Sen. Ron Wyden, D-Ore., pressed new Director of National Intelligence John Ratcliffe to detail security measures taken to safeguard sensitive intelligence after an internal CIA report said “woefully lax security” at the Center for Cyber Intelligence led to the “largest data loss in CIA history” – the leak of hacking tools to WikiLeaks.

Wyden had obtained a copy of the nearly three-year-old report on the 2017 “Vault 7” leak that occurred a year after hackers stole what could be as much as 34 TB of data.

“We failed to recognize or act in a coordinated fashion on warning signs that a person or persons with access to CIA classified information posed an unacceptable risk to national security,” the WikiLeaks Task Force report said, noting that “in a press to meet growing and critical mission needs, CCI had prioritized building cyber weapons at the expense of securing their own systems.”

The information released by WikiLeaks over time offered insight into the “CIA’s tradecraft in cyber operations.”

The findings of the report appears to show “that there was a lack of IT and cybersecurity governance that led to a lax adoption of security controls,” said Fausto Oliveira, principal security architect at Acceptto. “It is not an operational matter, it is a matter of the agency’s management not setting the right goals to manage the risks associated with operating an organization, specifically an organization that is a desirable target for all kinds of attackers.”

While nothing is infallible, “there are some basic things and some basic attack vectors that we all know understand and recognize in our industry, and when those basics are not followed, or red tape gets in the way of sensible decisions, that’s when mistakes happen, and adversaries or bad actors/internal threats can take advantage of a situation,” said Chris Roberts, hacker in residence at Semperis. Working to close security holes down, “again, all basic, but if you’re not focusing on them you can pretty much drive the dump truck up to the data center and walk off with everything.”

In a June 16 letter, Wyden demanded that Ratcliffe explain why the intelligence community hasn’t protected its .gov domains with multifactor authentication, despite a 2019 emergency directive by CISA to implement the measure after reports that Iranian hackers were engaged in a Domain Name System infrastructure hijacking campaign. The IC’s Joint Worldwide Intel Communications System (JWICS) also hasn’t adopted DMARC, the senator wrote.

He also pressed for answers as to why the DNI, the CIA and the National Reconnaissance Office have failed to enable DMARC, asking Ratcliffe to provide “an estimate for when you expect to have implemented this cybersecurity best-practice across the intelligence community.”

Wyden wants a timeline for adoption of the IC Inspector General’s 22 cybersecurity recommendations.

“It is now clear that exempting the intelligence community from baseline federal cybersecurity requirements was a mistake,” Wyden said.

Sen. Wyden “is quite right in asking why what amounts to standard security practices in the industry are not being adopted by the CIA,” said Oliveira. “Afterall, they are in the business of acquiring intelligence often through cyber offensive methods and are technically aware of how to exploit vulnerable systems, such as those that are not protected by MFA.” 

The DNI has asked for $62.8 billion, according to public figures, which Olivera said “should allow them to carve out a slice of that money to address the questions posed by Sen. Wyden.”

Noting that “federal entities frequently must meet objectives critical to public safety with legacy processes and systems whose replacement and modernization are hampered by layers and layers of bureaucratic red tape,” Tim Wade, technical director, CTO Team, at Vectra, said, “Accepting the risk of continuing to operate such systems in a vulnerable state mitigates the greater risks associated with jeopardizing mission success.” 

Wade contended that “strategically, the solution involves revisiting and modernizing the failed process measures which allow these deficiencies to persist, and holding accountable any entities resistant to the faithful adoption of such measures.”