Businesses Can Learn From the Classified Pentagon Leak
On April 14th, 2023, 21-year-old Massachusetts Air National Guardsman Jack Teixeira appeared in federal court, accused of leaking classified documents in a Discord group titled “Thug Shaker Central”. Facing charges under the 1917 Espionage Act, Jack is looking at potential decades in prison, and tens of thousands of dollars in fines, per charge. Documents detailing battle maps from the war in Ukraine, which were labeled “TOP SECRET” were shared on the app along with around 350 other TOP SECRET documents. Once released, the documents began circulating after other group members reposted the images across Discord and messaging app Telegram. While the trial is underway and will likely take several months or years to complete, some facts are clear; a 21-year-old low level Air National Guardsman had the ability to access, retain, transport, and disseminate classified documents to a group of teenagers. How did this happen?
According to BBC News,
Mr Teixeira worked as an IT specialist in the intelligence wing of the Massachusetts National Guard, based at Otis Air National Guard Base in western Cape Cod. The National Guard is a reservist wing of the US Air Force. They are not employed full time in the military, but can be deployed when necessary. Mr Teixeira's official title was cyber defense operations journeyman, according to the criminal complaint filed in the Boston court. He held the rank of Airman 1st Class - a relatively junior position. The affidavit provided by FBI Special Agent Patrick Lueckenhoff to the court stated that Mr Teixeira held a "top secret" security clearance since 2021, and that he would have "signed a lifetime binding non-disclosure agreement" to take on his role. Mr Luekenoff added the suspect, "would have had to acknowledge that the unauthorized disclosure of protected information could result in criminal charges".
While Jack’s role may have required top level clearance to the systems which house this data, he most likely did not require access to the documents themselves, moreover the ability to retain and transmit these documents on the public internet.
The affidavit also alleges that Jack used his government computer to search classified intelligence reporting for the word "leak" on April 6th, the day when public reporting about the documents first emerged in what is believed to be an attempt to research to what extent that the government knew of the leaker at the time.
According to the Congressional Research Service,
Under Executive Order 13,526, each respective agency is responsible for maintaining control over classified information it originates and is responsible for establishing uniform procedures to protect classified information and automated information systems in which classified information is stored or transmitted. Standards for safeguarding classified information, including the handling, storage, distribution, transmittal, and destruction of and accounting for classified information, are developed by the Information Security Oversight Office (ISOO). Persons authorized to disseminate classified information outside the executive branch are required to ensure it receives protection equivalent to those required internally. In the event of a knowing, willful, or negligent unauthorized disclosure (or any such action that could reasonably be expected to result in an unauthorized disclosure), the agency head or senior agency official is required to notify ISOO and to “take appropriate and prompt corrective action.” Officers and employees of the United States (including contractors, licensees, etc.) who commit a violation may be subject, at a minimum, to administrative sanctions that can range from reprimand to termination.
A Renewed Focus on Access Control, Least Privilege, Data Classification, and Dark Web Monitoring
While the exact details of this national headline will unfold over the coming weeks, this incident serves as a stark call to action regarding several critical IT security and compliance topics that apply not only to the military field, but to the private sector as well.
Access Control
Access control is an essential element of security that determines who is allowed to access certain data and resources, and in what circumstances. Access control policies rely heavily on techniques like authentication and authorization, which allow organizations to explicitly verify both that users are who they say they are and that these users are granted the appropriate level of access based on context such as device, location, role, etc. Access control reduces the risk of data exfiltration by employees, as was the case with this recent leak of confidential documents. Organizations both public and private must evaluate their current internal access control model to ensure employees are not able to access and download data that is not relevant to their job role.
Least Privilege
The principle of least privilege goes hand in hand with access control and dictates giving a user only those privileges which are essential to perform its intended function. For example, a user account for the sole purpose of creating backups does not need to install software: hence, it has rights only to run backup and backup-related applications. Any other privileges, such as installing new software, are blocked. In the case of the recent documents leak, such an incident might have been prevented if the alleged perpetrator had only been granted essential privileges to complete their job role and nothing further. While it is too early to say whether access to the sensitive data in question was necessary for the accused’s role, the principle of least privilege is an excellent best practice (and in some cases requirement) for businesses to implement to minimize the risk of a similar damaging data breach.
Data Classification
Data classification is the process of organizing data by relevant categories so that it may be utilized and protected more efficiently. The classification process makes data easier to locate and retrieve. Data classification is critical when it comes to risk management, compliance, and data security. An organization cannot expect to institute access control and least privilege policies effectively if their trove of data is not properly classified. Whether improper data classification led to the recently apprehended suspect’s ability to access the leaked data is still unknown. Nevertheless, data classification is an essential process for businesses to consider to adequately manage and safeguard the data they possess.
Dark Web Monitoring
While the documents in questions reportedly first turned up on social media platforms rather than the dark web, many organizations find themselves in an opposite scenario, with hackers or malicious employees looking to sell or expose their organization’s data on the dark web for financial or personal gain. This is where a dark web monitoring tool or program plays a significant role. Although the damage is already done by the that point data appears on the dark web, a dark web monitoring program will enable organizations to respond rapidly to the incident. Management may be able to track down a malicious employee and quickly sever what access they may still have, minimizing further damage and accelerating the damage control measures that must be taken to address a data breach. Without such a program in place, management might go days, weeks, or even months before they are made aware of the data breach they have suffered.
Now that the damaging leaker has seemingly been found, the Pentagon must reevaluate how it vets those who are given access to such sensitive secrets. The authorities only realized that something was amiss when these secrets began to spill beyond the initial Discord group where they were shared. While this breach will continue to unfold in the coming days, there are several IT security and compliance lessons that business leaders can glean from the incident to help ensure their organizations do not suffer a similar fate. For assistance with identifying these risks and implementing policies, processes, and procedures to mitigate them, please do not hesitate to contact the Compass IT Compliance team today!
Contact Us
Share this
You May Also Like
These Related Stories
No Comments Yet
Let us know what you think