Last month it became clear that junior airman Jack Teixeira had posted highly classified military intelligence information on the Discord platform, which became known as the Pentagon or Discord Leak.
Here I will discuss some additional details about this leak which can be found in the documents filed by the public prosecutor on April 26 and May 17.
Technical training
Op September 26, 2019, Teixeira had joined the Massachusetts Air National Guard and started working at the 102nd Intelligence Wing as a "Cyber Transport Specialist" - according to a letter he wrote to a local law enforcement officer on November 15, 2020.
In that letter, Teixeira tried to convince the officer that he had matured and changed since he was suspended for a few days at his high school in 2018 after making racial threats and remarks about guns and Molotov cocktails. After having enlisted and obtaining a Top Secret clearance, he thought he was eligible again for the Firearms ID that was denied in 2018.
A few months after joining the National Guard, on November 15, 2019, Teixeira had registred at the Community College of the Air Force (CCAF), which offers a variety of courses and programs to earn an Associate of Applied Science (AAS) degree. According to the transcript shown below, he completed the following courses:
- US Air Force Basic Military Training at Lackland Air Force Base on August 13, 2020
- Information Technology Fundamentals at Keesler Air Force Base on February 16, 2021
- Cyber Transport Systems also at Keesler Air Force Base on April 29, 2021
Transcript of the courses which Jack Teixeira took at
the Community College of the Air Force (CCAF)
(click to enlarge)
the Community College of the Air Force (CCAF)
(click to enlarge)
Sensitive Compartmented Information
Teixeira was apparently granted a regular ("collateral") Top Secret clearance already at the start of his training at the CCAF. Just over two months later this was extended to Top Secret/SCI, which means he got access to even more closely guarded information.
The Sensitive Compartmented Information Nondisclosure Agreement (SCINA) was signed by Teixeira and an undisclosed witness on July 7, 2021. This form has 12 spaces where the particular control systems for Sensitive Compartmented Information (SCI) or Special Access Programs (SAPs) can be filled in:
Jack Teixeira's Sensitive Compartmented Information Nondisclosure Agreement
(click to enlarge)
(click to enlarge)
According to the form, Teixeira was briefed for access ("indoctrinated") to the following Sensitive Compartmented Information control systems:
- SI = Special Intelligence (communications intelligence)
- TK = TALENT-KEYHOLE (intelligence from satellite collection)
- G = GAMMA (sensitive communication intercepts)
- HCS-P = HUMINT Control System-Product (intelligence from human sources)
> See also: The US Classification System
On July 15, 2021, Teixeira digitally signed the General Information Systems Acceptable Use Policy and User Agreement of the 102nd Intelligence Surveillance Reconnaissance Group, which said that his actual workplace was at the 102nd Intelligence Support Squadron.
Two weeks later, on July 28, he also signed the Information Technology User Agreement of the 102d Intelligence Wing, with numerous do and don'ts regarding the organization's computer systems.
Finally, on March 3, 2022, after 1 hour e-learning, Jack Teixeira also completed a course about Unauthorized Disclosure (UD) of Classified Information and Controlled Unclasified Information (CUI), as provided by the Defense Counterintelligence and Security Agency.
The Intelligence Support Squadron
On October 1, 2021, Teixeira started as a Cyber Transport Systems Journeyman with the rank of Airman Basic (AB) and pay grade E-1 at the 102nd Intelligence Support Squadron (ISS).
The ISS comprises more than 100 military, civilian and contractor Cyberspace Support professionals who maintain their part of the Air Force Distributed Common Ground System (AF-DCGS), also known as the AN/GSQ-272 SENTINEL weapon systemn. This includes ensuring the availability and integrity of networks and equipment, software installation and support, information system security, communications security, and everything related.
The ISS is part of the 102nd Intelligence Surveillance Reconnaissance Group, which in turn is part of the 102nd Intelligence Wing. This wing was established in 2009 after the Air National Guard's 102nd Fighter Wing had lost its flying mission.
Men and women from the former flying units were trained to work on the DCGS, learning to run its computers and analyze intelligence from spy planes and the ever-increasing numbers of drones. One of them was Jack Teixeira's stepfather.
Military personnel operating the Air Force Distributed Common Ground System
(photo: US Air Force - click to enlarge)
(photo: US Air Force - click to enlarge)
The Distributed Common Ground System
The Distributed Common Ground System (DCGS) is a system-of-systems for passing data from intelligence collection platforms along to combatant commanders and warfighters. There are separate versions of the DCGS for the Navy (DCGS-N), the Army (DCGS-A), the Air Force (AF-DCGS), the Marine Corps (DCGS-MC) and the Special Operations Forces (DCGS-SOF).
In 2015, the DCGS of the Air Force exploited more than 50 manned and unmanned aircraft sorties, reviewed over 1200 hours of motion imagery, produced approximately 3000 signals intelligence reports, exploited 1250 still images and managed a total of 20 terabytes of data each day.
The AF-DCGS had started small at Langley AFB in Virginia, Beale AFB in California and Osan Air Base in South Korea, but expanded in the early 2000s as demand for airborne surveillance surged. Soon, Ramstein Air Base in Germany and Hickam AFB in Honolulu were added, which make a total of five core sites, or Distributed Ground Stations (DGS).
