Discord in the ranks: Lone Airman behind top-secret info leak on chat platform

There was only one US Air National Guardsman behind the leak of top-secret US military documents on Discord, but his chain of command bears some responsibility for letting it happen on their watch. The US Air Force reached that conclusion in an August report [PDF] made public yesterday into the actions of Airman 1st Class Jack …

  1. Peter Prof Fox

    Competency assumption

    Somehow we assume that high-up people in spooky organisations [HEY REGISTER! STOP FORCING MY SPELLCHECKER TO en-US] are sharp. Of course not. They're box-tickers with confined roles that appeal to narrowly motivated people with both eyes on a clean record. Promotion for an actual achievement is unheard of. We all know what 'management' is so where it's institutionalised don't be shocked.

  2. Mike 137 Silver badge

    Ensuring improper use will occur 101

    From the report: "IT specialists in the 102 ISS, including A1C Teixeira, were encouraged to receive weekly intelligence briefings to better understand the mission and the importance of keeping the classified networks operating. This “know your why” effort was improper in that it provided higher level classified information than was necessary to understand the unit’s mission and created ambiguity with respect to questioning an individual’s need to know."

    This is an identical problem to that which allowed Manning to exfiltrate sensitive information to Wikileaks.

    Documented rules restricted users of SIPRNet from attaching removable drives or media; the policy states: "Linking a computer with access to the SIPRNet to the Internet or to any other computer or media storage device that has not been approved for use with SECRET information is a serious security violation. Once any media storage device such as a CD or thumb drive has been connected to a computer with access to the SIPRNet, it becomes classified at the SECRET level. It must be protected accordingly and shall not be used on any unclassified computer."

    Nevertheless, it emerged at the investigation that known staffers operated largely unmonitored and were allowed personal use of the supposedly secret system. I quote from the investigation transcript: "Defense (Coombs): How was it enforced? Lim: No. You trusted people."

    1. Anonymous Coward

      Re: Ensuring improper use will occur 101

      @Mike 137 ..

      And don't put a CD burner on your “secret” information computer

      1. collinsl Silver badge

        Re: Ensuring improper use will occur 101

        People used to glue USB ports shut to stop them being used.

        These days you can get something like Ivanti Device Control to control devices on a per-device basis if you like so you can authorize various pre-approved devices but block everything else.

  3. Doctor Syntax Silver badge

    Having the entire chain of command disciplined or fired is an interesting experiment! It has to be called that, as it's certainly not the norm. If it were the norm, the deterrence effect means we'd see some improvements in security.

    1. Anonymous Coward

      No, we wouldn't see improvement in security, because you're judging this case on a few isolated facts. If you think about the sort of work that an intelligence wing will be dealing with, then every day, all day, the hierarchy are having to make judgement calls on the basis of limited and unproven data, as well as all the drudgery of running any complicated organisation. Seen in hindsight and stripped of context it's a black and white case. In reality management will have been worrying about their intelligence "assets", whether they've been turned, whether incoming intel is fact or fiction, diversion or substance, what if anything merits escalation higher up the food chain, dealing with mundane workplace, management and leadership issues, that Airman A is accused of harassing Airman B, that the West Texas control room gets too hot because the air con doesn't work properly, that some civilian jerk is trying to hack or DDoS the unit's computers, dealing with staff hiring, training etc etc etc.

      Maybe 102IW did have a bad culture and lax security. Or maybe they were reasonably competently run with a few mistakes (which I'll wager all intel organisations have) and their brass have simply been hung out to dry, partly so the Pentagon are seen to be doing something, partly as petty politics within the ranks. Either way we'll never know.

      If firing or reassigning the entire command chain were the norm, then what we would see is thorough attempts by the entire hierarchy to cover up misdemeanours. Arguably that would have been very difficult in Teixeira's case as he was caught from the outside, but in a total blame culture, all the prior evidence within 102IW would have been carefully destroyed, and after the event nobody would admit anything.

    2. collinsl Silver badge

      The US military in general has a penchant for firing commanders when something goes wrong in their commands. Look for example at Captain Crozier of USS Theodore Roosevelt who was relieved for notifying his superiors that COVID-19 was rampant on his ship and he wanted to take action about it.

      https://en.wikipedia.org/wiki/COVID-19_pandemic_on_USS_Theodore_Roosevelt

      The captain was accused of leaking the memo he sent to "20 or 30 others"; however, the one seen by the media suggests it was sent only to 3 Admirals, including his direct superior.

      The USN relieved him mainly because of the bad PR.

      1. Tron Silver badge

        The military are not much different from corporates.

        They just have smarter uniforms and shout more. If something can be buried, it is. If it can't be buried, they scapegoat.

    3. david 12 Silver badge

      In the US military, any mistake is a career-ending event. In war there is room for mistakes, but in peace it's "up or out": Everyone who isn't promoted to one of the fewer spots at higher level is gone at the end of his/her current contract.

  4. Anonymous Coward

    JWICS: protected secure terminals?

    The salient question should be how nobody noticed until Teixeira posted the info to Discord, for bragging rights.

    Cyber War: The Next Threat to National Security and What to do About It:

    “Access to these terminals is more restricted because of their location, but the information flowing on the network still has to go across fiber optic cables and through routers and servers, just as with any other network. Routers can be attacked to cut communications. The hardware used ... can all be compromised at the point of manufacture or later on. Therefore we cannot assume that even this network is reliable.”

    1. DS999 Silver badge

      Re: JWICS: protected secure terminals?

      They can't possibly monitor everyone's access to classified documents to determine if someone is accessing something that their clearance allows them to access but they don't have any need to access. Or that if they access something they do have a need to access that they are misusing it - until there is evidence of that misuse reported like happened when it was posted on Discord.

      How do you expect them to have found out what he was doing before it was posted on Discord? Assign an agent to everyone with a security clearance to monitor every bit of information they access using that clearance? (Note: that may be feasible someday with 'AI', but not today...best they could do is a small random sampling)

      1. johnrobyclayton

        Re: JWICS: protected secure terminals?

        Classified document control is broadly similar to the anti-cheat technology that online gaming uses.

        It is fiddly, causes performance issues, can be buggy, but done properly can do the job.

        File access counters, logging and authorisation checks.

        Document render counters and logs.

        Ensuring that every piece of software that is used to perform any data access function logs where, when, who and what, and is itself digitally signed to make sure that only implementations of the software that have been appropriately built are used, is not hard.

        Making sure that all of this is correctly implemented, deployed and monitored is what his superiors were responsible for. They failed to do so.

        This was a failure at multiple levels and it is appropriate that the multiple levels were indeed disciplined for their failure.

        1. DS999 Silver badge

          Re: JWICS: protected secure terminals?

          This guy worked in IT. He would know his way around those systems far better than whoever is in command or in charge of base security. Same issue with Snowden.

          It is really hard to police the guys who have the root/Administrator passwords unless you do all that stuff "in the cloud" (i.e. in some file server located elsewhere that even the guys with root access don't have any control over). Maybe they do, but if they do it obviously wasn't working well enough to detect this guy - but I suppose instead of downloading 400 files himself he could have downloaded 400 files under the user IDs of 100 other people averaging four files each.

          It has been about 15 years since I held a security clearance, and I never knew exactly what measures they took - and I wasn't about to screw around and find out the hard way! But based on the policies I saw, I can't imagine that if I had wanted to access a bunch of stuff I'm not supposed to that they would have had any clue. Hopefully post Snowden and now post this guy there have been some improvements.

          1. Michael Wojcik Silver badge

            Re: JWICS: protected secure terminals?

            > This guy worked in IT. He would know his way around those systems far better than whoever is in command or in charge of base security.

            I fear the first sentence is insufficient support for the second. I've known people who worked in IT.

      2. ChoHag Silver badge

        Re: JWICS: protected secure terminals?

        > They can't possibly monitor everyone's access

        Not only can they, it's easy and often enabled by default.

        > How do you expect them to have found out what he was doing before it was posted on Discord?

        Computers keep logs.
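The logging that johnrobyclayton and ChoHag describe, as an added example that is not from either commenter nor from any real audit system: a small Python script that parses constructed audit-log lines (the five-field "timestamp user host document action" format and every user, host and document name below are invented for this illustration) and flags two things a reviewer would want from such logs: a single account reading far more documents than the unit's baseline, and, to cover DS999's point about spreading reads across many user IDs, a single workstation from which many different accounts pull documents.

```python
"""Flag anomalous classified-document access from a constructed audit log."""
from collections import defaultdict
from statistics import median

# Constructed sample audit log (not real data). Each line is:
#   timestamp user host document action
SAMPLE_LOG = "\n".join(
    # ten ordinary users, each reading a handful of documents from their own workstation
    [f"2023-02-0{1 + i % 5}T09:{i:02d}:00 user{i:02d} ws-{i:02d} DOC-{1000 + j} READ"
     for i in range(1, 11) for j in range(i % 3 + 3)]
    # one account pulling far more documents than anyone else
    + [f"2023-02-03T22:{j:02d}:00 user11 ws-11 DOC-{2000 + j} READ" for j in range(40)]
    # one workstation used by six different accounts, each reading only four documents,
    # so no single account stands out but the workstation does
    + [f"2023-02-04T01:{j:02d}:00 user{20 + j % 6:02d} ws-99 DOC-{3000 + j} READ"
       for j in range(24)]
)


def parse_log(text):
    """Parse whitespace-separated audit lines into event dicts; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, host, doc, action = line.split()
        events.append({"ts": ts, "user": user, "host": host, "doc": doc, "action": action})
    return events


def flag_anomalies(events, multiplier=3, floor=10, min_shared_users=3):
    """Return users and hosts whose access volume is out of line with the baseline.

    The baseline is the median per-user event count; a user is flagged when they exceed
    max(floor, multiplier * median). A host is flagged when at least min_shared_users
    distinct accounts read from it and its total exceeds the same threshold, which is the
    pattern left behind by spreading one person's reads across many user IDs.
    """
    per_user = defaultdict(int)
    per_host_users = defaultdict(set)
    per_host_total = defaultdict(int)
    for e in events:
        per_user[e["user"]] += 1
        per_host_users[e["host"]].add(e["user"])
        per_host_total[e["host"]] += 1

    threshold = max(floor, multiplier * median(per_user.values()))
    noisy_users = sorted(u for u, n in per_user.items() if n > threshold)
    shared_hosts = sorted(
        h for h, n in per_host_total.items()
        if len(per_host_users[h]) >= min_shared_users and n > threshold
    )
    return {"threshold": threshold, "users": noisy_users, "hosts": shared_hosts}


if __name__ == "__main__":
    result = flag_anomalies(parse_log(SAMPLE_LOG))
    print(f"per-user threshold: {result['threshold']} reads")
    print("accounts over threshold:", result["users"])
    print("workstations shared by many accounts over threshold:", result["hosts"])
```

A median-based baseline is used rather than a mean so that one heavy reader does not drag the threshold up and hide itself; the `floor` keeps very small units from flagging everyone. Real systems would add a time window and a need-to-know check per document, neither of which the constructed log carries.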

        1. amanfromMars 1 Silver badge

          Re: JWICS: protected secure terminals?

          Your answers, ChoHag, to questions surely well asked of consistent and constantly incrementally improving repeated security breakdowns/breakthroughs, suggest an endemic human weakness and systemic administrative failure easily enough rectified by intelligent machines.

          Methinks for now that’s too much of an ask and present step and quantum leap still too far for current leaderships in all of their many disguises to make/take ........ to play human second fiddle in the orchestra pit whilst the maestro conducts the full awesome audience machine front and centre from the podium of an elevated stage position ..... and thus do they condemn themselves to stagnate and fester, both too petrified and too terrified to save themselves with anything newly uncovered/discovered and offered ‽

          For example :-) ...

          In Novel Noble Times and NEUKlearer HyperRadioProACTivated IT Spaces of War, Nation shall Speak Peace unto Nation and Dutifully Await for the Brain Dead to Reply ‽ .

          It is cyberspace and war in it about which I speak. On October 1, 2009, a general took charge of the new U.S. Cyber Command, a military organization with the mission to use information technology and the Internet as a weapon. Similar commands exist in Russia, China, and a score of other nations. These military and intelligence organizations are preparing the cyber battlefield with things called “logic bombs” and “trapdoors,” placing virtual explosives in other countries in peacetime. Given the unique nature of cyber war, there may be incentives to go first. The most likely targets are civilian in nature. The speed at which thousands of targets can be hit, almost anywhere in the world, brings with it the prospect of highly volatile crises. The force that prevented nuclear war, deterrence, does not work well in cyber war. The entire phenomenon of cyber war is shrouded in such government secrecy that it makes the Cold War look like a time of openness and transparency. The biggest secret in the world about cyber war may be that at the very same time the U.S. prepares for offensive cyber war, it is continuing policies that make it impossible to defend the nation effectively from cyber attack. ……… Cyber War/ The Next Threat to National Security and What to Do About It …… Richard A. Clarke and Robert K. Knake

          Cyber war is not some victimless, clean, new kind of war that we should embrace. Nor is it some kind of secret weapon that we need to keep hidden from the daylight and from the public. For it is the public, the civilian population of the United States and the publicly owned corporations that run our key national systems, that are likely to suffer in a cyber war.

          While it may appear to give America some sort of advantage, in fact cyber war places this country at greater jeopardy than it does any other nation. Nor is this new kind of war a game or a figment of our imaginations. Far from being an alternative to conventional war, cyber war may actually increase the likelihood of the more traditional combat with explosives, bullets, and missiles. If we could put this genie back in the bottle, we should, but we can’t. Therefore, we need to embark on a complex series of tasks: to understand what cyber war is, to learn how and why it works, to analyze its risks, to prepare for it, and to think about how to control it.

          Just those three paragraphs from the “Introduction” in “Cyber War/ The Next Threat to National Security and What to Do About It” …… by Richard A. Clarke and Robert K. Knake, tell you more than just enough about all of your problems and difficulties today and your future needs and their seeds to be fed tomorrow before the days after are evidenced with your being far too late to the party again and are now to suffer the consequences of your absence and ignorance of private secret party matters played out there to reverse and prevent any repetition of the past and the troubles with its so many pathetic recurrent mistakes.

  5. AVR Bronze badge

    Fear is a clumsy tool

    Partly, though, it was fear of the security protocols which prevented the security protocols being used:

    > A smaller number of unit members had a more complete picture of A1C Teixeira’s intelligence-seeking behaviors and intentionally failed to report the full details of these security concerns/incidents as outlined in DoD security policies, fearing security officials might “overreact.”

    This is a long-standing problem in the security services where the official protocols are nasty enough that people avoid letting them be triggered even when they should. The context I'd read about it involved blackmail but I think Teixeira's treatment by his co-workers is the same problem exhibiting a different way. Probably there needs to be a middle ground where there are consequences enough to be useful (maybe moving him away from classified info for a start?), without years or even decades of imprisonment being likely.

  6. Paul Hovnanian Silver badge

    Reassigned

    "Commanders previously suspended during the Teixeira investigation were permanently removed, and the entire 102nd ISR Group has been taken off mission and its duties reassigned."

    Probably assigned to KP duty. In charge of peeling potatoes.

  7. Tom Paine

    And yet....

    Despite one of the most sophisticated data control regimes in the world, the US military can't prevent this sort of thing happening again and again. Meanwhile, Acme Paperclips plc spend hundreds of thousands on DLP "solutions". And people wonder why security people either get jaded and cynical, or (even more cynically) go along with such nonsense. I suppose it gets mortgages paid...

  8. amanfromMars 1 Silver badge

    The Greater IntelAIgent Game View for All to See, Hear and Experience

    The much bigger spooky picture nowadays to recognise and accept may be exceptionally problematical, both physically and virtually practically impossible to prevent not being an alien existential threat event and a permanent persistent difficulty able to enable the presentation of a vast, resultantly negatively impacting global geo-political incident, or incidents as the case is most likely to be with a continuous series of such situations being the future norm, rather than not, is ...... the public release and private sharing of sensitive compartment information and top secret intelligence not yet known and classified, and presumed/assumed the exclusive proprietary intellectual property of an insecure national security apparatus.

    And these quotes from a time before, and attributed to Donald Rumsfeld, Former US Secretary of Defense, are both an APT* and appropriate reminder of what's at stake here.

    "Reports that say that something hasn't happened are always interesting to me, because as we know, there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns -- the ones we don't know we don't know." ..... "There's another way to phrase that and that is that the absence of evidence is not the evidence of absence. It is basically saying the same thing in a different way. Simply because you do not have evidence that something does exist does not mean that you have evidence that it doesn't exist."

    And the cheapest way to deal with those situations/incidents/threats, which one does well to accept and realise may well be notoriously expensive to ensure are not catastrophically, irreversibly destructive to all major extant status quo global operations and their responsible and accountable operators/personified leaderships, is pay Unknown Sensitive Secret Resources such exceptional sums as be necessary to withhold/hold off for now any releasing of devastating disruptive secrets ..... thus allowing and providing time for changes to be made and put in place by status quo systems to render the public release and private sharing of sensitive compartment information and top secret intelligence not yet known and classified, a mutually beneficial, positively reinforcing creative and constructive Future ACT ..... Advanced Cyber Treat.

    APT* ...... Advanced and Advancing Persistent Threat or Treat

  9. Anonymous Coward

    Yes....Spying Does Have Unintended Consequences......

    See also: https://www.wired.com/2015/11/yes-the-nsa-worried-about-whether-spying-would-backfire/

    No s**t, Sherlock!!!!!!!
