UPDATED 22:37 EDT / JUNE 17 2020

Infamous ‘Vault 7’ CIA data breach resulted from lax cybersecurity

The infamous “Vault 7” theft of secret hacking tools and documents from the U.S. Central Intelligence Agency in 2016 resulted from lax cybersecurity practices at the agency, according to an inquiry in 2017 that has only now been partially published.

Information and tools stolen in the hack were published through 2017 by WikiLeaks and included revelations that the CIA was using the tools to target more than a dozen countries as well as companies both domestic and international. The many revelations included tools used by the CIA to compromise Apple Inc. products, network switches from Cisco Systems Inc. and others.

The CIA created a WikiLeaks Task Force to dig into how the breach occurred, finding that its Center for Cyber Intelligence was more interested in hacking others than in protecting itself. Some of the findings included a failure to detect security incidents rapidly, a failure to act on warning signs of potentially risky employees, slowness in enacting security safeguards, a lack of user activity monitoring and server monitoring, and no effective removable media controls.

Parts of the report were made public by Senator Ron Wyden in a letter Tuesday to the Director of National Intelligence.

“The 2017 CIA WikiLeaks Task Force report noted that, ‘This wake-up call presents us with an opportunity to right longstanding imbalances and lapses, to reorient how we view risk… We must care as much about securing our systems as we care about running them if we are to make the necessary revolutionary change,’” Wyden wrote. “Three years after that report was submitted, the intelligence community is still lagging behind and has failed to adopt even the most basic cybersecurity technologies in widespread use elsewhere in the federal government. The American people expect you to do better, and they will then look to Congress to address these systematic problems.”

Ilia Sotnikov, vice president of product management at data security firm Netwrix Corp., told SiliconANGLE that the problem is that the majority of organizations, especially smaller businesses, will never reach the level of protection against tools used by nation-state attackers.

“This puts incredible pressure on cybersecurity vendors and the industry, as well as cybersecurity professionals,” Sotnikov explained. “However, the main lesson we should all learn is that we shouldn’t ignore cybersecurity basics even if the budget and access to new technologies cannot be compared to what the CIA had.”

Sotnikov noted that given this is the CIA, it’s unlikely many details will be revealed. “We can expect a congressional investigation, but most likely a good part of that will be classified,” Sotnikov said. “This sets a challenge for all organizations to get ready for advanced attacks with no information on what to beware of.”