The system is also installed at 16 additional sites: DGS‑Experimental at Langley AFB, 7 Air National Guard (ANG) sites and 8 Distributed Mission Sites (DMS). These DGS and DMS sites are manned by a mixture of active-duty, Air National Guard, Air Force Reserve and coalition partner units working to provide an integrated combat capability.
The AF-DCGS core site at Ramstein Air Base is backed-up by the Distributed Ground Station—Massachusetts (DGS-MA), which was established in December 2009. This site is operated by the 102nd Intelligence Surveillance Reconnaissance Group (ISRG), which performs near-real-time exploitation and analysis of video feeds from the U-2 spy plane, as well as from the RQ-4 Global Hawk and MQ-9 Reaper surveillance drones.
Ramstein is a crucial hub for drone operations, first for those in Iraq and Afghanistan, and now in support of Ukraine in its war with Russia. Because of moral doubts about the American drone program, NGA intelligence analyst Daniel Hale leaked The Drone Papers to The Intercept in 2014.
Suspicious behaviour
Initially, Teixeira said that he "was assigned to middle eastern intelligence gathering tasks" and in November 2022 he wrote that he worked with "NRO, NSA, NGA, and DIA people mostly", that he was "on JWICS weekly" and "knowing what happens more than pretty much anyone else is cool."
JWICS stands for Joint Worldwide Intelligence Communications System and is a highly secured computer and communications network for collaboration and sharing intelligence up to the classification level Top Secret/SCI among US intelligence agencies.
> See also: US military and intelligence computer networks
According to documents filed by the public prosecutor on May 17, 2023, Teixeira had been observed looking for classified intelligence information in the Sensitive Compartmented Information Facility (SCIF) of the 102nd Intelligence Wing, which is located in building 169 at Otis Air National Guard Base on Joint Base Cape Cod.
The entrance to Joint Base Cape Cod in Pocasset, Massachusetts
(photo: CJ Gunther/EPA - click to enlarge)
(photo: CJ Gunther/EPA - click to enlarge)
The first time was in September 2022, when a staff sergeant saw that Teixeira had taken notes of classified information and put the note in his pocket. The staff sergeant asked Teixeira if he planned to shread it and informed a master sergeant. They discussed the incident with Teixeira, who was "instructed to no longer take notes in any form on classified intelligence information."
On October 25, it became clear that Teixeira was "potentially ignoring the cease-and-desist order on deep diving into intelligence information", because five days earlier he had attended the ISS morning meeting where the weekly Current Intelligence Briefing (CIB) was being given, after which Teixeira proceeded to ask very specific questions.
Teixeira was once again instructed to cease-and-desist any deep dives into classified information and to focus on his job in supporting Cyber Defense Operations (Air Force Specialty Code 1D). Additionally, he was offered the opportunity to explore cross training for All Source Intelligence Analyst (1N0) or Cyber Intelligence (1N4), which he declined.
All this didn't stop him, because a third memorandum for the record filed by the prosecutor says that on January 30, 2023, a master sergeant "was walking the Ops [Operations] floor when she observed A1C Teixeira on a JWICS machine viewing content that was not related to his primary duty and was related to the intelligence field."
This behaviour of Teixeira is very similar to that of Edward Snowden, who also had an almost insatiable desire for information regardless of whether he was entitled to it. In his book Permanent Record, Snowden proudly recalled how easy it was to circumvent auditing controls and internal monitoring systems.
Whether Teixeira circumvented such control systems as well is still not clear. While apparently he could access intelligence information on the JWICS network, he definitely didn't had the need-to-know for the material he eventually posted on his Discord server.
Title of the Daily Intelligence Update for the Secretary of Defense and
the Chairman of the Joint Chiefs of Staff from February 28, 2023
(leaked by Jack Teixeira - click to enlarge)
the Chairman of the Joint Chiefs of Staff from February 28, 2023
(leaked by Jack Teixeira - click to enlarge)
Network monitoring
After Jack Teixeira had been arrested on April 13, 2023, various agencies started an investigation into his case. According to a declaration by a special agent of the FBI, there had been an audit of an "Intelligence Community-wide system for which U.S. Government Agency 2 acts as a service provider". This most likely refers to the Defense Intelligence Agency (DIA) and the JWICS network.
This audit, which yielded results dating back to February 26, 2022, revealed that Teixeira had accessed hundreds of classified reports and documents and conducted "hundreds of searches on the classified network on a number of subjects, many of which related to the Russia-Ukraine conflict."
In addition, on or around July 30, 2022, he also searched for the terms "Ruby Ridge", "Las Vegas shooting", "Mandalay Bay shooting", "Buffalo tops shooting", and "Uvalde" which are all (related to) mass shootings in the United States.
While it's definitely useful to have these audit results for a criminal investigation, there's apparently still no insider threat detection system that is capable of near real-time anomaly detection, something the NSA, DISA and large contractors were already working on over a decade ago.
Links and Sources
- Court Listener: United States v. Jack Douglas Teixeira
- The New York Times: Airman in Leaks Case Worked on a Global Network Essential to Drone Missions (April 30, 2023)
- US Air Force Unit History: 102 Intelligence Wing (Jan. 19, 2022)
- AutoNorms: Shortening the Kill Chain with Artificial Intelligence (Nov. 28, 2021)