U.S. Senator Ron Wyden has asked Director of National Intelligence John Ratcliffe to explain what steps he is taking to improve the cybersecurity of some of the nation's most most sensitive secrets, held by federal intelligence agencies, after Wyden obtained a "damning" CIA report on cybersecurity failures that led to “the largest data loss in CIA history" after a CIA employee stole "at least 180 gigabytes" of information and then provided that to WikiLeaks.
Wyden, a senior member of the Senate Intelligence Committee, obtained the unclassified, redacted excerpt of the CIA’s WikiLeaks Task Force report from the Department of Justice, after it was introduced as evidence in a court case earlier this year involving stolen CIA hacking tools.
The 2017 CIA report revealed lax cybersecurity measures across the agency, including “acute vulnerabilities” in critical IT systems. The security was so poor, according to the report, if these hacking tools had “been stolen for the benefit of a state adversary and not published, we might still be unaware of the loss—as would be true for the vast majority of data on Agency mission systems.”
Wyden said it is time for Congress to reconsider a law that exempts intelligence agencies from federal cybersecurity requirements. "After a series of high-profile cybersecurity lapses at federal agencies, Congress took action in 2014, and gave the Department of Homeland Security (DHS) the authority to require federal agencies to adopt specific cybersecurity technologies and policies to safeguard federal systems. While Congress exempted the intelligence community from the requirement to implement DHS's cybersecurity directives, Congress did so reasonably expecting that Intelligence agencies that have been entrusted with our nation's most valuable secrets would of course go above and beond the steps taken by the rest of the government to secure their systems. Unfortunately, it is now clear that exempting the intelligence community from baseline federal cybersecurity requirements was a mistake," wrote Wyden in the letter.
In addition, Wyden asked Ratcliffe to provide him with unclassified answers to questions as to why the intelligence community has yet to implement the Cybersecurity and Infrastructure Security Agency's (CISA) cybersecurity best practices, including DMARC, anti-phishing technology, and the use of multi-factor authentication, industry-standard cybersecurity protection.
Fausto Oliveira, Principal Security Architect at Acceptto, a Portland, Oregon-based provider of Continuous Behavioral Authentication, says, “Senator Ron Wyden is correct in asking why what amounts to standard security practices in the industry are not being adopted by the CIA. Afterall, they are in the business of acquiring intelligence often through cyber offensive methods and are technically aware of how to exploit vulnerable systems, such as those that are not protected by Multi-Factor Authentication (MFA)."
"Based on the findings of the report, it appears that there was a lack of IT and cybersecurity governance that led to a lax adoption of security controls," adds Oliveira. "It is not an operational matter, it is a matter of the agency's management not setting the right goals to manage the risks associated with operating an organization, specifically an organization that is a desirable target for all kinds of attackers.”
Tim Wade, Technical Director, CTO Team at Vectra, a San Jose, Calif.-based provider of technology which applies AI to detect and hunt for cyber attackers, notes, “Federal entities frequently must meet objectives critical to public safety with legacy processes and systems whose replacement and modernization are hampered by layers and layers of bureaucratic red tape. Accepting the risk of continuing to operate such systems in a vulnerable state mitigates the greater risks associated with jeopardizing mission success. Strategically, the solution involves revisiting and modernizing the failed process measures which allow these deficiencies to persist, and holding accountable any entities resistant to the faithful adoption of such measures.”