How Insidious Insiders Perfected the Art of Spilling Secrets
Trading in national security secrets and corporate proprietary information has evolved into a different animal that reaches well beyond war and international politics — and the culprits may not be who you think.
It’s been two decades since the Cold War ended, but that conflict’s legacy — the spy game — has been transformed by technology.
With smartphones and social networks recording every aspect of our lives and those around us — whether they know it or not — anybody with the motive and a modem could enter the spy game, or become its unwitting pawn and cost government and the private sector embarrassment in spilled secrets or untold billions.
THEN: Clandestine Spies
It was the feel-good era. Ronald Reagan’s “Morning Again in America” epitomized the ethos of the times, but Cold War tensions were ever-present and running high. It didn’t help that numerous spies in the U.S. government were caught passing secrets to foreign countries, intensifying strains between East and West. In fact, throughout the 1980s, nearly 60 uniformed and civilian employees in the Defense Department, alone, were accused of espionage or serious violations of security regulations.
In 1985 — dubbed the “Year of the Spy” by U.S. media — several high-profile scandals exposed the covert doings of innocuous-seeming civil servants. Jonathan Jay Pollard, a civilian intelligence analyst at the Navy’s Anti-Terrorist Alert Center, was caught leaking sensitive documents to Israel. CIA clerk Sharon Marie Scranage was revealed to have given a relative of the Ghanaian head of state sensitive information. Ronald William Pelton, a communications specialist at the National Security Agency, was sentenced to life in prison after handing over secrets to the Soviet Union.
Even after the Iron Curtain lifted in 1991, the spy war continued. Whereas money had often served as the main motivator for spies of the past 30 years, greed slowly gave way to ideological beliefs as a driving force for nefarious players. Enter the insider.
NOW: Insidious Insiders
Nearly 60 years after Julius and Ethel Rosenberg
were executed for espionage — a crime their judge declared “worse than murder” — the U.S. saw another spying scandal unravel, unveiling a young man accused of stealing and spilling national secrets.
At its center was U.S. Army analyst, Pfc. Bradley Manning, suspected of leaking hundreds of thousands of classified government documents to whistle-blower website WikiLeaks. Manning, like the Rosenbergs, is accused of violating the Espionage Act and aiding the enemy, an offense punishable by death.
His motive for leaking the information was for “people to see the truth, regardless of who they are,” and experts say he exemplified what many see as the most damaging threat — an idealistic insider, hard to spot and hard to stop.
Many questioned how a low-ranking soldier could access such government secrets and download half a million of them without raising any flags. The answer was SIPRNet — the Secret Internet Protocol Router Network, established after 9/11 to promote information sharing between the State and Defense departments.
In the Manning case, many experts lay part of the blame on the environment. Regardless of even the most motivated of insiders, the setting, itself, can present an opportunity for sinister conduct.
“When you have lax environments that haven’t been held to standards, or they don’t have accountability for the standards — be it the technology standards or the personnel standards — that’s when you’ve allowed bad practices to start to evolve into threats,” said Al Kinney, director of defense cybersecurity capabilities at HP Enterprise Services.
Whether it’s a disgruntled person or someone with a financial or espionage motive, he said, those individuals can operate with impunity when there’s a lenient technical and policy situation.
“This is the most damaging form because they can just walk out with or send out all kinds of information,” Kinney added.
Understanding the threat is one step toward preventing it. However, misconceptions in industry tend to originate from the sentiment “not in my backyard.”
“It is dangerous to think that in my neighborhood, nothing bad happens to me — it’s only the people down the street that are facing an insider threat,” said Jeffrey W. Wright, senior vice president of strategic programs and deputy and chief of staff of CACI’s Enterprise Technologies and Services Business Group. “Insider threats can be the most damaging threat of all.”
It’s very clear that most either understand the threat or they completely miss the point, thinking, “Oh, it doesn’t apply to me. It won’t happen here. I’m not in that kind of industry,” Kinney said.
These individuals, he said, believe these threats are minimal because they are not a classified center of government intelligence. In truth, even the most benign types of businesses have proprietary information that can be an attractive target — financial information, business strategies and policies.
“You don’t have to be a major world player to worry about insider threats,” Kinney added.
Bricks and Mortar to Bits and Bytes
With the evolution from bricks and mortar to bits and bytes, the proverbial and
literal door of opportunity opened wider for web-savvy insiders. The Internet and innovations such as the smartphone have created an environment where information can be much more readily shared, sent and managed, said Dr. Michael Gelles, director at Deloitte Consulting LLP.
“Cybersecurity is clearly a component of the insider threat, where an individual may in fact use the Internet or internal systems as a means of exploiting the assets of an organization,” he said. Insiders can also obtain and share information that can compromise national security, public safety or a company’s R&D. Proprietary information can be shared through word of mouth. And individuals can copy information, share information, and audio and videotape information.
