How do you stop a 21-year-old national guardsman like Jack Teixeira from leaking classified information? Wrong answers to this question have quickly become very popular. One theory is there are “too many [people] with access.” Another is that Teixeira was too young to have access. Or that the government needed to continuously monitor his social media accounts.
Yet Teixeira had the right level of access for someone doing his job. And monitoring his social media would have only turned up the leaks well after the documents were stolen.
The real priority for fighting leaks should be to monitor the behavior of cleared personnel on classified networks. Teixeira’s unusual use of printers should have been a red flag. Real-time monitoring of file transfer systems could also have exposed him. Real-time observation of such anomalies is the most effective way to catch the horse on its way out of the barn, not when it is already grazing in the neighbor’s pasture.
Teixeira was an IT specialist in the Massachusetts Air National Guard, who obtained a Top Secret security clearance in 2021. To gain clout with other users of the messaging platform Discord, Teixeira claimed that he could exfiltrate and publish classified information from the secure military networks he could access. As early as February 2022, according to press reporting, he began publishing classified information in chat groups, and later, on a Discord server that he led.
To exfiltrate classified information, Teixeira reportedly began by simply transcribing intelligence documents verbatim, stuffing them in his clothing and returning home where he took pictures of the information. Over time he began printing some of these documents, photographing them at home, and posting them on his Discord channel.
A New York Times investigation shows it took more than a year for the government to detect that classified documents were accessible on social media. However, even continuous social media monitoring would only have caught Teixeira after he had successfully exposed secret information. Though he posted small amounts of information at a time over the course of a year, a more malicious insider might have stolen far more data before leaving any trace of it on social media.
While classified networks have been a target of espionage since they first came online, it was only in 2011 that the United States began establishing governmentwide insider threat policies with the issuance of Executive Order (EO) 13587. The order created a task force under the attorney general and director of national intelligence which then issued an insider threat maturity model and a security systems directive. The former briefly discussed how organizations can “employ behavioral science methodologies to help identify indicators of potential insider threat” while the latter describes the minimum technical means to protect federal systems from insider threats. It requires keystroke monitoring, screen capture, tracking documents and collecting user data, including data import and export.
The Defense Department, meanwhile, expands on the EO with its own insider threat program which requires, among other things, the “monitoring of user activity on DoD information networks, and other sources as necessary and appropriate to identify, mitigate and counter insider threats.” Along the same lines, guidance from the National Institute of Standards and Technology recommends tracking and documenting incidents as well as monitoring and logging user activity. While such initiatives are well positioned to log abnormal network activity, what qualifies as an ‘incident’ is still something ill-defined by all the above policies.
The critical gap in the government’s insider threat policies is a lack of guidance on how to analyze and respond to the data agencies collect about user activity. First and foremost, agencies need a baseline of normal user behavior since they cannot detect anomalous activity without a benchmark against which to compare it.
In the case of Teixeira (and previous insider threats such as Edward Snowden, Chelsea Manning and Reality Winner) it appears security personnel were not effectively monitoring the Massachusetts Air National Guard’s file transfer/management system in real-time for anomalous activity, or the indications of insider threat activity dig not trigger a response. While Air National Guard security personnel likely have a record of Teixeira’s suspicious user activity, no one applied adequate behavior analytics to detect irregular use. The issue is not that too many users have access, but that effective indications of abnormal activity are not being flagged.
One specific activity that should have raised a red flag was Teixeira’s printer activity. While cleared personnel often have the ability to print the kinds of documents he did, he should not have been able to remove these printed documents so easily from secure facilities. It appears that network security personnel did not institute (or properly execute) guidelines around the access and use of printers in accordance with Defense Department policies. An effective system would have required supervisor authorization for printing classified material and notification to the facilities security officer that classified documents were printed, requiring storage in a safe or the need to be shredded. The Pentagon should therefore review the implementation of existing policies on printing or devise new ones. Outside of the Pentagon, the U.S. government should ensure the implementation of best practices which require a chain of custody throughout the lifecycle of classified material.
In today’s world, where sensitive data and valuable assets are increasingly vulnerable to insider threats, it is imperative that organizations take proactive measures to detect and prevent such attacks. While traditional security measures such as zero trust architectures and access controls are still necessary, they are not sufficient to protect against the threat posed by insiders. The use of user behavior analytics is a promising solution that can help organizations combine characteristics of people, processes and technology to better identify suspicious activities and patterns indicating an insider threat.
Dr. Georgianna Shea is the chief technologist of the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD). Logan Weber is a CCTI research analyst. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.