SoylentNews is people

posted by martyb on Thursday June 18 2020, @09:46AM
from the do-as-we-say,-not-as-we-do dept.

Elite CIA unit that developed hacking tools failed to secure its own systems, allowing massive leak, an internal report found:

The theft of top-secret computer hacking tools from the CIA in 2016 was the result of a workplace culture in which the agency's elite computer hackers "prioritized building cyber weapons at the expense of securing their own systems," according to an internal report prepared for then-director Mike Pompeo as well as his deputy, Gina Haspel, now the director.

The breach — allegedly committed by a CIA employee — was discovered a year after it happened, when the information was published by WikiLeaks in March 2017. The anti-secrecy group dubbed the release "Vault 7," and U.S. officials have said it was the biggest unauthorized disclosure of classified information in the CIA's history, causing the agency to shut down some intelligence operations and alerting foreign adversaries to the spy agency's techniques.

The October 2017 report by the CIA's WikiLeaks Task Force, several pages of which were missing or redacted, portrays an agency more concerned with bulking up its cyber arsenal than keeping those tools secure. Security procedures were "woefully lax" within the special unit that designed and built the tools, the report said.

Without the WikiLeaks disclosure, the CIA might never have known the tools had been stolen, according to the report. "Had the data been stolen for the benefit of a state adversary and not published, we might still be unaware of the loss," the task force concluded.

The task force report was provided to The Washington Post by the office of Sen. Ron Wyden (D-Ore.), a member of the Senate Intelligence Committee, who has pressed for stronger cybersecurity in the intelligence community. He obtained the redacted, incomplete copy from the Justice Department.

The breach came nearly three years after Edward Snowden, then a National Security Agency contractor, stole and disclosed classified information about the NSA's surveillance operations.

"CIA has moved too slowly to put in place the safeguards that we knew were necessary given successive breaches to other U.S. Government agencies," the report said, finding that "most of our sensitive cyber weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media [thumb drive] controls, and historical data was available to users indefinitely."


Original Submission

  • (Score: 5, Insightful) by ledow (5567) on Thursday June 18 2020, @11:18AM (#1009479) Homepage (2 children)

    I would judge any intelligence agency that thought that just because they didn't KNOW something was stolen, that that could possibly mean that adversaries aren't aware of that procedure/process anyway.

    They are, after all, a military agency in essence. It's like expecting your secret war plans to be secret just because you haven't heard that anyone on your side told them to the enemy. You can't operate on those kinds of assumptions.

    You can assume they don't, and hope they don't, and act accordingly, but you can't ever KNOW for sure that your adversary had access or not.

    In fact, such agencies have historically gone out of their way to never arouse suspicion among their enemies when they DID have access to that enemy's data. Bletchley Park operated for years on the basis of knowing everything the Germans were saying and then *not* always acting upon it in case the Germans became suspicious, even if it meant sacrificing their own troops to keep that secret (their "blood-soaked calculus").

    And like everything in security - if "how you operate" becoming public knowledge cripples you, then your operating processes are shite. Same way that if "how you encrypt files" becomes public, it shouldn't mean your files all become public. The processes involved, and the actual password/key/critical piece of information gathered that's then distributed according to those processes - yes, that needs to stay secret. But general operational methods? That should be able to be advertised in the Sunday newspaper and have no effect on how you use them or how effective they are.

  • (Score: 2) by hendrikboom (1125) Subscriber Badge on Thursday June 18 2020, @11:28AM (#1009480) Homepage Journal

    Sometimes your options are limited, as if, in your password analogy, your circumstances are such that your passwords are restricted to one ASCII character, and that character has to be a vowel. Then you'll have to hope your operational method remains secret, because keeping the passwords secret is hopeless.

  • (Score: 4, Interesting) by NotSanguine on Thursday June 18 2020, @04:03PM

    I agree.

    However, as an IT professional who has spent most of his career doing InfoSec, I find it ridiculous that those tasked with creating/using intrusion tools didn't implement the compartmentalization and access controls required to secure such information.

    It's unclear (neither TFS nor TFA makes that clear) why they believe Schulte is the guilty party. Perhaps he did abscond with and release this stuff. Perhaps not.

    Regardless, InfoSec best practices dictate that sensitive information like that involved here be secured with access controls, and access to that information must be logged and monitored. If those (InfoSec 101 type stuff) steps had been implemented, the CIA would have known almost immediately (alerts sent to closely monitored SIEM platforms) and investigated post-haste.

    Most large organizations that I've interacted with, even when they don't have any *classified* information, have implemented such policies, including compartmentalization, access controls and monitoring tools. That the CIA didn't do so shows a lack of care/due diligence and possibly incompetence.

    Schulte (or whoever the leaker was) should never have been able to access such a broad set of stuff without setting off all sorts of alarms almost immediately. That the copying of such information was undetected until it was published by WikiLeaks shows a serious lack of planning, security administration and professionalism.

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr
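One way to turn the access logging the comment above calls for into alarms, as an added example that is not code from any commenter, the article or the agency: a small Python pass over constructed access records that flags the three gaps the task force report quotes (no compartmentation, shared administrator accounts, no removable-media controls). The log format, field names and thresholds are assumptions.

```python
# Added example: minimal SIEM-style detection over constructed access records.
# Three rules map onto the task-force findings quoted in the story:
#   bulk_access      - one user reads many compartments in a short window
#   shared_account   - one account active from several hosts at once
#   removable_media  - any write to removable media from a compartment
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format): timestamp user host compartment action
SAMPLE_LOG = """\
2016-03-01T09:00:00 alice ws-01 TOOL-A read
2016-03-01T09:02:00 alice ws-01 TOOL-A read
2016-03-01T09:05:00 bob ws-07 TOOL-B read
2016-03-01T10:00:00 root ws-03 TOOL-A read
2016-03-01T10:01:00 root ws-09 TOOL-C read
2016-03-01T10:02:00 carol ws-05 TOOL-A read
2016-03-01T10:03:00 carol ws-05 TOOL-B read
2016-03-01T10:04:00 carol ws-05 TOOL-C read
2016-03-01T10:05:00 carol ws-05 TOOL-D read
2016-03-01T10:06:00 carol ws-05 TOOL-D usb_write
"""

def parse(log):
    """Parse the assumed whitespace-separated format into tuples, in log order."""
    rows = []
    for line in log.splitlines():
        ts, user, host, comp, action = line.split()
        rows.append((datetime.fromisoformat(ts), user, host, comp, action))
    return rows

def detect(rows, max_comps=3, window=timedelta(minutes=10)):
    """Return a sorted list of (rule, user, ...) alerts. Records are assumed
    to be time-ordered; each record opens a sliding window looking forward."""
    alerts = set()
    by_user = defaultdict(list)
    for ts, user, host, comp, action in rows:
        by_user[user].append((ts, host, comp))
        if action == "usb_write":
            alerts.add(("removable_media", user, comp))
    for user, events in by_user.items():
        for i, (ts, _, _) in enumerate(events):
            recent = [e for e in events[i:] if e[0] - ts <= window]
            comps = {c for _, _, c in recent}
            hosts = {h for _, h, _ in recent}
            if len(comps) > max_comps:
                alerts.add(("bulk_access", user))
            if len(hosts) > 1:
                alerts.add(("shared_account", user))
    return sorted(alerts)

if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```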