Updated with information from the White House about President Trump's commitment to cybersecurity.
WASHINGTON, D.C. — If this week’s claims from Wikileaks that it has disclosed “the largest ever publication of confidential documents” in CIA history are true, then the co-chair of the congressional cybersecurity caucus has one question: “How did it happen?”
Intelligence officials have yet to confirm the authenticity of the leaked documents. But Rep. Jim Langevin, D-R.I., co-founder of the caucus, said if a major breach did occur after agencies implemented new measures to stop people like Edward Snowden, the NSA contractor who obtained a trove of classified documents from the National Security Agency in 2013, it would be a troublesome sign.
“If it were just recent that it was taken, then clearly we have not learned any lessons in terms of security,” Langevin said. He also said that it appears “no one is in charge” of cybersecurity in the Trump administration, which only adds to his concern.
The CIA documents posted online Tuesday are only the first batch of what Wikileaks promised to be a “new series of leaks” on the CIA. Wikileaks says the leaks come from a high-security network situated inside the agency’s Center for Cyber Intelligence in Langley, Va.
The documents allegedly reveal a wide range of exploits used to hack into smartphones and other devices connected to the internet, such as Samsung smart TV’s. The documents reveal vulnerabilities in older versions of the Apple iOS and Google Android operating systems that could allow the agency to collect audio or text from messages before they reach popular apps such as WhatsApp or Signal, where encryption is applied.
In a statement Wednesday, the CIA declined comment on the authenticity of the documents but underscored its mission is to “aggressively collect foreign intelligence” from overseas to protect America from harm. The agency said it is “is legally prohibited from conducting electronic surveillance targeting individuals here at home, including our fellow Americans, and the CIA does not do so.”
White House press secretary Sean Spicer told reporters at a briefing Wednesday, “There should be a lot more coverage of this. This alleged leak should concern every single American in terms of the impact it has on our national security."
With respect to the specific WikiLeaks accusations, he said, "You know all of these occurred under the last administration. That is important. All of these alleged issues."
But Langevin expressed deep concern about the current administration’s lack of public direction on its cybersecurity policies. During the president’s recent prime-time address to a joint session of Congress, he did not mention cybersecurity at all while talking about his priorities for the coming year.
“I don’t even know who’s in charge over there right now on cybersecurity,” Langevin said. “I am certainly concerned that I haven’t heard anything coming out of the White House yet of any definitive nature about how the president and how the administration are going to further strengthen the country’s cyber defenses.”
Trump told reporters in late January his cybersecurity plan includes holding agency heads individually responsible for breaches that take place on their watch.
"I will hold my Cabinet secretaries and agency heads accountable, totally accountable for the cybersecurity of their organization," he said at the time.
The president was expected to sign an executive order on cybersecurity in late January but has yet do so.
Thursday afternoon, a White House official told Scripps News that President Trump is fully committed to cybersecurity and already has filled key cybersecurity and national security positions throughout his administration.
The official also said that going forward, certain agencies might need to be restructured in order to ensure that cybersecurity efforts are given the attention they deserve in an era where the threat level has increased. The official did not provide a timeline for how soon that would happen.
Langevin said he remains worried about the manner in which changes may be rolled out.
“I understand they are doing away with the cybersecurity coordinator’s position,” he said, referring to a position at the White House that has for years served in an advisory role to the president on government-wide cyber threats.
Langevin has long pushed to strengthen the position, which, under President Obama, lacked budgetary authority or policymaking ability, limiting the coordinator’s ability to compel agencies to act or penalize them when they didn’t. He has filed legislation that tried to give the position more power, similar to the nation’s drug czar, but says to date his efforts have stalled. Under Trump, he says, he expects the entire position to be eliminated.
“I find that troubling. That is not good news on the cybersecurity front.”
Langevin added, “We are also hearing they are going to be getting rid of the federal chief information security officer. We don’t know. That is a big question. That would be disappointing.”