In a letter to the Office of the Director of National Intelligence (ODNI), Sen. Ron Wyden, D-Ore., raised questions about cybersecurity issues across the intelligence community (IC), and suggested that the IC may need to fall under the Department of Homeland Security’s (DHS) authority to require all Federal agencies to adopt specific cybersecurity technologies and policies.
Congress granted that authority to DHS in 2014, following what Sen. Wyden called “a series of high-profile cybersecurity lapses.”
“While Congress exempted the intelligence community from the requirement to implement DHS’ cybersecurity directives, Congress did so reasonably expecting that intelligence agencies that have been entrusted with our nation’s most valuable secrets would of course go above and beyond the steps taken by the rest of the government to secure their systems,” Sen. Wyden wrote. “Unfortunately, it is now clear that exempting the intelligence community from baseline Federal cybersecurity requirements was a mistake.”
Sen. Wyden cited the publication by WikiLeaks of CIA hacking tools in early 2017, and a Department of Justice (DOJ) report – parts of which were provided to Sen. Wyden’s office – that he said reveals ongoing CIA security failures that allowed an agency employee to steal information that constituted “the largest data loss in CIA history.”
The senator requested answers from ODNI to questions about several other cybersecurity issues, including:
- DHS’ Cybersecurity and Infrastructure Security Agency not protecting its .gov domain with multi-factor authentication;
- The IC not adopting Domain-based Message Authentication, Reporting, and Conformance (DMARC) anti-phishing protections;
- The Joint Worldwide Intelligence Communications System not currently utilizing multi-factor authentication; and
- Whether ODNI intends to adopt 22 recommendations made by the Inspector General of the IC for cybersecurity improvements.