Air National Guardsman Jack Teixeira allegedly removed, without authorization, classified materials from information systems and controlled areas and posted them on social media platforms.

While sharing information to bolster one’s ego is not new, Teixeira’s exploitation represents the growing reality that online platforms and services are where individuals are turning to impress their associates and garner recognition.

The case again raises the topic the government has been wrestling with since the advent of the internet: the monitoring of social media for initial determination of eligibility, continuous evaluation, and the proactive identification of unauthorized disclosures.

Continued government debate over the appropriateness, legality, viability, and desirability of proactively accessing and analyzing public-facing social media to protect national security appears increasingly archaic when people now live much of their lives online, which is the new and more relevant ‘neighborhood check’ to fulfill the federal investigative standards.

This debate seems further outdated when considering that today’s workers have immediate access to worlds of data, are algorithmically driven to seek controversial information, and are accustomed to engaging online, often anonymously without fear of any real response, with anyone at any time.

The recognition that Teixeira sought by sharing classified materials likely relates to a broader phenomenon: many individuals want to be noticed, to be the first in getting information to market, to go viral, and to be the next powerful social media influencer.

Of greater concern, it likely reflects a world in which a growing demographic doesn’t understand the risk associated with sharing certain personal information and images on social media, which could lead to compromise and increased susceptibility to targeting, or other detrimental consequences such as property theft, physical harm, doxing, stolen identities, or blackmail.

It is unclear to what extent these unsafe online attitudes and behaviors in non-work settings affect an individual’s attitude and behavior toward following security requirements to protect national security.

What is clear is that the government needs (1) policy reforms that include social media cognizance to improve insider risk management effectiveness, (2) better guidance and criteria for using social media to prescreen candidates and continuously evaluate them, and (3) methods to legally, ethically, and effectively use social media and publicly available information to identify potential risk indicators. In recent years, digital identity attribution has vastly improved to assure greater accuracy and enhance due diligence.

As set forth in the U.S. government Security Executive Agent Directive 5 (SEAD 5) on collection of publicly available social media information, as part of the personnel security background investigations for determining initial or continued eligibility for access to national security information, agencies may collect publicly available social media information and incorporate it into the investigative record. Today, this policy is optional, rather than a mandate.

However, SEAD 5 (which applies only to applicants and holders of a security clearance) does not require individuals to provide their social media usernames or passwords, nor does it provide an effective mechanism to assess the future creation of private social media accounts, under ambiguous identities, that may violate security policies. The Teixeira case demonstrates that SEAD 5 is necessary but not sufficient to provide early warning of individuals who abuse their privileges for access to sensitive information.

Because the Teixeira case highlights a complex relationship between unhealthy psychological factors and motivations to violate security protections, it reinforces the need for related improvements in social media security policies and programs. Such improvements will only be possible by conducting innovative social science research that better characterizes, models, and predicts concerning psychological factors—perhaps integrating that information with approved data from criminal records and other security-relevant files—to increase the reliability, validity, and speed of detecting potential online security violations by cleared individuals. As with all security policy, this need is inextricably connected to the continuing ethical responsibility to ensure that improved effectiveness does not infringe upon constitutional rights such as privacy and free speech.

In today’s world, all organizations need the mandate and capacity to monitor public-facing social media to protect lives, intellectual property, and national secrets. Government and industry stakeholders must do more to address the critical gaps for additional social science research and for updated personnel security/continuous evaluation governance that are both ethical and relevant in today’s complex online culture, finding ways for cleared employees to have the opportunity and privacy to express themselves on social media while concurrently safeguarding national security.

 

This is the third segment in the series by the Intelligence and National Security Alliance (INSA) Insider Threat Subcommittee, Emerging Threats Working Group: Val LeTellier, Sue Steinke, Michael Crouse, Fred Walker, Eric Lang, Frank Greitzer, Ross Tapp, and Bishop Garrison.

Any opinions and conclusions expressed in this material are those of the authors and do not necessarily reflect the views of the U.S. Government or INSA. 
