May 18, 2023

New details about the Pentagon Leak

(Updated: December 12, 2023)

Last month it became clear that junior airman Jack Teixeira had posted highly classified military intelligence information on a Discord server, which became known as the Discord or Pentagon Leak.

Here I will discuss some additional details from the documents filed by the public prosecutor on April 26 and May 17, which provide some more insight into Teixeira's training, clearance and working environment.






Technical training

On September 26, 2019, Teixeira had joined the Massachusetts Air National Guard and started working at the 102nd Intelligence Wing as a "Cyber Transport Specialist" - according to a letter he wrote to a local law enforcement officer on November 15, 2020.

In that letter, Teixeira tried to convince the officer that he had matured and changed since he was suspended for a few days at his high school in March 2018 after making racial threats and remarks about guns and Molotov cocktails. After having enlisted and obtaining a Top Secret clearance, he thought he was eligible again for the Firearms ID that was denied after the incident.

A few months after joining the National Guard, on November 15, 2019, Teixeira had registered at the Community College of the Air Force (CCAF), which offers a variety of courses and programs to earn an Associate of Applied Science (AAS) degree. According to the transcript shown below, he completed the following courses:

- US Air Force Basic Military Training at Lackland Air Force Base on August 13, 2020
- Information Technology Fundamentals at Keesler Air Force Base on February 16, 2021
- Cyber Transport Systems also at Keesler Air Force Base on April 29, 2021


Transcript of the courses which Jack Teixeira took at
the Community College of the Air Force (CCAF)



Sensitive Compartmented Information

Sometime in fall 2020, after he finished his basic military training, Teixeira was granted a regular ("collateral") Top Secret clearance. This was required for starting technical training and just over two months after completing that in April 2021, his clearance was extended to Top Secret/SCI, which gave access to even more closely guarded information.

The prescribed Sensitive Compartmented Information Nondisclosure Agreement (SCINA) was signed by Teixeira and an undisclosed witness on July 7, 2021. This form has 12 spaces where the particular control systems for Sensitive Compartmented Information (SCI) or Special Access Programs (SAPs) can be filled in:


Jack Teixeira's Sensitive Compartmented Information Nondisclosure Agreement


According to the form, Teixeira was briefed for access ("indoctrinated") to the following Sensitive Compartmented Information control systems:

- SI = Special Intelligence (communications intelligence)
- TK = TALENT-KEYHOLE (intelligence from satellite collection)
- G = GAMMA (sensitive communication intercepts)
- HCS-P = HUMINT Control System-Product (intelligence from human sources)

This shows that Teixeira had legitimate access to all the SCI compartments seen in the documents that he leaked, so apparently the only thing he lacked was the specific need-to-know.


Update:
According to the book Dark Mirror by Washington Post journalist Barton Gellman, Edward Snowden had an SCI clearance for SI, TK, GAMMA and HCS as well - "the worst-case scenario for the NSA's internal defenses" according to Gellman.

A week later, on July 15, 2021, Teixeira digitally signed the General Information Systems Acceptable Use Policy and User Agreement of the 102nd Intelligence Surveillance Reconnaissance Group, which says that his actual workplace was at the 102nd Intelligence Support Squadron (ISS).

Another two weeks later, on July 28, he also signed the Information Technology User Agreement of the 102nd Intelligence Wing, with numerous rules for using the organization's computer systems, including "I will not disclose any non-public Air Force or DoD information to unauthorized individuals."

Finally, on March 3, 2022, after one hour of e-learning, Jack Teixeira also completed a course about Unauthorized Disclosure (UD) of Classified Information and Controlled Unclassified Information (CUI), as provided by the Defense Counterintelligence and Security Agency.





The Intelligence Support Squadron

On October 1, 2021, Teixeira started as a Cyber Transport Systems Journeyman with the rank of Airman Basic (AB) and pay grade E-1 at the 102nd Intelligence Support Squadron (ISS).

The ISS comprises more than 100 military, civilian and contractor Cyberspace Support professionals who maintain their part of the Air Force Distributed Common Ground System (AF-DCGS), also known as the AN/GSQ-272 SENTINEL weapon system. This includes ensuring the availability and integrity of networks and equipment, software installation and support, information system security, communications security, and everything related.

The ISS is part of the 102nd Intelligence Surveillance Reconnaissance Group (ISRG), which in turn is part of the 102nd Intelligence Wing (IW). This wing was established in 2009 after the Air National Guard's 102nd Fighter Wing had lost its flying mission due to the 2005 Base Realignment and Closure (BRAC).

Men and women from the former flying units were transitioned to the new Intelligence Wing and trained to work on the DCGS, learning to run its computers and analyze intelligence from spy planes and the ever-increasing number of drones. One of them was Jack Teixeira's stepfather.


Military personnel operating the Air Force Distributed Common Ground System
(photo: US Air Force)



The Distributed Common Ground System

The Distributed Common Ground System (DCGS) is a system-of-systems for passing data from intelligence collection platforms along to combatant commanders and warfighters. There are separate versions for the Navy (DCGS-N), the Army (DCGS-A), the Air Force (AF-DCGS), the Marine Corps (DCGS-MC) and the Special Operations Forces (DCGS-SOF).

In 2015, the DCGS of the Air Force exploited more than 50 manned and unmanned aircraft sorties, reviewed over 1200 hours of motion imagery, produced approximately 3000 signals intelligence reports, exploited 1250 still images and managed a total of 20 terabytes of data each day.

The AF-DCGS had started small at Langley AFB in Virginia, Beale AFB in California and Osan Air Base in South Korea, but expanded in the early 2000s as demand for airborne surveillance surged. Soon, Ramstein Air Base in Germany and Hickam AFB in Honolulu were added, which make a total of five core sites, or Distributed Ground Stations (DGS).

The system is also installed at 16 additional sites: DGS‑Experimental at Langley AFB, 7 Air National Guard (ANG) sites and 8 Distributed Mission Sites (DMS). These DGS and DMS sites are manned by a mixture of active-duty, Air National Guard, Air Force Reserve and coalition partner units working to provide an integrated combat capability.


The Air Force Distributed Common Ground System (AF DCGS) in 2015


The AF-DCGS core site at Ramstein Air Base is backed up by the Distributed Ground Station-Massachusetts (DGS-MA), which was established in December 2009. This site is operated by the 102nd Intelligence Surveillance Reconnaissance Group (ISRG), which performs near-real-time exploitation and analysis of video feeds from the U-2 spy plane, as well as from the RQ-4 Global Hawk and MQ-9 Reaper surveillance drones.

Ramstein is a crucial hub for drone operations, first for those in Iraq and Afghanistan, and now in support of Ukraine in its war with Russia. Because of moral doubts about the American drone program, NGA intelligence analyst Daniel Hale leaked The Drone Papers to The Intercept in 2014.




Suspicious behaviour

Teixeira said that at the 102nd Intelligence Support Squadron he was initially "assigned to middle eastern intelligence gathering tasks". In November 2022 he wrote in his Discord server that he worked with "NRO, NSA, NGA, and DIA people mostly", that he was "on JWICS weekly" and "knowing what happens more than pretty much anyone else is cool."

JWICS stands for Joint Worldwide Intelligence Communications System and is a highly secured computer and communications network for collaboration and sharing intelligence up to the classification level Top Secret/SCI among US intelligence agencies.


According to documents filed by the public prosecutor on May 17, 2023, Teixeira had been observed looking for classified intelligence information in the Sensitive Compartmented Information Facility (SCIF) of the 102nd Intelligence Wing, which is located in building 169 at Otis Air National Guard Base on Joint Base Cape Cod.


The entrance to Joint Base Cape Cod in Pocasset, Massachusetts
(photo: CJ Gunther/EPA)


The first time was in September 2022, when a staff sergeant saw that Teixeira had taken notes of classified information and put the note in his pocket. The staff sergeant asked Teixeira if he planned to shred it and informed a master sergeant. They discussed the incident with Teixeira, who was "instructed to no longer take notes in any form on classified intelligence information."

On October 25, it became clear that Teixeira was "potentially ignoring the cease-and-desist order on deep diving into intelligence information", because five days earlier he had attended the ISS morning meeting where the weekly Current Intelligence Briefing (CIB) was being given, after which Teixeira proceeded to ask very specific questions.

Teixeira was once again instructed to cease-and-desist any deep dives into classified information and to focus on his job in supporting Cyber Defense Operations (Air Force Specialty Code 1D). Additionally, he was offered the opportunity to explore cross training for All Source Intelligence Analyst (1N0) or Cyber Intelligence (1N4), which he declined.

All this didn't stop him, because a third memorandum for the record filed by the prosecutor says that on January 30, 2023, a master sergeant "was walking the Ops [Operations] floor when she observed A1C [Airman 1st Class] Teixeira on a JWICS machine viewing content that was not related to his primary duty and was related to the intelligence field."


The Desktop Environment (DTE), a uniform platform for the
US Intelligence Community, running on the JWICS network.


The fact that apparently no further action was taken against Teixeira might have led to the suspension, last April, of the commander of the 102nd Intelligence Support Squadron and the detachment commander overseeing administrative support.

Teixeira's behaviour is very similar to that of Edward Snowden, who also had an almost insatiable desire for information regardless of whether he was entitled to it. In his book Permanent Record, Snowden proudly recalled how easy it was to circumvent auditing controls and internal monitoring systems.

Whether Teixeira circumvented such control systems as well is still unclear. While he could apparently access intelligence information on the JWICS network, he definitely didn't have the need-to-know for the material he eventually posted on his Discord server, which included intelligence briefings for senior military commanders and civilian policy makers.



Title of the Daily Intelligence Update for the Secretary of Defense and
the Chairman of the Joint Chiefs of Staff from February 28, 2023
(leaked by Jack Teixeira)



Network monitoring

After Jack Teixeira had been arrested on April 13, 2023, various agencies started an investigation into his case. One was an audit of an "Intelligence Community-wide system for which U.S. Government Agency 2 acts as a service provider", which most likely refers to the Defense Intelligence Agency (DIA) and the JWICS network.

This audit, which yielded results dating back to February 26, 2022, revealed that Teixeira had accessed hundreds of classified reports and documents and conducted "hundreds of searches on the classified network on a number of subjects, many of which related to the Russia-Ukraine conflict."

In addition, on or around July 30, 2022, he also searched for the terms "Ruby Ridge", "Las Vegas shooting", "Mandalay Bay shooting", "Buffalo tops shooting", and "Uvalde", all of which are (related to) mass shootings in the United States, a subject in which Teixeira had an unhealthy interest.

While it's definitely useful to have these audit results for a criminal investigation, there's apparently still no insider threat detection system that is capable of near-real-time anomaly detection. The NSA, DISA and large defense contractors were already working on that over a decade ago, but this turned out to be rather difficult.

The DIA seems to be lagging behind even more, as only by the end of 2021 did the agency come up with plans to modernize the JWICS network with, for example, Comply-to-Connect access control and behavioral-based vulnerability detection.


Updates:

On May 19, 2023, a federal magistrate judge ruled that Jack Teixeira has to remain in prison pending his trial because he poses a continuing threat to national security and public safety.

On June 15, 2023, the Justice Department filed the indictment against Teixeira, with six counts of "willful detention and transmission of national defense information". While Teixeira leaked at least some 60 documents to his Discord server, the indictment includes only six of them: one classified Secret, the other five Top Secret/SCI.

On June 30, 2023, US Secretary of Defense Lloyd Austin issued a memorandum with a range of actions to prevent compromise of classified information. One of those actions is the establishment of a Joint Management Office for Insider Threat and Cyber Capabilities to oversee user activity monitoring and improve threat monitoring across all DoD networks.

On December 11, 2023, the US Air Force released a report by its Inspector General which identified a range of deficiencies at Otis Air National Guard Base:
- Four cases of suspicious behaviour by Jack Teixeira weren't properly reported to security officials;
- IT specialists received weekly intelligence briefings to better understand the importance of their work, but this "know your why" effort was improper in that it provided higher level classified information than was necessary;
- Some personnel believed having a TS-SCI clearance meant users had approval to examine any information they could find on JWICS;
- No permission controls were in place to monitor print jobs, so any night shift member had ample opportunity to access JWICS sites and print a high volume of products without supervision or detection;
- Unit members described trusting their coworkers without verifying access or need to know and inconsistently practicing certain disciplines;
- Unit leaders created a critically permissive culture that reinforced risk-accepting behaviors at inappropriate levels.
As a result of the investigation, no less than 15 Air National Guardsmen have been disciplined, including the wing and group commanders, as well as more junior officers and noncommissioned officers.
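
The unmonitored night-shift printing named in the Inspector General's findings is the kind of gap a simple rule over print audit records can cover. The following is an added example, not part of the original article or any DoD system: the log format, user names, night-shift window and page threshold are all assumptions, and only the specialty codes 1D and 1N come from the text above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real data):
# user, specialty code, ISO timestamp, pages printed, content category
SAMPLE_PRINT_LOG = [
    ("user_a", "1D",  "2023-01-10T23:15:00", 40, "intel_product"),
    ("user_a", "1D",  "2023-01-11T01:40:00", 35, "intel_product"),
    ("user_a", "1D",  "2023-01-11T14:00:00",  3, "it_manual"),
    ("user_b", "1N0", "2023-01-10T23:30:00", 60, "intel_product"),
    ("user_c", "1D",  "2023-01-11T02:10:00",  5, "intel_product"),
    ("user_c", "1D",  "2023-01-11T10:00:00", 90, "it_manual"),
]

INTEL_AFSC_PREFIX = "1N"         # 1N0 / 1N4: intelligence specialties named in the article
NIGHT_START, NIGHT_END = 22, 6   # assumed night-shift window, local time
PAGE_THRESHOLD = 50              # assumed per-shift page count that triggers review

def shift_date(ts):
    """Attribute after-midnight activity to the date the night shift began."""
    return (ts - timedelta(hours=NIGHT_END)).date() if ts.hour < NIGHT_END else ts.date()

def flag_print_anomalies(records, threshold=PAGE_THRESHOLD):
    """Return sorted (user, shift_date, pages) for users outside the intelligence
    specialties who printed more than `threshold` pages of intelligence
    products during a single night shift."""
    totals = defaultdict(int)
    for user, afsc, iso_ts, pages, category in records:
        ts = datetime.fromisoformat(iso_ts)
        at_night = ts.hour >= NIGHT_START or ts.hour < NIGHT_END
        # Need-to-know proxy: intel content printed by a non-intel specialty
        outside_duty = (category == "intel_product"
                        and not afsc.startswith(INTEL_AFSC_PREFIX))
        if at_night and outside_duty:
            totals[(user, shift_date(ts))] += pages
    return sorted((u, str(d), n) for (u, d), n in totals.items() if n > threshold)

if __name__ == "__main__":
    for user, day, pages in flag_print_anomalies(SAMPLE_PRINT_LOG):
        print(f"REVIEW: {user} printed {pages} intel pages on night shift of {day}")
```

Aggregating per shift rather than per job matters here: neither of user_a's two print jobs exceeds the threshold alone, and they fall on different calendar dates.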



