Botched CIA Communications System Helped Blow Cover of Chinese Agents

By mkeeter - 11 hours ago


>But the CIA’s interim system contained a technical error: It connected back architecturally to the CIA’s main covert communications platform. When the compromise was suspected, the FBI and NSA both ran “penetration tests” to determine the security of the interim system. They found that cyber experts with access to the interim system could also access the broader covert communications system the agency was using to interact with its vetted sources, according to the former officials.

>In the words of one of the former officials, the CIA had “fucked up the firewall” between the two systems.

If you read between the lines, this raises the suspicion that there's a common underlying infrastructure which handles the communications, with management front-ends for different users which are firewalled off from each other, and the security of the system relied upon the firewall between the different front-ends to prevent users from finding out about each other. However, an attacker who compromised the "less secure" front end could use that as a launching pad to attack the underlying communication infrastructure, and if the attacker pwned the infrastructure, then he'd have a back entrance to the "more secure" front end.

If that's the case, then somebody was grossly incompetent, depending on the age of the system: if the system is old enough, then somebody running ops in the CIA is incompetent, for continuing to operate a system whose security model ("all you need is a strong enough firewall!") was obsolete; if the system is young enough, then either the original architects, or the security engineers who certified the architecture (if there were any), for proposing an architecture with an obsolete security model.

Arguably, that incompetence amounts to criminal negligence, since it resulted in the deaths of US agents, and somebody should be tried for it.
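As an added illustration of the transitive-trust point made in the comment above (this is not the commenter's code, and the host and compartment names are constructed): a small reachability check over a directed allow-list that flags when a host in one front-end compartment can reach a host in another by hopping through shared infrastructure, which is the class of gap the penetration tests quoted above are described as finding.

```python
from collections import deque

# Constructed topology modelled on the comment above (hypothetical names).
# Each pair (src, dst) means src is allowed to open connections to dst.
INTERIM_DESIGN = {
    ("interim_frontend", "shared_comms_infra"),
    ("main_frontend", "shared_comms_infra"),
    ("shared_comms_infra", "main_frontend"),     # the "connects back" path
    ("shared_comms_infra", "interim_frontend"),
}
# Alternative design: each front-end has its own backend, nothing shared.
ISOLATED_DESIGN = {
    ("interim_frontend", "interim_backend"),
    ("main_frontend", "main_backend"),
}
# The boundary the security model relied on: front-ends must not reach each other.
COMPARTMENTS_INTERIM = {"interim": {"interim_frontend"}, "main": {"main_frontend"}}
COMPARTMENTS_ISOLATED = {
    "interim": {"interim_frontend", "interim_backend"},
    "main": {"main_frontend", "main_backend"},
}


def reachable(allow, start):
    """Every host an attacker holding `start` can reach transitively (breadth-first),
    i.e. assuming each compromised hop can be used to pivot to the next."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for src, dst in allow:
            if src == node and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen - {start}


def segmentation_violations(allow, compartments):
    """Return sorted (attacker_host, victim_host) pairs where a host in one compartment
    can transitively reach a host in a different compartment; empty means the
    firewall boundary actually holds even if an intermediate host is compromised."""
    violations = []
    for name, hosts in compartments.items():
        for host in hosts:
            for victim in reachable(allow, host):
                for other, other_hosts in compartments.items():
                    if other != name and victim in other_hosts:
                        violations.append((host, victim))
    return sorted(violations)
```

A direct firewall rule between the two front-ends passes a naive check in both designs; only the transitive check exposes the shared-infrastructure path.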

solatic - 7 hours ago

It took 8 years for the CIA to figure out what happened?? This certainly explains why China and Russia continue to conduct cyber operations basically at the same level of intensity they have been for years - US intelligence, despite its enormous, unaccountable budget is unable to stop them or even know where they are compromised. If there is an actual hot conflict between the US and either of these nations, I shudder to think what will happen.

I don't believe the US lacks in technical skill at the operational level. These failures are management and organizational failures.

yborg - 6 hours ago

"This didn't make it into the piece, but here's how the Chinese treated people working with the CIA: According to one source, one asset working at a state tech institutes, and his pregnant wife, were executed live on closed circuit TV in front of the staff."

https://twitter.com/zachsdorfman/status/1029861843521523712

nyolfen - 11 hours ago

This is why when you read memoirs of CIA officers they almost always state human trade-craft will trump technical gadgetry all the time.

matt_s - 10 minutes ago

The CIA has a long and storied history of arrogance, incompetence, and letting down sources. The book, “Legacy of Ashes” provides an excellent readable, detailed history of the Agency since its creation, with tons of primary-source interviews and research.

(The title refers to a quote by Eisenhower, who left the Presidency disappointed at the “legacy of ashes” which was all he felt the CIA accomplished during his tenure.)

_iyig - 3 hours ago

It seems that the CIA is more embarrassed that their IT has been breached by the Chinese than the death of people that trusted them.

jmnicolas - 5 hours ago

This is a fascinating story. But I always think about what the motives are to reveal such information. What you read is always different than the actual...

On a separate note, I'm not sure technically what the right solution is, but I imagine an encrypted steganographic message on a popular peer-to-peer internet service would be the best way to avoid detection. ... When the entire web is being monitored.

anonu - an hour ago

Knowing how absurdly insecure any civilian consumer system is (laptop, smart phone, home assistant, self-driving car), with zero-day fire-and-not-a-drill-at-all advisories pretty much every month, I don’t get how this sort of thing happens.

I also fail to see how a decision like this could be made:

  The CIA had imported the system
  from its Middle East operations...

To China? The degree of technical differences between those two regions is so intuitively disparate, that without having been to either, I’d still never estimate that a game plan for one would work in the other.

Cell phones make sense in desert territories with good satellite coverage, and attacking, as much as operating those same cell phones makes sense too, in a volatile atmosphere.

Meanwhile, in China, with world class supercomputing facilities operated at scientific research institutions, one can only safely assume that no amount of cryptography or electronic transmission is safe. Not even one-time pads.

Each seems like its own game, with its own rules. What a mistake to not approach them differently. It’s like trying to steal cars from a suburban driveway at dinner time, versus a city parking garage during rush hour. A car is not simply a thing with wheels, that rolls away as soon as you can hop inside.

evntllyCnsistnt - 2 hours ago

Other Dorfman articles https://foreignpolicy.com/author/zach-dorfman/

I treat any media 'story' about spooks with great suspicion, because it almost invariably winds up over time that there are far more layers to the onion than are revealed in these types of exposés.

I wonder what 'The disaster in China has led some officials to conclude that internet-based systems, even ones that employ sophisticated encryption, can never be counted on to shield assets' is going to lead to? Some sort of new infrastructure may even already be in use...

olivermarks - 5 hours ago

Maybe they should have used BBM/iMessage/WhatsApp - all the civilian gear governments are screaming they need backdoors into because they’re too tough to crack...

Yes I say this partly in jest and also partly as a ‘why didn’t they’. BBM Enterprise over a VPN service popular with movie streamers would have actually helped them blend in... digitally speaking.

jarym - 5 hours ago