The theft of a trove of highly classified data from the US Central Intelligence Agency (CIA) in 2016 happened because the agency's specialised hacking unit failed to protect its own systems from hackers, an internal CIA report has found.
The Washington Post first reported this week on the document, which says that the agency's elite unit was so focused on developing cyber tools that an employee was able to steal the CIA's secret hacking tools and offer them to pro-transparency group WikiLeaks.
The agency came to know about the breach only in March 2017, after WikiLeaks published the information in a release dubbed "Vault 7". WikiLeaks described the release as the largest trove of CIA documents, revealing details of some of the agency's advanced cyber weapons.
The CIA's own investigators estimated that up to 34 terabytes of data may have been stolen in the leak.
The revelation also caused the CIA to immediately stop some intelligence operations.
"We failed to recognise or act in a coordinated fashion on warning signs that a person or persons with access to CIA classified information posed an unacceptable risk to national security," the October 2017 report by the CIA's WikiLeaks Task Force states.
The report, which is heavily redacted, further states that the breach occurred due to security shortcomings that often prioritised collaboration and creativity at the cost of security. It stresses that the CIA had no idea about the full extent of the breach because the Centre for Cyber Intelligence (CCI), from where the secret documents were stolen, failed to implement user activity monitoring or other safety measures.
Security procedures within the elite unit that built the tools were "woefully lax," and CCI employees neglected to prepare "mitigation packages if those tools were exposed," the task force said.
The report excerpts were recently submitted as evidence in the criminal trial of Joshua Schulte, a former CIA employee accused of stealing the CIA's hacking tools and giving them to WikiLeaks.
Schulte has pleaded not guilty in this case. His attorneys told the court at a trial this year that security on the CIA's computer network was so poor that any one of the employees or contractors may have had the same access to the same documents as Schulte.
A jury failed to reach a judgement in March on whether Schulte provided the CIA's tools to WikiLeaks. However, he was found guilty of making false statements to the Federal Bureau of Investigation and contempt of court.
Prosecutors have said that they plan to try Schulte again this year.