Theft of CIA’s ‘Vault 7’ hacking tools in 2016 resulted from “woefully lax” security, new report says

Source: CIA.gov, public domain

“Prepared by a CIA task force, the report was introduced as evidence in the trial of Joshua Schulte, a former employee of an agency hacking unit”

The 2016 theft of top-secret hacking tools from the CIA resulted from a workplace culture in which hackers working for the agency “prioritized building cyber weapons at the expense of securing their own systems,” says an internal report prepared for then-director Mike Pompeo and his deputy, Gina Haspel, who is currently CIA director.

From reporting by Ellen Nakashima and Shane Harris at the Washington Post:

The breach — allegedly by a CIA employee — was discovered a year after it happened, when the information was published by WikiLeaks, in March 2017. The anti-secrecy group dubbed the release “Vault 7,” and U.S. officials have said it was the biggest unauthorized disclosure of classified information in the CIA’s history, causing the agency to shut down some intelligence operations and alerting foreign adversaries to the spy agency’s techniques.

The October 2017 report by the CIA’s WikiLeaks Task Force, several pages of which were missing or redacted, portrays an agency more concerned with bulking up its cyber arsenal than keeping those tools secure. Security procedures were “woefully lax” within the special unit that designed and built the tools, the report said.

Absent WikiLeaks’s disclosure, the CIA might never have known the tools had been stolen, according to the report. “Had the data been stolen for the benefit of a state adversary and not published, we might still be unaware of the loss,” the task force concluded.

The task force report was provided to The Washington Post by the office of Sen. Ron Wyden (D-Ore.), a member of the Senate Intelligence Committee, who has pressed for stronger cybersecurity in the intelligence community. He obtained the redacted, incomplete copy from the Justice Department.

The breach came nearly three years after Edward Snowden, then a National Security Agency contractor, stole and disclosed classified information about the NSA’s surveillance operations.

Read more:
Elite CIA unit that developed hacking tools failed to secure its own systems, allowing massive leak, an internal report found

And related reporting at NBC News:
Alleged theft of CIA hacking tools by CIA officer exposed ‘woefully lax’ security, says report