June 16 (Reuters) - Many of the Central Intelligence Agency’s most sensitive hacking tools were so poorly secured that it was only when WikiLeaks published them online in 2017 that the agency realized they had been compromised, according to a report released Tuesday.
The secret-spilling site drew international attention when it dumped a vast trove of malicious CIA code on the internet in March 2017.
The digital tools, sometimes described as “cyber weapons,” provided a granular look at how the CIA conducts its international hacking operations. It also deeply embarrassed the U.S. intelligence community, which has repeatedly been hit by large-scale leaks over the past decade.
A report here dated October 2017 and released by Democratic U.S. Senator Ron Wyden on Tuesday described security at the CIA's Center for Cyber Intelligence - the unit responsible for designing the tools - as "woefully lax."
“Most of our sensitive cyber weapons were not compartmented, users shared systems administrator-level passwords, there were no effective removable media controls, and historical data was available to users indefinitely,” the report said. It described the WikiLeaks disclosure as “the largest data losss in CIA history.”
The CIA did not immediately return a message seeking comment.
The report, drawn up by the CIA’s WikiLeaks Task Force, was heavily redacted, but it called out a series of failures at the CIA that the report’s authors attributed to giving priority to building hacking tools over securing them.
In a letter accompanying the report, Wyden suggested that the weaknesses highlighted by the report went beyond the CIA.
“The lax cybsercurity practices documented in the CIA WikiLeaks Taskforce report do not appear to be limited to just one part of the intelligence community,” he said.
“The intelligence community is still lagging behind,” he said. (Reporting by Raphael Satter; eediting by Jonathan Oatisditing by Jonathan Oatis)