Four days after a member of the Massachusetts Air National Guard was arrested in connection to a massive leak of secret and sensitive information online, Defense Secretary Lloyd J. Austin III has directed a “comprehensive” review of the military’s security programs, policies, and procedures, deputy Pentagon press secretary Sabrina Singh told reporters April 17.
The initial findings of the review are due in 45 days, along with any recommendations to improve Pentagon policies and procedures related to the protection of classified information. The effort is being led by undersecretary of Defense for intelligence and security Ronald S. Moultrie, in coordination with Chief Information Officer John Sherman and Director of Administration and Management Michael Donley.
Singh also said she was not aware of any investigation of the unit or supervisor for Airman 1st Class Jack Teixeira, the cyber transport systems journeyman who was arrested last week. Teixeira is a member of the 102nd Intelligence Wing.
The recent leak has raised questions and concerns about how the military can better protect itself from insider threats—individuals with authorized access to an organization’s assets who use that access to either maliciously or unintentionally hurt the organization. Asked if the Pentagon was reviewing its vetting process for individuals requesting a security clearance, Singh defended the system in place as “very robust,” noting that it includes an FBI background check and a review of family, friends, former coworkers, social media posts, and finances.
“I think we are pretty confident in how the FBI does conduct its background checks when it comes to somebody being able to obtain a security clearance,” Singh said. “That is why we are doing this process. If there is something that we feel that needs to be added to the background check process, I think that’s what this review will certainly lend itself to.”
Teixeira allegedly released a trove of classified details on Russia’s invasion of Ukraine, along with sensitive briefing materials and analysis on the Indo-Pacific and Middle East theaters, on Discord, an online social media platform popular with video gamers. Government agencies with access to classified computer networks are supposed to have insider threat detection and prevention programs, but no program is 100 percent airtight.
“There’s an inherent risk that comes along with doing business,” Daniel Costa, technical manager of enterprise threat and vulnerability management at The National Insider Threat Center at Carnegie Mellon’s Software Engineering Institute, previously told Air & Spaces Forces Magazine.
“What we’re talking about is human nature, and thinking about insider threats as an inherent risk to organizations requires real careful planning and organization-wide participation to reduce that risk to acceptable levels,” Costa said.
Part of what makes insider threat prevention programs so difficult is that they require a “whole-of-enterprise” approach to be effective, Costa said. That can include involving management and human resources to monitor for warning signs such as policy violations, disruptive behavior, personal financial difficulty, or changes in working patterns.
“This is not a technology problem, it’s a people problem,” Costa said. “We use technology to help us manage those risks, but at the end of the day—especially in terms of making the organization less mistake-prone—that largely comes down to management-related and HR-related activities.”
It may also take “right-sizing” who has access to sensitive assets, which is a challenging task in organizations as large as the Department of Defense, Costa said.
The military security clearance system is a frequent topic of study among national security experts, since it is often difficult to screen applicants for risk factors.
“Federal government security officers responsible for personnel vetting and insider threat detection may need to pay even closer attention to the answers to the questions of ‘associations’ now to assess the trustworthiness of current cleared employees and contractors who are continuously vetted as well as prospective clearance holders,” RAND researchers David Stebbins and Sina Beaghley wrote in a commentary piece after the Jan. 6, 2021, U.S. Capitol riots, where several rioters were also members of the military and police.
At the press briefing, Singh said the purpose of the new review is to identify better security practices.
“This is exactly what this effort internally here in the building is designed to look at,” she said. “Is there something else that we need to do to add on to a process when it comes to a background check and obtaining a security clearance?”