The 2017 report, whose findings were first reported by the Washington Post, examined the theft one year earlier of sensitive cyber tools the CIA had developed to hack into the networks of adversaries.
WikiLeaks had announced months earlier that it had obtained tools created by the CIA's specialised Centre for Cyber Intelligence, and the anti-secrecy website published comprehensive descriptions of 35 of them, according to the report.
The report describes the 2016 theft as the largest data loss in agency history — compromising at least 180 gigabytes to as much as 34 terabytes of information.
The agency did not realise the loss had occurred until the WikiLeaks announcement a year later, the report said, and identified as a prime suspect a CIA software engineer who officials said had copied the hacking arsenal without raising suspicion.
The former employee, Joshua Schulte, was charged by the Justice Department with stealing the material and providing it to WikiLeaks. But a jury was deadlocked on those charges and convicted him in March of more minor charges after a trial in Manhattan.
The CIA report revealed lax cybersecurity measures by the specialised unit and the niche information technology systems that it relies upon, which is separate from the systems more broadly used by everyday agency employees.
The report says that because the stolen data was on a system that lacked user activity monitoring, it was not detected until when WikiLeaks announced it in March 2017.
"Had the data been stolen for the benefit of a state adversary and not published, we might still be unaware of the loss—as would be true for the vast majority of data on Agency mission systems," the report says.
The report, prepared in October 2017 by the CIA's WikiLeaks Task Force, suggests the CIA should have been better prepared in light of devastating information compromises at other agencies. The hacking tools compromise occurred almost three years after Edward Snowden, a former contractor for the National Security Agency, confiscated classified information about the NSA's surveillance operations, and disclosed it.
"CIA has moved too slowly to put in place the safeguards that we knew were necessary given successive breaches to other US Government agencies," the report said.
Had the data been stolen for the benefit of a state adversary and not published, we might still be unaware of the loss
Among the problems the report identified: sensitive cyber weapons were not compartmented, passwords were shared and users had indefinite access to historical data.
CIA spokesman Timothy Barrett declined to comment on the report's findings, but said the "CIA works to incorporate best-in-class technologies to keep ahead of and defend against ever-evolving threats."
Sean Roche, former associate deputy director of digital innovation at the CIA, who testified at the Schulte trial, said that although the CIA did have a problem with one of its networks, "to say that the people at the CIA don't take security seriously is not accurate. It's completely inaccurate."
The disclosure of the hacking tools featured prominently in Shulte's trial, with prosecutors portraying him as a disgruntled software engineer who exploited a little-known back-door in a CIA network to copy the hacking arsenal without raising suspicion.
Ultimately, Schulte was convicted of contempt of court and making false statements after a four-week trial. The jury was unable to reach a verdict on the more significant charges.
- AP