After the Department of Defense conducted a 45-day review of its classified information programs, policies, and procedures, Secretary of Defense Lloyd J. Austin III said the “overwhelming majority” of DOD personnel with access to classified information are “trustworthy” in a memo released on July 5. However, the DOD still needs to improve how it handles classified information by clarifying its regulations, Austin wrote.
The review was ordered after Airman 1st Class Jack Teixeira, a Massachusetts Air National Guardsman, allegedly shared a trove of classified documents on the war in Ukraine, the Indo-Pacific and Middle East military theaters, and other sensitive subjects on an online group chat.
The review “identified areas where we can and must improve accountability measures to prevent the compromise of [Classified National Security Information], to include addressing insider threats.”
A senior defense official who requested anonymity told reporters on July 5 that the 45-day review did not delve into the specifics of Teixeira’s case, which is still being investigated. Instead, the review focused on “umbrella-level of department policies and procedures,” the official said.
The senior defense official said one of the most important findings was that the Department of Defense needs to establish a consistent way for low-level security managers to stay in touch with the Defense Counterintelligence and Security Agency and vice-versa. That kind of two-way dialogue is essential for continuous vetting, a process whereby the background of a cleared individual is regularly reviewed.
“As we’ve transitioned to continuous vetting, we need to get to that local area security manager and make sure they understand what is available to them, what information they can have on their personnel, how important that accountability relationship is,” the official said.
Beyond fostering a dialogue with DCSA, the Department of Defense also needs to clarify its standards for handling classified information, the official said. These standards, which vary between organizations and between different varieties of classified information, can be difficult to keep straight, the official said.
“As someone who’s read a lot of DOD policies, they are not the clearest documents always,” the official said. “I am not surprised that as they’ve layered on top of each other … and as this complex classified information environment has grown, that there’s a need to make sure that we are looking at them from a stand-back distance to make sure they’re understandable and that our workforce can use them to the best of their ability.”
Ambiguity can lead to inconsistency in how standards are applied. One example the official referred to is a requirement for top secret control officers, who are responsible for “receiving, dispatching and maintaining accountability of all Top Secret documents” according to Air Force regulations. The senior defense official said public-facing policy states that top secret control officers are optional, but other policies state that they are mandatory, which can cause confusion.
“Then if you get into what is a reportable offense and who you have to report it to … some of that is also confusing,” the official said. “If you’re a local level security manager managing a joint unit for example, who do you report it to, how do you do all of that?”
The official said clear regulations are especially needed to keep pace with a growing number of locations where classified materials are handled. Besides the large, highly-fortified facilities like the Pentagon and the Defense Intelligence Agency, there is a growing number of smaller facilities which require unique ways of keeping classified information secure, she said.
Instead of a single point of failure, the official said that multiple factors contribute to security incidents. The 45-day review provided a chance “to make sure that we looked at this as quickly as possible to make sure that we made the improvements that we could quickly” as the Teixeira investigation continues, the official said. That kind of self-assessment is in line with industry best practices for mitigating insider threats.
“If there were a perfect solution for this, I’d be out of a job,” Daniel Costa, technical manager of enterprise threat and vulnerability management at The National Insider Threat Center at Carnegie Mellon’s Software Engineering Institute, told Air & Space Forces Magazine in April.
“There’s an inherent risk that comes along with doing business,” he added. “What we’re talking about is human nature, and thinking about insider threats as an inherent risk to organizations requires real careful planning and organization-wide participation to reduce that risk to acceptable levels.”
Besides the 45-day military-wide review, the Department of the Air Force is conducting a review of its policies regarding classified information and an Inspector General review of security practices at Teixeira’s unit, the 102nd Intelligence Wing.
In his June 30 memo, Austin also directed all Department of Defense component heads to take a range of steps meant to ensure that Department of Defense personnel are assigned to a Security Management Office; that military Sensitive Compartmented Information Facilities (SCIFs) comply with Intelligence Community Directive requirements; that all SCIFs and Special Access Program Facilities (SAPFs) are accounted for in a centralized tracking system; that personal or portable electronic device use is prohibited in those facilities; that Top Secret Control Officers are required for top secret information; and that a Joint Management Office for Insider Threat and Cyber Capabilities is established for monitoring threats and user activity across all military networks.
To enhance communication with the DSCA, Austin directed the undersecretary of defense for intelligence and security, Ronald S. Moultrie, to make a plan for analyzing training needs; examining or improving how to make continuous vetting information more readily available, and optimizing tools for sharing that information within the military. Many of the deadlines for taking these steps fall between July 31 and December 31 of this year.
Both Austin and the senior defense official expressed a desire to avoid overcorrecting by placing unnecessarily restrictive policies on information sharing as the military works out better practices for handling that information.
“The Department is mindful of the need to balance information security with [the] requirement to get the right information to the right people at the right time to enhance our national security,” according to a fact sheet on the security review provided to the media.