- The Pentagon and Department of Justice are investigating how classified documents were shared online and who was behind the leak.
- Investigators are likely examining the Discord platform where the documents may have been first shared.
- Cybersecurity experts say investigators will be looking closely at IP addresses, but human error could be a deciding factor in the probe.
The Justice Department has opened an investigation into the classified Pentagon documents that were recently leaked online, and cybersecurity experts who spoke with Newsweek said there are some critical clues investigators will be examining.
The highly classified documents from the Pentagon spread across social media last week. They contain photos of materials with details about U.S. intelligence updates, including sensitive information about the war in Ukraine. On Monday, Pentagon spokesperson Christopher Meagher told reporters that Defense Secretary Lloyd J. Austin III had been holding department-wide meetings about the leak. Meagher also shared that the Pentagon is leading another investigation.
“We’re still investigating how this happened, as well as the scope of the issue. There have been steps to take a closer look at how this type of information is distributed and to whom,” Meagher said.
U.S. Secretary of Defense Lloyd Austin listens during the Senate Appropriations Committee Subcommittee on Defense at the U.S. Capitol on May 3, 2022, in Washington, D.C. The Defense Department and the Department of Justice are investigating who leaked classified Pentagon papers online.
Bruce Schneier, a cryptographer and computer security professional, told Newsweek that since the leak contained photographs of the intelligence documents, investigators will be looking closely at “things on the paper that tell you something about the printer.”
Possible clues they will be searching for include anything that indicates a time or location, as well as any metadata.
Schneier mentioned Reality Winner as an example of similar government investigation. Winner is the former NSA translator who leaked a classified report that alleged the Russian military interfered in the 2016 U.S. presidential election. A central part of FBI‘s investigation that led to identifying Winner was the documents she leaked appeared to be folded, which suggested they had been printed and hand-carried out of a secure location.
“They got Winner, because she was sloppy,” Schneier, who is also a fellow at the Berkman Klein Center for Internet and Society at Harvard University, said.
According to Schneier, human error—more than actual digital clues—could be the key that reveals the source of the Ukraine documents leak. He mentioned that former Army intelligence analyst Chelsea Manning, who shared a trove of military and diplomatic records about the wars in Iraq and Afghanistan to WikiLeaks, was caught because she had told someone what she had done, and that person later alerted authorities.
Schneier noted that while investigators will certainly be checking the IP address of where the classified files were uploaded, the person behind the initial leak could have been at a public place during the upload. In such a scenario, the IP address that would turn up in the investigation could be from a place like a Starbucks.
Rebecca Slayton, an associate professor of science and technology studies at Cornell University, also said IP addresses may not be entirely useful.
“IP addresses would not be a very reliable clue in an effort to attribute the attack, because IP addresses are easily spoofed,” she said.
“My understanding of the comments by folks like [former senior U.S. counterterrorism official] Javed Ali, as quoted in The New York Times, is that clues like IP addresses are useful only based on the assumption that the leaker was sloppy and therefore did not obscure their IP address,” Slayton said.
She added, “While this is certainly possible—and Ali and others cite evidence of sloppiness—it’s not a slam dunk. The appearance of sloppiness can itself be a form of obfuscation.”
Reports have said that the Pentagon documents may have first been shared on the video game chat platform Discord during an argument about the war in Ukraine. Shambhu Upadhyaya, a professor of computer science and engineering at the University of Buffalo, told Newsweek that searching Discord may be instrumental in the investigation.
“In my opinion, the Discord platform will hold the key for the forensic investigation since uploads can be accounted for and traced back to an IP address,” Upadhyaya said. “But it may not be very straightforward because the uploader can use a spoofed IP address, if they are smart. The federal investigation probably will start with the Discord platform.”
Upadhyaya said the leak appears to have been the work of an insider who had legitimate access to the documents, “rather than an external hack.”
“The success of the investigation will depend upon the skill level of the perpetrator,” he said.
When contacted for comment, the U.S. Department of Defense directed Newsweek to Meagher’s remarks made on Monday.