
The Insider Threat Dilemma

The U.S. Committee on National Security Systems describes an “insider threat” as an individual who uses authorized access, wittingly or unwittingly, to do harm to the security of the United States. Our focus here is on the witting, malicious insider. A recent case became public on February 13, 2019, when the United States Department of Justice unsealed an indictment against former Air Force counterintelligence specialist Monica Witt. She is accused of disclosing the codename of a top-secret Department of Defense program, as well as identifying information about her former intelligence associates, to Iran’s Islamic Revolutionary Guard Corps. Four Iranian nationals were indicted alongside her for social engineering attacks against her former military and contractor colleagues, conducted through their social media accounts for the purpose of gathering intelligence. Witt defected to Iran in 2013 and still resides there today. The case illustrates an insider threat dilemma that has dogged governments for centuries, but the “insider threat” applies just as much to the private sector. Against malicious insiders the federal government has tools the private sector does not: the polygraph, and background investigations carried out by the FBI and the intelligence community. The private sector must instead rely on monitoring employees’ online activity, watching for changes in employee behavior, and other technical countermeasures.

Most background reinvestigations of federal government and contractor employees take place every 5 years. Holders of certain top-secret clearances must also take a polygraph, and the CIA requires reinvestigation polygraphs of its employees every 5 years. A polygraph is one control that can reduce insider-threat risk, but only as a complement to the financial and background checks that accompany it. Some argue that the case of Aldrich H. Ames, convicted of spying for the Russians in 1994, proves that polygraphs do not work. It is better read as proof of why the background investigation must complement the polygraph examination. Clearance investigators failed to note that Ames paid $540,000 in cash for a house in a prominent Arlington neighborhood, and the CIA’s security office missed $445,000 in credit card spending over 8 years on a salary of $70,000 a year. These are obvious signs of someone living beyond their official means, and they show why an individual’s finances must be checked during every reinvestigation. One of Ames’ polygraphs also came back inconclusive. Had reinvestigations been run on a shorter interval, say 2.5 years instead of 5, and had polygraphs been administered at random the way drug tests are, Ames might have been caught earlier and some of the sources he betrayed inside Russia might still be alive. Likewise, had FBI agent Robert Hanssen been polygraphed even once in his 25-year career, he might have been caught sooner. Hanssen spied for the Russians for over 20 years, and three Russian sources were executed after he revealed they were working for American intelligence. Further evidence that polygraphs work came in 1995, when CIA officer Harold J. Nicholson was flagged for deception on several polygraph examinations, specifically when asked whether he had been in contact with foreign intelligence services. Almost a year later he was arrested for spying for Russia.

Critics argue that false positive results should limit the use of polygraphs in clearance reinvestigations and hiring decisions. A standard policy for retaking the test, however, would let employees and new hires clear the air and get their careers back on track. In the case of Monica Witt, a consistent polygraph program might have caught her at a reinvestigation, or deterred her from spying in the first place. The ranking Democrat on the Senate Intelligence Committee, Bob Graham (Fla.), stated “lie detectors can be compared to metal detectors, which are more likely to prevent someone from taking a weapon to an airport or public building than actually catch someone with one”. For legal reasons (in the United States, the Employee Polygraph Protection Act of 1988), the private sector is largely prohibited from using polygraphs and must rely on other means of mitigating the “insider threat”.

Organizations are often limited by privacy constraints when monitoring the online activities of employees. Within those limits, employers should use technologies that baseline normal behavior and alert on deviations from it, rather than on raw volume; otherwise the flood of false positive alerts leads to analyst burnout. The psychological side of employee behavior matters as well. Management can train employees to notice peer behavior and environmental stressors. Flags include recent ideological changes, financial hardship, and disappointment over promotions that turns into open resentment toward the organization. Changes in work routine can also be observed: abnormal working hours, probing of company databases, and other technical anomalies. Combined with technical controls (for example data loss prevention, data encryption, and key loggers where law and policy permit them), these observations let an organization identify individuals with repeated suspicious activity, both online and among coworkers, and place them under increased scrutiny. All of these steps improve the odds of detecting data exfiltration. Even with all of them in place, however, it is nearly impossible to predict with certainty who the next “insider threat” will be. One way to surface an employee who is already inclined to act is an internal “Honeypot” (K. Hu). An employee with the desire to act is more likely to do so when presented with the right circumstances. A “Honeypot” of apparently valuable data that no legitimate workflow needs to touch can be too tempting for a malicious insider, and because no one has a business reason to access it, any access is a high-fidelity signal. It gives the organization both a chance to catch the culprit and a deterrent at the same time.
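The following is an added example, not code from the original post or from the cited work, showing how the three signals above (decoy or “Honeypot” access, off-hours activity, and a burst of data access relative to the user’s own baseline) can be scored over access logs. The log format, the decoy path, the working hours and the thresholds are all assumptions made for the demonstration, and the log lines are constructed.

```python
"""Score insider-threat signals over constructed file-access log lines.

Added example. The log format, decoy path, working hours and thresholds
are assumptions for the demo, not values from the original post.
"""
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <user> <action> <resource>" per line.
SAMPLE_LOG = """\
2019-03-04T09:12:01 alice READ /shares/finance/q1_report.xlsx
2019-03-04T09:40:13 alice READ /shares/finance/budget.xlsx
2019-03-04T10:05:44 bob READ /shares/eng/design.docx
2019-03-04T11:30:00 bob READ /shares/eng/roadmap.pptx
2019-03-05T02:14:09 bob READ /shares/hr/salaries.xlsx
2019-03-05T02:15:30 bob READ /shares/finance/q1_report.xlsx
2019-03-05T02:16:02 bob READ /shares/legal/merger_plan_CONFIDENTIAL.docx
2019-03-05T02:17:45 bob COPY /shares/legal/merger_plan_CONFIDENTIAL.docx
2019-03-05T02:20:11 bob READ /shares/eng/design.docx
2019-03-05T02:22:40 bob READ /shares/eng/roadmap.pptx
2019-03-05T09:00:00 carol READ /shares/hr/policy.pdf
"""

# Decoy ("Honeypot") objects: planted, never referenced by any real workflow.
DECOY_RESOURCES = {"/shares/legal/merger_plan_CONFIDENTIAL.docx"}
WORK_HOURS = range(7, 20)   # 07:00-19:59 counts as normal (assumed for the demo)
BURST_MIN = 5               # distinct resources in one day worth a look at all...
BURST_FACTOR = 2.0          # ...and only if above 2x the user's busiest other day


def parse_line(line):
    ts, user, action, resource = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), user, action, resource


def analyze(log_text):
    """Run the three rules and return a list of (user, rule, detail) alerts."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    off_hours = defaultdict(Counter)                 # user -> {date: event count}
    touched = defaultdict(lambda: defaultdict(set))  # user -> {date: resources}

    for ts, user, action, resource in events:
        # Rule 1: any touch of a decoy is an alert by itself; nobody belongs there.
        if resource in DECOY_RESOURCES:
            alerts.append((user, "decoy_access", f"{action} {resource} at {ts.isoformat()}"))
        # Rule 2: activity outside normal hours, aggregated per user and day
        # so a night of work produces one alert rather than one per event.
        if ts.hour not in WORK_HOURS:
            off_hours[user][ts.date()] += 1
        touched[user][ts.date()].add(resource)

    for user, days in off_hours.items():
        for day, n in sorted(days.items()):
            alerts.append((user, "off_hours",
                           f"{n} events on {day} outside {WORK_HOURS.start:02d}:00-{WORK_HOURS.stop:02d}:00"))

    # Rule 3: a burst of distinct resources compared with the same user's own
    # baseline, which keeps a busy-by-nature user from tripping it every day.
    for user, days in touched.items():
        for day, resources in sorted(days.items()):
            other = [len(r) for d, r in days.items() if d != day]
            baseline = max(other) if other else 0
            if len(resources) >= BURST_MIN and len(resources) > BURST_FACTOR * baseline:
                alerts.append((user, "volume_burst",
                               f"{len(resources)} distinct resources on {day}, baseline {baseline}"))
    return alerts


def rank_users(alerts):
    """Users in review order: most distinct rules tripped first, then alert count."""
    rules = defaultdict(set)
    counts = Counter()
    for user, rule, _ in alerts:
        rules[user].add(rule)
        counts[user] += 1
    return sorted(counts, key=lambda u: (len(rules[u]), counts[u]), reverse=True)


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("review order:", rank_users(found))
```

On the constructed log only bob is flagged, and he trips all three rules: two decoy-access alerts (the READ and the COPY), one off-hours alert covering six events, and one volume burst (5 distinct resources against a baseline of 2). In practice the off-hours and volume rules need tuning to the organization, since on their own they generate the false positives the text warns about; the decoy rule is the high-fidelity one, because no legitimate activity ever touches the planted file.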

In conclusion, the government will always have the law and the federal budget behind its efforts to prevent the “insider threat”. Companies must therefore improvise to overcome, or at least mitigate, the threat. As malicious insider incidents grow more frequent, a “Honeypot” can be as useful a tool to the private sector as the polygraph and the background investigation are to the government.


Roger Colinger
