The Vices and Virtues of Insider Threat
In a long-standing tradition of transitioning Presidents, Barack Obama issued 64 pardons and commuted 209 sentences as one of his last acts as President in January. What was most interesting to me about this was that two high-profile individuals, both charged with crimes stemming from insider threat activity, made the list. Chelsea Manning and General James Cartwright certainly come from vastly different pedigrees, but both were accused of leaking classified government information and represent the modern-day ‘insider threat’. From the Army Private fresh out of Basic to the highest echelons of military and civilian command authority, insider threat defense requires new ways of thinking about this problem and systems that recognize the complexity of human motivation.
As security practitioners, we’re taught that to determine the presence of a threat, one must prove both intent and capability. When applying this formula to determine insider threat within an organization, we have the advantage of a priori knowledge of the threats: our employees. While a variety of models can be used to determine an employee’s capability to conduct an insider attack, this is typically an objective task of assigning value to a set of definitive data points such as an individual’s rank within the organization, security clearance level and access to critical systems. Determining which employee(s) have the intent to disrupt or destroy the integrity of their own organization is far more difficult.
Discerning intent requires an acute understanding of human motivation, which is probably more art than science. Motivation is deeply personal: a set of essential vices and virtues that drive each of us to action. What drivers move the insider to jeopardize the very environment from which s/he benefits? Perhaps there are seven of them to be explored…
This is an obvious one, especially as it concerns financial greed. In both commercial and government settings, all sensitive data holds essential value, and it’s not hard to understand how those who have access to it could find themselves getting ‘hooked’ on the rewards they receive after the first leak. Former CIA Case Officer Aldrich Ames was a classic example; his lengthy, nine-year stint selling secrets to Russia began as somewhat of an “experiment” that netted him $50,000 in exchange for disclosing two names. Citing boredom and greed, Ames admitted he knew he had “crossed a line and would never go back”. He would eventually turn over roughly 30 names and 100 operations to make over $2 million, allowing him to live well beyond the means of a public servant and earning himself the title of most compromising agent of his time.
Per recent media reporting, NSA contractor Hal Martin III hoarded 50 terabytes of confidential or classified documents from his post over a period of twenty years before his arrest last year. So far, there has been no documentation or anecdote regarding his intent to sell or leak this massive store of information, so it can only be assumed that walking out the door with America’s crown jewels was, to Martin III, feeding some insatiable, perhaps implacable, desire.
The term lust may spark thoughts of exotic histories like Mata Hari’s, but this driver remains an effective one in the world of stealing and leaking secrets. The United States government experienced a rather shocking scandal in 2012 when our nation’s highest-ranking intelligence official, CIA Director and four-star General David Petraeus, resigned after it was revealed he had passed an estimated 300 classified documents to his biographer, with whom he was having an extramarital affair. Petraeus was certainly aware of the risk he was taking when sending those documents, but it appears he was blinded by his feelings for the recipient and likely wanted to impress her.
The United States has long been the envy of the world in technical and military superiority, and attacks against American business by known state actors in an effort to “catch up” with US capability are well known. In fact, in 2015 the Department of Justice announced the arrest of a Chinese professor and the indictment of five other Chinese citizens (the largest since the indictment of members of the PLA in absentia) in a decade-long scheme to steal intellectual property and trade secrets from American companies on behalf of the Chinese government; a sobering reminder of the lengths our adversaries are willing to go to in order to gain a competitive edge. Whether it’s a Chinese spy working on behalf of a foreign intelligence agency, or a simple act of sabotage committed by a disgruntled employee passed up for a promotion, a number of insider threat risks begin with some degree of coveting another’s valued assets.
On November 5, 2009, Virginia-born US Army psychologist Nidal Hasan killed 13 of his fellow officers in a shooting rampage at Ft. Hood in Killeen, Texas. The investigation that followed the shooting suggested that Mr. Hasan grew more religious after suffering the personal loss of his parents. Later, as he struggled to deal with the emotional burden of hearing accounts of war from clients suffering from post-traumatic stress disorder (PTSD), that religious devotion twisted into fanaticism, and eventually rage over America’s presence in Iraq and Afghanistan. As his anger swelled, Hasan’s bias to action resulted in his taking up arms against the country he’d sworn an oath to protect.
One might expect a deliberate insider to be on the confident, if not narcissistic, side. Robert Hanssen, a former FBI agent who sold secrets to Russia and acted as a double agent for twenty-two years, seems to fit the bill here. To start, Mr. Hanssen began spying for Russia of his own accord, after only three years of public service. Though Hanssen claimed he started on his path of espionage because he needed money to support his family, Eric O’Neill (an FBI investigator who helped take him down) explained, “He had a way of looking at you like, ‘I see right through you, you’re dirt, you’re nothing to me, I’m smarter than you.’” When he was finally caught in 2001, after earning over $1 million in cash, diamonds, and other goods from his Russian friends, Hanssen famously replied with one last chide: “What took you so long?” This is an individual who took pleasure in his ability to fool the world. This abandonment of duty and lack of remorse landed him 15 consecutive life sentences.
This post wouldn’t be complete without a mention of Edward Snowden. Snowden reflects a modern-day insider threat, motivated by a righteous indignation towards government surveillance activities and their impact on privacy. Snowden says of himself, “I have no intention of hiding who I am because I know I have done nothing wrong… My sole motive is to inform the public as to that which is done in their name and that which is done against them.” Clearly, he takes pride in his decision to leak thousands of sensitive government documents. In his mind, the benefits outweighed the costs. Whether he cares to admit it or not, Mr. Snowden has achieved an unprecedented amount of fame because of his insider activity, and his continued tweets and other public appearances suggest he’s not quitting the game any time soon. Instead, many are left questioning whether he can truly be considered a martyr as he hides in a country with its own methods of spying on its citizens.
Finally, we have the absence of intent combined with a lack of effort to course-correct. In the context of insider threat prevention, this two-punch combination of complacency can be just as dangerous as malicious intent if it permeates an organization. Whether it’s leaving login and password information out on one’s desk, or sending a file to a personal computer over Wi-Fi to finish a project, nearly 65% of documented insider threat incidents are attributed to employee negligence, according to one study.
Obviously, I’ve been having a little fun with this post, and none of the cases cited above, nor their subjects, fit neatly in a box. But intent to commit insider attacks will never cease to exist, and intent will evolve along with societal, corporate and political climates.
Because insider threat risk management is a human-influenced phenomenon, training employee populations to handle information properly, detect insider threats, and report suspicious activity will remain the best defense. Persistent monitoring of data and employee behavior will become an increasingly important layer of protection.
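To make the two ideas above concrete (the intent-plus-capability formula from the opening, and persistent monitoring of data and employee behavior as a layer of protection), here is an added example that is not part of the original post and not PlanetRisk’s own tooling. It scores a handful of constructed audit-log lines against each user’s own daily-volume baseline, flags off-hours activity, and weights each finding by a simple capability profile (rank, clearance, critical-system access). Every user name, threshold, log line and profile below is constructed for illustration.

```python
"""
Added example (not from the original post or PlanetRisk): behavioral
monitoring over constructed audit-log lines, weighted by a toy capability
model of the kind the post describes. All names, thresholds and log lines
are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed audit log: timestamp, user, action, bytes transferred.
# alice is a low-volume user who suddenly pulls ~9 MB at 02:15; bob is a
# steady bulk user whose large daily volume is normal for him.
AUDIT_LOG = """\
2017-01-03T09:12:00 alice download 120000
2017-01-03T10:40:00 alice download 95000
2017-01-04T09:05:00 alice download 110000
2017-01-05T09:30:00 alice download 130000
2017-01-06T02:15:00 alice download 9000000
2017-01-03T08:50:00 bob download 4000000
2017-01-04T08:55:00 bob download 4200000
2017-01-05T09:00:00 bob download 3900000
2017-01-06T09:10:00 bob download 4100000
"""

# Constructed capability profiles: higher clearance and critical-system
# access mean a leak by this person would do more damage.
CAPABILITY = {
    "alice": {"rank": 1, "clearance": 3, "critical_access": True},
    "bob":   {"rank": 3, "clearance": 1, "critical_access": False},
}

BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 counts as normal working time


def parse_log(text):
    """Parse the constructed log format into dicts with typed fields."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, nbytes = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "bytes": int(nbytes)})
    return events


def daily_volumes(events):
    """Sum bytes per user per calendar day."""
    totals = defaultdict(lambda: defaultdict(int))
    for e in events:
        totals[e["user"]][e["ts"].date()] += e["bytes"]
    return totals


def capability_weight(profile):
    """Map a capability profile to a multiplier: 1.0 + 0.5 per clearance
    level, plus 1.0 for access to critical systems."""
    w = 1.0 + 0.5 * profile["clearance"]
    if profile["critical_access"]:
        w += 1.0
    return w


def score_events(events, capability):
    """Return alerts sorted by risk: days whose volume deviates from that
    user's own baseline (z-score against the user's other days), plus any
    activity outside business hours. Risk = anomaly score x capability."""
    alerts = []
    for user, by_day in daily_volumes(events).items():
        days = sorted(by_day)
        for day in days:
            others = [by_day[d] for d in days if d != day]
            if len(others) < 2:          # not enough history for a baseline
                continue
            base_mean = mean(others)
            # floor the spread so a very regular user still gets a sane scale
            sd = max(pstdev(others), 0.1 * base_mean)
            z = (by_day[day] - base_mean) / sd
            if z > 3:
                alerts.append({"user": user, "day": day, "kind": "volume",
                               "z": round(z, 1),
                               "risk": round(z * capability_weight(capability[user]), 1)})
    for e in events:
        if e["ts"].hour not in BUSINESS_HOURS:
            alerts.append({"user": e["user"], "day": e["ts"].date(),
                           "kind": "off_hours", "z": None,
                           "risk": round(2.0 * capability_weight(capability[e["user"]]), 1)})
    return sorted(alerts, key=lambda a: -a["risk"])


if __name__ == "__main__":
    for alert in score_events(parse_log(AUDIT_LOG), CAPABILITY):
        print(alert)
```

The point of baselining per user rather than against a global threshold is visible in the constructed data: bob’s 4 MB days never fire because that is his normal, while alice’s one 9 MB day is hundreds of standard deviations above her own history. The capability weight then orders the queue so that the same anomaly from a highly cleared user with critical access lands above one from a user who could do less damage, which is the prioritization the post argues for.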
At PlanetRisk, we take a holistic approach to insider threat risk (or, as we call it, ITX) that focuses on behavioral indicators at both the individual and organizational level. Blending client data with our own unique mix of publicly-available information (PAI), we try to shed light on the nexus between virtual and real-world activity, which helps our clients prioritize resources against their most vulnerable populations.
Machines can help with insider threat detection, but it’s society’s job to assign punitive sentencing to go along with the severity of an offense. Considering this year’s commutations, it would appear we missed the mark. Maybe someone out there will develop a formula to determine remorse?