The leak of classified Pentagon documents through a popular messaging platform is not about the leaker's maturity, whistleblowing, or even the war. It's about people and the need to propel and maintain a trusted workforce to mitigate insider risk proactively.
Since news broke that National Guard Airman Jack Teixeira posted sensitive military documents on the Discord platform, there has been significant debate surrounding how the government handles national secrets in a post-9/11 world.
There is an argument that Teixeira had too much access — that, in his "low-ranking" role, he did not need to know certain information that, circulated in the public domain, posed a "very serious risk to national security."
Of course, access control is important, but it's just the tip of the iceberg. At the end of the day, Teixeira was authorized and cleared. Any question about his age misses the point. What's important to note is that, by virtue of his security clearance, he was trusted.
As far as the consequences go, only time will tell. But one thing is sure: The leak has played right into the adversary's hand, all without them lifting a finger. There is no doubt that foreign actors will look to exploit this perceived internal weakness, which makes it even more prudent to tackle the issue head on.
Breakdown of Trust
By most accounts, it appears Teixeira was not motivated by the whistleblower intent exhibited by Edward Snowden or Chelsea Manning several years earlier. More likely, he was trying to boast to his online counterparts. What the Teixeira, Snowden, and Manning cases have in common is that each involved a breakdown of loyalty to their employer. And when loyalty is broken, so too is trust — and harm, however manifested, is a natural byproduct, whether intentional or not.
In the Teixeira's case, there are several questions that need to be addressed:
- At what point did Teixeira become disloyal to the National Guard?
- Were there red flags for risk in the lead up to the leak?
- Did the National Guard even know what red flags to look for and how to find them?
- What could the National Guard have done differently to obtain and maintain Teixeira's loyalty and, when that failed, to turn the hose off before the leak occurred?
Of course, the complexity of people means there is no silver bullet to gaining trust. Humans are fallible. People change, and good people do bad things all the time without being inherently bad.
Even so, addressing these questions can help government entities maintain trust over time and proactively detect and deter insider risk.
Preserving Insider Trust in the Military: A Work in Progress
The Defense Counterintelligence and Security Agency (DCSA) has been implementing changes under the Trusted Workforce 2.0 strategy, a whole-of-government approach to reform the personnel security process.
Set to take full effect by late 2023, the strategy "reimagines what it means to establish and maintain a relationship of trust with an individual throughout their affiliation with the government."
A centerpiece of the strategy relates to personal vetting, which replaces periodic background checks (every five or 10 years) with a continuous vetting system.
The new system is designed to mitigate risk early by alerting security officers about any potentially suspicious activity in real time. This includes significant life changes that have the potential to increase insider risk.
This is a significant leap forward in enabling the Department of Defense to proactively deter insider risk; by detecting such indicators in real time, it can address risk before a security incident occurs. Importantly, it can decide the best course of resolution depending on the level of risk posed. For example, where a divorcee might require support and risk-based training, someone engaging in extremist political activism might grant cause for further investigation.
Preventing Insider Threats: Actionable Data at the Right Time
In many ways, the Pentagon leaks confirm that the Trusted Workforce 2.0 strategy and the continuous vetting system are on the right track, it's just unfortunate that so many risk indicators weren't detected this time around. Hopefully other federal entities will take stock.
While the continuous vetting system addresses the time component, the government must make sure to capture and correlate the right data at the right time. This includes data sets covering cyber, human, organizational, and physical terrain. If there's a lesson from the Pentagon leaks, this is it.
Going forward, gaining the right data at the right time will require an ongoing collaborative effort across government and industry to fill gaps in expertise and knowledge.
Social media monitoring might have gone a long way in the Teixeira case, but it will always be a grey zone, and rightly so; no one wants a big-brother approach. Understanding what to look for, and when, and how to resolve for it in a responsible way is prudent to delivering a trusted workforce. Identifying and closing these gaps will take cross-cutting collaboration, but for the sake of national security, it will be worth it.