Air Force Intel Leak: The Problem with Trusting the Zeros

The more we learn about Jack Teixeira, the Air National Guard enlisted man accused of leaking sensitive intelligence documents over the Discord platform, the more ominous the story gets. New disturbing allegations include Teixeira planning assassinations, along with other shocking revelations about a young man who should never have had access to national security secrets, but did.

Color me not surprised. This episode reminds me of one of my most unpleasant experiences as a business owner. The IT support person at a web design agency I co-owned in the 1990s was a former Marine who had served with an ultra-elite Force Recon unit in Desert Storm. He was a friendly, clean-cut young man to whom I imputed a great deal of honor and trust. This was an error on my part. Consumed with a false fear that he was about to lose his job, this dishonorable veteran took it upon himself to hack our files and email the company’s complete salary list to all our employees, causing irreparable damage to our business.

Military service does not (or should not) imply honor or trustworthiness. I realize this is heresy in this mind-numbing era of “support the troops,” but events show that misplaced trust is deadly. The military and intelligence communities trusted Chelsea Manning and Edward Snowden. How did that work out? Now, here we are, a decade later, facing a nearly identical scenario.

What went wrong? David Ignatius offers some ideas in a Washington Post article titled “To stop intelligence leaks, assume there will be bad actors.” Yes, that’s a good idea, and not a moment too soon. David Greenglass, an Army Sergeant, stole nuclear secrets from the Manhattan Project nearly 80 years ago. Since then, we’ve had catastrophic insider attacks from Aldrich Ames, Robert Hanssen and many others.

It would be grossly unfair to say that the military and intelligence establishments put no effort into stopping malicious insiders, but the results plainly show that their controls are not working. Ignatius cites James R. Clapper Jr., the former director of national intelligence who led the Pentagon’s post-Manning investigation, who said that the DoD established new rules after the Manning incident but, as he put it, “Enforcement was uneven across the Defense Department, and control eroded over time because the restrictions were seen as onerous and inefficient.”

Ignatius offers a solution, likely whispered in his ear by a defense contractor, which is to implement a “Zero Trust” architecture across the DoD and other areas of the government where secrets lurk. As it happens, Zero Trust is already on the agenda, at least based on the Biden administration’s 2021 Executive Order on Improving the Nation’s Cybersecurity, which stated, “The Federal Government must adopt security best practices; advance toward Zero Trust Architecture.”

Zero Trust is not a bad idea, but it presents several serious problems. One is simply a matter of implementation. Military and intelligence IT infrastructure is complex and layered with ossified and opaque legacy systems, many of which cannot present the per-request identity and device signals a Zero Trust policy engine needs. Any changes to them are challenging, and organizational obstacles can cripple even the most well-intentioned efforts.

Indeed, five months after the Biden order on Zero Trust, Nicolas M. Chaillan, the first person ever to be appointed chief software officer of the US Air Force, noisily resigned from his post in exasperation. He was fed up with the fool’s errand he had been sent on to get Air Force software teams to implement DevSecOps, which would embed better security countermeasures into Air Force applications.

Then, there’s the matter of trust itself. Zero Trust architecture assumes that an organization knows whom it can trust. Done right, it verifies, on every request, that the user is who they claim to be, that the device is one the organization controls, and that the user is authorized for the resource, and it blocks anyone or anything that fails those checks. That’s fine, but those checks answer “is this the right person on the right device asking for something they are cleared to see,” not “should this person still be trusted with it.” Jack Teixeira, a cleared user with legitimate access, would have sailed right through a Zero Trust access control layer. Zero Trust should include policies and procedures that avoid having to trust the zeros.

Clapper seems to understand this, because he’s later quoted in the article as saying, “‘There needs to be a comprehensive system for monitoring electronic behavior’ at work by people with high security clearances.” It’s impossible to implement controls that will catch every suspicious attempt to access or exfiltrate sensitive data. However, it is possible to deploy AI-driven solutions that scour internal networks, and the worldwide internet itself, for evidence of intelligence leaks. The internal half of that only works if the access layer actually records who read what and when; an access log with gaps is a monitor with blind spots.

If such a system was in operation, it missed Teixeira’s alleged activities. This is an unacceptable failure of controls. What’s needed is more defense in depth: a layering of active controls over access, such as Zero Trust, augmented by passive controls that watch what authorized users do with their access and flag potential leaks before they spread. The Teixeira affair reveals the need for more, and better, countermeasures of both types.
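To make the two layers concrete, here is an added illustration (my own sketch, not anything from the article or from any DoD system) of an active access check next to a passive behavioural monitor. The policy engine, the clearance levels, the user “analyst01”, the compartment name, the baseline of six documents a day and the 3× threshold are all constructed for the example. The point it shows is the one made above: a cleared user on a compliant device passes every Zero Trust check, and only the passive layer, watching the volume of reads that were all individually legitimate, raises a flag.

```python
"""Active control (Zero Trust access decision) beside a passive control
(a monitor over the access log that the active control produces).
Every name, threshold and log record here is constructed for illustration."""
from __future__ import annotations

from collections import deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Hypothetical ordering of classification levels.
CLEARANCE = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Principal:
    user: str
    clearance: str
    compartments: frozenset      # programmes the user has been read into
    mfa_verified: bool           # identity proven on this request
    device_compliant: bool       # device posture attested on this request


@dataclass(frozen=True)
class Resource:
    doc_id: str
    classification: str
    compartment: str


def zero_trust_decision(p: Principal, r: Resource) -> tuple[str, str]:
    """Active control: evaluated on every request, never on network location.
    It answers 'right person, right device, right authorization', nothing more."""
    if not p.mfa_verified:
        return "DENY", "no verified identity"
    if not p.device_compliant:
        return "DENY", "device not compliant"
    if CLEARANCE[p.clearance] < CLEARANCE[r.classification]:
        return "DENY", "clearance below classification"
    if r.compartment not in p.compartments:
        return "DENY", "not read into compartment"
    return "ALLOW", "identity, device, clearance and compartment verified"


@dataclass
class LeakMonitor:
    """Passive control: counts distinct documents each user read inside a sliding
    window and alerts when that exceeds multiplier x the user's baseline."""
    window: timedelta
    baseline_per_window: dict            # user -> typical distinct docs (constructed)
    multiplier: float = 3.0
    _reads: dict = field(default_factory=dict)   # user -> deque of (ts, doc_id)

    def observe(self, user: str, ts: datetime, doc_id: str) -> dict | None:
        q = self._reads.setdefault(user, deque())
        q.append((ts, doc_id))
        while q and ts - q[0][0] > self.window:     # drop reads outside the window
            q.popleft()
        distinct = len({d for _, d in q})
        limit = self.multiplier * self.baseline_per_window.get(user, 1)
        if distinct > limit:
            return {"user": user, "at": ts, "distinct_docs": distinct, "limit": limit}
        return None


def run(principal: Principal, requests, monitor: LeakMonitor):
    """Decide each request; feed only ALLOWed reads to the monitor (the passive
    layer sees exactly what the active layer logged). Returns decisions and alerts."""
    decisions, alerts = [], []
    for ts, res in requests:
        verdict, reason = zero_trust_decision(principal, res)
        decisions.append((ts, res.doc_id, verdict, reason))
        if verdict == "ALLOW":
            alert = monitor.observe(principal.user, ts, res.doc_id)
            if alert:
                alerts.append(alert)
    return decisions, alerts


def demo():
    """Constructed scenario: a fully cleared analyst on a compliant device reads
    40 distinct TOP SECRET documents in two hours; baseline is about 6 a day."""
    analyst = Principal("analyst01", "TOP SECRET", frozenset({"X-COMP"}), True, True)
    start = datetime(2023, 3, 1, 22, 0)
    requests = [
        (start + timedelta(minutes=3 * i), Resource(f"TS-DOC-{i:03d}", "TOP SECRET", "X-COMP"))
        for i in range(40)
    ]
    monitor = LeakMonitor(window=timedelta(hours=24), baseline_per_window={"analyst01": 6})
    return run(analyst, requests, monitor)


if __name__ == "__main__":
    decisions, alerts = demo()
    print(f"{sum(1 for d in decisions if d[2] == 'ALLOW')} of {len(decisions)} requests allowed")
    print(f"first alert: {alerts[0] if alerts else None}")
```

Every one of the 40 requests is allowed, because the user satisfies every rule the policy engine can check; the first alert fires on the 19th read, when the distinct-document count crosses 3 × 6. A real monitor would use more signals than raw volume (time of day, documents outside the user’s usual topics, printing and media use), but the shape is the same: the access layer decides, the monitor watches what the allowed decisions add up to.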