“But what is new is that the small fry also have the power of betrayal … Science, adding to our armoury, continually demands more mechanics and more clerks and with every demand makes the problem of security more difficult to solve.” - Rebecca West, The New Meaning of Treason (1966)
When West wrote that passage, she was describing treasonous banalities, citizens of western democracies who had betrayed their countries in service of Soviet tyranny. Her words, however, have a quality of prescient timelessness in that they are as applicable today as they were almost 50 years ago. In the Cold War era, the damage even the most proficient and motivated spy could inflict was constrained by the relative inaccessibility of sensitive information in comparison with access afforded by today’s IT systems. The murders of heroic CIA Soviet agents ascribable to the treachery of Ames, Hanssen, and their ilk aside, the damage such turn-coats could inflict, albeit great, was bounded both by compartmentation and by the fact that much of the data to which they had access was retained in paper form. That reality imposed operational constraints on those seeking to fully exploit the traitors’ access. The time, effort, and potentially alerting nature of copying, photographing, or carrying documents out of the workplace forced the spy and his handler to consider the risk inherent in any such activity, a calculus that almost invariably served to limit the scale of damage they might otherwise have inflicted. That is no longer necessarily the case.
The post-9/11 Revolution in Intelligence Affairs has allowed the collection, processing, analysis, and dissemination of information at a pace unimaginable to those of us who served in the East Bloc in the 1980s. The resulting advantages accruing to U.S. intelligence in working against both our Islamic terrorist enemies and more traditional intelligence targets have been readily manifest in the unprecedented rapidity with which action can now be taken in response to intelligence reporting. At the same time, the aggregation of data necessary for that exploitation has greatly increased the potential harm that can be done to an organization by a malicious insider abusing authorized access to its sensitive data. That threat is further compounded by cloud computing and linked networks, which make detection of anomalous behavior more difficult and can facilitate wide propagation of the impact of such actions if not quickly uncovered.
The Traitor now sitting in Moscow, whose 2012 leaks did such damage to crucial U.S. collection operations, is a painful reminder of the injury a trusted insider who willfully violates his sworn oath can inflict upon even a hardened target. The Traitor’s public revelations, coupled with the unnecessarily apologetic reaction to and imprudent self-imposed collection limitations resulting from those exposures, did great harm to U.S. national security and have put American and Allied lives at increased risk. As such, the Traitor’s actions, together with the actuarial certainty (to paraphrase one of my predecessors as CIA’s Chief of Counterintelligence, Paul Redmond) that his case will not be the last of its kind, serve to underscore the import of an effective Insider Threat Program.
The challenge of Insider Threat is, of course, not limited to classified networks. American industry faces increasing instances of Insider Threat ranging from espionage, intellectual property theft, and loss of proprietary information to industrial sabotage, fraud, and workplace safety issues. According to the FBI, while Insider Threat is not the most frequently reported threat to U.S. business IT networks (that dubious honor goes to advanced malware), it is the most costly challenge for U.S. industry in terms of both financial impact and damage to business reputation. FBI information compiled over the last decade indicates that Insider Threat incidents cost an average of $412 thousand to resolve and resulted in an average business loss of more than $472 million (with multiple incidents exceeding one billion dollars). Of particular interest, in an echo of West’s warning about a small fry with the power of betrayal, the FBI found that 90 percent of IT saboteurs over the last decade were system administrators.
During the final three-plus years of my CIA career, I had the honor of leading what has been termed the Intelligence Community’s “Gold Standard” Insider Threat program. That experience defending CIA against potential moles and other Malicious Insiders, in conjunction with the fact that I spent much of the first 30 years of my career seeking out and exploiting such threats within foreign intelligence targets, gives me a unique perspective on some of the necessary prerequisites for a successful Insider Threat program. First, and foremost, Insider Threat is not simply a cyber or a security problem, although both can and should play a role in countering it. Second, as Insider Threats are not hackers, outward-facing defenses alone will not suffice to protect against them. Third, while automation can help by reducing the number of humans with access to data, there are no technological silver bullets that can “solve” Insider Threat. Finally, responding to Insider Threat requires more than the establishment of a compliance shop. It is a problem of human behavior, the answer to which involves the ongoing contextual analysis of that behavior.
Consequently, an effective Insider Threat Program should focus on both deterrence and detection, thereby creating an environment wherein being a Malicious Insider is not easy. To build such a Program, one must:
- identify and prioritize the data and other organizational equities to be protected, with the understanding that not everything can be defended with equal effect for, as Frederick the Great famously said, "He who defends everything defends nothing."
- clearly articulate to leadership the value of keeping organization data secure, as well as the potential implications for the organization of a loss of sensitive data, intellectual property and proprietary information.
- clarify leadership’s intent with respect to the mandate and scope of the Program, and their commitment to its resourcing. One of the biggest challenges in this regard is that the value of the Program will be difficult to quantify and its product (almost invariably bad news) never wholly welcome. This is a quandary reminiscent of former CIA Director Richard Helms’ lament regarding counterintelligence (CI): “If your CI Service finds spies, you have a bad CI Service; if your CI Service doesn’t find spies, you also have a bad CI Service.”
- designate a Chief Risk Officer (CRO) with responsibility for overseeing the Insider Threat program. The CRO should have, if not control over, at least insight into the organization’s Security and IT programs; should report directly to company senior leadership; and should take charge of the management, investigation and adjudication of any incidents related to Insider Threat.
- develop and institute guidelines and procedures for the Program in accord with organization policies and the law. Those procedures should make employee agreement to audit a precondition for employment, should not impede business productivity, and should include provisions for protection of individual privacy and the confidential investigation of detected anomalies.
- direct particular attention to monitoring the network activities of privileged users who, by virtue of their extensive access, represent the highest level of potential Insider Threat.
- put together a multi-disciplinary team that includes experienced CI, Security, IT, HR, legal and investigative personnel, thereby facilitating the best possible contextual analysis of employee data usage and conduct.
- utilize audit tools designed to detect anomalous activity on the organization’s IT system, tools that are as robust, adaptable, and comprehensive as possible, and that incorporate an automated alert capacity.
- understand that the first line of protection against Insider Threat is deterrence, and therefore implement an education, training and messaging strategy that focuses on employee responsibilities and obligations regarding the protection of sensitive data and ensures their understanding of the necessity for, and general scope of, the Program.
- answer the age-old Roman question: “Quis custodiet ipsos custodes?” The response to that question of ‘Who guards the guards?’ should include provisions for careful oversight of the Program's implementation, thereby reassuring both the organization’s leadership and workforce of strict adherence to stated guidelines by those involved in the Program.
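The two list items above on monitoring privileged users and on audit tools with an automated alert capacity describe a capability without showing what one looks like in practice. The following is an added example written for this page, not code from the original essay or from any named program. It assumes a simple `key=value` audit-line format, two constructed roles (`sysadmin`, `dba`) treated as privileged, and business hours of 08:00 to 18:59; every log line it processes is generated inline and is fictional. It builds a per-user baseline of daily event volume and raises an alert when a privileged account's day departs sharply from its own history or when such an account exports data outside business hours.

```python
"""Minimal privileged-user anomaly detector over constructed audit lines.

Added illustration only: the log format, role names and thresholds are
assumptions, not those of any real product or organization.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

PRIVILEGED_ROLES = {"sysadmin", "dba"}  # assumption: roles under heightened monitoring
BUSINESS_HOURS = range(8, 19)            # assumption: 08:00-18:59 local time


def build_sample_log():
    """Constructed audit lines (fictional). 'alice' is a sysadmin with a quiet
    ten-day baseline, followed by one night of bulk reads and an export.
    'carol' is an ordinary analyst and is outside this monitor's scope."""
    lines = []
    start = datetime(2024, 3, 4, 9, 0)
    for day in range(10):  # ten ordinary working days, five reads each
        for i in range(5):
            ts = start + timedelta(days=day, hours=i)
            lines.append(f"{ts.isoformat()} user=alice role=sysadmin "
                         f"action=read object=/srv/hr/record{i}.csv")
        ts = start + timedelta(days=day, hours=1)
        lines.append(f"{ts.isoformat()} user=carol role=analyst "
                     f"action=read object=/srv/reports/q1.pdf")
    night = datetime(2024, 3, 14, 2, 0)  # the anomalous night: 60 reads, then an export
    for i in range(60):
        ts = night + timedelta(minutes=i)
        lines.append(f"{ts.isoformat()} user=alice role=sysadmin "
                     f"action=read object=/srv/hr/record{i}.csv")
    ts = night + timedelta(hours=1)
    lines.append(f"{ts.isoformat()} user=alice role=sysadmin "
                 f"action=export object=/srv/hr/all.zip")
    return lines


def parse_line(line):
    """Parse '<iso-timestamp> key=value ...' into a dict with a datetime 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def detect_anomalies(lines, z_threshold=3.0, min_baseline_days=5):
    """Return alerts for privileged accounts only.

    volume_spike:    a day's event count exceeds the user's own baseline
                     (mean and population std dev of the user's other days)
                     by more than z_threshold standard deviations.
    offhours_export: any 'export' action by a privileged account outside
                     BUSINESS_HOURS, flagged regardless of volume.
    """
    per_user_day = defaultdict(lambda: defaultdict(int))
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec["role"] not in PRIVILEGED_ROLES:
            continue  # non-privileged activity is out of scope for this monitor
        day = rec["ts"].date()
        per_user_day[rec["user"]][day] += 1
        if rec["action"] == "export" and rec["ts"].hour not in BUSINESS_HOURS:
            alerts.append({"user": rec["user"], "day": day,
                           "kind": "offhours_export", "object": rec["object"]})
    for user, days in per_user_day.items():
        if len(days) < min_baseline_days + 1:
            continue  # too little history to call anything anomalous
        for day, count in days.items():
            others = [c for d, c in days.items() if d != day]
            mu = mean(others)
            sigma = max(pstdev(others), 1.0)  # floor avoids a zero divisor on flat baselines
            z = (count - mu) / sigma
            if z > z_threshold:
                alerts.append({"user": user, "day": day, "kind": "volume_spike",
                               "count": count, "baseline_mean": mu, "z": round(z, 1)})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(build_sample_log()):
        print(alert)
```

The baseline is computed per user against that user's own history rather than against a fleet-wide average, which is what keeps a busy but consistent administrator from generating noise while still catching a one-night departure. In a real deployment the alerts would feed the multi-disciplinary review described above rather than trigger action on their own, since volume alone says nothing about intent.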
A successful Insider Threat Program must also include a capacity for analyzing available information on who could be targeting an organization, what data an adversary might want to steal, and which individuals within an organization might be an object of adversary interest. That analysis should also consider perceived adversary intent and capabilities, combining that knowledge with lessons learned from detected events and ongoing cases so as to ensure the Program’s capacity to adapt over time to counter real and potential Insider Threats.
Finally, as current industry and government emphasis on protecting against cyber attacks continues, and the effectiveness of defense against them consequently improves, adversaries will have every incentive to redouble their efforts to exploit access potentially afforded them by Malicious Insiders, as well as to use insights those Insiders might provide to improve the effectiveness of cyber attacks. Consequently, if we are to blunt the ‘power of betrayal’ now in the hands of real and potential Malicious Insiders, it behooves the U.S. government and American business to act now to put in place effective Insider Threat Programs.
As for that traitor in Moscow, let him stay there. Short of capital punishment (which is, alas, likely not in the cards), I cannot think of a more fitting fate for him.