Report reveals CIA incompetence to blame for Vault 7 breach

from the no-one-would-dare-cross-the-CIA...-would-they? dept

More details about the leak of CIA hacking tools are coming to light. And they're not making the CIA look any more deserving of its "Intelligence" middle name.

The "Vault 7" leak detailed the CIA's exploits -- ones targeting cellphones and a variety of smart devices. Encryption still works, but only as long as the devices themselves remain uncompromised by exploits. Since they aren't, encryption won't stop agencies like the CIA from intercepting communications or inserting themselves into private conversations.

The prosecution of the accused Vault 7 leaker has been a nightmare of its own, with the government having difficulty pressing its case even as it uncovers evidence the leaker continued to leak sensitive information after being incarcerated.

The latest report, by Ellen Nakashima and Shane Harris of the Washington Post, shows the CIA was far more interested in developing tech weapons than ensuring its hoard of exploits remained in its possession.

The theft of top-secret computer hacking tools from the CIA in 2016 was the result of a workplace culture in which the agency’s elite computer hackers “prioritized building cyber weapons at the expense of securing their own systems,” according to an internal report prepared for then-director Mike Pompeo as well as his deputy, Gina Haspel, now the current director.

[...]

The October 2017 report by the CIA’s WikiLeaks Task Force, several pages of which were missing or redacted, portrays an agency more concerned with bulking up its cyber arsenal than keeping those tools secure. Security procedures were “woefully lax” within the special unit that designed and built the tools, the report said.

Information wants to be leaked, apparently. Maybe not innately, but when the culture says the best defense is a good offense, chances are sensitive tools and tech are going to go wandering off.

The CIA knows how exploitable pretty much everything is. That it deployed nearly no security measures to ensure its exploit stash remained on the premises is an indictment of every bureaucracy that thinks merely being a big government agency will deter people -- both on the inside and outside -- from screwing with it. According to this report, the CIA didn't even employ bush-league, mom-and-pop-store-level security measures. There was no compartmentalization of tech exploits, no restriction on sharing administrator-level passwords, and no controls on the use of removable media. There was also no monitoring of this network, which has prevented the CIA from determining the size of the breach or enumerating what was actually taken.

This crucial job was outsourced, which apparently contributed to the problem. The job was too important to be left undone. But the CIA apparently didn't feel it was important enough to handle itself, so it gave it to someone else, resulting in this:

The computer network was maintained by contractors, the former official added. “There was a misunderstanding between the people who ran the unit and people who ran and maintained the network.”

Give an agency more money than oversight and it can perform any task poorly. Exploits are truly useful but they're only useful if they remain undisclosed and unpatched. Treating security cavalierly has paid off about as well as anyone outside the agency would have imagined. The tools were leaked. Only after that did anyone decide to check the latches on the Vault's doors. Proactive is better than reactive, as any intel operative should know. While this may be a great way to inadvertently comply with the Vulnerability Equities Process, it's no way to run an intel agency's tech black ops program.


By Tim Cushing
(Source: techdirt.com; June 17, 2020; https://tinyurl.com/y8qzvax3)