WASHINGTON — The stunning leak of hundreds of classified national security documents onto the internet has thrust the Defense Department’s handling of state secrets into the spotlight. Perhaps ironically, the incident comes as the DoD is actively pursuing a new security standard known as “zero trust,” which continuously authenticates a user’s access to an organization’s network.
While the Pentagon says it’s “too soon” to speculate on the causes and preventative measures it could have taken to prevent the recent leak of classified documents, the case shines a light on why fully implementing zero trust is needed across the information enterprise – even as DoD officials and analysts acknowledge to Breaking Defense that there are practical limits to the zero trust concept.
Pentagon officials have been vocal about the need to implement zero trust and have outlined an ambitious timeline of implementing a “targeted” level of capabilities across the department by fiscal 2027, followed by a more “advanced” level. Last November, DoD released its long-awaited zero trust strategy which painted a concerning picture for its information enterprise, saying it is vulnerable to wide-scale and persistent attacks from individuals to state-sponsored adversaries.
David McKeown, DoD’s chief information security officer, said in an April 19 statement to Breaking Defense that “an insider threat with legitimate authorization and access to information remains one of the most – if not the most – difficult challenges in protecting information.”
“Implementation of Zero Trust will improve the DoD Information Enterprise’s ability to identify and detect anomalous activities, protect our data, and enable mission accomplishment,” he added.
However, experts tell Breaking Defense that while zero trust is a worthwhile goal to aim for, ultimately the only way to defend against this kind of situation emerging in the future is a mix of technology and personnel vetting. The reality, it seems, may come down to this: once someone has been vetted and is inside the system, zero trust can help, but won’t ever serve as a silver bullet.
“If we haven’t covered the basics of watching when someone accesses potentially really valuable intelligence data, that we need to build those controls in today and make sure that those controls carry forward,” Matt Radolec, senior director of incident response at data protection firm Varonis, told Breaking Defense.
The Insider Threat
Earlier this month, Jack Teixeira, a 21-year-old member of the Massachusetts Air National Guard who served as a “cyber transport systems journeyman,” was hit with two federal charges alleging that he shared classified information about the Russia-Ukraine war on the social media platform Discord.
According to the official complaint filed against Teixeira, who held a top secret security clearance and maintained sensitive compartmented access (TS/SCI), he began transcribing contents of the documents starting in December last year until he became concerned he’d get caught. Then, he started taking the physical documents to his residence and shared pictures of them in the Discord group.
The Pentagon has since launched a 45-day review of its “security programs, policies and procedures” following the leak. Defense Secretary Lloyd Austin designated the undersecretary of defense for intelligence and security to take the lead on the review in coordination with DoD’s chief information officer and the director of administration and management.
Part of the review will focus on who has access to sensitive information across DoD and other agencies and the DoD offices are expected to provide Austin recommendations on how “to improve the department’s policies and procedures related to the protection of classified information,” Deputy Defense Press Secretary Sabrina Singh told reporters April 17.
So, would zero trust have stopped this leak, which involved both digital and physical information?
“I think at face value, having fully minted zero trust might have prevented this or it might have detected it,” Radolec said in an April 19 interview.
He noted, though, that zero trust can only do so much on its own without additional security monitoring.
“So Jack [Teixiera] still would have stolen some data, but they would have caught it before it got to the point where it is. Because at the end of the day, even in a zero trust [environment], you can’t stop someone that wants a file from getting it out of a secure facility without removing their access altogether,” Radolec noted, adding that DoD should’ve been more focused on monitoring what specific data Teixeira was accessing and making sure he wasn’t abusing his privileges.
Randy Resnick, director of DoD’s zero trust portfolio management office, told Breaking Defense that the department’s zero trust strategy “recognizes that even users with legitimate access to a network cannot be trusted.”
“This is a significant paradigm shift that will require both technical and cultural change,” he said in a statement. “Zero trust capabilities will strengthen the Nation’s defenses through robust event logging and analysis, data protections, and granular access controls.”
