Friday, April 14, 2023

National Security: Crimes, Punishments and Malpractice

After nearly a weeklong search, on April 13, 2023, FBI agents captured and arrested a twenty-one-year-old active duty member of the Massachusetts Air National Guard as the leaker of hundreds of top secret military documents via an online Discord chat room ostensibly used by roughly two dozen teenagers and twenty-somethings to bond over their common love for guns, military gear and God. The suspect, Jack Teixeira, enlisted in the MANG in September 2019 and held the rank of Airman 1st Class after nearly four years -- only one grade above entry level -- and was assigned to Otis Air National Guard Base on Cape Cod. Teixeira's assigned role at the base was PC support technician, responsible for troubleshooting problems with computers and the local network. That was apparently enough of a role for him to have access to document servers hosting documents classified TOP SECRET, cuz clearly the "engineer" who needs to help you reload your mouse driver after a bad Windows patch needs to be able to confirm you can still reach the Sharepoint with the minutes from last week's Joint Chiefs of Staff meeting on Ukraine strategy.

This case certainly merits review of the crimes involved to ensure appropriate punishments are applied for ALL parties involved, not just the immediate perpetrator. This case also highlights the need to review the larger failures within the American government to properly manage crucial security information. Those failures make crimes like this virtually inevitable as ever-larger quantities of secrets encounter an online world that simultaneously isolates people to accelerate their radicalization while making it easier to share content, whether stolen national security secrets or propaganda and misinformation aimed at further indoctrinating idiots into extremism.


National Security Crimes

Jack Teixeira needs to be executed. Period.

This is not a case of a leak of "stale" documents that might reflect analysis or strategies from five or ten years ago that might be seriously embarrassing or even damaging to American politicians or overseas sources. This isn't even a leak of documents reflecting current practices for data collection as part of domestic or overseas spying. The documents leaked reflected estimates of ammunition consumption by Ukrainian and Russian forces from existing stockpiles and expected replacement shipments (dates / quantities / locations). In its criticality to the war, this information is second only to actual "command and control" communication about ACTUAL STRIKES to be taken. (By the way, Otis AFB is home to the 102nd Intelligence Wing of the Air Force, which DOES manage command and control communications systems for the Air Force, so it isn't clear if he ALSO had access to actual command and control networks and data as well.) Leaking this information to Russia may have allowed it to optimize its use of limited firepower to maximize Ukrainian casualties (civilians mostly, given Russia's tactics so far) and / or minimize further Russian losses.

Leaking these documents not only risked the lives of thousands in an American ally, Ukraine; these leaks potentially SAVED thousands of ENEMY lives -- lives of enemy soldiers and mercenaries who are committing documented war crimes against civilians on a daily basis. Allowing material at this level to be leaked and then subjected to additional digital manipulation to alter content also lent support to a core Russian strategy of spreading disinformation and sowing strife within America and between America and its allies. In short, the intentional leakage of these documents wasn't just a document handling crime. The nature of the documents, their real-time nature and the manner in which they were leaked constitute treason against the United States, by an ACTIVE DUTY member of the military.

Besides these traditional justifications for execution, the case of Jack Teixeira involves uniquely modern trends and threats which must be combated. The chat room on Discord used to leak the information was a digital home to roughly two dozen users, all male and many in their teens. Members said they bonded in the chat room over their mutual love of guns, military gear and God. Members describe Teixeira as a devout Catholic, while also reporting he shared video clips of himself yelling racist / anti-Semitic drivel and shooting a gun simultaneously. None of that triggered any cognitive dissonance among the members because some stated they viewed Teixeira as a father figure, or at least as someone to emulate.

Candidly, there is virtually nothing in that description of his profile that constitutes any surprise given his eventual crimes. You don't need ChatGPT to map that profile into those crimes or map those crimes backwards to a person with that profile. Teixeira had spent nearly four years in the Massachusetts Air National Guard and only achieved the first perfunctory promotion in rank. He was doing low-level tech support work identical to that in any run-of-the-mill company. He is said to have expressed disillusionment about the direction of America. Was it the direction of America he was disillusioned about, or the direction of his life? Other members of the chat room stated that few paid attention to the first documents he shared (awkward avoidance given the material and the obvious crime he was committing, or pure yawning disinterest?). After the initial indifference, he posted MORE documents because he wasn't getting the attention he wanted from his fellow gun-lovin', God-fearin', racist / anti-Semitic fanboys. THAT'S the mentality we are dealing with, not only with Teixeira but the TENS OF THOUSANDS like him across the country.


National Security Punishments

As of April 14, the government has only charged Teixeira with retention and transmission of national defense information and willful retention of classified documents. Merrick Garland and Joe Biden must both explain to the public why Teixeira is not charged with treason and why the death penalty should not be pursued. At a minimum, Teixeira should serve the rest of his life in prison, a sentence also possible for a treason conviction.

Why is it so important for Teixeira to be subjected to the death penalty or at least life in prison? There are HUNDREDS OF THOUSANDS of people, similarly disenchanted with their economic plight and similarly addicted to social media for a false feeling of belonging and respect, who are actually being indoctrinated into hate and violence. TENS OF THOUSANDS of such people already staged an insurrection attempting to interfere with the peaceful transition of power to a new President. This case is likely the most blatant case of immediate, actionable military intelligence being compromised during wartime that America has seen in a century. It affects the lives of millions of people and billions of dollars of American expenditures for its ally. And it was committed by an ACTIVE DUTY member of the armed services trying to score style points with his friends in a chat room. What message will be sent to those HUNDREDS OF THOUSANDS like him if this crime isn't met with the ultimate penalty?

Carry on.

The military must cast a much wider net in its investigation. If Teixeira was able to photograph the documents because he had access to shared file servers to print a local copy to photograph it, then the personnel in the Massachusetts Air National Guard and the larger branches involved with the design and operation of those desktop systems require discipline including termination with zero benefits. If Teixeira was able to photograph the documents because they were left exposed after classified meetings or left exposed in private offices, the attendees of those meetings need to be identified and also subjected to discipline under UCMJ or civilian law as appropriate, including termination with zero benefits.

The other members of the Discord chat room also merit criminal investigation. At least one member (still under age 18) saw the documents posted within the room but didn't notify anyone. That's not a crime per se but it isn't clear if any of the chat room members COPIED the documents and saved them anywhere else. That would be a crime. Technically, it might be argued that the act of viewing the document from the server may have temporarily copied it FROM the server to a local machine, constituting a crime. Also, authorities have found some of the documents were digitally altered to obscure information or change the information. Each altered document is confirmation that document existed at one point in time in at least one other location where the editing was performed. If Discord logs identify where the altered document originated, other parties should be subject to criminal prosecution as well.

As described in the next section, the government needs to correct glaring flaws in current tools and procedures regarding classified information. This type of crime should not have been possible to this extent without being detected earlier in the process. But until the government can improve technology, those entrusted with clearances and those who merely encounter secrets but know better must be held accountable in proportion to the lives lost, lives risked or national goals jeopardized by their crimes. A mere fifteen year sentence is not proportional to this crime.


National Security Malpractice

The government may have identified the origin of the leak and arrested the perpetrator but much more explanation is required of the policies and capabilities of both the Department of Defense and the Justice Department. Concerns abound, ranging from the mundane to the insane.

Teixeira was in the military but was not flying planes, selecting targets, or managing shipments of munitions between bases. His job was providing desktop and local network support, just like the people working in every Fortune 500 company that has 50,000 laptops that get patches every month and have strange software bugs or hardware failures that someone from IT has to come up and help with. THAT was his role.

In any competent IT organization, when employee Jane Doe calls for support and Joe Blow is assigned as the technician to fix their problem, Joe Blow isn't given "god" rights on his normal joeblow login that allows him to alter anyone else's machine to install new applications, drivers, patches, etc. He is given a second PARALLEL userid (something like joeblowelevated) which has those elevated rights to any local machine. That joeblowelevated userid does NOT have read/write access to any arbitrary shared drives that an employee might have. Any action performed by Joe Blow while logged in as joeblowelevated is recorded with extra detail and those logs are forwarded to a centralized server for automated analysis for signs of abuse / data theft / etc. If logs appear showing joeblowelevated accessed the computer for userid janedoe when no support ticket was opened by that user, that can trigger alerts about potential security breaches.

If Corporate America has figured out how to administer modern operating systems on tens of thousands of computers for users scattered across an entire country, why hasn't the Defense Department adopted these best practices? Many of these security controls are included with modern operating systems. Others require additional add-ons per computer. The Pentagon budget is roughly $842 billion per year. It seems obvious that an $842 billion budget can fit the cost of putting extra security software costing maybe $100 per seat per year on the computers of 950,000 civilian employees and 1.3 million active duty personnel. That's a mere $225 million. That's 0.0267 percent of the yearly defense budget.

The Defense Department also needs to look through its $842 billion of annual spend and explain to Congress and the American public why it has not designed a better document classification and access system for all of the supposedly top secret documents involved in running a modern national security state. Given the number of cases of document mishandling by high and low ranking personnel alike (generals, generals' girlfriends in the press, vice presidents, active presidents, former presidents…), it seems more effort has been devoted to devising new categories of security to protect turf between agencies and impress women at after-work cocktail parties than to efforts to actually protect information.

Some examples:

If the Defense Department is properly configuring computer access rights for employees and helpdesk technicians, a support technician would never be able to see top secret documents on a general's machine without a central system recording the date, time and technician userid and EVERY ACTION taken by that technician on that general's computer (every application launched, every folder opened, every document opened…). As mentioned before, that log data can be automatically analyzed and merged with other data to more surgically identify potential abuse / theft in real time, even before humans know to suspect a breach.
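The correlation described in the Joe Blow scenario and again here (elevated-account activity checked against the helpdesk ticket queue) can be shown in a few dozen lines. This is an added example, not code from the original post or from any helpdesk or SIEM product; the log format, hostnames, account names, tickets and the four-hour session window are all constructed assumptions.

```python
"""Added illustration (not code from any real helpdesk or SIEM product): an
elevated support account is only expected on a machine while a ticket is open
for that machine's user, so elevated-account logons are correlated against the
ticket queue and anything opened during an unticketed session goes into the
alert. Log format, hostnames, user names and tickets are constructed."""
import re
from datetime import datetime, timedelta

# Constructed audit lines forwarded from endpoints (elevated-account activity only).
LOGS = r"""
2023-03-01T09:02:11 host=ws-0412 user=janedoe elevated=joeblowelevated action=logon
2023-03-01T09:05:40 host=ws-0412 user=janedoe elevated=joeblowelevated action=open path=C:\Users\janedoe\Documents\budget.xlsx
2023-03-01T13:17:02 host=ws-0977 user=gen.smith elevated=joeblowelevated action=logon
2023-03-01T13:18:30 host=ws-0977 user=gen.smith elevated=joeblowelevated action=open path=C:\Users\gen.smith\Desktop\briefing.pdf
2023-03-02T22:41:09 host=ws-0412 user=janedoe elevated=joeblowelevated action=logon
"""

# Constructed helpdesk tickets: (requester, host, opened, closed).
TICKETS = [("janedoe", "ws-0412", "2023-03-01T08:45:00", "2023-03-01T10:00:00")]

SESSION_WINDOW = timedelta(hours=4)  # assumed: activity after a logon belongs to that session

LINE_RE = re.compile(
    r"(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) elevated=(?P<elevated>\S+) "
    r"action=(?P<action>\S+)(?: path=(?P<path>.*))?$")

def parse_logs(text):
    """Parse the constructed key=value lines into dicts with a datetime 'ts'."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            records.append(rec)
    return records

def ticket_covers(tickets, user, host, when):
    """True if an open ticket for that user's machine covers the timestamp."""
    return any(req == user and th == host and
               datetime.fromisoformat(opened) <= when <= datetime.fromisoformat(closed)
               for req, th, opened, closed in tickets)

def unticketed_elevated_sessions(text, tickets):
    """Alert on elevated-account logons with no matching ticket, listing files opened."""
    records = parse_logs(text)
    alerts = []
    for rec in records:
        if rec["action"] != "logon" or ticket_covers(tickets, rec["user"], rec["host"], rec["ts"]):
            continue
        opened = [r["path"] for r in records
                  if r["action"] == "open" and r["host"] == rec["host"]
                  and r["elevated"] == rec["elevated"]
                  and rec["ts"] < r["ts"] <= rec["ts"] + SESSION_WINDOW]
        alerts.append({"when": rec["ts"].isoformat(), "account": rec["elevated"],
                       "host": rec["host"], "user": rec["user"], "opened": opened})
    return alerts

if __name__ == "__main__":
    for a in unticketed_elevated_sessions(LOGS, TICKETS):
        print(f"ALERT {a['when']} {a['account']} on {a['host']} ({a['user']}) opened {a['opened']}")
```

The 09:02 logon on ws-0412 is covered by Jane Doe's ticket and stays silent; the logon on the general's machine with no ticket, and the late-night return to ws-0412 after the ticket closed, both raise alerts.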

Virtually every outpost in Corporate America has adopted computer administration practices that a) encrypt any local hard drive or solid-state drive, b) disable USB storage drivers so external USB drives cannot be plugged in as a path for virus infections AND to block local files from being copied off the machine to a removable drive to steal documents, c) mirror any documents created by the user on their local drive to a network-accessible backup folder. Together these practices ensure that if the laptop is ever stolen, no thief can read the hard drive / SSD, even if they mount it in another machine they already control. Many companies install additional drivers that consult a public internet registry service at startup and will "brick" the machine if the owner flagged it as stolen. With these practices in place, a laptop computer is portable but can be scrambled and cut off from the mother ship with zero risk of data loss. (It's not a fun world for the user who can't use their USB drive, but work isn't meant to be fun, is it?) Has the Defense Department adopted these capabilities universally?

Of course, none of these practices help in cases where the leaker can take a PICTURE of a screen or printed document with top secret information and exit the secure facility with a camera. The first obvious solution is to confiscate any smartphone or camera device from personnel entering facilities where screens or printed materials can expose secure data. Again, in virtually any Corporate America setting, support agents working at banks, internet providers or other firms with sensitive data on MILLIONS of customers have rules that require them to leave smartphones in a locker before entering the call center floor and prevent them from having any paper at their desk during a shift to write sensitive customer data down. Of course, the effectiveness of this approach was compromised during the COVID-19 pandemic when many workers began working from home and again their work environment became uncontrolled by their employer.

The military is in a different position vis-à-vis its personnel. For example, the military could design its own geofencing smartphone app and require its installation on employee devices. The app would monitor the phone's GPS location and disable cameras and audio recording capabilities when the location is within a geo-fence boundary of any DoD location. All non-military personnel would still be required to lock up smartphones before entering such facilities. Not perfect, but likely better than the current state.

The camera problem really points out the biggest problem the United States has not addressed as it spends more and more money attempting to build the ultimate national security state. Documents WILL always leak out, either inadvertently or intentionally. Once leaked, the government MUST be faster at identifying the document's history (who / what / where / when) to narrow down who might have leaked it. An estimate from 2019 indicates roughly 2.9 million Americans hold some level of security clearance. A quick search shows the government itself considers there to be five levels of security:

  • Controlled unclassified
  • Public trust position
  • Confidential
  • Secret
  • Top Secret
  • Compartmentalized

Using the earth as a metaphor for all possible areas of sensitive information, this classification scheme implies that current practices are more focused on the "altitude" of a person (how high up the scheme they are) rather than the "latitude and longitude" of their need to know. Information within the Compartmentalized tier is obviously more segmented but at lower levels, access seems to be quite wide. Conceptually, if you are trusted to view information at two thousand feet, you are trusted to look at any point on the planet at that two thousand foot level. Assuming for a moment that current government policies which seem to require ever larger volumes of information to be hidden from the public are legitimate, it seems clear current classification schemes cannot serve the defined need. They lack the specificity required to properly compartmentalize information and thus contribute to oversharing of information.

If we're going to continue attempting to operate a national security state, a more effective means of tagging information and compartmentalizing access to such data is required. The US Post Office introduced ZIP codes in 1963 to speed the sorting required for a piece of mail by boiling down all geography within the US to numeric codes representing a specific geographic block served by a specific post office. When sending a letter from Los Angeles to New York City, no one anywhere in the country within the postal system needs to process the fact the letter is addressed to Mayor Adams or even City Park Hall. They only need to know the letter goes to New York City within New York State which can be discerned from looking at the ZIP code 10007 and putting the letter in a pile that will move towards that post office. Only the last two people touching the letter (the sorter in the post office and the carrier) need to look at the full address.

In essence, government systems need to implement a new process based on something I'll call a "ZIPIT" code. Like a ZIP code, a ZIPIT code would be a relatively short character string that would be automatically created any time a confidential document is created electronically or printed that would encode information about the originating agency, department and possibly author. How much information could be embedded in a ZIPIT code? If the code was kept to seven alphanumerics (digits and upper case), that would be 37^7 or 94,931,877,133 combinations.

Theoretically, this concept would allow over 94 billion unique areas of information to be identified for subsequent use in identifying the source of a document and information about the organization and author that created it, allowing searches to rapidly trace the document's trail if leaked. If a ZIPIT code was also embedded with a document and used to trigger an event when read electronically, such read confirmations could be collected and searched to instantly diagram a document's sharing history and identify parties that viewed the document. The tasks of synthesizing such codes at document creation and generating "read tags" as documents are passed and opened is child's play for modern big data systems. Amazon processes more details on your search behavior on their portal than would be generated by this type of system.
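To make the ZIPIT idea concrete, here is an added sketch of my own (not code from the original post or any existing government system) that packs agency, department and author ids into a seven-character code, collects a "read tag" each time the document is opened, and traces a leaked code back to its origin and viewers. The field layout (2 + 2 + 3 characters), the 36-symbol alphabet and all sample ids, users and timestamps are constructed assumptions.

```python
"""Toy model of the "ZIPIT" tagging idea. Added illustration, not an existing
system: a 7-character code encodes agency/department/author ids, every electronic
open emits a read tag, and a leaked code is traced through the collected tags.
Field widths, alphabet and sample data are constructed for this example."""
import string
from collections import defaultdict

ALPHABET = string.digits + string.ascii_uppercase      # 36 symbols (the text counts 37)
FIELDS = (("agency", 2), ("dept", 2), ("author", 3))   # assumed layout; widths sum to 7

def _enc(n, width):
    """Fixed-width base-36 encoding of a non-negative id."""
    base = len(ALPHABET)
    if not 0 <= n < base ** width:
        raise ValueError(f"{n} does not fit in {width} base-{base} characters")
    out = ""
    for _ in range(width):
        n, r = divmod(n, base)
        out = ALPHABET[r] + out
    return out

def _dec(s):
    n = 0
    for ch in s:
        n = n * len(ALPHABET) + ALPHABET.index(ch)
    return n

def make_zipit(agency, dept, author):
    """Build the origin code stamped on a document at creation time."""
    ids = {"agency": agency, "dept": dept, "author": author}
    return "".join(_enc(ids[name], width) for name, width in FIELDS)

def parse_zipit(code):
    """Recover the origin ids from a code read off a leaked page."""
    if len(code) != sum(w for _, w in FIELDS) or any(c not in ALPHABET for c in code):
        raise ValueError("malformed ZIPIT code")
    out, pos = {}, 0
    for name, width in FIELDS:
        out[name] = _dec(code[pos:pos + width])
        pos += width
    return out

class ReadLedger:
    """Collects the read tags emitted whenever a tagged document is opened."""
    def __init__(self):
        self._tags = defaultdict(list)        # code -> [(timestamp, user, host)]
    def record(self, code, ts, user, host):
        self._tags[code].append((ts, user, host))
    def trail(self, code):
        """Chronological sharing history for one document."""
        return sorted(self._tags[code])
    def viewers(self, code):
        return sorted({user for _, user, _ in self._tags[code]})

# Constructed sample: one document, three opens, then a photographed page surfaces.
ledger = ReadLedger()
DOC = make_zipit(agency=17, dept=102, author=4400)
for tag in [("2023-03-01T09:00", "analyst.a", "ws-01"),
            ("2023-03-01T10:30", "general.b", "ws-17"),
            ("2023-03-02T16:45", "support.c", "ws-17")]:
    ledger.record(DOC, *tag)
```

Given only the code photographed on a leaked page, `parse_zipit` names the originating agency, department and author, and `ledger.trail` lists every account and machine that opened it, which is the narrowing-down step the post calls for.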

Why is this type of system required? In this case, the original story triggered a race between the Justice Department and Department of Defense on one hand and the press -- the Washington Post, in particular -- on the other to identify the leaker. The Washington Post actually beat the FBI to Teixeira's literal doorstep because they were able to associate a COUNTERTOP and a floor tile pattern underneath one of the document photos with the kitchen in Teixeira's home faster than the FBI and DoD were able to match the pictures of the documents, with their subjects, dates and data, to original documents, points of origin and points where those documents might have been printed, and then identify Otis AFB and Teixeira.


WTH