Senator Ron Wyden has raised concerns about the ability of U.S. intelligence agencies to protect what he describes as “some of the nation’s most sensitive secrets,” and he has sent a letter to the director of national intelligence asking for information on plans to improve cybersecurity.
Sen. Wyden sent the letter to Director of National Intelligence John Ratcliffe after obtaining an unclassified version of a 2017 report that analyzed the cybersecurity measures implemented by the CIA. The report was written after WikiLeaks started publishing information on many of the hacking tools created and used by the intelligence agency.
An investigation revealed that the files leaked by WikiLeaks, dubbed Vault7, were stolen from the CIA’s Center for Cyber Intelligence (CCI), which specializes in developing hacking tools and cyber weapons. Hundreds of gigabytes of information was taken in what has been described as the largest data loss in CIA history. A former employee was charged over the theft, but prosecutors failed to convince a jury, with the defense arguing that hundreds of people could have accessed the data.
The 2017 report, which was used as evidence in that court case, shows that the CCI focused on the tools it built and neglected the security of its own systems, failing to implement compartmentalization and access controls, and to prepare mitigations in case its tools got leaked.
Sen. Wyden has pointed to a report published last year by the Office of the Inspector General of the Intelligence Community, revealing significant problems in security practices and the failure to implement 20 recommendations made after previous evaluations.
“Three years after that report was submitted, the intelligence community is still lagging behind, and has failed to adopt even the most basic cybersecurity technologies in widespread use elsewhere in federal government,” Sen. Wyden wrote in his letter.
Federal agencies are required to implement certain technologies and policies to protect their systems, but Congress has exempted intelligence agencies.
“Congress did so reasonably expecting that intelligence agencies that have been entrusted with our nation’s most valuable secrets would of course go above and beyond the steps taken by the rest of the government to secure their systems,” Sen. Wyden wrote. “Unfortunately, it is now clear that exempting the intelligence community from baseline federal cybersecurity requirements was a mistake.”
The official has asked the director of national intelligence to answer four questions regarding the failure of intelligence agencies to implement multi-factor authentication (MFA) for website domains and classified computer networks, and failure to implement the DMARC protocol, which helps detect and prevent email spoofing. The letter also asks for information on plans to implement the recommendations made last year by the inspector general.