September is #InsiderThreatAwarenessMonth. And while the risk category of insider threat encompasses a wide range of actors, motivations, and actions, I want to focus our attention this month on the high-tech insider.
Individuals with authorized access to your most sensitive corporate data and who are intent on causing your company harm or seeking personal gain pose a real and present danger. But if you train your workforce to understand the psychology of the dangerous, malicious insider, and deploy an anonymous, crowdsourced reporting system, you can effectively detect and prevent insider threats.
In 2005, I wrote a book (The Insider) that explored the history of high-tech insider crimes until that time. Many of the more recent cases are based on exclusive access to anonymized, real-world data loss threat assessments at major Fortune 1,000 companies. But in the 10 years that followed my research for that book, I went on to cover the intelligence community as a journalist and editor through many of the major cyber incidents targeting U.S. government data, including China’s hack of the Office of Personnel Management and, most notably, Edward Snowden’s insider attack against the National Security Agency.
What follows is what I’ve learned about the psychology of the malicious, high-tech insider and how organizations can leverage the eyes and ears of their loyal employees to detect and prevent the theft of intellectual property.
The motivations of malicious insiders are as varied as the techniques used to commit sabotage, espionage, theft or extortion. However, the most well-known studies of the psychological profiles of malicious insiders have revealed several common characteristics that make information technology professionals (particularly system administrators) an “at risk” population for malicious insider activity. In addition, these common traits make this group more vulnerable to outside manipulation by other criminals or international espionage efforts.
The most notable study was “Inside the Mind of the Insider,” conducted by Eric Shaw, a former CIA psychological profiler, and Jerrold Post, a former CIA psychologist and a noted expert on the psychology of terrorism and political violence. Post, who developed the Camp David Profiles for former President Jimmy Carter, characterizes internal cyber crime as a subset of workplace violence.
“In almost every case, the act which occurs in the information system era is the reflection of unmet personal needs that are channeled into the area of expertise,” Post said in an interview I conducted with him in July 2001.
“Almost all of these people are loyal at the time of hiring. So, this isn’t a matter of screening them out.”
Former CIA Psychological Profiler Jerrold Post.
According to Post, while the majority of hackers are little more than garden-variety criminals, the world of cyber-crime does have its share of Lee Harvey Oswalds. One example is Abraham Abdallah, a 32-year-old Brooklyn busboy who in March 2001 managed to pull off the biggest Internet identity heist in history, stealing the online identities of 200 of the richest people in America. There is little difference in motivation between criminals like Abdallah and Oswald, Post said during our interview in 2001.
“To steal somebody’s identity is to escape from one’s place of insignificance. It’s a special species of assassination,” he says.
Increasingly, however, identity theft is simply a means to a criminal end, usually illicit financial gain. And again, those we should be most concerned about are the very individuals we entrust with managing critical data and systems. “Almost all of these people are loyal at the time of hiring,” Post said, “so this isn’t a matter of screening them out.”
It is, however, a matter of knowing who is at risk of malicious insider activity, how to recognize the warning signs, and how to manage and relieve workplace stressors that may push an employee over the edge.
Studies dating back to the early 1990s show that malicious insiders have often suffered long periods of personal and professional failures, and have demonstrated little in the way of moral inhibitions when it comes to hacking, cracking, or espionage for retribution or personal gain. Even some of the more recent cases in U.S. history point to the same stressors and psychological weak points in dangerous insiders.
In 2014, I interviewed Dr. Harley Stock, a clinical forensic psychologist who’s taught at the FBI Academy in Quantico, Va., and asked him about his assessment of Edward Snowden, the former National Security Agency system administrator responsible for the 2013 theft and release of highly classified NSA surveillance program information. According to Stock, although many view Snowden as a whistleblower, his personal history tells a far different story.
“He’s very rare as an insider,” said Stock, pointing out most insider espionage cases have involved a desire for financial gain. “But when we look at Snowden, he has a very high need for attention and affection. This has shaped his life.”
For example, Snowden was ill as a teenager and failed to graduate high school. Then, his early college studies would fail to produce a degree. An attempt to join the U.S. Army Special Forces would end in injury.
Transcripts of many of Snowden’s chat sessions, published by Ars Technica, show signs of somebody struggling to overcome a long string of personal and professional failures, and reveal a highly moralistic personality.
“Great minds do not need a university to make them any more credible: they get what they need and quietly blaze their trails into history,” he wrote.
Snowden bragged in the anonymous online forum about his hacking skills and his ability to land sensitive government work without a formal education. He joined the NSA in 2009, at which time he reappeared on the chat boards of Ars Technica, complaining about leaks of classified information and criticizing The New York Times for printing it. “Those people should be shot,” he wrote.
Jim Van Allen is a Risk Assessment Consultant for Investigative Solutions Network Inc. and a former manager of the Criminal Profiling Unit of the Ontario Provincial Police who’s undergone behavioral sciences training at the FBI Academy. According to Van Allen, Snowden’s media interviews at the time reveal valuable information about his state of mind.
From a psychological point of view, Snowden seems to be moralistic and grandiose.
“When you look through Snowden’s interview with the Guardian, there was some very emotional, concrete and absolute language used,” Van Allen said during an interview I conducted with him in 2014. “Things were black or white, right or wrong. There’s very few areas of gray.”
Snowden also reveals paranoid thinking, according to Van Allen.
“His underlying thesis that the government could frame an innocent person by intercepting their communications and weaving it into a fraudulent storyline, that’s right out of ‘The Pelican Brief,’” said Van Allen, referring to the 1993 legal thriller by John Grisham. “Whether or not you want to call Snowden a whistleblower, when you get that type of personality coming into an organization, you are more at risk than if he wasn’t there.”
Studies of insider threats have shown that most individuals responsible for insider crimes were known to have committed some form of concerning or problematic behavior before acting directly against their organization. These actions included violations of policy and standard procedure, professional conduct, rules, regulations, or law through actions that had been observed by managers, supervisors and coworkers.
Although the national security community has moved to an approach called continuous evaluation, such data-intensive monitoring isn’t always the most effective way to detect a person who is heading down the path of criminal conduct. An engaged workforce, on the other hand, can observe, assess and report concerning behaviors that could prevent an insider from doing significant damage to an enterprise’s intellectual property, reputation and market competitiveness.
High Risk Behaviors That Your Employees Can Observe and Report:
However, an effective insider threat program doesn’t stop there. You need to make sure you have clear reporting guidelines that match your insider threat policy, and have a way for employees to report anonymously.
At LiveSafe, we know from studying years of risk data that phone, email and website hotlines are not as effective as mobile-app-based anonymous reporting platforms. In addition, anonymous reporting platforms must have the ability to dynamically route information to key officials and decision makers, including HR, legal and other supervisors.
But above all else, training and educating your workforce to understand the baseline norms for your environment is critical. Your workforce is best positioned to know what doesn’t look right. At the end of the day, the best insider threat programs function in a culture where all employees understand the threat and have a way to engage with security officials.