After Intel Leak, Pentagon Launches Security Review
By David Roza
Four days after a member of the Massachusetts Air National Guard was arrested and arraigned in connection with a massive leak of secret and sensitive information allegedly released online, Defense Secretary Lloyd J. Austin III directed a “comprehensive” review of the military’s security programs, policies, and procedures.
Initial findings are due around June 1, along with any recommendations to improve Pentagon policies and procedures related to the protection of classified information. The effort is being led by Undersecretary of Defense for Intelligence and Security Ronald S. Moultrie, in coordination with Chief Information Officer John Sherman and Director of Administration and Management Michael Donley.
Airman 1st Class Jack Teixeira, a cyber transport systems journeyman with the 102nd Intelligence Wing, is accused of illegally copying and distributing a trove of secret documents. The breach raised questions about whether security clearance processes are strong enough and whether existing insider threat programs, set up in the wake of the Chelsea Manning and Edward Snowden leak cases more than a decade ago, are stringent enough.
“I think we are pretty confident in how the FBI does conduct its background checks when it comes to somebody being able to obtain a security clearance,” said Deputy Pentagon Press Secretary Sabrina Singh. “That is why we are doing this process. If there is something that we feel that needs to be added to the background check process, I think that’s what this review will certainly lend itself to.”
The documents Teixeira allegedly released include classified details on Russia’s invasion of Ukraine and sensitive briefing materials and analysis on the Indo-Pacific and Middle East theaters. He is accused of sharing them on Discord, an online social media platform popular with video gamers.
“There’s an inherent risk that comes along with doing business,” Daniel Costa, technical manager of enterprise threat and vulnerability management at The National Insider Threat Center at Carnegie Mellon’s Software Engineering Institute, told Air & Space Forces Magazine. “What we’re talking about is human nature, and thinking about insider threats as an inherent risk to organizations requires real careful planning and organization-wide participation to reduce that risk to acceptable levels.”
Part of what makes insider threat prevention programs so difficult is that they require a “whole-of-enterprise” approach to be effective, Costa said. That can include involving management and human resources to monitor for warning signs such as policy violations, disruptive behavior, personal financial difficulty, or changes in working patterns.
“This is not a technology problem, it’s a people problem,” Costa said. “We use technology to help us manage those risks, but at the end of the day—especially in terms of making the organization less mistake-prone—that largely comes down to management-related and HR-related activities.”
Threats from trusted, cleared professionals pose the greatest risks and deepest challenges, because insiders like Teixeira already have security clearances and are therefore inherently trusted. The National Insider Threat Center at Carnegie Mellon’s Software Engineering Institute, where Costa works, was created to study and combat such threats.
“If there were a perfect solution for this, I’d be out of a job,” he said.
Pentagon Press Secretary Air Force Brig. Gen. Pat Ryder described the release as “a deliberate criminal act” by a service member.
“Each of us signs a nondisclosure agreement—anybody that has a security clearance,” Ryder said April 13. “And so all indications are, again, this was a criminal act, a willful violation of those, and again, another reason why we’re continuing to investigate and support [the Department of Justice’s] investigation.”
In the wake of the Snowden and Manning leaks, President Barack Obama’s Executive Order 13587, signed in 2011, required government agencies with access to classified computer networks to implement formal insider threat detection and prevention programs. But no program is 100 percent airtight.
The National Insider Threat Center at SEI maintains a database of more than 3,000 incidents in which individuals with authorized access to an organization’s documents or other assets used that trusted access to either maliciously or unintentionally affect the organization in a serious, negative way. Reducing risk within an organization starts with identifying the most critical assets, which is a challenge in institutions as large as the Department of Defense, Costa said. Once those assets are identified, the organization must strategize to protect and limit access to those crown jewels.
“One of the unique things about insider threat programs is that the threat actors that we’re talking about are our colleagues, our co-workers, our contractors, and other trusted business partners,” Costa explained. “The challenges lie within the fact that this is not a risk that you can buy down to zero, by the nature of that trust relationship you entered into by bringing an individual into your organization.”
For security professionals, the key to preserving those trusted relationships while still reducing risk is monitoring that can help identify warning signs and enable leaders to intervene before individuals actually violate access rules, he said. Malicious insiders may use access for personal gain, such as financial fraud, intellectual property theft, cyber sabotage, espionage, or even notoriety. Unintentional insider incidents are also possible, where individuals become victims of phishing or other social engineering attacks, or where simple mistakes lead to substantial losses of data, funds, equipment, or information.
Monitoring for warning signs is the central function of an insider threat program, with indicators ranging from repeated policy violations, to disruptive behavior, personal financial difficulty, changes in working patterns, such as when and where individuals access files, or job performance problems, according to SEI research. Unintentional incidents are best prevented through training. Securing against insiders takes a “whole-of-enterprise” approach to be effective, Costa said.
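Two of the indicators listed above, when individuals access files and how much they access, can be checked mechanically against each user’s own history rather than against a one-size-fits-all rule. The following is an added example, not code from the article, SEI, or the Air Force: it builds a per-user baseline from a constructed access log (the log format, user names, dates, and the “busiest baseline day or mean plus three standard deviations” volume rule are all assumptions for illustration) and then flags days where a user worked outside their usual hours or touched far more documents than usual.

```python
"""Baseline-and-deviation check for two insider-threat indicators:
when a user accesses files, and how many distinct files per day.
Added example; the log format, users, dates and thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime
from statistics import mean, pstdev

# Constructed sample access log. Assumed format: "<ISO timestamp> <user> <action> <doc-id>".
BASELINE_LINES = [
    "2023-03-01T09:05:00 alice read DOC-101", "2023-03-01T11:20:00 alice read DOC-102",
    "2023-03-01T15:40:00 alice read DOC-103", "2023-03-02T09:15:00 alice read DOC-104",
    "2023-03-02T13:00:00 alice read DOC-105", "2023-03-02T16:10:00 alice read DOC-106",
    "2023-03-03T10:00:00 alice read DOC-107", "2023-03-03T14:30:00 alice read DOC-108",
    "2023-03-03T14:45:00 alice read DOC-108", "2023-03-04T09:50:00 alice read DOC-109",
    "2023-03-04T12:00:00 alice read DOC-110", "2023-03-04T15:00:00 alice read DOC-111",
    "2023-03-01T08:30:00 bob read DOC-201", "2023-03-01T16:00:00 bob read DOC-202",
    "2023-03-02T08:45:00 bob read DOC-203", "2023-03-02T17:10:00 bob read DOC-204",
    "2023-03-03T09:00:00 bob read DOC-205", "2023-03-03T15:30:00 bob read DOC-206",
    "2023-03-03T15:35:00 bob read DOC-207", "2023-03-04T08:20:00 bob read DOC-208",
    "2023-03-04T16:40:00 bob read DOC-209",
]
# Evaluation window (constructed): alice behaves as before; bob pulls ten documents
# late on Mar 10 and one more late on Mar 11.
EVAL_LINES = [
    "2023-03-10T10:00:00 alice read DOC-112", "2023-03-10T11:00:00 alice read DOC-113",
    "2023-03-10T14:00:00 alice read DOC-114", "2023-03-11T22:30:00 bob read DOC-230",
] + [f"2023-03-10T23:{m:02d}:00 bob read DOC-{210 + m}" for m in range(10)]
SAMPLE_LOG = BASELINE_LINES + EVAL_LINES
CUTOFF = date(2023, 3, 5)  # events before this date form the baseline


@dataclass
class Event:
    ts: datetime
    user: str
    action: str
    doc: str


@dataclass
class Baseline:
    first_hour: int      # earliest hour of day seen in the baseline window
    last_hour: int       # latest hour of day seen in the baseline window
    volume_limit: float  # distinct documents per day above which a day is flagged


def parse_log(lines):
    events = []
    for line in lines:
        ts, user, action, doc = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, action, doc))
    return events


def daily_doc_counts(events):
    """user -> {day -> number of distinct documents touched that day}"""
    docs = defaultdict(lambda: defaultdict(set))
    for e in events:
        docs[e.user][e.ts.date()].add(e.doc)
    return {u: {d: len(s) for d, s in days.items()} for u, days in docs.items()}


def build_baselines(events, cutoff):
    history = [e for e in events if e.ts.date() < cutoff]
    counts = daily_doc_counts(history)
    hours = defaultdict(list)
    for e in history:
        hours[e.user].append(e.ts.hour)
    baselines = {}
    for user, per_day in counts.items():
        vols = list(per_day.values())
        # Flag only above both the busiest baseline day and mean + 3 sigma (assumed rule),
        # so ordinary day-to-day variation is not reported as an indicator.
        limit = max(max(vols), mean(vols) + 3 * pstdev(vols))
        baselines[user] = Baseline(min(hours[user]), max(hours[user]), limit)
    return baselines


def find_indicators(events, baselines, cutoff):
    recent = [e for e in events if e.ts.date() >= cutoff]
    findings = defaultdict(set)  # (user, day) -> set of reasons
    for e in recent:
        b = baselines.get(e.user)
        if b is None:
            findings[(e.user, e.ts.date())].add("no baseline for user")
        elif not (b.first_hour <= e.ts.hour <= b.last_hour):
            findings[(e.user, e.ts.date())].add("off-hours access")
    for user, per_day in daily_doc_counts(recent).items():
        b = baselines.get(user)
        for day, n in per_day.items():
            if b is not None and n > b.volume_limit:
                findings[(user, day)].add("volume above baseline")
    return [{"user": u, "day": d.isoformat(), "reasons": sorted(r)}
            for (u, d), r in sorted(findings.items())]


def run_example():
    events = parse_log(SAMPLE_LOG)
    return find_indicators(events, build_baselines(events, CUTOFF), CUTOFF)


if __name__ == "__main__":
    for f in run_example():
        print(f["user"], f["day"], ", ".join(f["reasons"]))
```

On the constructed log this reports only bob, once for Mar 10 (off-hours access and volume above baseline) and once for Mar 11 (off-hours access only); alice, whose hours and volume match her history, produces nothing. The point of the per-user baseline is the one Costa makes: the same number of documents is routine for one role and anomalous for another, so a flat threshold either floods analysts or misses the real signal. A finding here is an indicator for a human to look at, not a verdict.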
Ryder said the military and the Intelligence Community routinely trusts young people with significant responsibilities, and they are often capable of handling it.
“Think about a young combat platoon sergeant and the responsibility and trust that we put into those individuals to lead troops into combat,” he said. “That’s just one example across the board. So you receive training and you will receive an understanding of the rules and requirements that come along with those responsibilities, and you’re expected to abide by those rules, regulations, and responsibility.”
But security clearances rely on background checks and some level of continuous monitoring, and those processes are limited: they cannot surface every motive an individual may harbor.
The more data that requires classification, the more people there will be who require security clearances. Leaks like these inevitably fuel debates over whether more or less information should be shared and whether more or fewer people should have access to different kinds of documents. Since 9/11, the government has sought to err on the side of sharing more, but that shifted after Snowden.
Some will inevitably talk about “right-sizing” who has access to sensitive assets, Costa said, which is a challenging task in organizations as large as the Department of Defense.
Security clearances are assessments, and no assessments can guarantee future activity, just as past performance of an investment cannot guarantee future success.
“Federal government security officers responsible for personnel vetting and insider threat detection may need to pay even closer attention to the answers to the questions of ‘associations’ now to assess the trustworthiness of current cleared employees and contractors who are continuously vetted as well as prospective clearance holders,” RAND researchers David Stebbins and Sina Beaghley wrote in a commentary piece after the Jan. 6, 2021, U.S. Capitol riots, where several rioters were also members of the military and police.
At the press briefing, Singh said the purpose of the new review is to identify better security practices. “Is there something else that we need to do to add on to a process when it comes to a background check and obtaining a security clearance?”
Malicious insiders may join organizations with malintent; such individuals tend to act early in their tenure, Costa said. Longer-tenured employees may feel more comfortable with those policies and procedures, but personal, professional, or financial stressors might motivate them to carry out an attack.
SEI recommends organizations “right-size” who has access to valuable or sensitive assets and when, a means to reduce the opportunity and temptations, Costa said. Those with greater access may fall under greater scrutiny. But simply establishing rules is not enough; they must be enforced to be effective.
“Some of the challenges we see with really large organizations, is just maintaining complete situational awareness of their current risk posture,” Costa said. “It’s easy to say that these are the rules that govern what authorized access looks like. But to ensure a complete coverage across, you know, really complex organizations with lots of different moving parts and independent security operations can be a real challenge.”
Besides the ongoing criminal investigation of Teixeira, Air Force Secretary Frank Kendall said the Department of the Air Force has initiated three efforts to get a better handle on its policies for protecting classified information:
First, the Air Force Inspector General is reviewing the Massachusetts Air National Guard’s 102nd Intelligence Wing, Teixeira’s unit, to see if anything went wrong in terms of following Air Force security policies. In the meantime, the 102nd Intelligence Wing “is not currently performing its assigned intelligence mission,” Air Force spokeswoman Ann Stefanek said. The 102nd’s mission has been temporarily reassigned to other Air Force organizations, she added.
Second, the department is conducting a “complete review of our policies themselves within the staff to make sure our policies are adequate,” Kendall said.
Third, units across the entire Air Force and Space Force will conduct a stand-down for Airmen and Guardians to review their security practices and conduct training as necessary. The stand-down is to be conducted in the next 30 days.
“Obviously we have got to tighten up our policies and our practices to make sure this doesn’t happen again,” the Secretary added.