So, I have to get this out of the way immediately: at the time of this writing, we do not know whether these documents are entirely legitimate. The Pentagon has said it believes it has arrested the leaker. However, without a valid chain of custody, something I wrote about extensively when the Hunter Biden laptop story broke, we do not know whether the documents posted to Discord are the ones now circulating around the world. Are they real and unaltered, meaning whoever pushed them out to the wider public changed nothing? Are they real but tampered with, like one of the early finds that appeared to have altered death toll numbers for the Ukraine war? Could they be well-made fakes based on the Discord originals? We don’t know yet.
The Washington Post published an article about a Discord user alleged to be the leaker, based on a “friend’s” account. The legitimacy of the leaked documents and the person’s motivation remain uncertain. As a cyber forensics expert, I could not testify to any of this without a proper chain of custody and far more information than the news reports currently provide.
So, then, if these were real, why wasn’t the Department of Defense alerted immediately when its highly classified data was posted to the internet for a bunch of gamers to see in a Discord channel?
The answer is more complicated than you think.
To start with Discord: it is practically impossible to monitor fully, unlike Facebook. On Facebook, anything a user does, such as connecting with a friend or joining a group, is visible to Facebook relatively easily. If I created a closed group on Facebook called “Let’s Leak Pentagon Documents” and invited only three of my closest friends, the only people who could see that group would be me, my friends, and, in principle, any of Facebook’s roughly 80,000 employees with the right internal access, because Facebook is built around centralized administration.
Discord, though, is quasi-decentralized. Anyone can, right now, start a Discord server for any purpose. Unless you know that server exists, know how to reach it, and are then accepted by its administrator, you never see the content inside it. Discord does not push a private server to you as a group to join the way Facebook does through its recommendations to users.
According to Discord, it is logistically impossible for the company to monitor everything, and its policy is not to monitor what happens within these servers. In other words, if law enforcement shows up with a warrant, Discord itself would have a much harder time identifying which server is wanted unless the warrant names the server directly rather than describing content that could sit anywhere in the ecosystem. The distinction worth keeping in mind: Discord text messages are not end-to-end encrypted, so the content is technically available to Discord and, with legal process, to law enforcement. The obstacle is finding the right server among millions, not decrypting it.
There are many legitimate uses for Discord. Gamers go there to chat with each other, live stream their games, and send messages. Many people and organizations set up Discord servers for other reasons. I’m the president of a non-profit, and we use Discord to coordinate with our volunteers. Everyone from bird-watching groups to flat-earthers has set up shop on Discord and created their own ecosystems.
Unfortunately, it has also been a haven for extremism, though that is shifting to Telegram, which is widely considered more private than Discord (a caveat: ordinary Telegram group chats are not end-to-end encrypted; only its one-to-one “secret chats” are). Discord was also used by the Tops Supermarket shooter in Buffalo, New York. He kept his plans in a private Discord server and, shortly before the attack, invited roughly fifteen people into it; he then livestreamed (on Twitch) his drive to the supermarket and his horrific executions of the innocent people inside, and the video eventually made the rounds on the dregs of the internet and was viewed millions of times. If that shooting proves anything, it is that it takes only one of the people watching in real time to copy the material and put it out into the greater public sphere. This Pentagon leak is no different. So unless the arrested suspect also spread these documents elsewhere, a core question has to be: if he did not go beyond posting to Discord, which other member of that Discord server disseminated them further?
Discord itself has had an extremism problem for years. Neo-Nazis and other extremists use Discord to hang out, talk, and collaborate on potential future violence or crimes, as they did ahead of the “Unite the Right” rally in Charlottesville that led to violence and the death of a counter-protester. Even now, searching for Discord servers using terms like “Jihad” still turns up active servers promoting their version of extremism.
Unlike standard message boards such as 4chan or 8kun (the relaunched 8chan), Discord gives extremists the ability to form an online community where members feel comfortable expressing themselves freely and opening up about who they are. Because most of these servers have a vetting process to join, members feel safer being expressive. And, as with the Tops Supermarket shooter, it connects them with like-minded people who encourage the behavior. Shooters posting manifestos to 4chan or 8chan is unfortunately common, but on Discord you can live stream your rampage and even get encouragement from your deranged followers. Combine this with the near-anonymity and invisibility a Discord server provides, and even the Pentagon simply could not monitor the entirety of that infrastructure for specific leaks from specific people.
Discord is not the only issue here, though. Next come the documents themselves. There were reports that the leaked material consisted of photographs of printed documents, not copies of the underlying files such as PDFs or Microsoft Word documents. Apparently the photographed pages showed visible folds, which increased their credibility, and here is why.
In the wake of the Edward Snowden case, the Department of Defense (like the NSA and other agencies) would have implemented new security controls on digital classified data so it could no longer simply be copied onto another medium, such as a flash drive, and walked out of the building. Cybersecurity professionals have been building secure ecosystems like this for years, and here are some of the key defensive approaches used to prevent documents from leaking or being stolen.
Data Loss Prevention (DLP) is the core of this philosophy: systems that read and classify the information moving in and out of an organization are critical to stopping both accidental and intentional leaks.
At the most basic level, email platforms like Microsoft 365 have DLP built in for customers to turn on. Suppose an employee fell for a phishing scam and tried to send their credit card number out by email. The DLP policy scans the outbound message and its attachments for sensitive information types; a credit card number is recognized by its digit pattern and validated with the Luhn checksum, so a random run of digits does not trigger it. If a match is found, the message is blocked and the appropriate staff are alerted to respond. This is pattern matching and classification rules rather than an AI “reading” the email, and classification banners such as TOP SECRET//NOFORN are exactly the kind of marker such rules can key on. Intelligence agencies will have controls like this in place, so I would be caught if I tried to email out classified documents.
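To make the DLP step concrete, here is an added example (my own code for this article, not Microsoft’s or any agency’s) of the two checks just described: a classification banner detector and a Luhn-validated card number detector, applied to an outbound message and its attachments. The domain names, users and message contents are constructed for the example.

```python
"""Minimal DLP-style outbound mail inspection.

Added example, standard library only: not Microsoft's DLP code. It scans the
body and attachments of an outbound message for (a) classification banners of
the kind printed on US government documents and (b) payment card numbers
validated with the Luhn checksum, and returns a verdict a mail gateway could
act on. Messages, users and domains below are constructed for the example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Banner lines such as "TOP SECRET//SI//NOFORN", required to stand on their own line
# so that the word CONFIDENTIAL inside ordinary business prose does not fire.
CLASSIFICATION_RE = re.compile(
    r"^\s*(TOP SECRET|SECRET|CONFIDENTIAL)(//[A-Z0-9/ ,-]*)?\s*$", re.MULTILINE
)
# Candidate payment card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_CANDIDATE_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """True when the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> List[str]:
    """Return normalized card numbers that pass Luhn; random digit runs are dropped."""
    hits = []
    for m in CARD_CANDIDATE_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            hits.append(digits)
    return hits


def find_classification_markings(text: str) -> List[str]:
    """Return classification banner lines found anywhere in the text."""
    return [m.group(0).strip() for m in CLASSIFICATION_RE.finditer(text)]


@dataclass
class Verdict:
    action: str                                  # "allow" or "block"
    reasons: List[str] = field(default_factory=list)


def inspect_outbound(sender: str, recipient: str, body: str,
                     attachments: Dict[str, str], internal_domain: str) -> Verdict:
    """Two policies: classification markings are blocked to any recipient;
    card numbers are blocked only when the recipient is outside the organization."""
    reasons: List[str] = []
    external = not recipient.lower().endswith("@" + internal_domain.lower())
    parts = {"body": body, **attachments}        # attachments: filename -> extracted text
    for name, text in parts.items():
        for mark in find_classification_markings(text):
            reasons.append(f"{name}: classification marking '{mark}' in mail from {sender}")
        if external:
            for pan in find_card_numbers(text):
                masked = "*" * (len(pan) - 4) + pan[-4:]   # never log the full number
                reasons.append(f"{name}: card number {masked} sent to external {recipient}")
    return Verdict("block" if reasons else "allow", reasons)


if __name__ == "__main__":
    # Constructed sample: the phished employee from the text mailing a card number out.
    v = inspect_outbound("staff@example.mil", "billing@phish.example",
                         "Here is my card 4111 1111 1111 1111, exp 12/26", {}, "example.mil")
    print(v.action, v.reasons)
    # Constructed sample: a classified brief attached to an outbound message.
    v = inspect_outbound("analyst@example.mil", "friend@example.com", "see attached",
                         {"brief.txt": "TOP SECRET//SI//NOFORN\nAssessment follows."},
                         "example.mil")
    print(v.action, v.reasons)
```

The Luhn check is what separates a real DLP rule from a naive digit regex: the number 4111 1111 1111 1112 looks like a card but fails the checksum and is ignored, while 4111 1111 1111 1111 is blocked. The banner rule is deliberately narrow (a marking on its own line) and a real deployment would still tune it against the organization’s own document templates.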
On top of this, many ecosystems also use rights management (Digital Rights Management, or DRM; Microsoft’s version is Azure Rights Management) to keep digital files from leaving. The classified PDF is encrypted, and the key needed to open it is not stored with the file: it is held by a rights server that releases it only to an authenticated user who is authorized for that document and is working from a managed device. If I copied the document and tried to open it on my home computer, I could not, because my home computer is not part of that cryptographically secured ecosystem and would never be issued a key; the file is just ciphertext. The attempt to fetch a key would be logged, and that log could be traced back to my user account. The caveat is that this protects the bits, not the pixels: once an authorized user has the document open on an authorized screen, a camera defeats it entirely.
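The following added example (my own model for this article, not the code of Azure Rights Management or any other product) shows the shape of that flow: a rights server that holds each document’s content key, releases it only when both the user and the device pass policy, and logs every request. The cipher is an HMAC-SHA256 keystream standing in for AES-GCM so the example runs with the Python standard library alone; users, device names and document text are constructed.

```python
"""Toy rights-management (DRM) flow for a protected document.

Added example, standard library only; a model of how rights management works,
not the code of any real product. The document is encrypted under a
per-document content key that never ships with the file. A rights server
holds the key and releases it only to a user on the document's access list
who is requesting from an enrolled (managed) device, and it logs every
request, granted or denied. The cipher is an HMAC-SHA256 keystream: a toy
stand-in for AES-GCM, adequate to show key release and not for real use.
Users, devices and document contents are constructed for the example.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


def _subkey(master: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from the content key."""
    return hmac.new(master, label, hashlib.sha256).digest()


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with a counter-mode keystream; the same call encrypts and decrypts."""
    out = bytearray()
    for start in range(0, len(data), 32):
        counter = (start // 32).to_bytes(4, "big")
        block = hmac.new(key, nonce + counter, hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)


def _tag(mac_key: bytes, doc_id: str, nonce: bytes, ct: bytes) -> bytes:
    """Integrity tag binding the ciphertext to its document id and nonce."""
    return hmac.new(mac_key, doc_id.encode() + nonce + ct, hashlib.sha256).digest()


@dataclass
class ProtectedDoc:
    doc_id: str
    nonce: bytes
    ciphertext: bytes
    tag: bytes            # verifying it also needs a key only the server holds


class RightsServer:
    """Holds content keys and the access policy; issues keys as 'use licenses'."""

    def __init__(self) -> None:
        self._content_keys: Dict[str, bytes] = {}
        self._acl: Dict[str, Set[str]] = {}
        self._enrolled: Set[str] = set()
        self.audit_log: List[dict] = []

    def enroll_device(self, device_id: str) -> None:
        self._enrolled.add(device_id)

    def protect(self, doc_id: str, plaintext: bytes, users: Set[str]) -> ProtectedDoc:
        master = secrets.token_bytes(32)
        nonce = secrets.token_bytes(16)
        ct = keystream_xor(_subkey(master, b"enc"), nonce, plaintext)
        self._content_keys[doc_id] = master
        self._acl[doc_id] = set(users)
        return ProtectedDoc(doc_id, nonce, ct, _tag(_subkey(master, b"mac"), doc_id, nonce, ct))

    def request_use_license(self, user: str, device_id: str, doc_id: str) -> Optional[bytes]:
        """Release the content key only if BOTH the user and the device are authorized.
        Every request is logged, which is what makes a leaked copy traceable."""
        granted = (doc_id in self._content_keys
                   and user in self._acl[doc_id]
                   and device_id in self._enrolled)
        self.audit_log.append({"user": user, "device": device_id,
                               "doc": doc_id, "granted": granted})
        return self._content_keys[doc_id] if granted else None


def open_document(server: RightsServer, user: str, device_id: str,
                  doc: ProtectedDoc) -> Optional[bytes]:
    """Client side: fetch a license, verify integrity, decrypt. None when denied."""
    master = server.request_use_license(user, device_id, doc.doc_id)
    if master is None:
        return None                         # on this device the file is just ciphertext
    expected = _tag(_subkey(master, b"mac"), doc.doc_id, doc.nonce, doc.ciphertext)
    if not hmac.compare_digest(expected, doc.tag):
        raise ValueError("document tampered with")
    return keystream_xor(_subkey(master, b"enc"), doc.nonce, doc.ciphertext)


if __name__ == "__main__":
    srv = RightsServer()
    srv.enroll_device("scif-workstation-07")          # constructed managed device
    brief = srv.protect("brief-0412", b"SECRET//NOFORN: constructed sample text", {"analyst"})
    print(open_document(srv, "analyst", "scif-workstation-07", brief))   # plaintext
    print(open_document(srv, "analyst", "home-pc", brief))               # None: unmanaged device
    for entry in srv.audit_log:
        print(entry)
```

The point to notice is the second call: the same authorized user, on a device that is not enrolled, gets nothing back, and the denied request still lands in the audit log with the user, device and document identifiers. That log entry is the trail the investigation would follow.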
This leads us to the third and final point, the more concerning one here because of those folds: physical security and training. All Pentagon personnel are trained in the proper handling of sensitive information. They know it can be handled only in designated areas and that outside technology, such as personal phones, is forbidden there. They understand the disciplinary actions they face when they break these rules, because they are required to sign off on them. The wild card, though, is the person’s motivation. Knowing the consequences fails to deter someone who, for whatever reason, deems taking the documents more important than jail time. In this case, physical security failed because either a device with a camera was allowed near classified material or the documents themselves left the secure area (again, assuming my initial statements hold). Whether a camera was smuggled into a secure space or the documents were folded, hidden, and carried out (more likely, given all the information), physical security was bypassed one way or another.
One of the biggest problems we have in security is complacency. Whether it is technical defenses that are not kept current because we are comfortable with older products, or physical security that fails because the guard stops checking the people he or she sees every day, complacency in the security controls was the failure here.
So, here’s hoping this is the last time this happens. Sadly, I wouldn’t put money on it.
An expert in cybersecurity and network infrastructure, Nick Espinosa has consulted with clients ranging from small business owners up to Fortune 100 level companies for decades. Since the age of 7, he’s been on a first-name basis with technology, building computers and programming in multiple languages. Nick founded Windy City Networks, Inc at 19 which was acquired in 2013. In 2015 Security Fanatics, a Cybersecurity/Cyberwarfare outfit dedicated to designing custom Cyberdefense strategies for medium to enterprise corporations was launched.
Nick is a regular columnist, a member of the Forbes Technology Council, and on the Board of Advisors for both Roosevelt University & Center for Cyber and Information Security as well as the College of Arts and Sciences. He’s also the Official Spokesperson of the COVID-19 Cyber Threat Coalition, Strategic Advisor to humanID, award-winning co-author of a bestselling book, TEDx Speaker, and President of The Foundation.