How Bad Are the Leaks?

There has been a news media frenzy about the recent batch of classified documents (or rather, photographs of classified documents) that were posted to gaming chat rooms, message boards, and social media platforms like Discord, 4Chan, Telegram, and Twitter in late February and early March, and possibly earlier. Some of the documents concern Russia’s invasion of Ukraine, and some reportedly pertain to other countries such as China, Egypt, Haiti, Iran, Israel, South Korea, Turkey, and the United Arab Emirates. Reportedly, over 100 pictures of classified material were posted before they were removed from some platforms. A few thoughts on the leaks:

1. The leaks are a serious breach. But the sky is not falling.

In the words of Executive Order 13526, Classified National Security Information, the unauthorized disclosure of the leaked material could cause “serious damage” or “exceptionally grave damage” to national security. Based on the pictures I have seen on social media and on news reports about the documents, some of the material is classified Secret, the unauthorized disclosure of which could reasonably be expected to cause serious damage to national security, per E.O. 13526. The leaks also include Top Secret information, the unauthorized disclosure of which could reasonably be expected to cause exceptionally grave damage to national security.

Some of the Top Secret documents photographed are clearly derived from some of the most sensitive signals intelligence (SIGINT), based on classification markings and other indicators (SIGINT was one of my intelligence specialties, and I have had two National Security Agency assignments). SIGINT is derived from the electronic signals and systems used by foreign targets, such as communications systems, radars, and weapons systems. The unauthorized disclosure of this material risks these SIGINT sources and methods “going dark,” causing exceptionally grave damage to U.S. (and allied) national security. This SIGINT might take a long time to replace, or the sources might be lost permanently.

Based on other classification markings, at least one document I have seen on social media includes HUMINT Control System (HCS) information; the product was based on human intelligence (HUMINT). Specifically, it was marked HCS-P (Product), “an HCS compartment used to protect intelligence information disseminated to IC [Intelligence Community] consumers.”

Even more sensitive and damaging than the disclosure of HCS-P information would be HCS-O (Operations), which “is used to protect exceptionally fragile and unique IC clandestine HUMINT operations and methods that are not intended for dissemination outside of the originating agency.” [my emphasis]. Think of HUMINT source identifiers, source meeting-related information, etc. (Disclaimer: I was never a HUMINT officer or case officer but as an “all-source officer” my subordinates and I were consumers of HCS information, submitted feedback on HUMINT reports, and occasionally submitted tasking requests to case officers). As the leaked information seems to comprise finished intelligence, it is unlikely to contain HCS-O.

Regardless, these leaks could expose extremely valuable human sources in Russia and other countries, resulting in their imprisonment or even death, according to a Pentagon spokesman. The government almost always cries “wolf” with dire warnings of lives lost because of leaks. After former Army Pfc. Bradley Manning leaked classified U.S. Department of State cables and other information to WikiLeaks during the Iraq war, then-U.S. Secretary of Defense Robert Gates said in a letter to Sen. Carl Levin that he was concerned that the documents named Afghan partners, whose lives could be endangered. Five months later, internal U.S. government reviews determined that the leaks had caused only limited damage to U.S. interests abroad.

But lives have been lost in the most extreme cases of compromise.

As with many intelligence leaks, the most recent compromise has been embarrassing to the U.S. government and also presumably embarrasses a few other countries. And the leaks could cause tensions between the U.S. and some of these allies, partners, and friends. For example, the world now knows that:

However, as with previous leaks, there will likely not be permanent damage to U.S. relations with its allies and partners.

The U.S. government will almost certainly conduct a damage assessment of these leaks, as it has done with previous unauthorized disclosures. The numerous organizations reportedly affected by the disclosures will likely all be directed to conduct or take part in such an assessment.

2. The leaks include more than intelligence.

Maybe news media reporters and editors know this, but for simplicity they have categorized all the leaked information as “intelligence.” Or it could be because the most damaging portions of the leaks are the intelligence information. Or there might be confusion about what “J3/J4/J5” means on some of the leaked documents. But some of the information, from the Joint Staff, is operational rather than intelligence information, and it is outside the purview of intelligence personnel.

When a document originates in the “J3/J4/J5,” it usually is not an intelligence document. The “J” means joint (multi-service), as in the Joint Staff at the Pentagon or the joint staff at any combatant command such as U.S. European Command. J3 is the Operations Directorate, J4 is Logistics, and J5 is Strategy, Plans, and Policy. J2 is Intelligence, where I spent three years on the Joint Staff. (Substitute the service letter for the “J” (“G” for Army and Marine Corps, “N” for Navy, and “A” for Air Force) and it is the same structure throughout the U.S. military and the militaries of many other countries.) The incident command system used in the U.S. by emergency and incident managers in the private sector and at various levels of government has a very similar structure (e.g., operations, planning, logistics, and sometimes intelligence/investigations sections).

Equipment and munitions flows to Ukraine? Primarily a J4 (Logistics) job. But the lower classification of the J3/J4/J5 material in the leaked documents, and the news media’s focus on the intriguing intelligence aspects of the leaks, can be misleading. There are variations of a famous saying in the military: “Amateurs talk tactics, but professionals study logistics.” With innovative thinking, the correct intelligence and operational prioritizations, and precision offensive operations, the Russians could exploit Ukrainian operational, supply chain, and logistics weaknesses and vulnerabilities disclosed by the leaked documents. I know this because I used to do that type of thing.

3. Disinformation?

An adviser to the head of the Office of the President of Ukraine reportedly stated on Telegram that he believes Russia is behind the purported leak. Ukraine would be inclined to downplay the leak or promote a Russian disinformation explanation, as the documents reportedly highlight Ukrainian shortfalls and weaknesses. However, statements by U.S. government officials clearly indicate that the U.S. government believes crimes were committed in the disclosure of the documents. The leaks are real.

Regardless, an entity, presumably pro-Russian, apparently manipulated some of the documents and reposted them. Reportedly, casualty figures in the original documents were crudely swapped, lowering Russian losses and increasing Ukrainian losses. I think it is highly unlikely Russian intelligence services were involved in the original leak. It is more likely they took advantage of a very early Christmas gift from a U.S. citizen who illegally posted the pictures in gaming chat rooms and message boards.

4. To catch a leaker

Finding the perpetrator of the leaks will likely be very difficult and time consuming, but possible. Thousands or even tens of thousands of people likely have access to the documents that were leaked. Possible culprits include intelligence personnel (civilian, military, and contractors), non-intelligence personnel, political appointees, and permanent civil servants. Former Defense Intelligence Agency civilian intelligence analyst Ana Montes, who was arguably the U.S. government’s leading Cuba analyst, betrayed the U.S. for almost two decades prior to her arrest days after the 9/11 attacks. Both Edward Snowden and Reality Winner were contractors when they leaked TOP SECRET intelligence to news organizations. (Prior to their contractor jobs, Snowden served in an Army Reserve Special Forces training program for less than five months before his medical discharge, and Winner was an enlisted Air Force service member.)

If the leaker made mistakes, that could significantly shorten the time it takes government investigators to narrow their search. One indicator of this leaker’s amateurism is the quality of the photographed classified material. It will not surprise me if future training courses for case officers include these pictures as examples of how not to clandestinely photograph material. Likewise, the leaker might have left a trail if he or she printed the material that was photographed; a few of the pictures I have seen were of printouts, and some computer networks record what is printed and by whom (the search might still be narrowed even if the printouts were intended for someone else, such as a senior official). And some of the documents were reportedly CIA reports. The CIA restricts access to some of its products based on the user’s job area, so that is one possible thread for investigators, especially if the documents included original CIA reports (rather than summaries) about different regions and topics unrelated to each other.

Another potential investigative avenue is metadata from the uploaded pictures, unless the culprit deleted the metadata (which is possible with free software). Access to the servers that contain or contained the pictures would probably be necessary, with or without the server owners’ cooperation and knowledge. Relatedly, social media platforms retain various types of information about their customers’ registrations and activity, which could lead to the leaker’s identification. For example, if the leaker did not use a VPN to obfuscate his or her actual IP address every time they used the platform, that could be his or her downfall. At least one news media organization has already identified the Discord user who shared dozens of the images on a Discord server. That Discord user is not the original source of the leak, but this scoop shows how even open-source techniques, without subpoena power, can be used to identify people who post on social media.
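The metadata angle, as an added example that is not part of the original post: the script below reads the EXIF block of a JPEG and strips it, using only Python’s standard library. The JPEG it operates on is constructed inline (the camera make, model, and timestamp are made-up values), so it runs offline; the marker numbers and tag ids are from the JPEG and TIFF/EXIF specifications, and the parser handles only the first image file directory, which is enough to show what a photo carries and what stripping removes.

```python
"""Read and strip EXIF metadata from a JPEG with only the standard library.
Added example, not from the original post; the JPEG is constructed inline."""
import struct

TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0132: "DateTime"}  # TIFF tag ids
SOI, EOI, SOS, APP1, APP13, COM = 0xD8, 0xD9, 0xDA, 0xE1, 0xED, 0xFE  # JPEG markers


def iter_segments(jpeg):
    """Yield (marker, raw_segment) for each marker segment after SOI. The SOS
    marker and everything after it (entropy-coded data, EOI) is one chunk."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos < len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == SOS:
            yield marker, jpeg[pos:]
            return
        if marker == EOI:
            yield marker, jpeg[pos:pos + 2]
            return
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        yield marker, jpeg[pos:pos + 2 + length]
        pos += 2 + length


def _parse_tiff(tiff):
    """Parse the first IFD of the TIFF structure inside an EXIF APP1 segment."""
    endian = {b"MM": ">", b"II": "<"}[tiff[:2]]          # byte order mark
    (ifd_offset,) = struct.unpack(endian + "I", tiff[4:8])
    (count,) = struct.unpack(endian + "H", tiff[ifd_offset:ifd_offset + 2])
    tags = {}
    for i in range(count):
        e = ifd_offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[e:e + 8])
        raw = tiff[e + 8:e + 12]                           # value, or offset to it
        name = TAG_NAMES.get(tag, f"0x{tag:04X}")
        if typ == 2:                                       # ASCII, NUL-terminated
            if n <= 4:
                value = raw[:n]
            else:
                (off,) = struct.unpack(endian + "I", raw)
                value = tiff[off:off + n]
            tags[name] = value.rstrip(b"\x00").decode("ascii", "replace")
        else:
            tags[name] = raw.hex()                         # other types: raw bytes
    return tags


def read_exif(jpeg):
    """Return {tag name: value} from the EXIF APP1 segment, or {} if none."""
    for marker, seg in iter_segments(jpeg):
        if marker == APP1 and seg[4:10] == b"Exif\x00\x00":
            return _parse_tiff(seg[10:])
    return {}


def strip_metadata(jpeg):
    """Drop APP1 (EXIF/XMP), APP13 (IPTC) and COM segments; keep the rest."""
    kept = (seg for m, seg in iter_segments(jpeg) if m not in (APP1, APP13, COM))
    return b"\xff\xd8" + b"".join(kept)


def _exif_app1(make, model, when):
    """Build a big-endian EXIF APP1 segment with three ASCII tags (constructed)."""
    entries = [(0x010F, make), (0x0110, model), (0x0132, when)]
    ifd_offset = 8
    data_start = ifd_offset + 2 + 12 * len(entries) + 4     # after IFD + next-IFD link
    ifd, blobs = struct.pack(">H", len(entries)), b""
    for tag, value in entries:
        value = value.encode("ascii") + b"\x00"
        if len(value) <= 4:
            ifd += struct.pack(">HHI4s", tag, 2, len(value), value.ljust(4, b"\x00"))
        else:
            ifd += struct.pack(">HHII", tag, 2, len(value), data_start + len(blobs))
            blobs += value
    ifd += struct.pack(">I", 0)                              # no next IFD
    payload = b"Exif\x00\x00" + b"MM\x00\x2a" + struct.pack(">I", ifd_offset) + ifd + blobs
    return b"\xff\xe1" + struct.pack(">H", len(payload) + 2) + payload


def build_sample_jpeg():
    """Constructed stand-in for an uploaded photo: SOI, EXIF APP1, a bare SOS, EOI.
    Structurally valid for the parser above but not a decodable image."""
    return (b"\xff\xd8" + _exif_app1("ExampleCam", "Model-X", "2023:03:01 12:34:56")
            + b"\xff\xda\x00\x02" + b"\xff\xd9")


if __name__ == "__main__":
    photo = build_sample_jpeg()
    print("before:", read_exif(photo))                    # make, model, timestamp
    print("after: ", read_exif(strip_metadata(photo)))    # {}
```

A real camera or phone writes far more than these three tags (GPS coordinates, serial numbers, software versions), which is why an investigator wants the original file rather than a re-encoded copy: whether any of it survived upload depends on what the platform did to the file, one reason the author notes that access to the servers would probably be necessary.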

Things to watch

  1. Any additional leaks.
  2. Definitive proof some of the information was posted prior to late February.
  3. U.S. intelligence losses and Ukraine operational losses resulting from the leaks (any public acknowledgment of damage will likely be brief, vague statements from anonymous government officials).
  4. Turkey’s and especially Egypt’s actions (outside of public denials) regarding reported discussions about and or plans on selling weapons to Russia.
  5. Security measures the U.S. government implements as the result of this security incident. Security is important, but information is useless (a “self-licking ice cream cone”) if the right intelligence and operational personnel do not have it at the right time. How many of the thousands or even tens of thousands of people with access to the leaked material do not need it? Will bureaucratic knee-jerk reaction or over-reaction prevail?
  6. The amount of time it takes for the leaker to be identified–by law enforcement or the news media.
  7. If the leaker is found, the specific charges that the U.S. government brings against him or her. For example, will the charges relate to mishandling of classified documents, and/or violations of the Espionage Act? If the culprit is a military service member and is court-martialed, will he or she be charged with “Aiding the Enemy”, for which Manning was charged but acquitted?
