Accountability — it’s a word you hear a lot in government. Like many in and out of government, the word has been in my head while trying to process the latest breach of trust — and of procedure, cybersecurity practice, and policy — involving classified documents.
The disclosure came a week before the Government Accountability Office published its biannual list of high risk federal programs, more than three dozen of them. Some programs have been on the list since its inauguration in 1990. It shows how poorly large bureaucracies can sometimes perform. Maybe GAO should add the whole apparatus around securing classified documents, on which so many threads come together, like security clearance, cybersecurity, and human capital management
We now know who copied the classified intelligence documents to the Discord site — a 22-year-old Air National Guardsman. He appears to be a sort of child in a man’s body, perhaps unable to distinguish reality, yet who had top secret clearance.
He differs from the highly intelligent, calculating Edward Showden, who had stated whistleblower motivations and fled to Russia. And from Chelsea Manning, beset by inner conflicts, and who pleaded guilty to half of the charges against her. Whatever, the results are the same: embarrassing damage to U.S. national security and prestige.
Each event like this prompts solemn pronouncements, investigations, lists of recommendations. But what about accountability? Air Force Secretary Frank Kendall has ordered his inspector general to look into the 102nd Intelligence Wing. Air Force officials said they suspended that wing’s activities. Defense Secretary Lloyd Austin last week ordered a “45-day review of DoD security programs, policies, and procedures…”
One is tempted to ask, what good are policies and procedures if the people brought into the circle of trust willfully violate them? If you could predict future actions of people like Snowden, Manning, and the Air Force’s alleged perp Jack Teixeira (and there are plenty to add to this list), you wouldn’t have put them in positions of trust in the first place.
This is where accountability comes in. By all means a perpetrator should be tried and punished if found guilty. But in a case like this, that doesn’t equal acountability.
The disturbing issue in these incidents is the organization failure to see and take immediate action on anomalous behaviors. This isn’t simply good practice, it’s also policy. Teixera apparently started posting the documents months ago.
Accountability questions will include:
Downloading, copying, printing — these are all observable activities down to who did it and when. Role-based and need-to-know access privileges form a basic element of cybersecurity. If they were in place, did anyone monitored them?
Despite his clearance, who decided Teixeira could freely access them?
Who supervised him day to day?
Did any reports come in about him, and to whom? If so, what happened then?
Did the wing conduct periodic training and reminders of policy?
Was Airman Teixeira under any sort of continuous vetting program that might have showed weird social media activity?
A common refrain in these incidents runs something like, “Somebbody should be fired.” That may be true, but catastrophic failures are typically the result of accumulating small failures throughout a system. That’s what investigators should be looking for.