The Teixeira leak: an ignoble betrayal of trust and an avoidable security failure

Trust is a word much bandied in information security, often it seems as a table stake in the cybersecurity game. We have zero trust, in which we create an environment and culture where the goal is to protect data in every instance. Then there’s insider trust, trusting colleagues to keep corporate secrets or to speak up when they see something awry.

When trust is broken, the consequences can be devasting.

The recent public release of the Air Force Inspector General’s report on the case of US Air Force Reserve Airman Jack Teixeira tells a tale of mishandled classified information, a breach of least privileged access, and colleagues who failed in the responsibility entrusted to them when they noticed Teixeira wandering outside the expected pattern of his life. The actions of 21-year-old Teixeira, a cyber defense operations specialist, in leaking classified documents related to the war in Ukraine on the social media platform Discord, highlight how easily trust can break down in even the strictest of environments.

Teixeira leak prompts quick change to DoD insider risk management

Lest we underestimate how damaging the leak was, after a 45-day security review of the unauthorized disclosure, US Secretary of Defense Lloyd Austin issued a memorandum creating a new entity, the Joint Management Office for Insider Threat, and Cyber Capabilities to address insider risk within the Department of Defense (DoD) and ensure user activity monitoring (UAM). In addition to addressing the insider risk issue, the memorandum spoke to the need for more attentiveness to the trust and responsibilities in the management of classified materials and those environments to include electronic devices within those classified spaces.

Even that may fall somewhat short of plugging all leaks, according to Rajan Koo, co-founder and CTO of DTEX Systems. “The requirements for UAM were created over a decade ago and focus on user surveillance, where the data captured is only useful after a data leak has occurred,” Koo says. “In other words, most UAM tools capture reactive data that can’t be actioned to stop leaks occurring in the first instance.”

It is often said the weakest link in the protection of information is the individual. I have long advocated that the individual is the linchpin that holds the entire protection schema together and thus should be the strongest link. The actions by those in Teixeira’s chain of command clearly demonstrated that my point of view, while perhaps correct most of the time, is not an absolute as the Air Force inspector general noted both a “lack of supervision” and a “culture of complacency.”