (supply chain risk management) programs at Synopsys, who spent a portion of his career at the Department of Defense (DOD), said there is plenty of room for improvement in security across government — and the private sector as well.

He noted that former Department of Homeland Security Secretary Kirstjen Nielsen, speaking at the RSA Conference in 2018, said that too often, “in a rush to be first-to-market, young companies are disincentivized to build security into their products.”

The goal, she said, should be to build security into products “with the goal of moving from ‘first-to-market’ to ‘first-to-market secure.’”

Just this past week, DOD News reported on Ellen M. Lord, undersecretary of defense for acquisition and sustainment, speaking at a forum about the U.S. military supply chain being vulnerable to foreign suppliers. This is especially true, she said, of nation-states like China, the source of much of the rare-earth mineral processing and microelectronics that are crucial to some military systems.

The security of the U.S., she said, depends on “reshor[ing] as much as possible.”

It is also ironic that the national focus on cybersecurity seems to be on everything but the basics. Presidents from Bill Clinton to Donald Trump have issued executive orders calling for massive, high-profile cybersecurity initiatives over the past quarter century. One of the latest — now more than 18 months ago — was Trump’s National Security Telecommunications Advisory Committee’s (NSTAC) proposed “Cybersecurity Moonshot,” echoing President John F. Kennedy’s 1961 challenge to put a man on the moon before the end of that decade.

Yet many government departments and systems don’t have the security to figuratively climb a ladder, never mind blast off for the moon.

Do the fundamentals

As Michael Fabian, principal consultant at Synopsys, put it when the “moonshot” was announced, “Information security across the board needs to do fewer ‘transformational’ things and more ‘fundamental’ things.”

Davidson said he thinks the lack of focus on basics is partially because of the natural human tendency to focus on things that are inspiring and visible.

“Offense is always more glamorous than defense,” he said. “Users traditionally want to build capabilities to attack and leverage state-of-the-art information technology.”

Indeed, building security into a system is much less glamorous. There is nothing flashy about preventing an attack. Instead of pointing to a grand event that happened, success means nothing happened.

But in a connected world, that is important — really important.

And Wyden’s letter, if his charges of continuing security failures are correct (he gave the DNI until Friday to respond to his allegations and questions), suggests that even after the Vault 7 breach, the agency hasn’t implemented security basics.

While the task force report called for the CIA to “care as much about securing our systems as we care about running them,” if caring doesn’t lead to doing, then it’s not worth much. And the failure to “do” may be in part because it is not clear that there is any direct accountability for doing security fundamentals. There is apparently no one who owns security — who has a mandate to deliver it — even within an international intelligence agency.

Of course, owning it also means suffering consequences for failure — getting fired or even going to jail. And those kinds of consequences are almost nonexistent in government.

After the catastrophic breach of the federal Office of Personnel Management (OPM) was discovered in 2014, the CIO retired, and the head of the OPM was “allowed to resign” about a year later. That means with benefits intact — and also with no danger of a class action lawsuit from the 22 million current and former federal employees whose information was compromised, since the federal government is protected from liability by sovereign immunity.

Davidson said the relative invisibility of good security makes it a tough sell for security executives. “It is difficult for the CISO [chief information security officer] or CSO [chief security officer] to gain support and resources to support defensive measures that do not immediately show return on investment,” he said. “But building cybersecurity in up front is much like building in quality, sustainability and safety upfront — it is a ‘pay me now’ or ‘pay me more later in the lifecycle.’”

Indeed, the task force report — even a heavily redacted excerpt — should be an exhortation to elevate the basics. Focusing on glamor can be both damaging and expensive.


Taylor Armerding

I’m a security advocate at the Synopsys Software Integrity Group. I write mainly about software security, data security and privacy.