By Jonathan Rowe, Research Analyst

Cyber breaches come in all shapes and sizes, and no organization is immune – including the United States military. On April 13th 2023, Jack Teixeira, a 21 year old Airman in the 102nd Intelligence Wing of the Massachusetts Air National Guard on Cape Cod, was arrested by the FBI at his parents’ home in Dighton, Massachusetts. Teixeira was charged with two crimes: violating the Espionage Act of 1917 by retaining and transmitting national defense information without authorization; and unauthorized removal of classified information. Specifically, Teixeira allegedly obtained classified information and uploaded it to an online Discord chat group known as “Thug Shaker Central” which is believed to have held 20-to-50 members.

This classified information was posted in the form of transcripts Teixeira read aloud, copied notes, and included screenshots of classified documents. These classified documents included highly sensitive details, such as the United States’ plans for potential scenarios in the Russian war on Ukraine, names of informants and spies, military strategy, and other data that US prosecutors allege would have been of “tremendous value to hostile nation states”. The leak is thought to be the most significant security breach in the United States since over 700,000 sensitive materials were published on WikiLeaks in 2010.

The Teixeira incident sparked an inside review of the military’s approach to cybersecurity. On December 11th, the Air Force disciplined 15 members of its ranks relating to the Teixeira incident. This discipline spanned from personnel being removed from their positions – including command positions – to non-judicial punishments. Furthermore, Air Force personnel close to Teixeira knew about up to four separate occasions of him exhibiting questionable behavior prior to the leaks, and a small number of people “intentionally failed to report the full details of these security concerns/incidents.”

Even before the Air Force’s disciplinary action was publicized in December, what quickly became apparent after the breach was that Teixeira, himself, had little need to possess access to classified information. Moreover, he essentially worked in the IT department of the National Guard, but not with or related to the sensitive information in the systems with which he worked. Although focused on IT issues, technically his role was as a member of cyber defense operations. This highlighted an overall security flaw in the US military, where it is commonplace for low-level personnel, including technology workers, to have access to classified information.

The incident prompted the Air Force to conduct “a security-focused stand down to reassess [its] security posture and procedures, validate the need to know for each person’s access, and emphasize to all Airmen and Guardians the responsibility [they] are entrusted with to safeguard this information and to enforce and improve our security requirements.”

The Teixeira incident and the Air Force’s subsequent review of its security requirements invokes the concept of zero-trust security that is growing in popularity across organizations of all sectors. Zero-trust security is the idea that companies need to be on guard for external cyberthreats, in addition to having robust internal security policies and arrangements. In large organizations like the Air Force, there are a plethora of people with potential access to sensitive information. With a zero-trust security stance, organizations consider how to assign and prioritize security clearance to their own employees; in organizations with a zero-trust security model, employees are granted access to critical information only on a need-to-know basis. While organizations generally trust their employees, they must operate under the assumption that they cannot trust their most important information with anyone and everyone within a company. Following the Jack Teixeira episode and the Air Force’s related internal review, it is likely that the Air Force will adopt a zero-trust security clearance model within its own ranks, ensuring that vital information does not fall into the wrong hands again in the future.