June 6, 2023

On the 10th anniversary of the Snowden revelations

(Updated: June 7, 2023)

To mark the 10-year anniversary of the start of the Snowden revelations, I will look back at some of the most notable disclosures and how they developed, based upon the numerous blog posts which I have written here. It should be noted, however, that this overview is not a complete coverage of this wide-ranging topic.





Books and archives

Between June 2013 and May 2019, the Snowden revelations resulted in over 200 press reports, and more than 1200 classified documents were published in full or in part. Additionally, The Intercept published 2148 editions of the NSA's internal newsletter SIDtoday.

A collection that allows a useful visual recognition of the documents can be found on the private website IC Off the Record, while text searches are possible at the Snowden Archive which is a collaboration between Canadian Journalists for Free Expression (CJFE) and the University of Toronto. A private collection of the documents is also available at GitHub.

There are also at least 12 books about the Snowden revelations. Glenn Greenwald's No Place To Hide from 2014 reads like a pamphlet against perceived mass surveillance. A much more factual overview can be found in Der NSA Komplex, which is also from 2014 and written by two journalists from Der Spiegel, but unfortunately only available in German.

Detailed insights into the political and legal background of the NSA's collection programs are provided in Timothy Edgar's Beyond Snowden from 2017, which is in contrast to Snowden's own memoir Permanent Record from 2019, which leaves more questions than answers.

Finally, and long awaited was Dark Mirror by Washington Post journalist Barton Gellman, which was published in 2020 and offers some important new angles to the initial stories told by Snowden and Greenwald.

> See also my review of Permanent Record: Part I: at the CIA - Part II: at the NSA





Incentives

Some people assume that Snowden is a spy who worked for a Russian intelligence agency, but nowadays, requests for information come from transparency activists as well. Wikileaks' wiki page titled The Most Wanted Leaks of 2009 may have inspired Manning to search for information on SIPRNet and to download hundreds of thousands of military and diplomatic files.

Likewise, the incentive for Snowden may have come from the news program Democracy Now!, in which on April 20, 2012, former NSA crypto-mathematician Bill Binney, documentary filmmaker Laura Poitras and hacktivist Jacob Appelbaum were interviewed by Amy Goodman (a full transcript can be found here).

In the program, Binney claimed that after 9/11 "all the wraps came off for NSA, and they decided to eliminate the protections on U.S. citizens and collect on domestically".

Appelbaum repeated what he said at the HOPE conference in 2010: "I feel that people like Bill need to come forward to talk about what the U.S. government is doing, so that we can make informed choices as a democracy" - which is exactly what Snowden would do: leaking documents because "the public needs to decide whether these programs and policies are right or wrong."

Later that day, Binney and Appelbaum spoke at a "Surveillance Teach-In" in the Whitney Museum, where Appelbaum emphasized that disclosing secret information is also important for privacy and civil liberties organizations: because of a lack of hard evidence and concrete harm it was almost impossible for them to fight NSA surveillance in court.



Binney and Appelbaum at the Surveillance Teach-In on April 20, 2012


Just a month earlier, Snowden started a new job as a SharePoint systems administrator at the NSA's regional cryptologic center in the Kunia Tunnel complex in Hawaii. There, he started automating his tasks to free up time for something more interesting, which he describes in Permanent Record:
"I want to emphasize this: my active searching out of NSA abuses began not with the copying of documents, but with the reading of them. My initial intention was just to confirm the suspicions that I'd first had back in 2009 in Tokyo. Three years later I was determined to find out if an American system of mass surveillance existed and, if it did, how it functioned." *

With this, Snowden basically admits that he isn't a whistleblower: he wasn't confronted with illegal activities or significant abuses and subsequently secured evidence of that, but acted the other way around, by first gathering as much information as he could get and then looking whether there was something incriminating in it.

In his memoir, Snowden doesn't come up with concrete instances of misconduct or other things that could have triggered his decision to hand the documents over to journalists. He even omits almost all the disclosures made by the press, which means that Permanent Record contains hardly anything that justifies his unprecedented data theft.



The tunnel entrance to the former Kunia Regional Security Operations Center
in Hawaii, where Snowden worked from March 2012 to March 2013
(photo: NSA)



The documents

The actual number of documents which Snowden eventually exfiltrated from the NSA has never been clarified. According to the 2016 report from the US House Intelligence Committee, Snowden removed more than 1.5 million documents from NSANet and the JWICS intelligence network.

Glenn Greenwald repeatedly said that number was "pure fabrication" and probably he could agree with former NSA director Keith Alexander who in November 2013 estimated that Snowden had exposed only between 50,000 and 200,000 documents.*

According to Barton Gellman, Snowden provided him and Laura Poitras an encrypted archive of documents called "Pandora" on May 21, 2013. This archive was 8 gigabytes and contained over 50,000 separate documents, all neatly organized in folders.*

Poitras gave Greenwald a copy of the Pandora archive just before they boarded their flight to Hong Kong on June 1. There, Snowden handed over all the remaining files to Greenwald and Poitras, who are believed to be the only ones with a complete set. Other media outlets only got partial sets.

Greenwald's cache ended up at The Intercept, the online news outlet he co-founded with Jeremy Scahill and Laura Poitras in 2014 to report about the Snowden documents. In March 2019, The Intercept closed its Snowden archive and reportedly destroyed it.




Screenshot from a Brazilian television report, showing some of the Snowden files
opened in a TrueCrypt window on the laptop of Glenn Greenwald.
(screenshot by koenrh)



Non-Snowden leaks

In a message to Gellman, Snowden said that "he was not resigned to life in prison or worse. He wanted to show other whistleblowers that there could be a happy ending".* Later, whistleblower attorney Jesselyn Radack hoped that "courage is contagious, and we see more and more people from the NSA coming through our door after Snowden made these revelations."

Indeed, other sources started to leak documents to the press. The first one was a so-called tasking record showing that the NSA had targeted the non-secure cell phone of German chancellor Angela Merkel. This was revealed by Der Spiegel on October 23, 2013, which is less than five months after the start of Snowden's revelations.


The second leaked document that wasn't attributed to Snowden was just as spectacular: the ANT product catalog with a range of sophisticated spying gadgets from the NSA's hacking division TAO. This catalog was also published by Der Spiegel and discussed by Jacob Appelbaum during the CCC on December 30, 2013.

Initially, hardly anyone noticed that these documents didn't come from Snowden, and so a mysterious "second source" was able to publish files that were sometimes even more embarrassing and damaging than those from the Snowden trove, like intercepted conversations of foreign government leaders.

Later, other piggybackers who called themselves The Shadow Brokers leaked highly sensitive information about NSA hacking tools. The sources of these leaks have never been identified, although it's often assumed that Russian intelligence was behind them. Snowden never addressed these other leaks, nor distanced himself from them.




NSA report about an intercepted conversation of French president Hollande.
Leaked by an unknown source and published by Wikileaks in 2015



The Section 215 program

The very first disclosure of a document that did come from Snowden was the Verizon order of the Foreign Intelligence Surveillance Court (FISC), which is often, but unjustly, referred to as a "rubber stamp". The order was published by The Guardian on June 6, 2013.

The Verizon order showed that the NSA was collecting domestic telephone metadata under the so-called Section 215 program. In the US, this became the most controversial issue and initially it seemed to confirm cryptic public warnings by US senators Ron Wyden and Mark Udall, as well as the aforementioned claims by Bill Binney about domestic mass surveillance.

In reaction, Director of National Intelligence (DNI) James Clapper started an unprecedented declassification effort and released numerous FISC and NSA documents about the Section 215 program on a newly created Tumblr site called IC On the Record.

This was meant to clarify a central misunderstanding: the fact that the NSA collects data inside the US doesn't mean they are spying on Americans. The NSA is still focused on foreign targets, but because they are using American internet services, it proved to be fruitful to intercept their data not only abroad, but at telecoms and internet companies inside the US as well (the "home field advantage").

Accordingly, the purpose of the Section 215 program was to find out whether foreign terrorists were in contact with unknown conspirators inside the US, which was one of the failures that could have prevented the attacks of 9/11.

Therefore, the only thing the domestic telephone records were used for was simple contact chaining: NSA started with a phone number of a foreign terrorist and then the MAINWAY system presented the (foreign and domestic) phone numbers with which that initial number had been in contact:



In 2012, the NSA used 288 phone numbers as a "seed" for such a contact-chaining query, resulting in 6000 phone numbers that analysts actually looked at. When this led to a suspicious American phone number, the NSA passed it on to the FBI for further investigation.
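The contact-chaining query described above, as an added illustration that is not code from the original post nor from any NSA system: a breadth-first walk over a constructed set of call records, starting from seed numbers and stopping at a hop limit, with records older than the retention window dropped first. The hop limit of two, the placeholder phone numbers and the query date are assumptions made for the example; the five-year retention limit is the one the post mentions.

```python
from collections import defaultdict, deque
from datetime import date, timedelta

# Constructed sample call-detail records: (caller, callee, call_date).
# The numbers are placeholders for the example, not real phone numbers.
RECORDS = [
    ("+44-7000-0001", "+1-555-0100", date(2012, 3, 1)),
    ("+1-555-0100", "+1-555-0101", date(2012, 4, 2)),
    ("+1-555-0101", "+1-555-0102", date(2012, 5, 3)),   # third hop from the seed
    ("+44-7000-0001", "+33-600-0001", date(2006, 1, 1)),  # older than the retention window
    ("+1-555-0100", "+44-7000-0002", date(2012, 2, 1)),
]


def build_contact_graph(records, query_date, retention_years=5):
    """Build an undirected contact graph from records inside the retention window.

    Records older than retention_years before query_date are discarded, mirroring
    the FISC's five-year retention limit on the telephone metadata.
    """
    cutoff = query_date - timedelta(days=365 * retention_years)
    graph = defaultdict(set)
    for caller, callee, when in records:
        if when < cutoff:
            continue
        graph[caller].add(callee)
        graph[callee].add(caller)
    return graph


def contact_chain(graph, seeds, max_hops=2):
    """Breadth-first search from the seed numbers, out to max_hops contacts away.

    Returns a mapping {number: hop distance}; seeds are at distance 0.
    The hop limit (2 here) is an assumption for the example.
    """
    dist = {seed: 0 for seed in seeds}
    queue = deque(seeds)
    while queue:
        current = queue.popleft()
        if dist[current] >= max_hops:
            continue
        for contact in graph.get(current, ()):
            if contact not in dist:
                dist[contact] = dist[current] + 1
                queue.append(contact)
    return dist


def is_us_number(number):
    """Crude country check on the constructed +1 prefix; an assumption for the example."""
    return number.startswith("+1-")


def chain_summary(records, seeds, query_date, max_hops=2):
    """Run one chaining query and split out the domestic numbers it surfaced.

    Returns (results, domestic): results maps each non-seed number reached to its
    hop distance; domestic lists the US numbers among them, which in the post's
    description would be the ones handed to the FBI for further investigation.
    """
    graph = build_contact_graph(records, query_date)
    reach = contact_chain(graph, seeds, max_hops)
    results = {n: h for n, h in reach.items() if h > 0}
    domestic = sorted(n for n in results if is_us_number(n))
    return results, domestic


if __name__ == "__main__":
    found, us_numbers = chain_summary(RECORDS, ["+44-7000-0001"], date(2013, 1, 1))
    for number, hops in sorted(found.items(), key=lambda kv: kv[1]):
        print(f"{number}  hop {hops}")
    print("domestic numbers surfaced:", us_numbers)
```

With the constructed records, the 2006 call never enters the graph, the seed reaches three numbers within two hops, and the number three hops away stays invisible, which is the point of a hop limit: the count of numbers an analyst sees grows with the hop count, not with the number of seeds alone.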

Although these domestic telephone records were not used to spy on Americans, and the FISC limited their retention to 5 years and prohibited the collection of location data, many people would not like to have them in an NSA database because of what Binney and Snowden called the possibility of a "turnkey tyranny".*

The publication of the Verizon order not only made the general public aware of the Section 215 program, but also gave civil liberty organizations standing in court, which fulfilled Jacob Appelbaum's wish from the 2012 Surveillance Teach-In.

Meanwhile there have been two cases in which a Circuit Court of Appeals ruled about the Section 215 program. They both found that the bulk collection of metadata exceeded the scope of Section 215 of the Patriot Act (because the actual practice hadn't been foreseen by lawmakers, although they had been briefed about it later). The courts didn't decide on whether the program was constitutional or not.




The first page of the Verizon order from April 25, 2013



The PRISM program

One day after the publication of the Verizon order, The Guardian and The Washington Post revealed the PRISM program, which became synonymous with an all-encompassing NSA spying system, just like ECHELON was before.

In his book Dark Mirror, Barton Gellman tells a different story than Greenwald did in No Place to Hide. Greenwald presented himself as the one who was chosen by Snowden to lead the revelations and claimed that he and Laura Poitras had been working with Snowden since February 2013, "long before anyone spoke to Bart Gellman".

According to Gellman, the opposite was the case: on January 31, 2013, Laura Poitras already asked him for advice and on May 7, they agreed to work together. She introduced Gellman to her source, who still called himself Verax, and they started encrypted chat conversations. On May 20, Snowden sent them the full PRISM presentation, after which they signed a contract with The Washington Post on May 24.*

But Snowden was under severe time pressure and urged Gellman to rapidly publish the full PRISM presentation, which he had signed with a digital signature using his Verax alter ego. Only gradually did Gellman realize the implications of this. Snowden's plan was to ask for political asylum at a foreign diplomatic mission in Hong Kong, where he wanted to use the cryptographic signature to identify himself as the source of the PRISM document (and he didn't rule out that he would "provide raw source material to a foreign government").*

As a journalist, Gellman protected the identity of his source, but publishing the digitally signed PRISM presentation would make him and The Washington Post complicit in Snowden's flight from American law. After consulting Poitras, Gellman decided not to do so. On May 27, Snowden withdrew the exclusive right for the Washington Post and turned to Greenwald, who until that moment didn't know who Snowden was, nor had seen any of the documents.*




This time Greenwald managed to get PGP working and Snowden sent him a zip-file with some 25 documents, including the 41-slide PRISM presentation. Greenwald started writing his own story about PRISM, which was published by The Guardian on June 6, 2013.* Just an hour earlier, The Washington Post had released its own PRISM story.

The most controversial part of these stories was the claim that "the National Security Agency has obtained direct access to the systems of Google, Facebook, Apple and other US internet giants", which those companies vigorously denied.

That "direct access" was taken from one of the slides, but it's unclear why both Gellman and Greenwald stuck to the most simple interpretation of it. The fact is that they had the accompanying speaker's notes of almost 7000 words, which said: "PRISM access is 100% dependent on ISP provisioning".*

They also had all the other PRISM slides, including two that were published later on, which clearly show that the FBI is in between the NSA and the internet companies:

PRISM-slide published by Le Monde on October 22, 2013


In Dark Mirror, Gellman admits that "In retrospect, I do not love the way I wrote the [PRISM] story. I knew a lot less then than I learned later, with more time in the documents and many more interviews". A well-informed source told him that the systems of a company like Facebook are too complex to let the NSA plug a cable in. Only Facebook knows how to pull things out, which they can hand over upon a valid request.* Google did that through secure FTP transfers and in person.

Another interesting addition provided by Gellman is about the date of the PRISM presentation, April 2013, which is less than one and a half months before Snowden left the NSA:
"Nothing Snowden had seen until now better suited his plan. He had been talking to Poitras for three months, but he still did not feel confident that his disclosures would seize attention from a public that had seldom responded strongly to privacy warnings. Most of the NSA programs that worried him were legally and technically intricate, not easy to explain. He needed examples that ordinary people would recognize. Along came [the PRISM] presentation, festooned at the top of every slide with iconic logos from the best-known Internet companies in the world. "PRISM hits close to people's hearts", he told me."*



Overcollection

While PRISM is not mass surveillance but targeted collection against individual foreign targets, it still has a problematic aspect: overcollection. Snowden was eager to draw public attention to this issue and, according to Greenwald, took his last job at NSA Hawaii only in order to get access to the NSA's raw data repositories.* Snowden declined to repeat or explain that to Gellman though.*

He succeeded and was able to exfiltrate a cache of ca. 22,000 collection reports, containing 160,000 individual conversations (75% of which instant messages), which the NSA collected via the PRISM program between 2009 and 2012.*

Snowden handed them over to Barton Gellman, who reported on these files in July 2014. Researchers at The Washington Post found that the intercepted communications contained valuable foreign intelligence information, but also that more than 9 out of 10 account holders were not the intended surveillance targets and that nearly half of the files contained US person identifiers.

It's probably technically impossible to prevent such overcollection, but instead of deleting irrelevant personal content, the NSA only "minimizes" it, which means that the names of Americans are redacted before reports are distributed. Gellman saw that NSA personnel take these procedures seriously, but when he confronted former NSA deputy director Rick Ledgett with his unease, Ledgett's only reply was that the NSA really doesn't care about ordinary people.*




The NSA's Mission List

Ledgett's answer is confirmed by a comprehensive listing of the tasks of the NSA in the Strategic Mission List from January 2007. It was published by The New York Times in November 2013, but got hardly any attention, even though it clearly contradicts the claims by Snowden and Greenwald that the NSA has just one single goal: collecting all digital communications from all over the world.

The Mission List names China, North Korea, Iraq, Iran, Russia and Venezuela as "Enduring Targets", which means they are of long-term strategic importance and therefore require a holistic approach. Next there were 16 "Topical Missions", which are subject to some change, but can be considered legitimate targets for any large intelligence agency:
- Winning the Global War on Terrorism
- Protecting the U.S. Homeland
- Combating Proliferation of Weapons of Mass Destruction
- Protecting U.S. Military Forces Deployed Overseas
- Providing Warning of Impending State Instability
- Providing Warning of a Strategic Nuclear Missile Attack
- Monitoring Regional Tensions that Could Escalate
- Preventing an Attack on U.S. Critical Information Systems
- Early Detection of Critical Foreign Military Developments
- Preventing Technological Surprise
- Ensuring Diplomatic Advantage for the U.S.
- Ensuring a Steady and Reliable Energy Supply for the U.S.
- Countering Foreign Intelligence Threats
- Countering Narcotics and Transnational Criminal Networks
- Mapping Foreign Military and Civil Communications Infrastructure



Screenshot of the BOUNDLESSINFORMANT tool showing where the NSA collected most data



Spying among friends

For its mission of "Ensuring Diplomatic Advantage for the U.S.", the NSA intercepts the communications of numerous foreign governments and government leaders. Based upon documents from the Snowden trove, media reported about eavesdropping operations against the Mexican candidate for the presidency, Enrique Peña Nieto, Brazilian president Dilma Rousseff, the Venezuelan oil company PdVSA and many others.


The NSA interest in Germany's chancellor Angela Merkel had the most far-reaching consequences. Merkel herself made clear to president Obama that "spying on friends is not acceptable" ("Ausspähen unter Freunden, das geht gar nicht") and the German parliament started an official investigation into the spying activities of the NSA (NSA-Untersuchungsausschuss or NSAUA). This inquiry lasted from March 2014 to June 2017, but soon shifted its focus to Germany's own foreign intelligence agency BND.

Extensive hearings of BND employees resulted in unprecedented insights into the details of the cable tapping and satellite interception operations which the BND conducted in cooperation with the NSA. Eventually it became clear that the NSA wasn't spying on German citizens, but did try to collect communications from European governments and companies of interest - just like the BND itself, which was also targeting American and French foreign ministers, the interior departments of EU member states, and many others.



German chancellor Angela Merkel holding a secure BlackBerry Z10 in 2013
(photo: Nicki Demarco/The Fold/The Washington Post)



Backdoor tapping Google

A disclosure that caused outrage in Silicon Valley was about MUSCULAR, a collection program in which the NSA cooperates with its British counterpart GCHQ. In October 2013, The Washington Post reported that under this program, the NSA had secretly broken into the main communications links between Yahoo and Google data centers around the world.

A big question was: why would the NSA do that, given that they already had "front door" access to Google and Yahoo via the PRISM program? Gellman asked Snowden, but his only answers were: "Because it could" and: "I'm speculating, but NSA doesn't ignore low-hanging fruit". Eventually Gellman realized that inside the US, the NSA had to specify individual targets, but abroad it was possible to acquire such data in bulk and to search and analyse it with XKEYSCORE.*

The Post didn't mention the XKEYSCORE system by name and it's also not explained in Gellman's book Dark Mirror. That's unfortunate, because while Greenwald and Snowden presented XKEYSCORE as a global mass surveillance tool, it's actually a smart system to find targets who are communicating anonymously and therefore cannot be traced in the traditional way, via identifiers like phone numbers and e-mail addresses.

> More about XKEYSCORE


NSA slide showing where to intercept data from the Google cloud



BOUNDLESSINFORMANT

Where Section 215 was most controversial in the United States but less known in Europe, the opposite was the case with BOUNDLESSINFORMANT, which caused fury in Europe but is hardly known across the ocean. BOUNDLESSINFORMANT isn't a system to collect data, but an internal visualization tool that counts metadata records to provide insight into the NSA's worldwide data collection.

The results are shown in heat maps and charts, for example for countries and collection units. Such charts for Germany and a few other countries were published on July 29, 2013 by Der Spiegel, but on August 5, the German foreign intelligence agency BND said that they collected these data during military operations abroad and subsequently shared them with the NSA.

Despite this statement, Glenn Greenwald interpreted these charts as evidence of American mass surveillance on European citizens and started publishing them in major European newspapers.



BOUNDLESSINFORMANT chart showing the numbers of
metadata which German BND shared with the NSA


On October 21, for example, the French paper Le Monde ran a story saying that "telephone communications of French citizens are intercepted on a massive scale." After a similar story appeared in Spain, NSA director Keith Alexander issued a remarkable clarification, saying: "This is not information that we collected on European citizens. It represents information that we and our NATO allies have collected in defense of our countries and in support of military operations."

Greenwald continued his framing in Norwegian and Italian papers. Only in The Netherlands was it found out that the BOUNDLESSINFORMANT charts were not about content, but about metadata. Dutch interior minister Ronald Plasterk, however, still followed Greenwald's interpretation and assumed the Americans were spying on Dutch citizens. Only a court case forced the government to admit that Dutch military intelligence had collected the data during operations abroad.


It was only in May 2019 that The Intercept put the pieces together and set the record straight: the various BOUNDLESSINFORMANT charts showed cellphone metadata that had been collected by members of the Afghanistan SIGINT Coalition (AFSC, also known as the 9 Eyes) and fed into the NSA's Real-Time Regional Gateway (RT-RG) big data analysis platform.

When The Intercept confronted Greenwald with this new research, he still tried to blame the NSA: "At the time, Der Spiegel had already reported this interpretation, the NSA wouldn’t answer our questions, and they wouldn’t give us any additional information. I am totally in favor of correcting the record if the reporting was inaccurate."

While Greenwald ignores the declaration by general Alexander, he is right that the NSA's internal documentation about BOUNDLESSINFORMANT was somewhat confusing. Apparently, Greenwald had to rely on that documentation because Snowden was of little help, just as he was for various other programs that journalists did not fully understand.




Slide showing all the collection systems that fed the RT-RG platform



Truth

Many of the documents that Snowden provided to the press have been misinterpreted or exaggerated, sometimes unintentionally, but in other cases maybe deliberately. In Dark Mirror, Barton Gellman writes:
"There were signs that Snowden was capable of an instrumental approach to truth. In conversations about my work, when I got stuck on a hard reporting problem, he sometimes suggested that I provoke fresh disclosures from government officials by pretending to know more than I did."

"Another time he went further, proposing that I actually publish informed speculation as fact. If my story outran the evidence, he said, the government would be forced to respond and thereby reveal more. There would be a net gain for public information either way."

"He said misinformation from people like Mike Hayden, supporters of the intelligence establishment, pushed the terms of debate so far off center that only rhetorical counterforce could set the record straight."*

Gellman declined this approach because it would make his reporting unreliable, and it would undermine confidence in the press if it turned out that certain things weren't true. However, claims made by Greenwald and Snowden himself showed that this "counterforce" method sometimes did work: the government came up with new facts, but those never got the same attention as the original story, which by then was already stuck in people's minds.

Snowden gives an example of this in his own book Permanent Record, which is written as if nothing had happened after the day he took the flight to Moscow. It contains hardly anything about all the things revealed by the press, let alone about things that had subsequently been set straight.



Conclusion

There's no doubt that the Snowden revelations provided unprecedented insight into modern-day signals intelligence as conducted by the NSA and its Five Eyes partners.

In part this was much needed to understand how the legal framework is implemented and where safeguards need improvement. That, however, requires a close examination of the documents, which shows that the problems are smaller and more complex than the mythical "global mass surveillance" which Snowden and Greenwald tried to prove.

On the other hand, many things have been published that were merely sensational and weakened the US and its signals intelligence system. By revealing its workings and capacity, the Snowden revelations unintentionally set a new standard which other countries hurried to catch up with.



Links

- The Guardian: Snowden, MI5 and me: how the leak of the century came to be published (June 2023)
- The Guardian: What’s really changed 10 years after the Snowden revelations? (June 2023)
- Schneier on Security: Snowden Ten Years Later (June 2023)
- System Update: SNOWDEN REVELATIONS 10-Year Anniversary: Glenn Greenwald Speaks with Snowden & Laura Poitras on the Past, Present, & Future of Their Historic Reporting (June 2023)
- neues deutschland: 10 Jahre Snowden-Leaks: Enthüllungen nicht mehr erwünscht (June 2023)
- neues deutschland: Snowden-Leaks: Geheimdokumente belegen globale Massenüberwachung (June 2023)
- Der Tagesspiegel: Edward Snowden und die Whistleblower-Frage Feiert die Verräter! (June 2023)
- Netkwesties: Barton Gellman herziet NSA-onthullingen (Dec. 2020)
- See also: Timeline of Edward Snowden

May 18, 2023

New details about the Pentagon Leak

(Updated: June 5, 2023)

Last month it became clear that junior airman Jack Teixeira had posted highly classified military intelligence information on a Discord server, which became known as the Discord or Pentagon Leak.

Here I will discuss some additional details from the documents filed by the public prosecutor on April 26 and May 17, which provide some more insight into Teixeira's training, clearance and working environment.






Technical training

On September 26, 2019, Teixeira joined the Massachusetts Air National Guard and started working at the 102nd Intelligence Wing as a "Cyber Transport Specialist", according to a letter he wrote to a local law enforcement officer on November 15, 2020.

In that letter, Teixeira tried to convince the officer that he had matured and changed since he was suspended for a few days at his high school in March 2018 after making racial threats and remarks about guns and Molotov cocktails. After having enlisted and obtaining a Top Secret clearance, he thought he was eligible again for the Firearms ID that was denied after the incident.

A few months after joining the National Guard, on November 15, 2019, Teixeira registered at the Community College of the Air Force (CCAF), which offers a variety of courses and programs to earn an Associate of Applied Science (AAS) degree. According to the transcript shown below, he completed the following courses:

- US Air Force Basic Military Training at Lackland Air Force Base on August 13, 2020
- Information Technology Fundamentals at Keesler Air Force Base on February 16, 2021
- Cyber Transport Systems also at Keesler Air Force Base on April 29, 2021


Transcript of the courses which Jack Teixeira took at
the Community College of the Air Force (CCAF)



Sensitive Compartmented Information

Right at the start of his training at the CCAF, Teixeira was apparently already granted a regular ("collateral") Top Secret clearance. Just over two months after completing his last course, this clearance was extended to Top Secret/SCI, which means he got access to even more closely guarded information.

The prescribed Sensitive Compartmented Information Nondisclosure Agreement (SCINA) was signed by Teixeira and an undisclosed witness on July 7, 2021. This form has 12 spaces where the particular control systems for Sensitive Compartmented Information (SCI) or Special Access Programs (SAPs) can be filled in:


Jack Teixeira's Sensitive Compartmented Information Nondisclosure Agreement


According to the form, Teixeira was briefed for access ("indoctrinated") to the following Sensitive Compartmented Information control systems:

- SI = Special Intelligence (communications intelligence)
- TK = TALENT-KEYHOLE (intelligence from satellite collection)
- G = GAMMA (sensitive communication intercepts)
- HCS-P = HUMINT Control System-Product (intelligence from human sources)

This shows that Teixeira had legitimate access to all the SCI compartments seen in the documents that he leaked, so apparently the only thing he lacked was the specific need-to-know.

Update:
According to the book Dark Mirror by Washington Post journalist Barton Gellman, Snowden also had an SCI clearance for SI, TK, GAMMA and HCS, "the worst-case scenario for the NSA's internal defenses" according to Gellman.*

A week later, on July 15, 2021, Teixeira digitally signed the General Information Systems Acceptable Use Policy and User Agreement of the 102nd Intelligence Surveillance Reconnaissance Group, which says that his actual workplace was at the 102nd Intelligence Support Squadron (ISS).

Another two weeks later, on July 28, he also signed the Information Technology User Agreement of the 102nd Intelligence Wing, with numerous rules for using the organization's computer systems, including "I will not disclose any non-public Air Force or DoD information to unauthorized individuals."

Finally, on March 3, 2022, after one hour of e-learning, Jack Teixeira also completed a course about Unauthorized Disclosure (UD) of Classified Information and Controlled Unclassified Information (CUI), as provided by the Defense Counterintelligence and Security Agency.





The Intelligence Support Squadron

On October 1, 2021, Teixeira started as a Cyber Transport Systems Journeyman with the rank of Airman Basic (AB) and pay grade E-1 at the 102nd Intelligence Support Squadron (ISS).

The ISS comprises more than 100 military, civilian and contractor Cyberspace Support professionals who maintain their part of the Air Force Distributed Common Ground System (AF-DCGS), also known as the AN/GSQ-272 SENTINEL weapon system. This includes ensuring the availability and integrity of networks and equipment, software installation and support, information system security, communications security, and everything related.

The ISS is part of the 102nd Intelligence Surveillance Reconnaissance Group (ISRG), which in turn is part of the 102nd Intelligence Wing (IW). This wing was established in 2009 after the Air National Guard's 102nd Fighter Wing had lost its flying mission due to the 2005 Base Realignment and Closure (BRAC).

Men and women from the former flying units were transitioned to the new Intelligence Wing and trained to work on the DCGS, learning to run its computers and analyze intelligence from spy planes and the ever-increasing number of drones. One of them was Jack Teixeira's stepfather.


Military personnel operating the Air Force Distributed Common Ground System
(photo: US Air Force)



The Distributed Common Ground System

The Distributed Common Ground System (DCGS) is a system-of-systems for passing data from intelligence collection platforms along to combatant commanders and warfighters. There are separate versions for the Navy (DCGS-N), the Army (DCGS-A), the Air Force (AF-DCGS), the Marine Corps (DCGS-MC) and the Special Operations Forces (DCGS-SOF).

In 2015, the DCGS of the Air Force exploited more than 50 manned and unmanned aircraft sorties, reviewed over 1200 hours of motion imagery, produced approximately 3000 signals intelligence reports, exploited 1250 still images and managed a total of 20 terabytes of data each day.

The AF-DCGS had started small at Langley AFB in Virginia, Beale AFB in California and Osan Air Base in South Korea, but expanded in the early 2000s as demand for airborne surveillance surged. Soon, Ramstein Air Base in Germany and Hickam AFB in Honolulu were added, which make a total of five core sites, or Distributed Ground Stations (DGS).

The system is also installed at 16 additional sites: DGS‑Experimental at Langley AFB, 7 Air National Guard (ANG) sites and 8 Distributed Mission Sites (DMS). These DGS and DMS sites are manned by a mixture of active-duty, Air National Guard, Air Force Reserve and coalition partner units working to provide an integrated combat capability.


The Air Force Distributed Common Ground System (AF DCGS) in 2015


The AF-DCGS core site at Ramstein Air Base is backed-up by the Distributed Ground Station-Massachusetts (DGS-MA), which was established in December 2009. This site is operated by the 102nd Intelligence Surveillance Reconnaissance Group (ISRG), which performs near-real-time exploitation and analysis of video feeds from the U-2 spy plane, as well as from the RQ-4 Global Hawk and MQ-9 Reaper surveillance drones.

Ramstein is a crucial hub for drone operations, first for those in Iraq and Afghanistan, and now in support of Ukraine in its war with Russia. Because of moral doubts about the American drone program, NGA intelligence analyst Daniel Hale leaked The Drone Papers to The Intercept in 2014.




Suspicious behaviour

Teixeira said that at the 102nd Intelligence Support Squadron he was initially "assigned to middle eastern intelligence gathering tasks". In November 2022 he wrote in his Discord server that he worked with "NRO, NSA, NGA, and DIA people mostly", that he was "on JWICS weekly" and "knowing what happens more than pretty much anyone else is cool."

JWICS stands for Joint Worldwide Intelligence Communications System and is a highly secured computer and communications network for collaboration and sharing intelligence up to the classification level Top Secret/SCI among US intelligence agencies.


According to documents filed by the public prosecutor on May 17, 2023, Teixeira had been observed looking for classified intelligence information in the Sensitive Compartmented Information Facility (SCIF) of the 102nd Intelligence Wing, which is located in building 169 at Otis Air National Guard Base on Joint Base Cape Cod.


The entrance to Joint Base Cape Cod in Pocasset, Massachusetts
(photo: CJ Gunther/EPA)


The first time was in September 2022, when a staff sergeant saw that Teixeira had taken notes of classified information and put the note in his pocket. The staff sergeant asked Teixeira if he planned to shred it and informed a master sergeant. They discussed the incident with Teixeira, who was "instructed to no longer take notes in any form on classified intelligence information."

On October 25, it became clear that Teixeira was "potentially ignoring the cease-and-desist order on deep diving into intelligence information", because five days earlier he had attended the ISS morning meeting where the weekly Current Intelligence Briefing (CIB) was being given, after which Teixeira proceeded to ask very specific questions.

Teixeira was once again instructed to cease-and-desist any deep dives into classified information and to focus on his job in supporting Cyber Defense Operations (Air Force Specialty Code 1D). Additionally, he was offered the opportunity to explore cross training for All Source Intelligence Analyst (1N0) or Cyber Intelligence (1N4), which he declined.

All this didn't stop him, because a third memorandum for the record filed by the prosecutor says that on January 30, 2023, a master sergeant "was walking the Ops [Operations] floor when she observed A1C [Airman 1st Class] Teixeira on a JWICS machine viewing content that was not related to his primary duty and was related to the intelligence field."


The Desktop Environment (DTE), a uniform platform for the
US Intelligence Community, running on the JWICS network.


The fact that apparently no further action was taken against Teixeira might have led to the suspension, last April, of the commander of the 102nd Intelligence Support Squadron and the detachment commander overseeing administrative support.

Teixeira's behaviour is very similar to that of Edward Snowden, who also had an almost insatiable desire for information regardless of whether he was entitled to it. In his book Permanent Record, Snowden proudly recalled how easy it was to circumvent auditing controls and internal monitoring systems.

Whether Teixeira circumvented such control systems as well is still unclear. While he could apparently access intelligence information on the JWICS network, he definitely didn't have the need-to-know for the material he eventually posted on his Discord server, which included intelligence briefings for senior military commanders and civilian policy makers.



Title of the Daily Intelligence Update for the Secretary of Defense and
the Chairman of the Joint Chiefs of Staff from February 28, 2023
(leaked by Jack Teixeira)



Network monitoring

After Jack Teixeira had been arrested on April 13, 2023, various agencies started an investigation into his case. One was an audit of an "Intelligence Community-wide system for which U.S. Government Agency 2 acts as a service provider", which most likely refers to the Defense Intelligence Agency (DIA) and the JWICS network.

This audit, which yielded results dating back to February 26, 2022, revealed that Teixeira had accessed hundreds of classified reports and documents and conducted "hundreds of searches on the classified network on a number of subjects, many of which related to the Russia-Ukraine conflict."

In addition, on or around July 30, 2022, he also searched for the terms "Ruby Ridge", "Las Vegas shooting", "Mandalay Bay shooting", "Buffalo tops shooting", and "Uvalde", all of which are, or relate to, mass shootings in the United States, in which Teixeira had an unhealthy interest.

While it's definitely useful to have these audit results for a criminal investigation, there's apparently still no insider threat detection system that is capable of near-real-time anomaly detection. The NSA, DISA and large defense contractors were already working on that over a decade ago, but this turned out to be rather difficult.

The DIA seems to be lagging behind even more, as only by the end of 2021 did the agency come up with plans to modernize the JWICS network with, for example, Comply-to-Connect access control and behavior-based vulnerability detection.

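To illustrate what the audit described above could have surfaced much earlier if it ran continuously, here is an added example of two simple insider-threat checks: a volume check (a user's daily search count far above that day's median) and a scope check (searches and views on subjects outside the user's duty area). This is my own sketch, not code from any agency or from the court filings; the log format, the subject tags and the mapping from Air Force Specialty Codes to duty subjects are all hypothetical, and the log itself is constructed.

```python
import csv
import io
from collections import Counter, defaultdict
from statistics import median

# Constructed sample audit log (hypothetical format; not a real JWICS log).
# Columns: timestamp, user, Air Force Specialty Code, action, subject tag.
SAMPLE_LOG = """\
ts,user,role,action,subject
2023-01-30T08:02:11Z,analyst.a,1N0,search,RUS-UKR
2023-01-30T08:15:40Z,analyst.a,1N0,search,RUS-UKR
2023-01-30T10:41:03Z,analyst.a,1N0,search,RUS-UKR
2023-01-30T09:05:22Z,analyst.b,1N0,search,RUS-UKR
2023-01-30T09:30:57Z,analyst.b,1N0,search,RUS-UKR
2023-01-30T13:12:09Z,analyst.b,1N0,search,MIDEAST
2023-01-30T07:55:14Z,tech.c,1D,search,RUS-UKR
2023-01-30T07:58:31Z,tech.c,1D,search,RUS-UKR
2023-01-30T08:03:49Z,tech.c,1D,view,RUS-UKR
2023-01-30T08:10:02Z,tech.c,1D,search,RUS-UKR
2023-01-30T08:14:27Z,tech.c,1D,search,RUS-UKR
2023-01-30T08:20:55Z,tech.c,1D,search,RUS-UKR
2023-01-30T08:27:18Z,tech.c,1D,search,MIDEAST
2023-01-30T08:33:40Z,tech.c,1D,search,RUS-UKR
2023-01-31T08:01:00Z,analyst.a,1N0,search,MIDEAST
2023-01-31T08:40:12Z,analyst.a,1N0,search,MIDEAST
2023-01-31T09:12:45Z,tech.c,1D,search,NETWORK-OPS
"""

# Hypothetical mapping from duty code to the subject tags that duty covers.
DUTY_SUBJECTS = {
    "1N0": {"RUS-UKR", "MIDEAST", "CHINA"},  # All Source Intelligence Analyst
    "1D": {"NETWORK-OPS", "COMSEC"},         # Cyber Defense Operations
}


def parse_log(text):
    """Read the CSV audit log into a list of event dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def out_of_scope_counts(events):
    """Per user: number of searches and views on subjects outside the user's duty scope."""
    counts = Counter()
    for e in events:
        if e["subject"] not in DUTY_SUBJECTS.get(e["role"], set()):
            counts[e["user"]] += 1
    return counts


def daily_search_counts(events):
    """day -> Counter(user -> number of searches that day); views are not counted."""
    per_day = defaultdict(Counter)
    for e in events:
        if e["action"] == "search":
            per_day[e["ts"][:10]][e["user"]] += 1
    return per_day


def rate_anomalies(events, factor=2.0, min_count=5):
    """(day, user, count, baseline) where a user's searches exceed factor x that day's median."""
    flagged = []
    for day, per_user in sorted(daily_search_counts(events).items()):
        baseline = median(per_user.values())
        for user, n in sorted(per_user.items()):
            if n >= min_count and n > factor * baseline:
                flagged.append((day, user, n, baseline))
    return flagged


def insider_report(events, scope_threshold=3):
    """Combine both checks into user -> list of human-readable reasons."""
    report = defaultdict(list)
    for user, n in out_of_scope_counts(events).items():
        if n >= scope_threshold:
            report[user].append(f"{n} searches/views outside duty scope")
    for day, user, n, baseline in rate_anomalies(events):
        report[user].append(f"{n} searches on {day} vs. median {baseline}")
    return dict(report)


if __name__ == "__main__":
    for user, reasons in insider_report(parse_log(SAMPLE_LOG)).items():
        print(user, "->", "; ".join(reasons))
```

Both checks need only the audit fields that already existed for the post-arrest review (who searched what, and when); the difference is that they run on each day's data rather than fourteen months later. The median-based baseline is deliberately crude: a real deployment would compare against the user's own history and a peer group with the same duty code.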
Update:
On May 19, 2023, a federal magistrate judge ruled that Jack Teixeira has to remain in prison pending his trial because he poses a continuing threat to national security and public safety.



Links and Sources

- Court Listener: United States v. Jack Douglas Teixeira
- The Washington Post: Amid leak of U.S. secrets, Pentagon hunts how documents left air base (May 20, 2023)
- Emptywheel: Jack Teixeira’s Polish (or Croatian) Missile (May 18, 2023)
- Christian Science Monitor: Jack Teixeira, Edward Snowden, and plugging intelligence leaks (May 17, 2023)
- The Washington Post: Leak suspect shared classified secrets with foreigners, prosecutors say (May 17, 2023)
- The New York Times: Airman in Leaks Case Worked on a Global Network Essential to Drone Missions (April 30, 2023)
- US Air Force Unit History: 102 Intelligence Wing (Jan. 19, 2022)
- AutoNorms: Shortening the Kill Chain with Artificial Intelligence (Nov. 28, 2021)


April 21, 2023

Everything you want to know about the Pentagon/Discord Leak

(Updated: May 22, 2023)

Two weeks ago, a few highly classified military maps from the Pentagon appeared on social media. As more and more of such documents surfaced, this became the most significant leak since the exposure of NSA and CIA hacking tools in 2016 & 2017.

Because the content of the leaked documents has already been extensively discussed by the press, I will summarize the events, take a close look at the form of the documents and assess how the leaker might have been able to access them.






The leak     Discord - 4chan - Telegram

The Pentagon or Discord Leak came to light on Thursday, April 6, when The New York Times reported on Top Secret US defense documents that had been shared on Russian Telegram channels.

How this leak developed becomes clear from research by Aric Toler from Bellingcat and Shane Harris from The Washington Post, as well as from the affidavit which the FBI submitted to the district court of Massachusetts.

According to these sources, the leak started in October 2022, when someone who called himself OG (for Original Gangster) began posting classified information in a Discord server, which he eventually named "Thug Shaker Central" and which he controlled as its administrator.

This server had been created in 2020 by someone who called himself Vakhi, a now 17-year-old high school graduate, and consisted of some 20 to 30 gamers from various countries, including Russia and Ukraine. They had been locked in their houses during the Covid-19 pandemic and were "united by their mutual love of guns, military gear and God".

Initially, OG made transcriptions of classified documents he had brought home from his job on an unnamed military base. By sharing this information, OG apparently wanted to show off his insider knowledge and offer the other server members unique insights that could provide protection from real-world troubles.

Similar to Snowden, OG ranted about "government overreach" and saw law enforcement and intelligence agencies as "a sinister force that sought [to] suppress its citizens and keep them in the dark."

When transcribing classified documents by hand proved too tiresome and not very attractive for the server members, OG began posting photos of the original documents in January 2023. Eventually, he posted some 350 of such photos in his Discord server.

Then, from February 28 to at least March 2, a 17-year-old user called Lucca secretly posted 50 to 100 of the photos from Thug Shaker Central on another Discord server, which was affiliated with a British-Filipino YouTuber called wow_mao:


Screenshots of several photos posted in the wow_mao Discord server on March 1, 2023


On March 4, 2023, ten photos from the wow_mao server appeared on yet another (and meanwhile deleted) Discord server called "Minecraft Earth Map", which was dedicated to the popular computer game Minecraft. A zip file of 32 photographs also included a photo of a handwritten piece of paper that appeared to be a character sheet for a roleplaying game (RPG), which seems unrelated to the leaked documents.


(Screenshot and pixelation by Bellingcat)


On April 5, three of these photos were posted on the message board platform 4chan and five of them on a pro-Kremlin Telegram account called Donbass Devushka. One of the images, showing a March 1 Ukraine status update (marked "Pg 7"), had been altered to inflate the number of Ukrainian casualties and downplay those on the Russian side.

The Donbass Devushka account has some 65,000 followers and one of its administrators appeared to be former US Navy electronics technician Sarah Bils from Washington state. She said that she later deleted the four photos, but they had already been picked up by other Russian Telegram channels and were eventually noticed on Twitter.

Meanwhile, OG had stopped sharing images in the Thug Shaker Central server in the middle of March. On April 6, shortly before the New York Times first reported on the leak, he learned that his photos had been spilled into other social media, which made him confused and distraught. He then shut down his Discord server and urged its members to delete any information that related to him.

UPDATE #1:

On April 21, 2023, The New York Times reported that from February 25, 2022 (which is one day after Russia invaded Ukraine) to March 19, 2023, the leaker also posted classified information on another, easily accessible Discord server with some 600 members.

There he called himself "unknowing" and provided insights into the development of the war, mainly in the form of detailed written accounts, but he apparently also posted pictures of some documents, which have since been deleted.

On March 19, 2023, unknowing wrote: "I was very happy and willing and enthusiastic to have covered this event for the past year and share with all of you something that not many people get to see", but: "I've decided to stop with the updates."


Motives and damage

Looking back at the leaks of the past 10 years, we see quite some variation in motives: while Edward Snowden assumed he would provide proof of mass surveillance (2013), Daniel Hale leaked the Drone Papers to inform the public (2015), Harold Martin was simply hoarding everything he could get (2016), Nghia Pho wanted to improve his programming skills (2016), Reality Winner also wanted to inform the public about Russian election interference (2017), Joshua Schulte leaked the Vault7 files because he was angry at the CIA (2017), but Jack Teixeira wanted to impress his online chat group (2023).


However, as emptywheel explains in an extensive blog post, the motive of the leaker is something different from what's actually inside the leaked files and what subsequently happens with them: "many [contemporary leakers] don't have expertise on the specific files they're leaking".

This is demonstrated in a piece by PwnAllTheThings, who analyses the damage done by the military intelligence about Ukraine ("acute damage potential, but very short-lived"), the political analysis using non-fragile sources ("embarrassing, but quickly forgotten"), and the foreign intelligence from highly sensitive sources ("fragile and opaque longer-term damage").



The leaker     Jack Teixeira

Based upon a very close examination of items that could be seen in the background of the leaked photographs, "OG" was identified as the 21-year-old airman Jack D. Teixeira. On Thursday, April 13, he was arrested by the FBI at the home of his mother in North Dighton, Massachusetts, and accused of "alleged unauthorized removal, retention and transmission of classified national defense information."

Teixeira grew up in the suburbs of Providence, Rhode Island, and attended Dighton-Rehoboth High School in Massachusetts where he graduated in 2020. He appeared to be a loner and according to several of his former high school classmates, he had a fascination with the military, guns and war.

On September 26, 2019, Teixeira had joined the Massachusetts Air National Guard, and after finishing technical training, he entered active duty at the 102nd Intelligence Wing on October 1, 2021. This unit is located at Otis Air National Guard Base on the southern portion of the Joint Base Cape Cod (JBCC).


The entrance to Joint Base Cape Cod in Pocasset, Massachusetts
(photo: CJ Gunther/EPA)


In his first job, that of a Cyber Transport Systems Journeyman, Teixeira was responsible for keeping the communications networks secure and operational, including installing, maintaining and repairing hardware and cables. Since May 2022, his job title was Cyber Defense Operations Journeyman. This is remarkably similar to Edward Snowden, who started as a systems administrator and then became a cyber defense analyst.

Since he entered active duty in 2021, Teixeira held a Top Secret clearance with access to Sensitive Compartmented Information (SCI), which usually includes signals intelligence (SI) and information collected by satellites and airborne surveillance platforms (TK). For which information he had the necessary need-to-know depended on the specific duties of his job.


Location of Joint Base Cape Cod and Teixeira's hometown
(graphic: The Washington Post)


The 102nd Intelligence Wing

The 102nd Intelligence Wing consists of over 20 squadrons and groups. The 102nd Intelligence Surveillance Reconnaissance Group (ISRG), for example, performs near-real-time exploitation and analysis of video feeds from the U-2 spy plane, as well as from the RQ-4 Global Hawk and MQ-9 Reaper surveillance drones; the results are put together so they can be used by military commanders.

Other units are involved in cyber missions, like the 267th Intelligence Squadron (IS), which conducts "signals intelligence exploitation in the cyber domain for 25th Air Force and US Cyber Command", providing "finished Cyber ISR products, and direct support for consumers across multiple agencies."

Besides supporting combat operations overseas, the 102nd Intelligence Wing also provides defense support to civilian authorities during national and regional emergencies, as is shown in this video from 2017:



102nd Intelligence Wing Airmen provide disaster relief
in response to Hurricane Harvey in August 2017


Meanwhile, the US Air Force has ordered the 102nd Intelligence Wing to halt its intelligence mission as the service's inspector general investigates the leak. Its duties have been temporarily reassigned to other Air Force units.

UPDATE #2:

On April 26, 2023 the US Air Force said that the commander of the 102nd Intelligence Wing temporarily suspended his subordinate commander of the 102nd Intelligence Support Squadron and the detachment commander overseeing administrative support.

> See also: New details about the Pentagon Leak



The documents     intelligence briefings

Reportedly, Jack Teixeira posted some 350 photos in the Thug Shaker Central Discord server, but it should be noted that each photo only shows a single page, so the actual number of complete documents is much lower.

The maps and charts seem to come in sets of up to 8 pages and an unpublished intelligence summary also consists of 8 pages. This means the number of documents may be somewhere around 60.

Various media outlets have gained access to around 100 photos, likely those that were shared to the wow_mao Discord server. Just over 50 of them have been shared more widely and were also available on some websites. On April 16, Newsweek published 20 of these photos with comments by William Arkin.

Most widely available are eight out of the ten photos that made their way to the Minecraft Discord server and from there to 4chan and Telegram. They are shown below:

Russia/Ukraine | Status of the Conflict as of 1 Mar (Pg 7)
TOP SECRET//HCS-P/SI-G/TK//FGI//RSEN/ORCON/NOFORN/FISA
March 1, 2023

IVO = In the Vicinity Of      ICOD = Intelligence Cut-Off Date
PCN = Product Control Number      UAF = Ukraine Armed Forces


Assessed Operations in Kharkiv (Pg 8)
TOP SECRET//HCS-P/SI-G/TK//FGI//RSEN/ORCON/NOFORN
March 1, 2023



Bakhmut Axis (Pg 10)
TOP SECRET//HCS-P/SI-G/TK//FGI//RSEN/ORCON/NOFORN
March 1, 2023



Donetsk Axis (Pg 11)
TOP SECRET//HCS-P/SI-G/TK//FGI//RSEN/ORCON/NOFORN
Date unknown



Ukraine | Freeze Favorable To Vehicle Maneuver (~16 Inches) Projections (Pg 13)
SECRET//REL TO USA, FVEY
February 28, 2023



Russia/Ukraine Joint Staff J3/4/5 Daily Update (D+370) (Pg 17)
SECRET//NOFORN
March 1, 2023

AOR = Area of Responsibility      Pax = Persons
CAO = Current As Of      SIGACT = Significant Activity
CCIR = Commander’s Critical Information Requirement
SOF = Special Operations Forces


US, Allied & Partner UAF Combat Power Build (Pg 24)
SECRET//REL TO FIN, UKR, FVEY, NATO
February 28, 2023

CAO = Current As Of      BDE = Brigade


BDA From Recent Strike? Damage GBU BBCARD (Pg 37)
SECRET//REL TO USA, FVEY
February 15, 2023

BDA = Battle Damage Assessment      OSINT = Open Source Intelligence
BBCARD = ?      RFI = Request For Information
GBU = Guided Bomb Unit      SAG-U = Security Assistance Group - Ukraine


The following video provides a detailed explanation of four of the leaked documents:




Additional page numbers

Among the set of 50+ photos are more of these military maps, and a close look reveals that in the lower right corner of most of them there's an additional page number that was printed over the original text. The highest page number is 59, which indicates that even more of these maps and charts (with dates from February 27 to March 2) had apparently been part of one package:



It seems that all the documents with an additional number are about the war in Ukraine, so they were probably put together to provide a comprehensive overview of the current situation, perhaps "to inform senior military and civilian government officials during briefings at the Pentagon in Arlington, Virginia", as the affidavit says.


The classification markings

More eye-catching than the additional page numbers are the classification markings. The map in the first photo (marked "Pg 7") in particular has one of the longest classification lines seen so far:

Classification line of the document marked "Pg 07" (colors enhanced)


These official classification lines consist of different types of markings, separated by a double slash. The meaning of the various parts is as follows:

- TOP SECRET (release would cause exceptionally grave damage to national security)

- HCS-P = HCS Product (intelligence reports based on human sources)
- SI-G = Special Intelligence GAMMA (sensitive communication intercepts)
- TK = TALENT-KEYHOLE (intelligence from satellite collection)

- FGI = Foreign Government Information (classified info from foreign partners)

- RSEN = Risk Sensitive
- ORCON = Originator Controlled
- NOFORN = No Foreign Nationals
- FISA = Foreign Intelligence Surveillance Act


The markings HCS-P, SI-G, TK and FGI show that this document contains information from all the main intelligence sources: human intelligence (HUMINT, marked HCS-P), signals intelligence (SIGINT, marked SI-G), imagery intelligence (IMINT, marked TK) and intelligence provided by foreign partners (marked FGI). The result is a so-called "all-source intelligence product".

In this case, this product was created by the Defense Intelligence Agency (DIA), which is responsible for fusing intelligence from multiple sources for military purposes, just like the Central Intelligence Agency (CIA) creates all-source intelligence reports for the president and senior civilian policymakers.


The last part of the classification line consists of the dissemination markings:

- Risk Sensitive, which is used by the National Geospatial-Intelligence Agency (NGA) to "protect especially sensitive (satellite) imaging capabilities and exploitation techniques".

- Originator Controlled, which means the originator of the information controls to whom it is released. It allows originators to maintain knowledge, supervision, and control of the distribution of the information beyond its original dissemination.

- No Foreign Nationals, which means the information may not be disclosed or released to foreign nationals, foreign governments, or international organizations without permission by the originator of the information.

- Foreign Intelligence Surveillance Act, which is the law that allows the collection of foreign intelligence at facilities inside the United States (such as PRISM and Upstream collection). Information from this source may not be used in criminal investigations without approval by the attorney general.
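The structure just described (groups separated by a double slash, markings within a group by a single slash) is regular enough to parse mechanically, which is how banner-aware systems decide what a document contains and who may see it. The following is an added example of my own, not code from any agency or from the affidavit, that parses the banner lines transcribed on this page, tests for the "all-source" combination of HCS-P, SI-G, TK and FGI discussed above, and checks a banner against the SCI indoctrinations listed on Teixeira's nondisclosure agreement (SI, TK, G and HCS-P; note that SI-G needs both the SI and the GAMMA briefing). The tables only cover markings that appear on this page; anything else is reported as unknown rather than guessed.

```python
from dataclasses import dataclass, field

# Classification levels and markings as described on this page. Anything
# not in these tables is reported as unknown rather than guessed.
CLASSIFICATIONS = ("TOP SECRET", "SECRET", "CONFIDENTIAL", "UNCLASSIFIED")

# SCI control system markings and the indoctrinations a reader needs for
# each: SI-G (Special Intelligence GAMMA) requires both the SI and the G
# (GAMMA) briefings that appear on Teixeira's nondisclosure agreement.
SCI_INDOCTRINATION = {
    "HCS-P": {"HCS-P"},   # HUMINT Control System - Product
    "SI": {"SI"},         # Special Intelligence (COMINT)
    "SI-G": {"SI", "G"},  # Special Intelligence GAMMA
    "TK": {"TK"},         # TALENT-KEYHOLE
}

DISSEMINATION = {
    "RSEN": "Risk Sensitive",
    "ORCON": "Originator Controlled",
    "NOFORN": "No Foreign Nationals",
    "FISA": "Foreign Intelligence Surveillance Act",
}


@dataclass
class Banner:
    classification: str
    sci: list = field(default_factory=list)            # SCI control systems
    fgi: bool = False                                  # Foreign Government Information
    dissemination: list = field(default_factory=list)  # dissemination controls
    rel_to: list = field(default_factory=list)         # REL TO country/coalition codes
    unknown: list = field(default_factory=list)        # tokens not in the tables above


def parse_banner(line: str) -> Banner:
    """Split a banner line on '//' into marking groups and on '/' within a group."""
    segments = [s.strip() for s in line.strip().split("//")]
    if segments[0] not in CLASSIFICATIONS:
        raise ValueError(f"unknown classification level: {segments[0]!r}")
    banner = Banner(classification=segments[0])
    for seg in segments[1:]:
        if seg.startswith("FGI"):
            banner.fgi = True
        elif seg.startswith("REL TO"):
            codes = seg[len("REL TO"):].split(",")
            banner.rel_to = [c.strip() for c in codes if c.strip()]
        else:
            for tok in (t.strip() for t in seg.split("/") if t.strip()):
                if tok in SCI_INDOCTRINATION:
                    banner.sci.append(tok)
                elif tok in DISSEMINATION:
                    banner.dissemination.append(tok)
                else:
                    banner.unknown.append(tok)
    return banner


def is_all_source(banner: Banner) -> bool:
    """True when HUMINT (HCS-P), SIGINT (SI or SI-G), IMINT (TK) and FGI are all present."""
    has_humint = "HCS-P" in banner.sci
    has_sigint = any(t in ("SI", "SI-G") for t in banner.sci)
    has_imint = "TK" in banner.sci
    return has_humint and has_sigint and has_imint and banner.fgi


def missing_indoctrinations(banner: Banner, briefed: set) -> set:
    """SCI briefings a reader still lacks for this banner (clearance only, not need-to-know)."""
    required = set().union(*(SCI_INDOCTRINATION[t] for t in banner.sci))
    return required - set(briefed)


if __name__ == "__main__":
    # Banner lines as transcribed on this page from the leaked photos.
    pg7 = parse_banner("TOP SECRET//HCS-P/SI-G/TK//FGI//RSEN/ORCON/NOFORN/FISA")
    print(pg7)
    print("all-source:", is_all_source(pg7))
    teixeira = {"SI", "TK", "G", "HCS-P"}  # indoctrinations on his SCI NDA
    print("missing for Teixeira:", missing_indoctrinations(pg7, teixeira))
    print(parse_banner("SECRET//REL TO FIN, UKR, FVEY, NATO"))
```

Run on the "Pg 7" banner, missing_indoctrinations returns an empty set for Teixeira's briefings, which is exactly the point made earlier: the clearance check passes, and only the need-to-know, which no banner encodes, should have stopped him.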


A similar, but much less visible classification line (without the FISA-marking) is found on some other maps:

Classification line of the document marked "Pg 08" (colors enhanced)


Intelligence briefings

For most of the maps and charts it's not clear what their exact origin is, but a photo published by Newsweek shows a document with the header of the Daily Intelligence Update for the Secretary of Defense and the Chairman of the Joint Chiefs of Staff.

This briefing is dated February 28, 2023 and was prepared by the Directorate for Intelligence (J2) of the Joint Staff, which is managed by the DIA:


Title of the Daily Intelligence Update from February 28, 2023 (colors enhanced)


Besides the military maps and charts, the set of 50+ photos also contains text documents. These appear to be daily intelligence briefings which consist of one-paragraph summaries of particular events from all over the world. Four different briefings can be distinguished:

- CIA Operations Center Intelligence Update (March 2, 2023; 2 pages)

- Signals Intelligence briefing (March 1 or 2, 2023; 8 pages)

- Multiple source intelligence briefing (probably March 1, 2023; 2 pages)

- Multiple source intelligence briefing (March 2, 2023; 5 pages)


Covering events from all over the world and based upon all available sources of intelligence, these briefings are clearly intended for high-level military commanders and civilian policymakers, although they are likely also distributed among watch centers like the NSA's National Security Operations Center (NSOC).

The briefing that only contains signals intelligence appears almost identical to the NSA's Global SIGINT Highlights. Parts of the Global SIGINT Highlights from 2004 to 2012 were published in 2015 by Wikileaks, which had obtained them from a still unknown source. They were considered more embarrassing for the US than most of the Snowden documents.



NSA report about an intercepted conversation of French president Hollande.
From the Global SIGINT Highlights, published by Wikileaks in 2015


The Global SIGINT Highlights succeeded the SIGINT Digest, which also included maps, graphics and images. By the end of 1994, the NSA started to share content of the SIGINT Digest on the JWICS version of Intelink, in order to make its intelligence products available for other agencies. However, Intelink may include information from the SCI compartments SI and TK, but not from HCS and GAMMA.



Serial numbers

In the unpublished intelligence briefings, each paragraph has one or more serial numbers which refer to the source of the information, usually an intelligence report by one of the US intelligence agencies. Here's a selection of the serial numbers from these briefings (with classification level and topic):

NSA serialized reports:
3/55/120969-23 (TS/SI, about Jordan)
Z-G/OO/121581-23 (TS/SI-G, about Israel)
3/O5/121275-23 (TS/SI, about Colombia)
3/OO/122012-23 (TS/SI, about North Korea)
Y-G/OO/122008-23 (TS/SI-G, about Brazil/Russia)
G/RG/122297-23 (TS/SI-G, about Russia)
3/OO/122310-23 (TS/SI, about the IAEA)
Z-G/OO/122198-23 (TS/SI-G, about South Korea)
3/IR/122434-23 (TS/SI, about Central African Republic)
G/RA/122097-23 (TS/SI-G, about Russia in Africa)
3/RT/122431-23 (TS/SI, about Nigeria)

(The format of these SIGINT serial numbers is explained here)

Australia's ASD serialized reports:
3/EE/718-23 (TS/SI, about China)

Canada's CSE serialized reports:
3/UU/442-23 (TS/SI, about Russia & Canada)

DIA reports:
DIA_F_24OUB_A (TS/SI-G, about Nicaragua)
DIA_F_24O3A_A (Secret, about war in Ukraine)
DIA_F_24OR2_A (Secret, about ISIS)
DIA_F_24ON5_A (Secret, about China)
DIA_F_24OLT_A (TS/SI, about Russia)

CIA reports:
WIRe2023-04119 (Secret/HCS-P, about Ethiopia)
WIRe2023-27480 (Secret, about satellite interference)
WIRe2023-04601 (TS/SI-G, about China)
WIRe2023-03684 (Secret, about North Korea)

Other CIA reports:
CIA 50125415520 (Unclassified, about Israel)
CIA-DA-IA-2023-01909 (TS/SI, about nuclear security)
CIA Intel Update [date]

INR reports:
INR Night Owl Notes [date]

DEA reports:
DEA-NN-IIR-3998-23 (Secret, Haiti/Russia)

National Intelligence Council:
NIC-NICM-2023-04600 (Secret, about West/Central Africa)
NIC-NICM-2023-04261 (?, about Ukraine)

Unknown:
AFP202302281614370370 (Unclassified, about Israel)
EUW2023030116612750 (Unclassified, about Nigeria)
LIW2023022771195902 (Unclassified, about Israel)
EUW2023030167988335 (TS/SI, about Iran)
AFW2023030163657742 (Secret, Nigeria)

Compilation of NSA serial numbers found in the briefings (source)


Dates of the documents

If we look at the dates of the aforementioned documents, we see that all the text briefings are from March 1 and March 2, 2023. Some of the maps and charts have dates from the second half of February, but they seem to be part of the "Ukraine package", the latest date of which is March 1.

Some screenshots from the wow_mao Discord server show that the user called Lucca already posted the photos of these documents there on March 1 and March 2.

That means Teixeira took the printed briefings home at the end of the same day that they had been released, photographed tens of pages and posted them on his own Discord server, after which Lucca reposted them almost immediately, or at the latest the next day, on the wow_mao server.

This was repeated on March 2, when Lucca reposted documents dated February 28 and March 1, mostly from the "Ukraine package". This shows how eager both Teixeira and Lucca were to share the Top Secret information.

The earliest date seen so far is January 13, 2023, which is found on a chart that was published by The Washington Post on April 18:


Leaked document that "highlights capabilities and notional flight paths
of China's supersonic reconnaissance drone, along with satellite images
of its home base at Liuan Airfield", January 13, 2023.



The access     JWICS

A frequently asked question is whether a low-level airman like Jack Teixeira had legitimate access to the documents he leaked. Given his Top Secret/SCI clearance he was allowed to work with intelligence information, but even if his unit was involved in (cyber) operations in Ukraine, it's unlikely that he had the need-to-know for high-level briefings covering events from all over the world.

But where did he get them from? The simplest explanation would be that a senior commander at Otis Air Base asked Teixeira to print out his daily briefings, and that Teixeira was able to grab those papers afterwards and take them home, instead of throwing them into the burn bag to be securely destroyed.

Already during the Snowden leaks it became clear that the NSA and other agencies don't impose universal checks of personnel and their belongings as they enter and leave secure facilities. Security guards only conduct random checks and use their discretion in order to keep and build the trust of the employees: "Anything that could fit in a pocket could go out undetected".

In this case, however, the number of pages Teixeira took home around March 1, 2023 was so high (which is also indicated by the fact that the fold creases are not sharp, as they would be on a thin stack) that they wouldn't have easily fit in a pocket, but he could have put them under his clothes.


Unauthorized access?

In the US, intelligence is disseminated through the Joint Worldwide Intelligence Communications System (better known as JWICS), which is a highly secure communications network for information up to the level of Top Secret/SCI. It has "only" around 200,000 users, so it's not like all 1.25 million people who hold a Top Secret clearance had access to the leaked files, like various press reports suggested.


On the JWICS network, access is further restricted through additional login requirements for the various tools, programs and user groups (Communities of Interest), depending on someone's need-to-know. For example, for sharing intelligence, including from the GAMMA and HCS compartments, there's a collaborative workspace called i-Space (formerly A-Space), but users have to be individually authorized to see data about a particular topic or country.


Security measures

When A-Space was launched (for 10,000 users) in 2007, an intelligence official admitted that "This is a counter-intelligence nightmare. You've got to ask yourself, if there's one bad apple here, how much can that bad apple learn?" To mitigate that risk, A-Space would be additionally secured by looking out for suspiciously anomalous searches.

Given the fact that the leaked intelligence briefings contain information from the GAMMA and HCS compartments, we have to assume that there are similar security measures in place as those for i-Space and that it's not possible to access such documents without a proper individual authorization based upon someone's clearance and need-to-know.
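The "anomalous searches" monitoring mentioned for A-Space is worth making concrete. The following is an added example written for this post; it is not code from the original article and does not describe how i-Space, A-Space or JWICS actually implement their controls. It runs two independent checks over constructed audit records (the log schema, the user names, the topic list and the compartment labels are all assumptions): a hard need-to-know check that flags any query outside a user's authorized topics and compartments, and a breadth check that flags a user whose number of distinct topics on a single day exceeds three times their own baseline median. The point is that a user who normally looks at one or two countries and suddenly queries five is visible even when every individual query looks legitimate.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from statistics import median


@dataclass(frozen=True)
class SearchEvent:
    """One audit record of a search/retrieval. Field names are assumptions,
    not a real JWICS or i-Space log schema."""
    day: date
    user: str
    topic: str        # country or subject area the query concerned
    compartment: str  # compartment label of the retrieved material (assumed labels)


# Constructed need-to-know table: user -> (authorized topics, authorized compartments)
AUTHORIZATIONS = {
    "analyst_a": ({"Ukraine", "Russia"}, {"SI", "TK"}),
    "analyst_b": ({"Ukraine"}, {"SI"}),
}


def _d(day):
    return date(2023, 2, day)


# Constructed baseline: five days of normal activity for two users.
BASELINE_EVENTS = [
    SearchEvent(_d(20), "analyst_a", "Ukraine", "SI"),
    SearchEvent(_d(21), "analyst_a", "Russia", "SI"),
    SearchEvent(_d(22), "analyst_a", "Ukraine", "SI"),
    SearchEvent(_d(22), "analyst_a", "Russia", "TK"),
    SearchEvent(_d(23), "analyst_a", "Ukraine", "TK"),
    SearchEvent(_d(24), "analyst_a", "Russia", "SI"),
    *[SearchEvent(_d(d), "analyst_b", "Ukraine", "SI") for d in range(20, 25)],
]

# Constructed day under review: analyst_a suddenly queries five countries,
# analyst_b stays on topic but touches a compartment they are not cleared for.
TODAY_EVENTS = [
    SearchEvent(date(2023, 3, 1), "analyst_a", t, "SI")
    for t in ["Ukraine", "Russia", "Iran", "Israel", "Nigeria"]
] + [SearchEvent(date(2023, 3, 1), "analyst_b", "Ukraine", "HCS")]


def unauthorized(events):
    """Hard check: any topic or compartment outside the user's need-to-know.
    Unknown users have no authorizations at all."""
    alerts = []
    for e in events:
        topics, comps = AUTHORIZATIONS.get(e.user, (set(), set()))
        if e.topic not in topics or e.compartment not in comps:
            alerts.append((e.user, e.day, e.topic, e.compartment))
    return alerts


def daily_topic_counts(events):
    """Per user: list of 'distinct topics per day' values."""
    topics_by_user_day = defaultdict(set)
    for e in events:
        topics_by_user_day[(e.user, e.day)].add(e.topic)
    per_user = defaultdict(list)
    for (user, _day), topics in topics_by_user_day.items():
        per_user[user].append(len(topics))
    return per_user


def anomalous_breadth(baseline, today, factor=3, floor=2):
    """Flag users whose distinct-topic count on any reviewed day exceeds
    max(floor, factor * their own baseline median). Users with no baseline
    get a median of 1, so they are held to the tightest threshold."""
    base = daily_topic_counts(baseline)
    now = daily_topic_counts(today)
    alerts = {}
    for user, counts in now.items():
        threshold = max(floor, factor * median(base.get(user, [1])))
        observed = max(counts)
        if observed > threshold:
            alerts[user] = (observed, threshold)
    return alerts


if __name__ == "__main__":
    for a in unauthorized(TODAY_EVENTS):
        print("NEED-TO-KNOW VIOLATION:", a)
    for user, (seen, limit) in anomalous_breadth(BASELINE_EVENTS, TODAY_EVENTS).items():
        print(f"BREADTH ANOMALY: {user} touched {seen} topics (threshold {limit})")
```

Both checks fire on different users here: analyst_a trips the breadth check (and three need-to-know violations), while analyst_b trips only the compartment check. A baseline keyed to each user's own history matters because a desk officer covering six countries legitimately looks broader than a single-country analyst; a fixed global limit would either miss the first case or drown in false positives on the second.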


While the US intelligence community is improving intelligence-sharing (not only since the attacks of 9/11, but already since the first Gulf War from 1990-1991), that doesn't mean that security is ignored. How Teixeira was nevertheless able to get hold of the highly classified documents he shared on Discord is something that still has to be clarified.

UPDATE #3:

In the larger Discord server, where Teixeira called himself "unknowing", he explained his knowledge by saying: "I have a little more than open source info. Perks of being in a USAF intel unit".
He also wrote that he was able to access a site run by the NSA and that "I usually work with GCHQ people when I’m looking at foreign countries". On February 28, 2022 he said that "the job i have lets me get privilege's above most intel guys":

Discord post by Teixeira under the nickname unknowing (source)


This sounds very similar to Edward Snowden again, who once said: "What was special about me was I had a special clearance called PRIVAC, which meant I could see across silos. I saw the big picture."
PRIVAC stands for Privileged Access and is described as "a higher level of access than the level of access needed to perform normal processes and system operations", which means these people have the capability to change network addresses, copy data, and install apps without raising red flags.
After Snowden, the NSA intended to reduce the number of PRIVAC users, but in 2016, the DoD Inspector General found that the agency had failed to do so.


UPDATE #4:

From the government's motion for pretrial detention of Jack Teixeira, which was released on April 27, 2023, it became clear that he had a "troubling history of making racist and violent remarks". Teixeira had been suspended from high school in 2018 for alarming comments about the use of Molotov cocktails and other weapons. This behavior was so disturbing that it was flagged by local police when Teixeira applied for a firearms identification card.

Prosecutors also made public a series of social media posts from 2022 and 2023 in which Teixeira expressed his desire to kill a "ton of people" and cull the "weak minded," and described what he called an "assassination van" to kill people in a "crowded urban or suburban environment." In his bedroom, investigators found a small arsenal, including handguns, bolt-action rifles, shotguns, an AK-style high-capacity weapon:

FBI photo of the firearms found in one of Teixeira's bedrooms


This raises serious questions about how it was possible that Teixeira was granted a Top Secret/SCI clearance. Some suggested that his behaviour might not have been very different from what is common among young airmen: the investigation of the January 6 attack on the Capitol found that the military services included too many neo-Nazi and white supremacist extremists, including in their intelligence ranks.

Former NSA general counsel Glenn Gerstell said that "repugnant views and having lots of guns in your bedroom are not automatically going to disqualify you for a security clearance", especially because the US government has for decades struggled to attract sufficient IT and cybersecurity talent.

The Defense Counterintelligence and Security Agency (DCSA) confirmed that its background investigations do "not include automated checks of social media or chat rooms." A review of a serving individual's social media is only likely if their superiors have a reason to be alarmed, which is not only due to a lack of manpower, but also because it's difficult to attribute anonymous profiles.



Links and Sources

- Court Listener: United States v. Jack Douglas Teixeira

- The New York Times: The Next Intelligence Leak Could Be Prevented (April 24, 2023)
- The New York Times: Airman Shared Sensitive Intelligence More Widely and for Longer Than Previously Known (April 21, 2023)
- Financial Times: The Pentagon leak: how a low-ranked 21-year-old accessed top US secrets (April 19, 2023)
- Newsweek: Read the Leaked Secret Intelligence Documents on Ukraine and Vladimir Putin (April 16, 2023)
- PwnAllTheThings: Pentagon Leaks: What's the Damage? (April 15, 2023)
- Emptywheel: Jack Teixeira: Leak Dumps Don’t Care about (the Story You Tell about) Motive (April 15, 2023)
- The New York Times: The Airman Who Gave Gamers a Real Taste of War (April 13, 2023)
- The Cipher Brief: Leak Questions Begin To Center Around A Cell Phone (April 12, 2023)
- The Washington Post: Discord member details how documents leaked from closed chat group (April 12, 2023)
- Verschlusssache: Was steht in den Geheimpapieren? (April 11, 2023)
- Emptywheel: The Thug Shaker Leaks (April 9, 2023)
- Bellingcat: From Discord to 4chan: The Improbable Journey of a US Intelligence Leak (April 9, 2023)
- Motherboard: Pentagon’s Ukraine War Plans Leaked on Minecraft Discord Before Telegram and Twitter (April 7, 2023)
- The New York Times: Leaked documents expose US-NATO Ukraine war plans (April 7, 2023)
- Politico: Leaked military documents on Ukraine battlefield operations circulated as early as March (April 7, 2023)
- The Gray Zone: Leaked documents expose US-NATO Ukraine war plans (April 7, 2023)
- The New York Times: Ukraine War Plans Leak Prompts Pentagon Investigation (April 6, 2023)

