Agency officials soon convened the WikiLeaks Task Force to investigate the practices that led to the massive data loss. Seven months after the first Vault 7 dispatch, the task force issued a report that assessed the extent and the cause of the damage. Chief among the findings was a culture within the CIA hacking arm known as the CCI—the Center for Cyber Intelligence—that prioritized the proliferation of its cyber capabilities over keeping them secure and containing the damage if they were to fall into the wrong hands.
This story originally appeared on Ars Technica, a trusted source for technology news, tech policy analysis, reviews, and more. Ars is owned by WIRED's parent company, Condé Nast.
"Day-to-day security practices had become woefully lax," a portion of the report made public on Monday concluded. For instance, a specialized "mission" network reserved for sharing cyber capabilities with other agency hackers failed to follow basic practices, followed on the main network, that were designed to identify and mitigate data theft from malicious insiders.
"Most of our sensitive cyber weapons were not compartmented, users shared systems-administrator-level passwords, there were no effective removable media controls, and historical data was available to users indefinitely," the report continued. "Furthermore, CCI focused on building cyber weapons and neglected to also prepare mitigation packages if those tools were exposed. These shortcomings were emblematic of a culture that evolved over years that too often prioritized creativity and collaboration at the expense of security."
The task force said that the design lapse of the mission system was just one of "multiple ongoing CIA failures" that led to the leak. Other errors included:
- not empowering "any single officer with the ability to ensure that all Agency information systems are built secure and remain so throughout their life cycle"
- not ensuring "that our ability to secure our information systems against emerging threats kept pace with the growth of such systems across the Agency"
- "a failure to recognize or act in a coordinated fashion on warning signs that a person or persons with access to CIA classified information posed an unacceptable risk to national security."
Not Just the CIA
The redacted report was included in a letter that US senator Ron Wyden (D–Oregon) sent on Tuesday to John Ratcliffe, the director of National Intelligence.
"The lax cybersecurity practices documented in the CIA's WikiLeaks Task Force report do not appear to be limited to just one part of the intelligence community," Wyden wrote. He went on to ask Ratcliffe why the US authorities aren't mandating security measures such as two-factor authentication and DMARC email validation for US-operated networks.
In mid-2018, federal authorities identified a former CIA employee as the suspect who leaked the Vault 7 data. Joshua Adam Schulte was later indicted.