CIA Report Prompts Call for DHS Cyber Authority Over Intelligence Agencies

Congress erred by exempting the intelligence community from laws that gave the Department of Homeland Security the authority to issue cybersecurity directives to federal government agencies, Sen. Ron Wyden, D-Ore., said highlighting failure to institute basic cybersecurity practices at the CIA and other intelligence agencies.

Wyden’s assertion came in a letter he sent to Director of National Intelligence John Ratcliffe Tuesday in which he attached a 2017 report produced from within the CIA showing “woefully lax” cybersecurity for systems the agency used to create cyber weapons.

Wyden said Congress made an exception in the law because it was “reasonably expecting that intelligence agencies that have been entrusted with our nation’s most valuable secrets would of course go above and beyond steps taken by the rest of the government to secure their systems.” 

“Unfortunately, it is now clear that exempting the intelligence community from baseline federal cybersecurity requirements was a mistake,” he said. 

Wyden, a member of the Senate Intelligence Committee, obtained the unclassified internal CIA report from the Department of Justice. The report is evidence in a court case involving stolen CIA hacking tools in 2017, according to a press release from the senator’s office. Though it is heavily redacted, the report warns of a culture that placed making the offensive cyber tools above measures to mitigate harm if they were ever exposed.

The CIA’s “[Center for Cyber Intelligence] had prioritized building cyber weapons at the expense of securing their own systems,” the report reads. “Day-to-day security practices had become woefully lax.”

In addition to the 2017 report, Wyden’s letter drew attention to 22 outstanding cybersecurity recommendations from the inspector general of the intelligence community. 

Wyden noted that intelligence agencies have yet to implement multifactor authentication for domain name system infrastructure or the Domain-based Message Authentication, Reporting and Conformance protocol, which helps to counteract email phishing attacks. Both of these actions were the subject of binding operational directives issued by DHS’ Cybersecurity and Infrastructure Security Agency and have been implemented throughout most of the rest of the federal government. 

In the case of DMARC—CISA issued a directive on this in 2017—nearly 80% of the .gov has implemented the protocol, according to a survey cited by the senator. By using publicly available tools, Wyden said his staff was able to determine this was not in place at the CIA, the National Reconnaissance Office, and the Office of the Director of National Intelligence itself.     

“Please explain the reasons why the intelligence community, and your office in particular, have not adopted DMARC and provide me with an estimate of when you expect to have implemented this cybersecurity best practice across the intelligence community,” Wyden wrote. 

He requested an unclassified response to his letter by July 17.