Lawmaker Questions Intelligence Community Cybersecurity

In the spring of 2017, WikiLeaks published a cache of Central Intelligence Agency (CIA) hacking tools. The CIA’s WikiLeaks Task Force investigated this incident, and submitted a report on its findings to the CIA Director in October, 2017. The Department of Justice (DOJ) made public an excerpt from the report in court filings this year, which DOJ subsequently provided to my office. According to the attached redacted excerpt from this CIA report, WikiLeaks’ publication “brought to light multiple ongoing CIA failures” that enabled a CIA employee to steal “at least 180 gigabytes” of information, “the largest data loss in CIA history,” which he allegedly then provided to WikiLeaks. The report’s findings include:

The CIA’s [Center for Cyber Intelligence (CCI)] had prioritized building cyber weapons at the expense of securing their own systems. Day-to-day security practices had become woefully lax…. Most of our sensitive cyber weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media controls, and historical data was available to users indefinitely. Furthermore, CCI focused on building cyber weapons and neglected to also prepare mitigation packages if those tools were exposed. These shortcomings were emblematic of a culture that evolved over years that too often prioritized creativity and collaboration at the expense of security.

The lax cybersecurity practices documented in the CIA’s WikiLeaks Task Force report do not appear to be limited to just one part of the intelligence community. The Office of the Inspector General of the Intelligence Community revealed in a public summary of a report it published last year that it found a number of deficiencies in the intelligence community’s cybersecurity practices. In addition to making two new recommendations for improvements, the Inspector General noted that 20 security-related recommendations from prior evaluations remained unaddressed. According to the Inspector General’s report, the specific details of the intelligence community’s cybersecurity deficiencies and the Inspector General’s recommendations are classified.

The 2017 CIA WikiLeaks Task Force report noted that “This wake-up call presents us with an opportunity to right longstanding imbalances and lapses, to reorient how we view risk… We must care as much about securing our systems as we care about running them if we are to make the necessary revolutionary change.” Three years after that report was submitted, the intelligence community is still lagging behind, and has failed to adopt even the most basic cybersecurity technologies in widespread use elsewhere in the federal government. The American people expect you to do better, and they will then look to Congress to address these systematic problems. In order to help Congress and the American people understand the magnitude of the intelligence community’s cybersecurity lapses, please provide me with unclassified answers to the following questions by July 17, 2020:

1. On January 10, 2019, DHS’ Cybersecurity and Infrastructure Security Agency (CISA) issued a public alert regarding a global Domain Name System (DNS) infrastructure hijacking campaign, which cybersecurity companies attributed to hackers working for the Iranian government. On January 22, 2019, CISA followed up on this warning, and issued an emergency directive that required agencies, within 10 days, to implement multi-factor authentication to protect their .gov domain names. Fifteen months later, the intelligence community has yet to protect its .gov domain names with multi-factor authentication, despite repeated requests from my office. Please explain the reasons for this delay and provide me with an estimate for when you expect to have implemented this cybersecurity best-practice across the intelligence community.

2. On October 16, 2017, CISA issued a directive to federal agencies requiring them to protect their websites and email using encryption and other advanced cybersecurity technologies. This CISA directive included a requirement to adopt DMARC, an anti-phishing technology. The vast majority of federal agencies have complied with this directive and implemented DMARC — nearly 80 percent according to one recent survey. Unfortunately, the intelligence community has lagged behind the rest of the government in DMARC adoption. My staff verified—using publicly available tools—that the Central Intelligence Agency, the National Reconnaissance Office, and your office have all failed to enable DMARC anti-phishing protections which would prevent hackers from sending emails that impersonate your organizations. Please explain the reasons why the intelligence community, and your office in particular, have not adopted DMARC and provide me with an estimate for when you expect to have implemented this cybersecurity best-practice across the intelligence community.

3. According to media reports, the Joint Worldwide Intel Communications System (JWICS), the intelligence community’s classified computer network for top secret information, does not currently use multi-factor authentication, an industry-standard cybersecurity protection. In a presentation at the Department of Defense Intelligence Information System Worldwide Conference on August 20, 2019, Jean Schaffer, the Defense Intelligence Agency’s (DIA) cyber and enterprise operations chief, stated that DIA was looking to upgrade JWICS to support multi-factor authentication. Please explain why JWICS does not currently require multi-factor authentication and why this is consistent with federal cybersecurity best practices detailed by the National Institute of Standards and Technology in Special Publication 800-63B.

4. Do you intend to adopt each of the 22 cybersecurity recommendations of the Inspector General of the Intelligence Community? If yes, please provide an estimate for when you expect to have implemented each of these recommendations. If no, please explain why.

Thank you for your attention to this important matter. If you have any questions about this request, please contact Chris Soghoian in my office.

Sincerely,

Ron Wyden
United States Senator