“The erosion of the security boundary is a game changer,” said Ken Ammon, chief strategy officer at Xceedium. “Historically, a spy must infiltrate your border to intercept signals or get inside of the organization. Now, data spans the globe; mobility and wireless blur traditional security boundaries. You must evolve a security position beyond the firewall approach of the ‘90s.”
Alongside the explosion of information, there’s also the abundance of tools originally designed for good that can be also used for evil, whether they are cameras within cell phones, USB memory sticks, CD-ROMs or the like, Wright said.
With unprecedented access to information and advances in networking storage and search, the insider now has a multitude of avenues and exploits to choose between. Technologically experienced Generation Y also adds a new dimension, blurring the line between work and personal life and using Facebook and mobile communications platforms, Ammon said.
Couple these elements, he said, and it becomes easy to draw a huge lens on the insider threat.
“Insider threat has become a bigger issue for commercial providers in recent years as the term ‘insider’ has expanded to include third-party vendors, outsourced providers, supply chain and outsourced contractors,” Ammon explained. “These resources mix in with your direct employees and it’s difficult to draw the line for granting a greater level of privilege and access. In most cases today, they share equal privileges inside of the environment.”
As opposed to traditional spies, who primarily engage in espionage and turn perfidious for cash, the insiders range from disgruntled employees to saboteurs, whistle-blowers, idealists, opportunists, narcissists, negligent workers and terrorists.
And in many cases, they don’t need sophisticated tools and technology to carry out their misdeeds.
A 2008 CERT/U.S. Secret Service report on insiders in government highlighted how unsophisticated most culprits were: Some convinced coworkers to disclose passwords; others simply kept work laptops after being fired. A step above regular social-engineering schemes, some insiders employed password crackers, altered source code or exploited backdoors to gain access to systems and networks.
“Sometimes, it doesn’t need high tech — people just carry papers out,” noted Rodney Joffe, senior vice president and senior technologist at Neustar. “When people talk about insider threat, they really don’t think about the fact that it’s no different than traditional tradecraft and spying.”
Case in point: A 2009 CERT report detailed one particular insider carrying large bags, multiple books and a binder from the office the evening before resigning; another insider absconded with more than 20 boxes of research material from a supposedly “secure” environment.
But not all insiders are malicious. An oft-forgotten aspect of the insider threat is the negligent or careless employee who leaves his or her company computers unsecured, talks too loudly on a cell phone about sensitive information or simply forgets a company Black-Berry in a cab. Although the opposite of calculating and callous, these unintentional threats could still prove disastrous.
“The largest insider-threat risk is someone who’s not devious, but someone who makes an unintentional error that puts your system at jeopardy; someone who clicks on an email attachment he shouldn’t or accepts something he shouldn’t,” said Steve Hawkins, vice president of Information Security Solutions at Raytheon.
But what makes an insidious insider act? Project Slammer, a now-partially declassified CIA report based on prison interviews with 30 spies convicted during the Cold War, offers a rare glimpse into how a subject perceived himself. Often, the perpetrators viewed themselves as “special” and “deserving,” but not necessarily a “bad person.”
“He finds that it is easy to go around security safeguards,” the Slammer report said. “He belittles the security system, feeling that if the information was really important, espionage would be hard to do. This ‘ease of accomplishment’ further reinforces his resolve.”
A more recent Deloitte report noted that in most cases, the actions of an insider are not impulsive but intentionally pursued over an extended period of time. The malicious behaviors are often the end result of a multifaceted set of problems, conflicts and disputes, or a crisis in the person’s personal life.
“We’ve always seen individuals who tend to become insider threats are those who tend to not feel valued in their organizations at the level they feel they should be valued,” said Gelles, one of the co-authors of the report. “Generally, you see this with individuals who have larger- than-life egos — someone who is self -aggrandized, someone who believes they are above the rules and above other people.”
When those individuals do not feel valued, Gelles said, they tend to feel disgruntled and may look for other ways for people to value them. A financial crisis may lead an individual to exploit assets because they see they have information that could derive them some financial reimbursement and a solution to their economic situation. This has been bolstered by the Internet’s black market, where purloined information can often draw a hefty price tag.
In addition, employees or contractors who don’t leave under the best conditions may feel aggrieved and “believe they have a right to take intellectual property with them or leave behind a logic bomb [code that under the right — or wrong — circumstances triggers software malfunctions],” Ammon said. “Political motivation may blur the lines between good corporate citizen and socioeconomic whistle-blowers.”
TOMORROW: Industry Partners to Stop Insiders
Experts agree: Insiders exist in every sector, in every industry and have for a while.
“But the volume of critical and sensitive information has grown exponentially because of the digital means we are using to generate it, so the potential losses are bigger and can take place at a faster pace,” said Robin Lineberger, CEO of Deloitte Federal Government Services.
