IE 11 is not supported. For an optimal experience visit our site on another browser.

Corporate America is better at protecting secrets than the Pentagon

The Defense Department appears to lack the will or the capacity to do more than react to the circumstances of a particular leak.

Jack Teixeira, a 21-year-old Massachusetts Air National Guardsman, was arrested Thursday on federal charges of unauthorized removal, retention and transmission of classified national defense information. Authorities say he’s responsible for releasing potentially hundreds of highly classified documents, first within a small online video gaming group on the Discord platform, then more broadly across social media. He was not required to enter a plea when he appeared in court Friday.

Corporate America has better insider threat programs than the Defense Department does.

The allegations against the suspect highlight a dangerous and embarrassing disparity: Corporate America has better insider threat programs than the Defense Department does. Our vulnerability to such threats is a problem that the Pentagon and Congress must address now.

It was in 2010 that Chelsea Manning, then a 23-year-old Army intelligence analyst, stole and shared nearly 750,000 classified and sensitive documents leading to their dissemination by Wikileaks. In the aftermath of that intelligence disaster, the Pentagon rethought its cybersecurity protocols to mitigate the chances of such a massive leak happening again.

At the time of that hemorrhage of secrets, the Defense Department admitted that only 60% of its computer systems were equipped with software capable of “monitoring unusual data access or usage.” Cybersecurity expert Hemu Nigam remarked then, “Only 60%? That’s ridiculous. You would never hear a corporation saying they have anything less than 90% cybersecurity.”

Then in May 2013, National Security Agency contractor Edward Snowden leaked over a million classified documents to the media. Snowden, who is wanted by the federal government, has taken refuge in Russia to avoid extradition and prosecution. The Defense Department said changes were made then, too. But those changes were clearly not enough.

The Defense Department appears to lack the collective will or the capacity to do more than react to the specific circumstances of a particular leak. Manning was an intelligence analyst; so the Army limited broad access for intelligence analysts. Snowden was a contractor; so the defense community granted fewer contractor clearances. Now comes Teixeira, a “cyber transports systems journeyman,” similar to an information technology specialist, accused of yet another leak. Expect, then, to hear demands that the Pentagon crack down on IT personnel.

Typically, IT professionals are allowed access across systems so they can maintain and fix technical issues. It’s the kind of role that the Defense Department should have identified as a high-risk insider threat. In fact, it already had a heads-up: Snowden was an IT systems administrator.

There are at least two measures the Pentagon should implement to tackle the problem of insiders deliberately leaking classified data.

First, access to classified documents must be far more limited and better locked down than it ever has been. All top-secret data should be encrypted so that even if IT specialists try to read documents they’re not supposed to access, all they’ll see is gobbledygook. My mechanic doesn’t need to read the registration and insurance information in my glove box. That’s why I keep it locked when my car is in the shop. Similarly, IT specialists don’t need to read the content in whatever system they’re helping maintain.

Additionally, and though it may sound counterintuitive given what just happened, the Defense Department might need more, not fewer, IT specialists so their respective responsibilities can be confined to fewer systems.

Though it may sound counterintuitive given what just happened, the Defense Department might need more, not fewer, IT specialists.

Second, alerts must be put in place when someone is doing something they shouldn’t be doing with classified data. The Defense Department should adopt the best practices of the corporate world with regard to algorithms and filters that alert security when employees or contractors are trying to access high-value data they don’t need to see, when someone is sending an email externally that contains a sensitive attachment or when someone is printing data that’s been tagged as a company crown jewel. These alarm bells have been in place for years in the corporate world, even for small businesses, and it’s time for the Defense Department to figure out how to set its own alarms. The Pentagon needs to act more like an agile business and less like an aging battleship adrift at sea.

What the Pentagon should not do is stop recruiting 20-somethings into IT and cyber jobs. Teixeira’s arrest has prompted many to ask why someone so young was handed a critical computer systems role, but the reality is that this is the norm across the military. This young demographic is precisely the group that possesses the essential — and perishable — skill sets needed to protect national defense information from our enemies. The Defense Department just needs to work on protecting that data from those very same young recruits who haven’t yet assimilated into the military culture nor have had time to grasp the gravity of their mission. This age cohort grew up online, in a digital world where they trust people they’ve never met and where real-life is conflated with just another online video game challenge.

Congress and media organizations need to ask the hard questions that will put pressure on the Pentagon to protect the nation’s secrets at least as well as high-profile companies protect theirs. What Congress and news outlets should not do is mischaracterize Teixeira as some high-minded whistleblower. His alleged disclosures are damaging and, according to The Wall Street Journal, were further disseminated and amplified by at least one pro-Russian platform. Teixeira’s own Discord buddy — who knew him as “OG” — expressly explained to The Washington Post that the 21-year-old was not remotely driven by exposing fraud, waste or abuse. That friend, according to the newspaper, said, “I would definitely not call him a whistleblower. I would not call OG a whistleblower in the slightest.” In fact, Teixeira appears to have been driven by a twisted desire to impress his friends.   

Yet, Rep. Marjorie Taylor Greene, R-Ga., who sits on the House Homeland Security Committee, and Fox News host Tucker Carlson have tried to turn Teixeira the alleged traitor into Teixeira the hero. They’ve manufactured a motive for Teixeira that fits their anti-government mission to topple a make-believe left-wing deep state by exposing national secrets and maligning the FBI and the Justice Department for pursuing threats to our democracy, such as the leaks of classified documents. That’s despite the inevitable damage of Teixeira’s revelations to Ukraine’s war efforts, our relations with allies and the potential executions of American sources once Russia determines which of its officials are tied to the leaked intelligence.

Lawmakers and newsmakers siding with alleged traitors who unlawfully retain and transmit classified information will make it much harder for the Defense Department to get the budget and resource support needed to adopt the best practices of corporate insider threat programs. In fact, in making such arguments, people such as Greene and Carlson present their own insider threat to our nation’s security. Unlike Teixeira, whose youth some may cite as a factor in the allegations against him, Greene and Carlson are certainly old enough to understand the gravity of the damage they’re doing.