The recent leak of classified Pentagon documents on a popular messaging platform has raised serious concerns among the US government regarding the issue of insider risk. The National Guard Airman, Jack Teixeira, who posted sensitive military documents on the Discord platform, has been criticized for his actions, with some claiming that he had too much access to sensitive information. However, the focus must not be on Teixeira’s age, maturity or even the war, but on the need to maintain a trusted workforce to mitigate insider risk proactively.
The leak of classified information has played right into the hands of the adversary without them lifting a finger. Foreign actors are likely to exploit this perceived internal weakness, making it essential for the government to tackle this issue head-on. While access control is essential, it is only the tip of the iceberg. At the end of the day, Teixeira was authorized and cleared, and any question regarding his age and role misses the point. By virtue of his security clearance, Teixeira was trusted, and any damage caused by his actions was a byproduct of a breakdown of trust.
The Teixeira, Snowden, and Manning cases had one thing in common: a breakdown of loyalty to their employer. When trust is broken, harm is a natural byproduct, whether intentional or not. Therefore, it is essential to address several questions regarding Teixeira’s case. At what point did Teixeira become disloyal to the National Guard? Were there red flags that the National Guard should have looked for, and how could they have obtained and maintained Teixeira’s loyalty before the leak occurred? Addressing these questions can help government entities maintain trust over time and proactively detect and deter insider risk.
To mitigate insider risk, the Defense Counterintelligence and Security Agency (DCSA) has been implementing changes under the Trusted Workforce 2.0 strategy. This whole-of-government approach to reform the personnel security process emphasizes the importance of personal vetting, which replaces periodic background checks with a continuous vetting system. This new system alerts security officers about any potentially suspicious activity in real-time, including significant life changes that have the potential to increase insider risk. This proactive approach can detect risk before a security incident occurs, allowing the Department of Defense to decide the best course of resolution depending on the level of risk posed.
The Trusted Workforce 2.0 strategy and the continuous vetting system are on the right track, but the government needs to capture and correlate the right data at the right time to prevent insider threats. This includes data sets covering cyber, human, organizational, and physical terrain. The recent leak of classified information should serve as a lesson to capture the right data at the right time, requiring an ongoing collaborative effort across government and industry to fill gaps in expertise and knowledge.
Social media monitoring might have gone a long way in the Teixeira case, but it will always be a grey zone. No one wants a big-brother approach, but understanding what to look for, and when, and how to resolve it in a responsible way is essential to delivering a trusted workforce. Identifying and closing these gaps will require cross-cutting collaboration, but for the sake of national security, it will be worth it.
In conclusion, the issue of insider risk is not about Teixeira’s maturity, whistleblowing, or even the war. It’s about people and the need to maintain a trusted workforce to mitigate insider risk proactively. The focus should be to address the issues that lead to a breakdown of trust and find ways to proactively detect and deter insider risk. The Trusted Workforce 2.0 strategy and the continuous vetting system are steps in the right direction but require an ongoing collaborative effort to capture and correlate the right data at the right time. Ultimately, preserving insider trust in the military is a work in progress that requires ongoing exploration and adaptation.