Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Senator Raises Concerns About Ability of U.S. Intelligence to Protect Secrets

Senator Ron Wyden has raised concerns about the ability of U.S. intelligence agencies to protect what he describes as “some of the nation’s most sensitive secrets,” and he has sent a letter to the director of national intelligence asking for information on plans to improve cybersecurity.

Senator Ron Wyden has raised concerns about the ability of U.S. intelligence agencies to protect what he describes as “some of the nation’s most sensitive secrets,” and he has sent a letter to the director of national intelligence asking for information on plans to improve cybersecurity.

Sen. Wyden sent the letter to Director of National Intelligence John Ratcliffe after obtaining an unclassified version of a 2017 report that analyzed the cybersecurity measures implemented by the CIA. The report was written after WikiLeaks started publishing information on many of the hacking tools created and used by the intelligence agency.

An investigation revealed that the files leaked by WikiLeaks, dubbed Vault7, were stolen from the CIA’s Center for Cyber Intelligence (CCI), which specializes in developing hacking tools and cyber weapons. Hundreds of gigabytes of information was taken in what has been described as the largest data loss in CIA history. A former employee was charged over the theft, but prosecutors failed to convince a jury, with the defense arguing that hundreds of people could have accessed the data.

The 2017 report, which was used as evidence in that court case, shows that the CCI focused on the tools it built and neglected the security of its own systems, failing to implement compartmentalization and access controls, and to prepare mitigations in case its tools got leaked.

Sen. Wyden has pointed to a report published last year by the Office of the Inspector General of the Intelligence Community, revealing significant problems in security practices and the failure to implement 20 recommendations made after previous evaluations.

“Three years after that report was submitted, the intelligence community is still lagging behind, and has failed to adopt even the most basic cybersecurity technologies in widespread use elsewhere in federal government,” Sen. Wyden wrote in his letter.

Federal agencies are required to implement certain technologies and policies to protect their systems, but Congress has exempted intelligence agencies.

“Congress did so reasonably expecting that intelligence agencies that have been entrusted with our nation’s most valuable secrets would of course go above and beyond the steps taken by the rest of the government to secure their systems,” Sen. Wyden wrote. “Unfortunately, it is now clear that exempting the intelligence community from baseline federal cybersecurity requirements was a mistake.”

The official has asked the director of national intelligence to answer four questions regarding the failure of intelligence agencies to implement multi-factor authentication (MFA) for website domains and classified computer networks, and failure to implement the DMARC protocol, which helps detect and prevent email spoofing. The letter also asks for information on plans to implement the recommendations made last year by the inspector general.

Related: Proposed Bill Seeks to Protect Researchers Disclosing Classified Government Backdoors

Related: U.S. Senators Want Transparency on Senate Cyberattacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Risk Management

A threat-based approach to security often focuses on a checklist to meet industry requirements but overlooked the key component of security: reducing risk.

Management & Strategy

Microsoft making a multiyear, multibillion dollar investment in the artificial intelligence startup OpenAI, maker of ChatGPT and other tools.

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Risk Management

CISA has published a report detailing the cybersecurity risks to the K-12 education system and recommendations on how to secure it.