INTELLIGENCE AND SURVEILLANCE
Companies Ill-Prepared to Fend Off Insider Threats
Government agencies have had to contend with so-called “insider threats” from the beginning of their existences. Espionage is not new.
But the two high-profile cases are putting a spotlight on insider threats in the private sector, particularly companies that do business with the Defense Department, intelligence agencies and other government organizations.
“It doesn’t happen very often, but when it does, it is very ugly. It has taken companies down,” said Douglas Thomas, head of corporate counterintelligence at Lockheed Martin Corp.
“If you have a person with unfettered access, who is motivated to do harm and is handled by a sophisticated intelligence service, the amount of damage that one person can do is unbelievable. Just look at Snowden,” he said at an Intelligence and National Security Association (INSA) panel in Washington, D.C.
Snowden, a Booz Allen Hamilton contractor working for the National Security Agency, has admitted handing over classified secrets to a London newspaper. Manning, an Army specialist, was convicted of passing large files of data to the anti-secrecy organization WikiLeaks.
Whether the two men are considered spies or whistleblowers is beside the point, panelists said. Such actions can do serious damage to companies as well.
Dawn Cappelli, director of insider risk management at Rockwell Automation, and the leader of an INSA task force that produced a report on these threats, said there are several categories of those who may harm a company.
There are, of course, those spying for a foreign government. There are disgruntled workers looking to commit an act of sabotage. Some might abscond with company trade secrets, strategic plans or other confidential information as they leave for another job. Others may simply be out for financial gain, and embezzle money or commit fraud, she said.
The recent high-profile incidents show that “no one is immune, and it should really be a heads up that in the private sector we need to pay attention and follow the example of the federal government because anyone can be a victim,” she said.
The report, “A Preliminary Examination of Insider Threat Programs in the U.S. Private Sector,” surveyed 13 companies on their practices. There were so few participants because many companies the task force approached had no insider threat program to discuss, she said.
“The private sector doesn’t have any mandate right now. There is no law that says that you have to have a formal insider threat program,” Cappelli said. There is also a belief that rooting out spies is the purview of the government.
While there has been a focus over the past few years on foreign hackers trying to steal trade secrets from the comfort of their home countries, “attackers motivated by greed, revenge, ego and ideology can come from both sides of the front door,” the report said.
Thomas said national security and economic security are the same thing, and corporations are clearly a target.
To wage an effective campaign against insider threats, senior company leaders must first get on board and acknowledge that it is a potential problem, Thomas said.
The solution is not going to be solely a technical one, Thomas and Cappelli said.
“Don’t think that if you have a good data loss prevention program, that that is an insider threat program,” Thomas said.
Cappelli said one of the key findings of the report is that the problem must be attacked from many angles. Software that looks for suspicious behavior on the part of employees is a good start, she said.
“But an insider threat program needs to be holistic. It needs to look at the person. It needs to look at technical behaviors as well as non-technical,” she added.
Stephen Band, former chief of the FBI behavioral unit, which studies the psychology of those who betray their country or carry out other illegal acts, said there are certain markers. First, a person has to have the intention of doing something wrong. They engage in planning, and then they have to access what they need to carry out the illegal act. They must engage in deception.
In the case of “pure espionage,” there would have to be contact with a foreign agent to exfiltrate the information, he said.
The key is to spot these behaviors, he said.
Insider threats can be headed off before they happen. That is where motivation comes in, he said. Employees may be unhappy with their supervisors, or their station in life. They may be undergoing personal or financial stress.
Corporate culture should allow a supervisor who sees somebody struggling with personal or professional loss, who is coming off a terrible performance evaluation, to take steps to assist him, Band said.
“Is there a culture that permits changing and shaping that behavior in an adaptive path as opposed to maladaptive set of behaviors which later is defined as an insider threat?” he asked.
Cappelli said: “If the manager knows an employee has severe financial problems, something has to be done. You don’t want this employee backed into a corner where they feel they have no other way out.”
She has been involved in several insider threat investigations where she wondered why no one took action when an employee was obviously disgruntled. “How could they let that go on? Why didn’t they do something with that person?” she wondered.
Thomas said after senior leaders buy into an insider risk management program and create a company policy, everyone needs to be brought on board. Human resources, the legal department, the information security and information technology departments all need to be a part of the holistic solution.
Band said human resource departments have to know what to look for before hiring. Who should they “let into the palace gates?” he asked.
For example, it once seemed like a good idea to the older generation of executives who didn’t understand technology to hire former hackers, who were good at illegally breaking into systems, to protect their own.
“Well, ladies and gentlemen, that is a false premise because a leopard doesn’t change its spots,” Band said. “What rock did Mr. Snowden crawl out from under? What were his predispositions?” What does the intelligence community know now about him that makes them say, “Holy smokes. We actually let this guy into our perimeter?”
There must be a companywide, robust communications strategy to let employees know about any counter-insider threat program, Thomas said.
“You want transparency. You want people to understand what the program is as a deterrence factor,” Thomas said.
Band proposed something similar to the Department of Homeland Security’s “If You See Something, Say Something” program. Instead of a member of the public spotting suspicious packages, this would be one employee observing odd behavior on the part of a peer. He acknowledged there are cultural problems with this approach. Nobody likes a snitch, and many people are reluctant to rat on a co-worker.
Band said there are steps to be taken in the “access” part of the equation. Companies need to harden security around their “crown jewels.”
Cappelli said the private sector has to take a broader perspective and think about the risks to their respective companies. “What are our critical assets, our critical systems and what could happen to them?”
Dennis Keith, co-director of the National Insider Threat Task Force, which is part of the office of the national counterintelligence executive, said there is a generational difference in terms of access to information on the government side. The older, cold warrior types want to guard all information. The younger workers want to share, and have more openness. This, combined with new trends in information technology, has created what he called the “super-empowered insider.”
“The physics of the equation has changed.” An employee on a desktop computer has more access to information today than ever, Keith said.
“The ability to do bad things. Or the ability to extract value for unauthorized purposes is greater today than it has been perhaps any time in our collective memories,” Keith said.
The Snowden and Manning cases “[have] sharpened our focus. It has allowed us to think in a more disciplined fashion about how we control oversight and monitor activity on networks. Particularly classified networks.”