What the Discord leaks reveal about the Pentagon's own cyber security
Cyber warfare is the future of war. And in many ways, that future is already here. So, is the United States ready?
Today, On Point: What the leak of hundreds of highly classified national security documents reveals about the Pentagon’s own cyber-security and its readiness for cyber war.
Patrick Tucker, science and technology editor at DefenseOne.
Jaspreet Gill, who covers defense networks and emerging technologies for the online publication Breaking Defense.
Admiral Mike Rogers, former commander of the U.S. Cyber Command and director of the NSA. Retired four-star Navy admiral.
MEGHNA CHAKRABARTI: Here’s a metaphor for you. You’re a Cold War era spy. You infiltrate the enemy’s inner sanctum. Pull out your tiny camera and photograph top secret documents, then quietly deliver that tiny roll of microfilm to your handler. Or mail a microdot full of secrets home in a letter. Few eyes ever see those images. And the microfilm eventually disappears into the archives.
Sounds familiar, right? Straight out of the movies. But today, in reality, the whole world is interconnected online. If someone, say, a young, low ranking Pentagon employee puts top secret documents on the Internet, it’s as if that tiny roll of microfilm gets instantly projected around the world.
Now, cyber conflict will be central to all war fighting from now on. For example, in just the first few months of Russia’s invasion, Ukraine absorbed or fended off more than 50 cyberattacks and launched many of its own. Back in the United States, the Pentagon is full speed ahead, developing cyber offenses and defenses.
But of course, the Pentagon’s data defenses were recently shown to have disturbing vulnerabilities. 21-year-old Jack Teixeira was arrested this month in connection with one of the worst leaks to come out of the Pentagon in recent memory. The Massachusetts U.S. Air National Guardsman was essentially a low-ranking I.T. worker, but he received top secret clearance to maintain various Air Force computer networks.
And he allegedly used that clearance to dump hundreds of classified documents into a social media chat room. He’s been charged with two counts of espionage. So how ready, really, is the Pentagon, i.e., the United States Department of Defense, our military? How ready is it to both wield and defend against information as a weapon of war? Well, Patrick Tucker joins us. He’s science and technology editor at DefenseOne. Patrick, welcome back to the show.
PATRICK TUCKER: Hey, thank you so much for having me.
CHAKRABARTI: Also with us today is Jaspreet Gill. She covers defense networks and emerging technologies for the online publication Breaking Defense. Welcome to you.
JASPREET GILL: Hi. Thank you for having me.
CHAKRABARTI: Okay. So first of all, I want to start out with what’s latest or what we know most recently about what Jack Teixeira is alleged to have done. I mean, Jaspreet, I’m reading here that it seems as if there are social media accounts or postings from him that may have contained classified documents as early as February of last year. I mean, so how far back does this go?
GILL: Yeah, exactly. It goes back to last year, but most of the reporting has been focused on recently this year. What was unveiled was a couple of hundred pages of sensitive and classified documents. And those documents painted a picture of the Russia-Ukraine war. And it also included … information on adversaries like China and its weapons tests and how U.S. intelligence keeps tabs on its allies. And it was leaked over Discord, which is a social media app. It’s voice, text, video, and it’s popular with the gaming community and allows users to create their own servers or join existing servers. So through that, Jack unveiled those documents.
CHAKRABARTI: You know, it’s interesting. I’m seeing here that Discord’s chief legal officer said a little bit earlier this month in a statement that classified military documents pose a significant, complex challenge for Discord and other platforms. Because there’s, quote, no structured process for the government to communicate whether documents posted on social media are classified or even authentic. Patrick Tucker, what do you think about that?
TUCKER: Yeah, that’s a huge problem. This is a result in part of a kind of massive dysfunction that exists in classification of information, one that national security leaders have acknowledged and complained about vocally on Capitol Hill. The United States government classifies too much stuff. It doesn’t have the most up-to-date means for keeping or using classified information in a way that’s … usable.
There’s an enormous backlog of people that need clearances to deal with this stuff administratively, but there’s also a huge number of people that just have classified access and aren’t using it actively. But mostly the Pentagon and really the national security community in general don’t have any sort of like data-driven strategy for determining how long something should be classified or how long something can be classified.
CHAKRABARTI: We’re going to come back to that because a little bit later in the show, we’re going to be hearing from someone who was actually charged with helping make military data more secure for the United States. But Jaspreet, let me ask you, it seems quite amazing to me, and amazing to everyone, that someone like Jack Teixeira could allegedly have been posting what are classified documents to a gaming chat room, essentially, for a year. And nobody noticed. When at the same time, and you’ve reported on this, the Defense Department itself last year identified the threat of internal leaks as a major security vulnerability for the Pentagon. Can you tell us a little bit about that report?
GILL: DOD told me that combatting an insider threat that has legitimate authorization, like Jack did (he held a top-secret security clearance and sensitive compartmented access), is one of the most difficult, if not the most difficult, challenges that the department has when it comes to protecting information. And now it’s really moving ahead. The department is moving ahead on this security concept called Zero Trust. And that’s exactly what the name implies.
It, you know, assumes that all users and devices, whether inside or outside an organization’s network, cannot be inherently trusted. So last year in November, DOD released its Zero Trust strategy. And to go along with that, there was an implementation plan. And the strategy itself outlined this timeframe of 2027 for what it called targeted Zero Trust, which is a set of baseline Zero Trust capabilities that need to be implemented across the entire enterprise. And then those would be followed by a more advanced level of Zero Trust. So they’re really trying to move ahead on the security concept.
CHAKRABARTI: Okay. But I want to just emphasize to people that how clear the Pentagon’s own internal assessment was, as you reported last year, because I’m seeing a more recent statement to you from David McKeown, the DOD’s chief information security officer, because I believe it was April of this month that he told you that an insider threat with legitimate authorization and access to information remains one of the most, if not the most difficult challenges in protecting information. Was the report from last year about the dangers of those insider threats as clearly worded as that?
GILL: I would say, you know, DOD recognizes that … insider threat. But I think that this particular case really highlighted the fact that they need to focus just as much as they do on the outside threat to the inside threat as well.
CHAKRABARTI: Patrick Tucker, what would you say to that?
TUCKER: Yeah, I think that the Defense Department has recognized the growing challenge of insider threat detection and mitigation, really going back for a very long time. And they have made incremental changes over the years. So you see, for instance, the mandate on implementation of Zero Trust security architectures. You also see a move towards continuous evaluation that’s now Defense Department wide. And that’s just a change in the way the Defense Department evaluates people that have clearances.
So going from, for instance, you know, in awarding the clearance, talking to a bunch of people that the individual used to know, figuring out whether or not they’re trustworthy and then going back and revisiting that trustworthy designation on a note every 3 to 5 years. Now, what the Defense Department does is remain open to kind of notifications about big changes like arrests. A divorce could be an indicator that someone is rising in the potential to become an insider threat, a big life change. But even that wouldn’t have caught this particular case in large part because this kid, 21 years old, didn’t have a lot of credit card debt or anything that would have pinged continuous evaluation.
So it’s this ongoing struggle and there’s a lot of bureaucratic obstacles in place. When you talk about a Defense Department trying to predict potential insider threat behavior among a serving population, that is incredibly large and it’s kind of a political hot button issue, too, because there are, you know, social media postings that can be seen as indicative perhaps of insider threat behavior. And the Defense Department, as well as the entire national security community, has legal right to look at those and use those as part of an evaluation of someone’s potential. But there’s no policy that says exactly how they can do that. And there’s a lot of disagreement about whether or not that constitutes something like undue government surveillance over the serving population.
CHAKRABARTI: I see. Now, Jaspreet, in your reporting, officials have told you that maybe this whole Zero Trust philosophy or security environment might have stopped Teixeira, but that you can’t fully prevent someone from stealing information and getting it out of a secure military facility unless you remove their access entirely. That’s the only guaranteed way to do it.
GILL: Right. And, you know, implementing Zero Trust isn’t a process that just happens overnight. It takes time. And in this particular case, we saw Jack began by transcribing the documents over Discord, and then he started physically taking the documents home. So when something like that happens, it could be something beyond Zero Trust, because the only way to stop something like that would be a physical inspection of whether the documents are leaving the facility or not.
CHAKRABARTI: For we lay folks out there, can you give us the simple, like, couple sentence definition of what Zero Trust management philosophy actually is? How would you describe specifically what it is?
GILL: Sure. So it’s a security concept and, you know, the name really is what it is. It assumes that no users or devices on the network, whether inside or outside the network, can be inherently trusted. And it basically operates under the assumption that attackers have already breached an organization’s network.
And some of the main tenets of this concept include things that we’ve already mentioned, like continuous monitoring of all network activity; multifactor authentication, which I’m sure everyone is familiar with if you have something like an online banking account, for example, or use Twitter or Facebook; and it emphasizes least-privilege access, which basically means that a user should only have access to what they need to perform their job functions.
CHAKRABARTI: You were telling us about the things, or the tools or methodologies, that are involved with Zero Trust information environments that the Pentagon is moving towards. I just wanted to give you a chance to finish your thought.
GILL: Sure. So one note I think is important to make here is that not all Zero Trust models are the same, meaning that broadly, while the end goal is the same, to prevent, you know, potential threats and breaches, it really does come down to the individual organization’s own policies, the size of the organization’s network, the types of data that they’re working with and to what extent they employ things like monitoring the users. And this is completely different from the traditional approach.
CHAKRABARTI: Patrick, just quickly, do you see the Pentagon as not having all of these tools in place, but are they moving with enough determination, do you think, towards getting sort of a true Zero Trust environment in place to hopefully prevent … future leaks?
TUCKER: Well, it’s hard to say. There’s so much leaking in the case of Teixeira that it’s hard to say exactly how, like, when it might have caused an intervention effect. If you talk to military leaders, they say that we’re very serious about this and they want to move out as quickly as possible. There is a policy that guides them to do that. But, you know, you also run into this problem where you have a lot of different networks. You have a lot of classified information.
And so moving all of that into a Zero Trust architecture means, you know, doing a really pervasive sweep of all of that stuff and then figuring out how to bring it all into a more modern environment. And this speaks to kind of a big problem that, yeah, the Defense Department is trying to move very quickly, but it’s also an enormous bureaucracy. And, you know, there’s also a lot of priorities that it has. Like, you know, establishing Zero Trust architecture is a priority as well as developing next generation hypersonics, as well as developing defensive mechanisms for next generation hypersonics, as well as supplying weapons and aid to the fighters in Ukraine. So how well it can do all of these things at once. You know, this is a priority amongst many, many priorities.
CHAKRABARTI: Okay. So Patrick and Jaspreet, hang on for a second. In a moment, we’re going to hear from someone whose job it was specifically to prepare or defend against these kinds of information leaks. But before we hear from him, I want to just play quickly a thought from Nicole Perlroth, because she covered cybersecurity and digital espionage for The New York Times for years and is the author of a book about how the NSA’s most powerful cyber weapons were leaked to the world.
And when she looks at the case, she says the fact that a lot of those documents ended up on Discord tells her that the insider threat problem is not going away for the Pentagon.
NICOLE PERLROTH: I, for one, was very surprised to see that, again, a low level I.T. administrator would have this much access to this much intelligence, be bringing it home, be sharing it online on this Discord channel with his buddies, and that it would take them this long to figure out what was happening. That is really a failure of security within the federal government. And I think, I hope, that this is yet another wake up call that unless they figure this out, this is just going to keep happening.
And it’s going to get worse and worse.
CHAKRABARTI: So when Nicole Perlroth says she was surprised to see that, again, this is happening, she is referring there back to the Edward Snowden leaks in 2013. So that brings us to Admiral Mike Rogers. He’s former commander of U.S. Cyber Command and director of the NSA. He retired as a four-star Navy admiral and is currently senior advisor at the consulting firm the Brunswick Group. Admiral Rogers, welcome to On Point.
MIKE ROGERS: Thank you for the opportunity.
CHAKRABARTI: So first of all, give me your thoughts about the fact of the … leaks and that they’ve been apparently allegedly going on for so long without the Pentagon knowing about it.
ROGERS: So I think it clearly speaks to: we’re not where we need to be. There shouldn’t be any doubt in anybody’s mind that … the Department of Defense, and I’ll just give you an opinion, I’m not a member of the department anymore, is not where it needs to be with respect to security. I mean, I lived this personally as I became the director of NSA in the aftermath of Snowden’s theft of classified information. So, you know, I’ve led an organization that was trying to address, hey, how are we going to deal with the insider threat within our segment, the NSA segment, of the Department of Defense. It’s interesting.
If you look at the trend in the last few years, look at Snowden, Manning, this latest issue, leakers have tended to be young and junior individuals of late, which is a little different than the historic norm. And I’m trying to figure out, so what are the implications of that? Is this just something unusual? Is this something more fundamental? But it clearly, I think, highlights we have granted a wide level of access to a whole lot of people. And we have not applied technology as broadly as we need to ensure those individuals who have been granted access … have some measure of oversight or control in some ways. And we’re not there yet.
CHAKRABARTI: Okay. So with that in mind, though, I’d like to mine your expertise in the aftermath of the Snowden leaks in 2013. I mean, because in a sense, you know, the old cliche about the military always fighting the last war. I mean, what lessons were learned post-Snowden?
ROGERS: Well, I think, again, the issue gets to be what controls do you put in place to ensure you have a level of awareness of what your authorized users are doing? Because in this case, he was an authorized user. He was an I.T. administrator who had been granted, it appears, a fairly wide set of privileges, because it appears he needed to use those privileges to actually execute oversight of this classified network. He used those privileges, though, to actually access content on the network and then either transcribe it initially, photograph it, or ultimately print it out and pull it. The things that I wonder about are, number one, are we providing access too broadly?
And number two, are we failing to apply technology to really understand exactly what our authorized users are doing? Because one of the challenges with a Zero Trust approach, for example, is it probably wouldn’t have done anything in this case. It’s largely designed to ensure that the individuals, for example, who are on your network structure are actually the authorized individuals, and it isn’t someone who has assumed another identity. And that’s not the scenario in this case. He was an authorized user who used his authorized access for an illegal purpose.
CHAKRABARTI: Right. So we’ll talk more about what the latest leaks tell us about needed areas of improvement. But, Admiral, I’m wondering if you can describe what measures were put into place since Snowden, and you mentioned Chelsea Manning as well. … What measures have been put into place?
ROGERS: I wasn’t responsible for DOD, the Department of Defense, as a whole. I don’t want to go into maybe the classified things we put in place at the National Security Agency to ensure it wasn’t replicated. But in general, I would say you review: Have you granted too much access? So you try to cull down the numbers. Secondly, what is the nature of the access you’ve granted? Is it too broad? Do you need to really clamp it down?
And then lastly, what are the tools that you can put in place to ensure you have a level of awareness about activity on your network structure? From simple questions like who is accessing what information? When? For how long? For what purpose? How are you handling things like printers and other devices, for example a thumb drive that you can enter into the system? Are you restricting the ability to remotely access your network structure? And we did all of those things within the National Security Agency in the aftermath of Mr. Snowden.
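The following is an added example and not code from the broadcast, from any of the guests, or from any Department of Defense system. It takes the controls Rogers lists at the end of the interview (who is accessing what information, when, how much, and through which channel such as a printer or thumb drive) together with the least-privilege tenet Gill describes, and turns them into a small triage pass over a classified-document access log. The role table, user names, compartment labels, log format and the 1.5x-median volume threshold are all invented for illustration; the log lines are constructed, and the point of the sample is an account that authenticates legitimately (so an identity-focused Zero Trust check passes, as Rogers notes) but behaves outside its role.

```python
# Added example: insider-threat triage over a constructed access log.
# Not code from the transcript or from any DoD system; every user, role,
# compartment, log line and threshold below is invented for illustration.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from statistics import median

# Hypothetical least-privilege policy: the compartments each role needs to read.
# A system administrator keeps the network running but needs no document content.
ROLE_COMPARTMENTS = {"analyst": {"EUROPE", "ASIA"}, "sysadmin": set()}
USER_ROLE = {"analyst01": "analyst", "analyst02": "analyst", "admin07": "sysadmin"}

# Constructed log lines: "<timestamp> <user> <action> <compartment> <object>"
SAMPLE_LOG = """\
2023-02-01T09:05:00 analyst01 READ EUROPE doc-1001
2023-02-01T09:40:00 analyst01 READ EUROPE doc-1002
2023-02-01T11:10:00 analyst01 READ ASIA doc-2001
2023-02-01T10:00:00 analyst02 READ ASIA doc-2003
2023-02-01T10:30:00 analyst02 READ ASIA doc-2004
2023-02-01T13:45:00 analyst02 READ ASIA doc-2005
2023-02-01T22:01:00 admin07 READ EUROPE doc-1001
2023-02-01T22:04:00 admin07 READ EUROPE doc-1002
2023-02-01T22:07:00 admin07 READ EUROPE doc-1003
2023-02-01T22:11:00 admin07 READ ASIA doc-2001
2023-02-01T22:15:00 admin07 READ ASIA doc-2002
2023-03-15T21:30:00 admin07 PRINT EUROPE doc-1002
2023-04-02T21:45:00 admin07 USB_WRITE ASIA doc-2002
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    action: str
    compartment: str
    obj: str


def allowed(user):
    # Compartments the user's role may touch; unknown users get nothing.
    return ROLE_COMPARTMENTS.get(USER_ROLE.get(user, ""), set())


def parse_log(text):
    """Parse whitespace-separated log lines; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5:
            events.append(Event(datetime.fromisoformat(parts[0]), *parts[1:]))
    return events


def least_privilege_violations(events):
    """Who accessed what: any touch of a compartment outside the user's role."""
    return [e for e in events if e.compartment not in allowed(e.user)]


def volume_anomalies(events, factor=1.5):
    """How much: user-days whose READ count exceeds factor * the median user-day.
    The median spans every user-day, so one heavy day stands out against peers.
    Returns {(user, date): count}."""
    per_day = defaultdict(int)
    for e in events:
        if e.action == "READ":
            per_day[(e.user, e.ts.date())] += 1
    if not per_day:
        return {}
    baseline = median(per_day.values())
    return {k: n for k, n in per_day.items() if n > factor * baseline}


def exfil_channel_events(events):
    """Through which channel: any removable-media write, or printing by a role
    that has no document need at all."""
    return [e for e in events
            if e.action == "USB_WRITE" or (e.action == "PRINT" and not allowed(e.user))]


def triage(text):
    """Roll the three checks up per user and measure how long the activity persisted."""
    events = parse_log(text)
    flagged = defaultdict(set)
    for e in least_privilege_violations(events) + exfil_channel_events(events):
        flagged[e.user].add(e)
    for (user, day), _ in volume_anomalies(events).items():
        flagged[user].update(e for e in events
                             if e.user == user and e.action == "READ" and e.ts.date() == day)
    report = {}
    for user, evs in flagged.items():
        days = sorted({e.ts.date() for e in evs})
        report[user] = {"flagged_events": len(evs),
                        "span_days": (days[-1] - days[0]).days,
                        "channels": sorted({e.action for e in evs})}
    return report


if __name__ == "__main__":
    for user, summary in triage(SAMPLE_LOG).items():
        print(user, summary)
```

Run stand-alone, the script reports only admin07: every one of that account's reads falls outside the empty compartment set its role needs, its late-evening read burst exceeds the peer median, and the later print and thumb-drive events are flagged as exfiltration channels, with the span between first and last flagged event showing that the activity persisted for two months. The two analysts never appear, because nothing in the checks depends on whether a user authenticated correctly; they all did. That is the practical distinction Rogers draws: identity-centric controls confirm that the right person is on the network, while catching an authorized user who abuses his access requires looking at what that user actually does, which is why the useful signals here are role-to-compartment mismatch, volume against a baseline, and use of print and removable-media channels.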
DefenseOne: “Why the Pentagon’s Response to the Discord Leaks Won’t Fix the Problem” — “Some steps the Pentagon is taking in the wake of the recent leak of classified documents are missing the point.”
Breaking Defense: “Zero Trust is the Pentagon’s new cyber buzzword. It might not have stopped the Discord leaks.” — “The stunning leak of hundreds of classified national security documents onto the internet has thrust the Defense Department’s handling of state secrets into the spotlight.”
DefenseOne: “The US Military Is Creating the Future of Employee Monitoring” — “The U.S. military has the hardest job in human resources: evaluating hundreds of thousands of people for their ability to protect the nation’s secrets. Central to that task is a question at the heart of all labor relations: how do you know when to extend trust or take it away?”
This article was originally published on WBUR.org.
Copyright 2023 NPR. To see more, visit https://www.npr.org.