The Teixeira leak: an ignoble betrayal of trust and an avoidable security failure

Trust is a word much bandied in information security, often it seems as a table stake in the cybersecurity game. We have zero trust, in which we create an environment and culture where the goal is to protect data in every instance. Then there’s insider trust, trusting colleagues to keep corporate secrets or to speak up when they see something awry.

When trust is broken, the consequences can be devasting.

The recent public release of the Air Force Inspector General’s report on the case of US Air Force Reserve Airman Jack Teixeira tells a tale of mishandled classified information, a breach of least privileged access, and colleagues who failed in the responsibility entrusted to them when they noticed Teixeira wandering outside the expected pattern of his life. The actions of 21-year-old Teixeira, a cyber defense operations specialist, in leaking classified documents related to the war in Ukraine on the social media platform Discord, highlight how easily trust can break down in even the strictest of environments.

Teixeira leak prompts quick change to DoD insider risk management

Lest we underestimate how damaging the leak was, after a 45-day security review of the unauthorized disclosure, US Secretary of Defense Lloyd Austin issued a memorandum creating a new entity, the Joint Management Office for Insider Threat, and Cyber Capabilities to address insider risk within the Department of Defense (DoD) and ensure user activity monitoring (UAM). In addition to addressing the insider risk issue, the memorandum spoke to the need for more attentiveness to the trust and responsibilities in the management of classified materials and those environments to include electronic devices within those classified spaces.

Even that may fall somewhat short of plugging all leaks, according to Rajan Koo, co-founder and CTO of DTEX Systems. “The requirements for UAM were created over a decade ago and focus on user surveillance, where the data captured is only useful after a data leak has occurred,” Koo says. “In other words, most UAM tools capture reactive data that can’t be actioned to stop leaks occurring in the first instance.”

It is often said the weakest link in the protection of information is the individual. I have long advocated that the individual is the linchpin that holds the entire protection schema together and thus should be the strongest link. The actions by those in Teixeira’s chain of command clearly demonstrated that my point of view, while perhaps correct most of the time, is not an absolute as the Air Force inspector general noted both a “lack of supervision” and a “culture of complacency.”

When those who should care don’t, the chain of security breaks

The report notes as a “computer/IT specialist in the 102d Intelligence Support Squadron (102 ISS), A1C Teixeira had access to numerous classified systems, including the Joint Worldwide Intelligence Communications System (JWICS), a TS/SCI platform, to perform system maintenance.” To be blunt, Teixeira was swimming outside of his lane when he began his forays to obtain and then post classified information within the Discord chat room. The report continues how there were “at least four separate instances of his questionable activity” of which members of his reporting chain and leadership were aware.

The report notes that the 102 ISS included individuals with job responsibilities like those of Teixeira so they might better understand the mission and the importance of keeping the network operating. The inspector general continues that these briefings exceeded the “need to know.” This is important: He was an IT specialist whose duties were to keep the system up, not perform intelligence analysis on the classified information which was being passed through the network. And those above him were aware.

His notetaking on classified content was observed; his asking pointed and specific questions on classified information was also noted and questioned. These anomalies were noted in “memorandum for the record” and his colleague/supervisor admonished him, but the buck stopped there, far from where it needed to. These incidents “were not reported to the proper security official.” Those within the 102 ISS kept the incidents in-house at the squadron level, as if no one outside of their office needed to know that classified materials, materials for which these individuals were not the originators, had potentially been compromised.

Air Force report finds a cascade of security failures at every level

The Air Force report is scathing in its findings:

“The primary cause of the unauthorized disclosure is the alleged deliberate actions of one individual, A1C Teixeira. However, there were also a number of contributing factors, both direct and indirect, that enabled the unauthorized disclosures to occur and continue over an extended period of time.”

“The preponderance of the evidence shows three individuals in A1C Teixeira’s supervisory chain had information about as many as four separate instances of security incidents and potential insider threat indicators they were required to report. Had any of these three members come forward and properly disclosed the information they held at the time of the incidents, the length and depth of the unauthorized disclosures may have been reduced by several months.”

The Washington Post reports that 15 individuals within the Air National Guard received disciplinary reprimands as a result of the IG inspection.

At the recent DoDIIS Worldwide conference hosted by the Defense Intelligence Agency (DIA), I had the opportunity to query Douglas Cossa, the agency’s CIO, on how the update of JWICS may help within the counterintelligence/counterespionage effort to detect anomalous behavior by users and alert staff via the use artificial intelligence (AI) in a proactive manner.

Using Teixeira as an example, Cossa asserted that his anomalous behavior at the outset may have been an opportunity to address how his actions were increasing risk and for proactive engagement. He noted that the construct of the JWICS was global, always on, always available (picture a wide area network) and that the distant network becomes a local responsibility.

Mac Townsend, acting chief data officer for the DIA, also highlighted that the updated JWICS will present opportunities for proactive engagement as pattern-of-life anomaly detection is availed.

Learning lessons from the Teixeira debacle

It is not enough to have processes, procedures, background checks, and technology designed to identify when an individual takes an action that may increase the risk to the information being protected if the culture of security is absent. You can have all the bells and whistles in place, yet if there is an unwillingness to do the right thing, every time, then you in reality have a house of cards which is built upon a foundation of arbitrary behavior and decision-making. Trust is the foundation of any and every security regime.

As has been said before, and appears to be apropos to this incident, those not thinking about security constantly, consistently, and conscientiously may wish to consider their own job security.