SecretsLawmaker Questions Intelligence Community Cybersecurity

Following damning CIA report on stolen hacking tools, Sen. Ron Wyden (D-Oregon) asked Director of National Intelligence John Ratcliffe to explain what steps he is taking to improve the cybersecurity of some of the nation’s most sensitive secrets, held by federal intelligence agencies, after Wyden obtained a damning CIA report on cybersecurity failures that led to “the largest data loss in CIA history.”

Wyden, a senior member of the Senate Intelligence Committee, obtained the unclassified, redacted excerpt of the CIA’s WikiLeaks Task Force report from the Department of Justice, after it was introduced as evidence in a court case earlier this year involving stolen CIA hacking tools.

The 2017 CIA report revealed lax cybersecurity measures across the agency, including “acute vulnerabilities” in critical IT systems. The security was so poor, according to the report, if these hacking tools had “been stolen for the benefit of a state adversary and not published, we might still be unaware of the loss—as would be true for the vast majority of data on Agency mission systems.”

Wyden said it is time for Congress to reconsider a law that exempts intelligence agencies from federal cybersecurity requirements

“Congress did so reasonably expecting that intelligence agencies that have been entrusted with our nation’s most valuable secrets would of course go above and beyond the steps taken by the rest of the government to secure their systems,” Wyden wrote in his letter to Ratcliffe. “Unfortunately, it is now clear that exempting the intelligence community from baseline federal cybersecurity requirements was a mistake.”

The letter in full:

The Honorable John Ratcliffe Director
Office of the Director of National Intelligence
Washington DC, 20511

Dear Director Ratcliffe:

I write to seek information about widespread cybersecurity problems across the intelligence community.

After a series of high-profile cybersecurity lapses at federal agencies, Congress took action in 2014, and gave the Department of Homeland Security (DHS) the authority to require federal agencies to adopt specific cybersecurity technologies and policies to safeguard federal systems. While Congress exempted the intelligence community from the requirement to implement DHS’s cybersecurity directives, Congress did so reasonably expecting that intelligence agencies that have been entrusted with our nation’s most valuable secrets would of course go above and beyond the steps taken by the rest of the government to secure their systems. Unfortunately, it is now clear that exempting the intelligence community from baseline federal cybersecurity requirements was a mistake.