When the news broke this week that the leaker responsible for releasing perhaps hundreds of classified documents including transcribed messages and photocopies of classified information was allegedly a 21-year-old member of the Massachusetts Air National Guard, a variety of critics have called out the age of the guardsman and why he had a Top Secret security clearance.
Throwing the caution flag to why he had access to the volume of documents and most importantly, how he was able to photocopy any of them, is absolutely on the right track. But the many armchair critics questioning why a 21-year-old would have a Top Secret security clearance seem to be missing the point of the vetting process entirely – and its need for individuals with the right clearance eligibility at every working age.
Military Security Clearances
Jack Teixeira was a 21-year-old in the Air National Guard. Not every service member is granted a security clearance, but every service member does undergo some form of background investigation. A Top Secret security clearance would not have been uncommon for someone serving in an intelligence wing, which is where news reports indicate Teixeira served. News reports say he was an IT specialist, but working on classified military networks that provided highly sensitive information to combatant commanders across the globe.
Indications that Teixeira shouldn’t have had a Top Secret security clearance miss the mark, and ignore the hundreds of thousands of very young service members and entry-level cleared professionals that are necessary in a national security workforce. The question shouldn’t be why a 21-year-old had a security clearance – but how he got the specific information he did, and why he walked out the door with it.
Cyber & Continuous Vetting and Social Media
The other clear question is why social media monitoring didn’t catch the sharing of classified documents. The reality is – while cyber vetting can be a part of the security clearance process, it’s not commonly used or fully baked into the CV program to-date. And if it was, it’s unclear how the process could successfully scale to track activity across the thousands of forums and internet chat rooms. Pilots have been conducted, and it’s clear more can be done. Privacy and accuracy issues to rolling out cyber vetting are obvious, but there are clearly issues when commercial websites at least appear to better track our activity across the web than the government tracks it for security clearance holders.
Education, Awareness, and Narks
The investigation into Teixeira has only just begun. Any process that allowed him to take photos of classified documents is going to be an issue (what happened to no phones in the SCIF?!). Other questions include how to better package SCI information so only those who truly need it have access, to what they need, when they need it.
But what absolutely doesn’t need to happen – is a world where we think a 21-year-old, or a National Guardsman, or an individual without a college degree – somehow doesn’t need a security clearance. A security clearance grants eligibility – but it also creates parameters. Teixeira should have known disclosing classified information was a crime. Education and insider threat plans help employees know their obligations – both for themselves, and for their coworkers. If your allegiance to an online forum, an anti-war effort, or your own ego, is greater than your allegiance to the United States – that’s an issue.
Without social media monitoring a comprehensive part of the security clearance process, the best avenue for finding breaches online is through other individuals reporting what they see – ‘if you see something, say something.’ The minors, paramilitary enthusiasts, and foreign nationals on the Discord platform were probably not going to do that – but one would hope across the intelligence wing, there may have been someone who noticed red flag behaviors.
It’s easy to see a serious breach and want to break the whole system – or accuse it of ineptitude. But the devil is in the details, and issues often come down to process, not policy. It’s not the security clearance process that’s broken. (The classification process is broken but that’s another article). There is one individual who busted through the parameters – and if we look, we may find process failures behind it.
Leaks are never good. They damage national security. They compromise relationships. And they cost a lot of people extra time sitting in meetings and security training. But every mistake creates opportunity. As congressional scrutiny does what it does, and looks at how this happened, it will also press in to areas where there is a policy framework, and there is some movement (like social media monitoring) – but where more clearly can be done.
It’s too early to say what went wrong and where – but saying a 21-year-old shouldn’t have a clearance, too many people have clearances, or getting a clearance is too easy – is absolutely, without a doubt, chasing after the wrong problems.