Insiders are a clear threat to information systems, proprietary information and company property. It is difficult to defend against an insider who is motivated to go after the company. Insiders, by nature of their positions, have intimate knowledge on where, when and how to strike.
Defined as individuals who have legitimate access to a company’s physical and computer systems, insiders may be current employees, contractors, vendors, suppliers or visitors. They also can include individuals who previously had legitimate access, such as former employees and retirees. Insiders know the organization’s vulnerabilities and how to best take advantage of those vulnerabilities to meet their goals.
A defined espionage process has been identified and is described in An Espionage Primer. According to security and counter-terrorism expert Jim Biesterfeld, “Although technical intelligence such as photography or eavesdropping glean a great deal of information, people remain the best source of information.”
Large-scale surveys, such as the PricewaterhouseCoopers (PWC) Global Economic Crime Survey, consistently find that insiders perpetrate at least half of fraud incidents. Many external attacks, especially cyber-attacks, may be detected more easily than insider attacks.
Internal attacks, on the other hand, may not be detected by internal controls or audits. Instead, customers, supervisors or other non-security personnel were found to alert company authorities to insider attacks, according to research conducted jointly by the U.S. Secret Service and Carnegie Mellon University’s Software Engineering Institute (USSS/CMU-SEI).
The popular press often equates insider threat with employees who are either disgruntled or motivated by financial gain. However, a closer examination of the surveys, as well as actual incidents involving insiders, reveals that the idea of disgruntled or greedy employees accounting for insider attacks may be partially myth.
But as with any myth, there is some element of truth. Disgruntled insiders really are behind some attacks. Certain sectors may be more prone to attacks by disgruntled insiders. In the banking and finance sector, only 19 percent of insider perpetrators were seen as disgruntled, although 27 percent had come to the attention of a supervisor or coworker for behavior before the incident. Examples of these behaviors include increasing complaints to the supervisor about salary dissatisfaction, increased cell phone use in the office, refusal to work for new supervisors, increased outbursts directed at coworkers and isolation from coworkers.
In contrast to the banking and finance sector findings, the most frequently reported motive in critical infrastructure sector attacks was revenge. Insider incidents were triggered by a negative work-related event that presumably caused the perpetrator to hold a grievance prior to the incident.
WHY FOCUS ON DISGRUNTLED EMPLOYEES?
The goal of this article is to present initial evidence for a more refined profile (or set of profiles) of types of insider incidents. Taking an inductive approach of moving from a few specific data points to general conclusions, short case studies illustrate the proposed insider incident types. More comprehensive study is needed to confirm the proposed types.
A disgruntled employee is dissatisfied or feels discontent toward his or her employer. Disgruntled employees may attract attention for several reasons. First, when a company reports an insider incident to local police, for the sake of simplicity, it is easy to attribute it to a disgruntled employee. The incident may be less likely to damage the company’s reputation if attributed to a disgruntled employee. Typically, it is only the target organization that incurs loss; disgruntled employees want to harm or embarrass the organization.
Second, cases involving disgruntled employees may be more easily discovered than other types of insider incidents. Warning signs of disgruntlement existed prior to many incidents, so it is possible for companies to prevent, or at least minimize, the damage. Research on insider incidents in the USSS/CMU-SEI financial services study shows that in 85 percent of attacks against IT systems, someone — coworkers, friends, or family — had full or partial knowledge of the insider’s plans, intentions or activities. The USSS/CMU-SEI critical infrastructure study found a similar pattern of advance knowledge of the insider incident; there, however, the incidents tended to consist of sabotage of the company or harm to an individual, rather than greed as in the first report.
Of course, companies may not always be willing to see or act upon the warning signs. With proper training, security protocols and company culture, organizations should be able to prevent or effectively respond to disgruntled employee attacks.
More importantly, there may be other types of insiders besides disgruntled employees that should be of more concern to companies. It is difficult to develop additional insider profiles (i.e., behavioral profiles that describe the perpetrator’s motives and actions) because of the limited number of known incidents and the limited information available on many of the known incidents, according to clinical psychologist and security consultant Eric Shaw. Thus one goal of this article is to draw attention to insider incidents that do not involve disgruntled employees by examining a small number of known insider incidents. By identifying a possible new or overlooked motivation, it is hoped that future research efforts will attempt to confirm, disconfirm or refine it.
BEYOND DISGRUNTLEMENT: ADDITIONAL INSIDER MOTIVES
A range of motives besides disgruntlement exist. These additional insider types were developed inductively through review of insider attacks, attempting to generalize from a few limited data points to general categories of motivation. Additional motives include the desire to harm the company by taking revenge or embarrassing the company, nationalistic reasons, ideological motives and refined forms of individual benefit.
Insider status gives the perpetrator advantages in pursuing acts to achieve these motives. Employees, especially those who wear a badge or employee ID, are often overlooked by security, according to Tomer Benito, a principal at Synergy, a security and training firm that focuses on the human element of threat. Insider threat is difficult to address for several reasons. Security personnel often work under the implicit assumption that employees do not pose a threat to the company, Benito stated.
