Christopher Burgess
Contributing Writer

The classified document leak: let’s talk about Jack Teixeira’s need-to-know

Opinion
18 Apr 2023 | 7 mins
Data and Information Security, Government, Military

The release of classified documents by a US Air National Guardsman highlights how important it is for CISOs to consider who should have access to sensitive data and why.

The arrest of 21-year-old Airman First Class Jack Teixeira last week has inspired myriad reactions, from armchair pundits declaring that 21 is too young to be trusted with classified information, to the need to reform the Department of Defense and the intelligence community, to the US Speaker of the House calling for hearings on how the administration of President Joe Biden could have allowed such a breach to occur. In my opinion, the real concern is the need to reform policies and processes associated with how information is accessed by insiders.

As the case brought against Teixeira unfolds, one realization we don’t have to wait for is that the insider risk management program within the United States Air Force’s 102nd Intelligence Wing at Otis Air National Guard Base failed, and failed spectacularly. A reading of the Department of Justice affidavit in support of an arrest warrant provides a glimpse into Teixeira’s naivete and shows that his actions were malevolent from the get-go.

Teixeira’s access to secrets

When he enlisted, Teixeira was sent through basic training, completed entry-level cyber training, was subjected to the single-scope background investigation necessary to be granted top secret clearance and a sensitive compartmented information (SCI) level of access, and, over the course of two years, advanced in his military operational specialty — cyber defense operations — to the point where he was designated a journeyman.

The Washington Post reported that Teixeira had access to the Joint Worldwide Intelligence Communications System (JWICS) as a cyber defense operations journeyman (1D751, his area of expertise, could have been within any one of these specializations: network, systems, security, client systems, or software development operations).

Is age really a factor in security?

It is easy to say that 21 is too young. That raises the question of who is old enough to keep national secrets. I was 20 years old as a CIA file clerk with a top secret-plus codeword clearance and managed to keep the secrets to which I had access. I also know from my own VIP visit to the aircraft carrier USS John C. Stennis that the average age on the ship was 26; indeed, when an F-18’s engine caught fire on the launch catapult and the well-trained crew went into action, the first person to the pilot was an 18-year-old sailor. She had been on the ship for less than six weeks yet was trained and acted on that training, running straight into the fire to get that pilot out of the aircraft.

The US military by both design and necessity gives great responsibility and expects a tremendous amount of discipline and trust from their cadre, regardless of age. From the revelations on the depth of information he shared on Discord, it is clear the level of trust Teixeira enjoyed was inappropriate.

Access is paramount

Sticking to the revelations made by Teixeira within his Discord channel, one must ask the question: did he have a need to know any of this information on the Joint Worldwide Intelligence Communications System (JWICS) to perform his duties as a cyber defense operations journeyman? Does reading assessments on Ukraine’s defense have any bearing on the defense of the specific network he was assigned to protect?

There is no doubt that there are processes and procedures in place which dictate how the different levels of classified information should be handled. In fact, for one to be allowed access to SCI materials, they are required to sign a statement attesting that they understand that the information is of a highly sensitive nature, that it is not to be shared, and that inappropriate handling carries the potential for both jail time and monetary fines.

The access control processes and procedures which appear to be in place within the systems accessed by Teixeira were role-based. Is this a problem unique to military or government entities? Not by a long shot. It is seen in far too many organizations.

When the decision train surrounding access control is not based on need- or attribute-based access, one is guaranteed there will be oversharing of information. US Defense Secretary Lloyd Austin directed Undersecretary of Defense for Intelligence and Security Ronald Moultrie “to conduct a review of our intelligence access, accountability, and control procedures within the department to inform our efforts to prevent this kind of incident from happening again.”

Behavior as an indicator of trustworthiness

Do CISOs who have individuals in extraordinary positions of trust employ a mechanism to re-evaluate that trust? What type of access control process and procedures are in place? Do your system admins need to see content to know if a system is operating? Perhaps more importantly, is your system designed to remove access to information when the individual no longer has a need to know?

If not, then the CISO needs to rethink the access control process based on the need to know, then factor in the revelation contained within a 2022 study by Beyond Identity that a vast majority of former employees (83%) admitted to maintaining continued access to accounts from a previous employer. Now the scary part: more than half of those (56%) said they maintained the access with the very specific intent of harming their former employer.

The question that looms large is why the printing of classified documents was not viewed as an anomaly by the monitoring systems in place — they were present, right?

The affidavit shares how, on the day that news of his inappropriate sharing of classified information hit mainstream media, he was searching the classified systems for any evidence that the Department of Defense was looking for a “leaker.” Why was there not an anomaly registered based on his behavior within the classified environment as he harvested information from here and there? Furthermore, was there a change in his behavior from when he enlisted until he was arrested?

The continuous evaluation system within the cleared government community is designed to reveal changes in an individual’s life which may indicate the individual’s personal situation presents a potential risk that should be addressed. Such a change is not automatically a suitability disqualifier, but it is one that warrants engagement and determination.

Make need to know a guiding principle for access

Malevolence is one of the prime vectors from which the most severe damage can and does occur. Frankly, we see in Teixeira yet another example of a preventable situation involving malicious behavior. He knew what he was doing was wrong. He knew what he was doing could damage United States national security. He knew that his actions flew in the face of established processes and procedures and he did it anyway because he wanted to be seen within his merry band of followers as what we used to call back in the day the “big man on campus.” He brought to the table information that others couldn’t and frankly didn’t need to see.

By the way, this syndrome isn’t unique to 21-year-old online gamers who have access to national security secrets. The former President of the United States also took documents out of their controlled environment and shared them with individuals who had no need to know. If need to know isn’t your guiding principle in asset/data protection, then you should not be surprised when individuals who don’t need to know end up knowing.

Christopher Burgess is a writer, speaker and commentator on security issues. He is a former senior security advisor to Cisco, and has also been a CEO/COO with various startups in the data and security spaces. He served 30+ years within the CIA which awarded him the Distinguished Career Intelligence Medal upon his retirement. Cisco gave him a stetson and a bottle of single-barrel Jack upon his retirement. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit, Senior Online Safety.