Joffe put it more bluntly. “If you’re a company that has anything interesting, at some point, you’re going to be hit by the insider threat,” he said. Because of the nature of Advanced Persistent Threats — a stealthy method to access and steal information from compromised computers — Joffe said he anticipates insider threats to become even more crafted and plotted out, with would-be insiders even taking jobs as part of a master plan to gain inside access.
It’s predictions such as Joffe’s that will keep security and technology contractors busy. Kinney said from a comprehensive perspective, new opportunities for government contractors are going to evolve from emerging situational awareness requirements, many of which will involve cloud computing.
Although HP has not established a separate line to prevent insider threats, it offers specific technologies and services that combat insider activities while also establishing a strong security posture as an overall solution for the client.
And in this case, the client happens to be the Defense Department, who Kinney said has issued more than 22 million smartcards to support critical access and identity transactions using HP technology.
Xceedium offers an appliance-based security product called GateKeeper, which enforces a “zerotrust” security model for privileged users by containing, controlling and auditing all privileged actions.
“Our solution doesn’t require a network redesign and interfaces with the existing identity management platform,” Ammon said. “Our current market demand comes from both compliance, such as PCI and NIST 800 series, and insider threat.”
Not only is there an opportunity to implement information-security architectures that focus on securing information, but contractors can also provide thought leadership through assessing and leveraging emerging security models, he noted.
“Government contractors act as trusted advisers to government IT architects and operators and, as such, there exists an opportunity to help generate security requirements for outsourced providers and insider threat,” Ammon added.
As the largest commercial provider of background investigations to the federal government, USIS will continue to provide services targeted at enhancing the government’s approach to the insider threat, said USIS President and CEO William C. Mixon, mentioning examples such as enhancing national vetting, border security and immigration agendas, and more sophisticated construction-surveillance approaches, particularly in support of a classified facility.
“That includes more sophisticated levels of access control particularly with classified facilities, providing enhanced security monitoring type of services as it relates to escorting folks within government facilities and a continued evolution of biometrics services in support of the insider threat,” he said.
In no small part because of WikiLeaks, the market is growing beyond analysts’ predictions, Hawkins said. Raytheon’s revenues were impacted by the visibility of WikiLeaks, for example, and the company received significant contracts. Raytheon’s insider-threat detector SureView is currently deployed on more than 250,000 desktops across various parts of the government, and Hawkins said he is optimistic about the product’s spread, saying it could increase “substantially.”
Customers are interested, he said, because the SureView solution is “an operationally proven and mature technology.” Not only is it a sixth-generation software product, but it has been deployed across “many, many enterprises,” helping clients write policies unique to their situation, Hawkins said.
McAfee, which post-WikiLeaks saw a “definite uptick” in interest from customers in its insider solutions, also predicts a bright future in market opportunities. It’s important to take a lessons-learned approach, said Tom Conway, director of federal business development.
“Don’t go fighting the last battles all the time,” he said. “Learn from the last battle, but prepare for the next. When the thumb-drive incident came out, certain government entities responded to that in a way that dealt with only the problem du jour, as opposed to looking forward a couple of years to other potential avenues where they were vulnerable.”
Instead of plugging security gaps one at a time like the little Dutch boy with his finger in the dike, Conway said, think about what the next threat is, and prepare for that.
Closing the Insider Opportunity Gap
Insiders, whether accidental or planned, have and always will be part of the equation. “I think we’re just seeing the tip of the iceberg,” Joffe said. “I think that the insider threat has been a threat for a long time. We just haven’t been very good at actually finding it.”
The solution is to close the gap of opportunity for insiders, through technological solutions, personnel training and public-private partnerships, the experts who spoke to GovConExec agreed.
However, with much of the talk focused on how industry can help government in battling insider threats, Joffe pointed to a different aspect: What about government helping industry? The government theoretically has had to deal with traditional threats for years, he said, but yet there’s no way for it to share the experience with industry in a logical way.
“I’m absolutely positive that the best knowledge about how to recognize insider threat … really happens within the government,” he said. “The government needs to be able to train private industry on how to recognize it. Private industry, absolutely, also has a part to play; they need to find ways of being able to share information with the government.”
Although government has become much more sensitive to the insider threat, Gelles said, it often sees technology or some type of technological solution as a silver bullet. Government may use analytics to understand business and business processes, but it does not use analytics to better understand risk management and the ways to predict where there may be greater risk.
“The government is beginning to pay attention to the fact that just a blanket security-awareness program is not enough,” Gelles said. “You really have to become
much more specific in terms of how we train different segments of the workforce across the enterprise to mitigate risk in those particular areas of the enterprise rather than just blanket awareness training.”
But prevailing against the insider threat isn’t a sprint; it’s a 24/7 marathon to protect an organization, Wright said.
“Insider threats have been a problem that’s existed since recorded time,” he said, extending even further beyond the heyday of the Cold War.
“The best approach is to have strong practices, systems and risk management within your enterprise to protect your mission, your people, your information and your customers,” he added. “This approach needs to be part of a continuous improvement culture.”