23 April 2023

Why the Pentagon’s Response to the Discord Leaks Won’t Fix the Problem

PATRICK TUCKER

Some steps the Pentagon is taking in the wake of the recent leak of classified documents are missing the point.

In response to the unauthorized disclosure of hundreds of pages of sensitive and secret material on a private Discord server, Defense Department officials will add restrictions on classified material and allow fewer people to access it. But that response misses the core problems that drive unauthorized disclosure: the Pentagon classifies too many documents, limits its own ability to detect when leaks occur, and greatly overestimates how long classified information can stay secret, according to a senior Defense Department official who works in insider threat detection.

On Monday, National Security Council spokesperson John Kirby told reporters that the Defense Department was “taking a close look at security protocols and procedures and assessing whether or not they need to be changed” around classified information. Kirby said Defense Secretary Lloyd Austin “has already restricted access to classified information” to fewer people. He added that U.S. government protocols and practices “exist for a reason and they are never considered static. So if we need to implement changes, we will.”

One senior Defense Department official who has worked in insider threat detection told Defense One that so-called “unauthorized disclosures” of classified and sensitive information are incredibly common, though few of them make the press. That’s important because it shows that the government is failing to keep a lot of things secret, not just this case.

That’s partly because of the sheer number of secrets it has tasked itself with keeping. But the Pentagon also doesn’t have the right policies in place to allow for the rapid detection of unauthorized disclosures.

In recent years, Defense leaders have set up new systems and policies to predict who might be a leaker. But so-called continuous vetting only captures things like arrests, large purchases, suspicious trips or credit activity, and the like. It is unlikely to have spotted an IT guy who was posting secret documents for clout on a closed Discord messaging group.

What might have helped is monitoring social media. As the Pentagon’s recently leaked documents spread online, groups such as Bellingcat used public clues to identify the alleged leaker as Jack Teixeira. But DOD policy does not make clear how investigators and monitors should and should not scrutinize Americans’ social-media posts for hints of illegal behavior, the official said. The Pentagon has experimented with hiring surveillance companies to monitor public posts for hints of insider threats, but those pilots failed largely because DOD declined to give its contractors vital information, the official said. A clearer policy on the use of public information would be useful.

Another problem: the Defense Department isn’t using the most modern tools and techniques for managing classified data.

As an IT maintainer in the Air National Guard’s 102nd Intelligence Wing, Teixeira had the run of the Joint Worldwide Intelligence Communications System, a Pentagon intranet for secrets. Think of JWICS as a hotel, the official said: just having a clearance will get you access to some of the shared spaces in the hotel, like the lobby or bar or pool. Access to individual rooms is handed out on a need-to-know basis. However, someone running maintenance would need to be able to access virtually any room.

The official called that a very old-fashioned approach to housing data. The Defense Department basically asks for virtual versions of its own data centers. The material is hosted in the cloud but doesn’t have all the benefits of cloud computing. If the Defense Department were to adopt cloud-native data storage and computing, that would allow it to build applications like virtual private containers where classified information could be shared with key participants for only short windows and where maintainers like Teixeira would not need to have access to all material in every room just to maintain things, said the official.

But a potentially larger issue is simply that the government classifies far too much information with no clear policy for eventually de-classifying things. That’s unsustainable and virtually assures more unauthorized disclosures.

In his press conference, Kirby said that “None of this material belongs in the public domain,” implying that its release, per classification regulations, might “harm national security.” But the more secrets you have, the harder they all are to keep, and the government isn’t doing a good job prioritizing them.

That reflects a phenomenon that many top military and intelligence leaders have complained about for years: the U.S. government greatly overclassifies material. Moreover, while more than 1.3 million people have top secret clearances, many of them are older or retirees, and there remains a massive backlog of workers who need clearances to handle that information. That imbalance points to a big problem: too many of the people who hold clearances are not the people the government actually needs to hold them. Add that to the very large number of items that are classified, many without good reason by leaders’ own acknowledgement, and a lot of unauthorized disclosure becomes inevitable.

Consider this 2016 paper from David Grimes, a cancer researcher and author of the books The Irrational Ape and Good Thinking.

Grimes’ paper looked at conspiracy theories, specifically the idea that climate change is a government hoax. He showed that such a conspiracy would be impossible to maintain because of the number of people who would need to be in on it and how long they would have to keep their mouths shut. He demonstrated that with just a few pieces of information, i.e., the number of people who know the secret and the amount of time they have to keep it, it is possible to predict when any piece of clandestine information might leak out.

That same formula applies to the challenge of predicting when leaks might happen, and it is particularly relevant to the recent Pentagon leaks, Grimes said.

“This does happen and happens every few years. And that's kind of what you expect. That's what I found in the formula. Even if I made the parameters as favorable as possible to the secret keepers, if I made a simulation where they were better secret keepers than the NSA, even then, when you start involving thousands of people, or even hundreds of people, or even tens of people things would fail. And they fail a lot quicker than you might expect.”

That’s because every new link increases the potential of failed secret keeping exponentially. By applying a formula to pieces of information that the government wanted to keep secret and entering in the number of people who might have access to that secret information, it should be possible to simulate when “classification” will fail and, thus, whether or not the secret in question should be classified at all and for how long.
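The following added example (not from the article or from Grimes' paper itself) works through the kind of calculation the passage describes: given the number of people who hold a secret and a per-person annual disclosure rate, it estimates how likely a leak is within a given horizon and how long a classification decision can realistically be expected to hold. The model follows the paper's form, a constant per-person rate p combined across N keepers; the numeric value of p below is an assumed order-of-magnitude placeholder, not a figure quoted on this page, and the function names are this example's own.

```python
import math

# Assumed per-person, per-year probability that a single secret-keeper
# causes a disclosure. Grimes' paper calibrated its most optimistic rate
# from historical disclosures; this value is a placeholder of that order,
# not a number taken from the article above.
P_BEST_CASE = 4e-6


def phi(n: int, p: float = P_BEST_CASE) -> float:
    """Per-year probability that at least one of n keepers leaks."""
    return 1.0 - (1.0 - p) ** n


def leak_probability(n: int, years: float, p: float = P_BEST_CASE) -> float:
    """Probability the secret has been disclosed within `years`."""
    return 1.0 - math.exp(-years * phi(n, p))


def years_until(n: int, target: float, p: float = P_BEST_CASE) -> float:
    """Years until the cumulative leak probability reaches `target`."""
    if not 0.0 < target < 1.0:
        raise ValueError("target must be strictly between 0 and 1")
    return -math.log(1.0 - target) / phi(n, p)


def classification_viable(n: int, horizon_years: float, max_failure: float,
                          p: float = P_BEST_CASE) -> tuple[bool, float]:
    """Decision helper: can a secret shared by n people be expected to hold
    for horizon_years with leak probability at most max_failure?
    Returns (viable, estimated_leak_probability)."""
    prob = leak_probability(n, horizon_years, p)
    return prob <= max_failure, prob


if __name__ == "__main__":
    # Illustrative table: how quickly secrecy degrades as the circle grows.
    for n in (10, 100, 1_000, 10_000, 100_000):
        t50 = years_until(n, 0.5)
        ok, prob = classification_viable(n, horizon_years=10, max_failure=0.05)
        print(f"N={n:>7}: 50% leak chance after {t50:9.1f} years; "
              f"10-year leak probability {prob:.3f}; viable={ok}")
```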

The official said that the Department currently employs no formula or data-driven approach to classifying documents.

He called the idea “brilliant.”
