Senator Ron Wyden [D-OR] has urged US officials to outline steps to protect the data of US federal intelligence agencies in a letter to government officials on Wednesday.
Mr Wyden wrote in his letter to US director of national intelligence, John Ratcliffe, that the US intelligence community was "still lagging behind" and had failed to implement "even the most basic cybersecurity technologies in widespread use elsewhere in the federal government".
Congress should "reconsider" a law to exempt "intelligence agencies from federal cybersecurity requirements," he added.
“Congress did so reasonably expecting that intelligence agencies that have been entrusted with our nation’s most valuable secrets would of course go above and beyond the steps taken by the rest of the government to secure their systems. Unfortunately, it is now clear that exempting the intelligence community from baseline federal cybersecurity requirements was a mistake,” Wyden wrote.
The "damning" CIA report had also exposed the "serious lapses in the cybersecurity of the nation's top intelligence agencies", he tweeted on Wednesday.
— Ron Wyden (@RonWyden) June 16, 2020
"I'm pressing DNI John Ratcliffe on how he plans to better protect our country's most sensitive secrets. We've seen what happens when they're left vulnerable," he tweeted.
The letter cited a report from the CIA WikiLeaks Task Force (WTF) in 2017 stating that cybersecurity failures in the US government had led to "the largest data loss in CIA history", referring to the Vault 7 files published by WikiLeaks.
The redacted report, written by the US Department of Justice, found "woefully lax" cybersecurity measures at the CIA which exposed "acute vulnerabilities" in key IT systems.
“Had the data been stolen for the benefit of a state adversary and not published, we might still be unaware of the loss,” the report found.
The files, exposed by former software engineer Joshua Schulte, revealed 91 of around 500 malware and spyware tools used by the CIA's Center for Cyber Intelligence to hack into operating systems, browsers, messaging apps and devices such as mobiles, among numerous others. Schulte pleaded not guilty and faces 11 counts, including lying to the Federal Bureau of Investigation, a serious offence that could potentially carry a ten-year sentence.
"Year Zero", the first part of Vault 7, disclosed 8,761 documents from the cybersecurity centre in Langley, Virginia, which found the CIA had targeted French political parties and candidates in the 2012 US elections. The CIA's arsenal of weaponised "zero day" malware and viruses held over "several hundred million lines of code" and was spread amongst former US government hackers and contractors "in an [unauthorized] manner", according to a WikiLeaks press statement.
Such programmes targeted products from numerous US and European companies, including Apple, Google, Samsung and Microsoft, converting devices into "covert microphones", the whistleblowing organisation added.