He pointed to a few specific capabilities outlined in the department’s zero trust implementation roadmap to achieve baseline capabilities by FY27, specifically ones that focus on things like user behavior monitoring, data monitoring and data loss prevention.
For example, capability 7.4, “user and entity behavior monitoring,” states that DoD will “employ analytics to profile and baseline activity of users and entities and to correlate user activities and behaviors and detect anomalies.” In another capability, 4.4., “data monitoring and sensing,” metadata will be captured “that includes information about the access, sharing, transformation, and use of their data assets.”
The ‘Missing Element’
And yet, that didn’t seem to matter in this case, with Radolec noting that “the other half of zero trust which is ensuring that the controls you put in place stay in place and that people aren’t abusing their privileges is the missing element here.
“Someone should have noticed that this administrator was pulling this data,” he continued. “It’s likely not data that they interact with on a regular basis. That should have driven alarm bells and had the same thing happened to the actual data itself, it’s unlikely they would have been able to amass so much content if each little bit of content was more appropriately locked down.”
Emily Harding, deputy director and senior fellow with the international security program at the Center for Strategic and International Studies, told Breaking Defense that usually when people talk about zero trust it’s about the access a user has to various parts of a network. But in Teixeira’s case, “we’re not talking about elements of the network, we’re talking about pieces of information.”
Meaning, in this specific situation, it would seem that Teixiera did have the proper credentials to be on the network itself, but his exact movements and what information he was accessing went unmonitored.
The status of implementation of zero trust within the department is unclear — the roadmap itself assumes a starting point in FY23 to begin implementing some capabilities and provides pretty broad timelines to achieve both the targeted and advanced levels. For example, the roadmap shows DoD this fiscal year will start working on capability 7.1, which would log traffic from the “network, data, application, device, and user logs and make those logs available to the appropriate Computer Network Defense Service Provider (CNDSP) or security operations center (SOC).” But it’s still unclear as to how far into that capability DoD is, and if something like that could have played a part in minimizing the leak.
Radolec added that when it comes to zero trust, there’s “a lot of buzz” on things like secure facilities and networks, but not as much emphasis on “how do we watch and make sure it’s staying that way.”
“You can almost imagine it like malware… so what happens [when] a computer has some weaknesses, that weakness gets taken advantage of, and some bad code gets put on that box,” Radolec said. “If you talk to anybody in the DoD about that, they’re going to tell you all the ways that they pick up on bad code, and bad code is bad machine behavior. But if we ask the same question, do you apply that same principle to identifying bad behavior — I don’t think you’d have the same answer. It wouldn’t be as robust.”
And just because Teixeira held a TS/CSI clearance, it’s not clear if he should have been looking at certain information, according to Harding.
“Yes, maybe he needs to have access to the backbone of the network, but that doesn’t mean he needs to be able to read the WIRe, for example,” she told Breaking Defense. “He shouldn’t need to have a reason to log into the WIRe and you certainly shouldn’t have a reason to print it. He did start off by transcribing and there’s really no way to stop that other than a physical search as you walk out of the building with the pieces of paper crumpled up in your bag, but you can certainly minimize the amount of leakage.”
She added that beyond the zero trust aspect, the case highlights that DoD’s background investigation methodology is “outdated.”
“They ask questions about drug use and your loyalty to the United States,” she said. “But they don’t ask questions about what’s your online activity like? What do you think about what’s important to protect as far as classified information? Does this person believe that he has to correct the direction of the United States? Those are questions I would consider adding to the list.”
Even with the gaps that currently exist, Radolec said he believes that DoD can mitigate its issues to prevent something like this from happening again.
“These problems can be solved now,” he said. “I’m confident that DoD can make progress today on the control gaps that led to this and that tomorrow and the years leading up to 2027 can have a reduced chance of this happening as a result of those actions.”
Pentagon plans secure cloud pilot to defend small businesses from hackers
The Army’s recently announced NCODE secure enclave is one model that OSD is looking at, said Derrick Davis of the Office of Small Business Programs.