WASHINGTON — The 2016 theft of secret C.I.A. hacking tools by an agency officer, one of the largest breaches in agency history, resulted partly from failures to install safeguards and from officials who ignored the lessons of other government agencies that saw large breaches when employees stole secrets, according to an internal C.I.A. report released on Tuesday.
The C.I.A. fostered an innovative culture within its hacking team, which took great risks to create untraceable tools to steal secrets from foreign governments. But that team and its overseers were focused on building cutting-edge cyberweapons and spent too little energy protecting those tools, failing to put in place even common security standards like basic monitoring of who had access to its information, the report said.
The agency should have known better, the report concluded, given that the theft came years after highly public disclosures by the former Army intelligence analyst Chelsea Manning, who stole data from the Pentagon and State Department, and the former contractor Edward Snowden, who took information from the National Security Agency. Both helped expose those secrets.
In March 2017, WikiLeaks published some of the C.I.A.’s most valuable hacking tools, which it called Vault 7. The WikiLeaks disclosure revealed some of the ways that the C.I.A. could break into foreign computer networks or activate the camera or microphone on electronic devices to eavesdrop on adversaries.
In the wake of that breach, Mike Pompeo, then the C.I.A. director, ordered a secret review of the leak and why the agency had not detected it. The report said that because of a lack of safeguards or activity monitoring, the agency could not determine the precise scope of the loss.
The C.I.A.’s WikiLeaks task force, not the agency’s independent inspector general, compiled the report.
The report had been partially declassified for the trial this year of Joshua Schulte, a former C.I.A. officer accused of giving the information to WikiLeaks. During the trial, defense lawyers read excerpts from the report but were not allowed to release even the redacted pages. Senator Ron Wyden, Democrat of Oregon and a member of the Senate Intelligence Committee, made the report public on Tuesday, and The Washington Post first reported a fuller version of its findings.
The C.I.A. declined to comment directly on the report. Timothy L. Barrett, the agency spokesman, said the C.I.A. was working to “incorporate best-in-class technologies to keep ahead of and defend against ever-evolving threats.”
An agency employee was to blame for the theft of the data, the report said, without naming Mr. Schulte in the portions released publicly. Mr. Schulte’s trial ended with the jury divided on whether to convict him of the most serious crimes he was charged with, including illegal gathering and transmission of defense information. Mr. Schulte was convicted of contempt of court and making false statements to the F.B.I.
The government has said it intends to retry Mr. Schulte.
The report said the theft was the greatest data loss in the agency’s history. As much as 34 terabytes of information — up to 2.2 billion pages — were stolen, revealing the C.I.A.’s secret hacking methods.
Security on the elite hacking team was lax. Team members shared administrator passwords, and blocks on removable media, like thumb drives or writable discs, were ineffective. Those vulnerabilities made it easier for an insider to steal the C.I.A.’s data.
The loss to the agency was enormous. When WikiLeaks released the information, foreign governments were able to quickly fix vulnerabilities, kicking the C.I.A. out of their networks and cutting off its ability to listen surreptitiously to some devices.
But it is difficult to assess the precise loss to the C.I.A.’s hacking team. The report did say that the agency had moderate confidence that WikiLeaks did not get all of its hacking tools. Some were better protected in a so-called “Gold folder.”
The report was heavily redacted and had at least 30 missing pages. Mr. Schulte’s defense had to fight the government to see even a portion of the report and was not allowed to release the document during the trial, said Sabrina Shroff, his lawyer. Ultimately, she said, she saw only about a quarter of the report.
“From the beginning of this case, the government sought to hide this report,” she said. “We had to litigate and claw our way to get an extra word made available to the defense. To this day, I have not seen the entirety of the report.”
Insider threats are almost impossible to eliminate. But security measures can make it more difficult for disgruntled employees to steal classified information. By 2017, the threat of WikiLeaks should have been plain to anyone in an intelligence agency, the report said.
“For nearly a decade WikiLeaks has exploited the digital realm to profoundly reshape opportunities for individuals sworn to protect our nation’s secrets to leak classified or sensitive information,” the report said.
The report outlined a system where different arms of the agency developed their own information technology capabilities and systems of policing themselves. That culture of “shadow I.T.” created “unacceptable risk” for the C.I.A.
The hacking team’s tools were on computer systems that lacked the ability to audit the information stored on them. The C.I.A., according to the report, did not learn about the loss until a year after it occurred, when WikiLeaks announced in March 2017 that it had the Vault 7 data.
In a letter to John Ratcliffe, the director of national intelligence, Mr. Wyden said the report suggested that Congress’s decision to exempt intelligence agencies from federal cybersecurity requirements was a mistake.
Mr. Wyden said that vulnerabilities remained within the intelligence community’s information technology.
“The lax cybersecurity practices documented in the C.I.A.’s WikiLeaks task force report do not appear limited to just one part of the intelligence community,” Mr. Wyden wrote.
David E. Sanger contributed reporting.