Kendall Promises ‘Full-Court Press’ Security Review After Intel Leak

Air Force Secretary Frank Kendall told lawmakers his department is committed to a complete review of its security practices after an Airman allegedly shared a trove of classified documents on the war in Ukraine, the Indo-Pacific and Middle East military theaters, and other sensitive subjects on an online group chat.

In the meantime, the Air National Guard unit to which the accused Airman was assigned has been temporarily relieved of its intelligence mission while a second, more focused review unfolds, an Air Force spokeswoman told Air & Space Forces Magazine.

“There is a full-court press going on about this,” Kendall told the Senate Appropriations defense subcommittee on April 18. “We are all disturbed about it and we are working very very hard to get to the bottom of it and take corrective action.”

Besides the ongoing criminal investigation of Airman 1st Class Jack Teixeira, the Air National Guardsman accused of leaking the documents, Kendall said the DAF has initiated three efforts to get a better handle on its policies for protecting classified information:

First, the Air Force Inspector General is reviewing the Massachusetts Air National Guard’s 102nd Intelligence Wing, Teixeira’s unit, to see if anything went wrong in terms of following Air Force security policies. In the meantime, the 102nd Intelligence Wing “is not currently performing its assigned intelligence mission,” Air Force spokeswoman Ann Stefanek said. The 102nd’s mission has been temporarily reassigned to other Air Force organizations, she said.

Second, the department is conducting a “complete review of our policies themselves within the staff to make sure our policies are adequate,” Kendall said.

Third, units across the entire Air Force and Space Force will conduct a stand-down for Airmen and Guardians to review their security practices and conduct training as necessary. The stand-down is to be conducted in the next 30 days.

“Obviously we have got to tighten up our policies and our practices to make sure this doesn’t happen again,” the secretary added.

Kendall’s announcement comes the day after Defense Secretary Lloyd J. Austin III asked the entire military to review its information security programs, policies, and procedures. The initial findings of the review are due in 45 days, along with any recommendation to improve those systems. 

“Adverse security incidents are a stark reminder that adherence to required security procedures underpin all aspects of the Department of Defense mission, and we must continually reinforce these requirements to keep pace with evolving threats,” Austin wrote in an April 17 memo about the review. “It is therefore essential to carefully examine the sufficiency of, and compliance with, all security policies and procedures.”

Kendall said one of the key points of the Air Force-wide review is to emphasize the principle of ‘need to know.’ Earlier in the hearing, Air Force Chief of Staff Gen. Charles Q. Brown Jr. said that Teixeira, a cyber transport systems journeyman, had access to sensitive information but did not necessarily have a need to know some of that information.

“We need to enforce [need to know] much more rigorously than it appears to have been in this case,” Kendall said.

In a memo sent to Airmen and Guardians on April 18 and provided to Air & Space Forces Magazine, Kendall, Brown, and Chief of Space Operations Gen. B. Chance Saltzman made the point even more finely.

“Safeguarding national security information is not limited to ensuring personnel possess the appropriate clearance and training, they must also have the need to know,” they wrote. “All of us are responsible for obeying and enforcing the rules that protect classified information.”

The department leaders said Airmen and Guardians should be “continually alert” for personnel accessing classified information without the need to know.

The advice echoes analyses made by the National Insider Threat Center at Carnegie Mellon’s Software Engineering Institute, which studies insider threats—instances where individuals with authorized access to an organization’s assets misuse that access to the detriment of the organization.

“This is not a technology problem, it’s a people problem,” Daniel Costa, technical manager of enterprise threat and vulnerability management at SEI, previously told Air & Space Forces Magazine. “We use technology to help us manage those risks, but at the end of the day—especially in terms of making the organization less mistake-prone—that largely comes down to management-related and HR-related activities.”