Insider Threat Bias
Dave McMahon - Chair CADSI cyber council and CEO of Clairvoyance Cyber Corp - Posted 16 March 2021
I have seen my fair share of espionage and criminal investigations over 30 years, in both the security intelligence business, and as a Chief Security Officer in industry.
Many people fail to appreciate that an insider threat could be sitting right next to them, while others might see threats everywhere. All threat assessments should be evidence-based.
Before I begin, it is important that we clarify what is meant by insider threat. For simplicity, let’s say that it is any threat emanating from within your organization or trusted network. In this case, all successfully externally sourced attacks will become insider threats at some point. This includes both human and technical means of penetrating your organization. The human insider threat can manifest themselves in a number of forms: the professional operative (spy) that has always worked for your adversary, a trusted individual that has been recruited or has since chosen to secretly work for the competition, the typical disgruntled employee who may not be working for anyone but is definitely working against you, the person that writes that tell-all book or leaks sensitive information to the World with a self-righteous rationale whilst harbouring vindictive objectives, or the criminal who is stealing for personal game and the unwitting accomplice. Many of the insider threat detection methods are very similar, not something that can be easily automated, but that is something for another blog.
The professional spy or sophisticated technical threat are the most problematic to catch and are usually only compromised by a double-agent, whereas the other types of insiders often leave clear indicators with the benefit of hindsight.
Frequently, we fail to see the indicators or read the warning signs. As a social animal, it is in human nature to trust the people we work with. Often we deny or rationalize what we may observe. I remember one case where an individual regularly came to work with swastika tattoos and Hells Angels paraphernalia. It should have been no surprise that he was later discovered to belong to an extreme right wing neo-Nazi group and was up to no good.
In another case, we had an executive whose entire persona was completely made up. Nothing in his CV stood up to scrutiny. All his identification was counterfeit. Unfortunately, no background check was ever done before he was hired. All his stories started to unravel during the fraud investigation which ended up costing the company millions. No one in the office could believe that someone would be that bold. Subsequent, to his investigation, we reviewed everyone the company - thousands of personal files and CVs, re-checked references, work experience, education and backgrounds. What we found was alarming. While, 30% of the people embellished the truth, 10% had lied about something significant. For several employees, it was serious enough to warrant dismissal.
It is my experience that a great many cases of inside fraud and betrayal are swept under the carpet, either because the organization is embarrassed or wishes to save face. This does a great disservice to the enterprise because it leaves the impression that instances of insider threats are far less frequent then they actually are.
Estimates just for espionage suggest that Western counties catch less that 1% of cases and only 10% of those cases are prosecuted or become public.
Conversely, we have read of examples of institutional paranoia and mole hunts that tore organizations inside-out. I have seen the reputations of innocent people or businesses ruined by innuendo without evidence.
Often we, as humans, tend to naturally assign risk based upon most egregious impact that we can imagine, while ignoring likelihood. This is a precautionary and instinctive approach that has allowed us to survive. Perhaps, it was better for our early ancestors to run from sticks on the ground then for one of them to be a snake. However, this is not effective use of one’s time and resources.
It is true that a well-placed insider can do catastrophic damage to an organization either through espionage or sabotage. And I have seen both. But that does not necessarily mean that insider-risk is always high by default.
I remember on more than one occasion, sitting in a room with a project team reviewing a threat risk assessment for a major system that was about to go operational. Only to have the project delayed because the specter of the evil insider was raised in a threat risk assessment. I would ask the author why they had assigned high-risk to the insider threat on the project and then ask them to point out who in the room we should be investigating and what evidence they had. Everyone on the project had undergone exhaustive background checks, continuous security vetting and there was a robust personnel, physical and technical security program in place. They would predictably be dumfounded when we put it in those terms.
Insider risks need to be put in perspective. These days you are far more likely to be compromised through a cyber attack and advanced malware then by a vetted insider. That being said, an insider is a potentially high-impact event that needs to be taken seriously.
The third major bias is when the organization protects the insider risk onto another party. Too often I hear, “the threat is not from within my organization or from my people”.
This is more common in the context of espionage, breach of trust or conflict of interest.
Who is a threat is a function of who is the target. The government tends to be targeted for ideological reasons, political intelligence, military operational secrets and indirect access to industrial trade secrets and technology. Whereas, industry is targeted for wealth and technology, intellectual property and industrial trade secrets. Academics are exploited owing to open culture to gain access to both sensitive industrial and government information as well as being a lucrative target for advanced research.
There is naturally a free flow of individuals between competing businesses and academics who tend to frequently collaborate and partner in a process colloquially referred to as co-opetition. Knowledge tends to be shared. It is far easier for a competitor to hire talent away from your business, or obtain information through merger, acquisition or joint venture, then to conduct outright industrial espionage. This is more difficult when exploiting public sector, although it does occur. Thus human espionage tends to be more prevalent within the public sector.
A version of this bias is that: regular force members are more reliable than reservists, employees in uniform are more honourable than civilian or part time member, and employees are more trustworthy than contractors.
All these people can be sitting next to each other, with access to same systems doing the same jobs. The only real difference between these groups, is the means by which they get paid and file their taxes.
In point of fact, a contractor goes through as much or more exhaustive security vetting than a public sector employee for the same access. The notion that a full-time employee is lower-risk or inherently more-trustworthy is simply not supported by the evidence.
One will need to use relevant indicators supported by evidence, if one is to successfully hunt a threat inside the organization.
Espionage by the Numbers
Espionage cases in Canada are similar to the US experience. There have been significantly more cases of espionage involving public sector employees compared with private sector in Canada.
The following is a statistical overview of the unclassified Espionage Database ( https://www.wrc.noaa.gov/wrso/security_guide/numbers.htm ) maintained by the Defense Personnel Security Research Center (PERSEREC).
Disclaimer: The views and opinions expressed in this blog post are those of the authors and do not necessarily reflect the official position of the Professional Development Institute of the University of Ottawa.
Dave McMahon has an honours degree in computer engineering from the Royal Military College of Canada and 35 years experience in defence, security and intelligence. Dave was a CSO, COO to defence, telecommunications and intelligence organizations, co-chair or the Interdepartmental Committee on Information Warfare, expert witness to the Senate and special advisor to the Privacy Commissioner of Canada, and intelligence oversight and review. Dave is currently the Chair of the CADSI cyber council, and the CEO of Clairvoyance Cyber Corp.