Pentagon leaks by a junior sysadmin put the spotlight back on insider threat
A High School diploma and "normal colour vision" get you a lot of access...
Organisations mindful of protecting sensitive data – whether that is intelligence or intellectual property – will be taking a fresh look at their insider threat controls and broader operational security after it emerged that a junior systems administrator (sysadmin) was the chief suspect in a series of top secret document leaks.
Jack Teixeira, 21, facing court today (April 14), is understood to have been a “Cyber Transport Systems Journeyman” with access to the sensitive Joint Worldwide Intelligence Communications System (JWICS).
The qualifications required for “cyber transport systems” roles, according to an Air Force page, include: A High School diploma, normal colour vision, and a “current Single Scope Background Investigation (SSBI).”
Despite these fairly minimal requirements, systems or network administrators even at National Guard level have extensive access to multiple sensitive systems. A job description for this “transport systems journeyman” role from the National Guard says it requires network infrastructure maintenance work across the following:
“Secure computer systems and networks… daily operation, software, configuration modification and preventive maintenance inspections on all equipment including, but not limited to, network routers and switches, fiber and copper infrastructure, video teleconference, Battle Control System integrated systems, Joint Range Extension systems, Air Defense Systems Integrator, and Windows, UNIX and LINUX Servers and PC’s.”
Insider threat: Who gets Top Secret access?
Pentagon officials say that the number of people with the kind of “Top Secret” access Teixeira appears to have had is in the thousands, if not tens of thousands. “There’s the obvious question of why someone in this relatively low rank and rather obscure corner of the military, namely the Massachusetts Air National Guard, could have access to not only some of the nation’s most critical secrets, but such an extraordinary array of them, which could have no possible bearing on his job,” said Glenn Gerstell, a former general counsel of the NSA, in the NYT.
Essentially a junior sysadmin, he joins a growing list of contractors set to end up on the Defense Counterintelligence and Security Agency’s list of “insider threat” case studies, which features figures from both the national security and enterprise worlds. (The US’s Cybersecurity and Infrastructure Security Agency provides an insider threat mitigation guide with some step-by-step framework principles for anyone looking.)
And the leaks will likely be re-focussing many CISOs’ minds on the insider threat risk.
(There is no shortage of jobs advertised in this space at the moment, suggesting attention is already heightened on it as a potential threat vector in many organisations. One advert, at Barclays, for example, for an insider threat business liaison partner, describes the role as “providing insider threat consultancy…, leading workshops, round table discussions and scenario emulation/table top exercises; reporting to senior management and executives on the wider insider threat landscape; validating threat scenarios and countermeasures within application components, controls and hosting methodologies and business application flow; and identifying potential gaps in controls and opportunities in business processes that could be exploited by… insiders.”)
Pentagon cybersecurity: Leaves a lot lacking...
The leaks cap a sorry year thus far for Department of Defense security. Over three terabytes of military emails were exposed to anyone in February owing to misconfigured Azure services, as just one example. Days before that incident, DoD’s Inspector General had warned Pentagon CIOs that their teams were not properly reviewing documentation designed to ensure military cloud security – and were running systems with unmitigated vulnerabilities that put DoD “at an increased risk of successful cyber attacks, system and data breaches, data loss and manipulation, or unauthorized disclosures of mission-essential or sensitive information.”
(The US Special Operations Command email server was first detected spilling data on February 8, likely due to human error that left it remotely accessible without a password. This went undetected for around two weeks before it was spotted and disclosed by security researcher Anurag Sen, as first reported by TechCrunch. Whilst none of the data viewable was classified, it included significant amounts of background information on security clearance holders. Microsoft and the Pentagon are investigating how this happened and, no doubt, why tools were not in place to automatically detect and alert stakeholders that the server had been left exposed.)
Last year, meanwhile, the Pentagon admitted, strikingly bluntly, that both state hackers and individual malicious actors “often breach the Department’s defensive perimeter and roam freely within our information systems.” The comments came in the Department of Defense’s new “Zero Trust” strategy.
The Department of Defense, which had a 2022 budget of $1.64 trillion, added in the cybersecurity roadmap: “Our adversaries are in our networks, exfiltrating our data, and exploiting the Department’s users.”
Cybersecurity for the Pentagon is rendered challenging by the scale and complexity of its infrastructure. The Army alone, for example, operates 2,370 on-premises systems and applications; 40,000+ different analytics products; and 150 different system interfaces for its 72,000 IT staff – overseeing 1.4 million users – and spends $1.5 billion on IT hardware and nearly double that on software annually, according to one slide seen by The Stack.