FBI investigators, searching for the source of the latest leaks of the CIA’s secrets to WikiLeaks, are focusing their investigation on CIA contractors working in a couple of offices in northern Virginia. These leaks revealed the extent to which the CIA can access mobile phones and internet-connected devices such as televisions, and that the CIA maintained a list of vulnerabilities in these devices.
The FBI believes that the evidence points to a contract software developer within the CIA’s Engineering Development Group as the source. This belief seems to be at least partially rooted in the fact that the documents provided to WikiLeaks came, ironically, from an internal CIA wiki used by the group’s developers as part of their duties. This wiki is hosted on a Confluence server, presumably within the CIA’s facilities (a cloud-hosted option is also available, but it is doubtful that the CIA would use it). Confluence is a widely used tool in software development for hosting documents, and it integrates with a development tracking tool called Jira.
Thus, the irony is that the CIA developed the capabilities to hack vulnerable systems and then kept this information on a system which itself was vulnerable to being hacked, either externally or (as the FBI seems to believe in this case) internally by a disgruntled contractor who would have simply needed to download the documents from Confluence.
This demonstrates once again that security is only as strong as the weakest link in the chain. It also reveals that the world of CIA software development is much like the world experienced by developers in other industries, just with a different set of requirements.