Some perpetrators may seek employment with the intent to do harm after they get the job. An aggressor who seeks company resources or information places him/herself at risk when going through the application process, Benito further explained. Breaking into the company is one option presented to the aggressor, but it limits the time available for locating and stealing the desired property or information. An inside position, however, increases the odds that the aggressor reaches his goals—a terrorist can be sure to select an optimal target and a thief can easily access company resources.
Below are additional types of insider threats that may be overlooked by security and organizations.
Harm to the company via revenge or embarrassment — This motive is demonstrated by an insider seeking revenge on the company, such as by publicly embarrassing the company or causing it financial harm. Some key triggers include:
- A career or salary setback. For example, not getting a promotion, being laid off, being reassigned to a lower-level position, or not getting an expected raise or bonus may prompt an insider to seek retribution. Neal Cotton, an employee of computer consulting company , was told by management that he would be fired. Cotton admitted to perpetrating a computer intrusion attack against the company the same night. In a similar attack, Patrick Angle allegedly became disgruntled when he was told by Varian Semiconductor Equipment that his contract would be terminated. He logged onto Varian’s computer server and intentionally deleted the source code for the e-commerce software that he had been developing for the company, taking steps to cover his tracks and make it difficult to repair the damage.
- Conflict with a supervisor. Steven Davis, employed by a subcontractor working for Gillette, attempted to pass Gillette trade secrets about the Mach 3 razor to its competitors because he was mad at his boss.
- Concern over company practices. Justen Deal, a Kaiser Permanente project supervisor, sent an e-mail to 180,000 employees detailing his frustration with the company’s electronic health record system. The e-mail resulted in uncovering Kaiser’s projections that it would stand to lose as much as $7 billion over two years. Deal explained, “What I’m doing is working to ensure the waste and abuse stops.” He was fired for sending the e-mail.
NATIONALISTIC REASONS
Foreign insiders may feel a sense of loyalty to their home country. They may believe that companies there face an unfair competitive playing field. companies are often perceived as having vast research and development budgets as well as resources to obtain and enforce patents. Further, cultural differences regarding the legitimacy of theft may play a role in justifying the theft. Some countries expect their citizens to help their home country when working or studying in the laws and ethics, while at the country level, government-coordinated efforts have been underway for decades.
Espionage is sometimes sanctioned — or even carried out — by foreign governments, which may view helping local companies keep tabs on foreign rivals as a way to boost the country’s economy. Over the years, , , Latin America and the former have all developed reputations as places where industrial espionage is widely accepted, even encouraged, as a way of promoting the country’s economy. Many other countries are worse. A good resource for evaluating the threat of doing business in different parts of the world is the Corruption Perceptions Index published each year by Transparency International.
These types of insiders may not necessarily aim to harm the company but instead seek to help their foreign counterparts get an advantage in the marketplace. For example, in the oft-cited Avery Dennison case, a Taiwanese competitor, Four Pillars Enterprises, recruited Avery employee Ten Hong Lee. It is believed that Four Pillars’ executive Pin Yen Yang, his wife and daughter specifically targeted an individual with whom they could relate on an ethnic basis, leveraging Lee’s desire to help his fellow countryman and playing to his ego by giving him “recognition” for his intellect. Four Pillars also paid him $150,000 over several years, depositing the money with Lee’s relatives in
Research and development (R&D) units may be particularly vulnerable, as R&D is the starting point of a product’s lifecycle. Reverse engineering is another, albeit legal, form of benefiting from investment in R&D and product design. Obtaining R&D plans, however, gives the foreign competitor the ability to shortcut the design process.
Jungsheng Wang, for example, was accused of copying the architecture for an ultrasound machine developed by Acuson Corporation. Wang’s wife worked as an engineer at Acuson. She brought the architecture document home, and he copied it, taking it with him on business trips to the People’s Republic of for Bell Imaging, a based company that was involved in a manufacturing partnership with a Chinese company.
In at least one instance, scientists’ sense of loyalty was leveraged in an attempt to circumvent costly R&D investment:
Immigrant scientists from who were working on an American defense project kept getting unsolicited invitations from their home countries to speak at seminars or serve as paid consultants. The invitations appealed to them as scientists — they wanted to share information about their work with peers. The countries saw this kind of intelligence gathering as cheaper than research and development.
This type of motive is especially difficult to identify and prevent. Some perpetrators of foreign economic espionage have been reported to be outstanding, even “star,” performers, giving their employers no reason to suspect illicit activity. To illustrate, two former distinguished members of Lucent Technologies’ staff — Hai Lin and Kai Xu, legal — along with an unnamed third perpetrator were indicted for stealing trade secrets for transfer to a joint venture with a Chinese telecommunications company.
Professional and corporate ethics as well as discrimination laws prohibit companies from treating workers differently based on their national origin or other protected class. Instead, indicators of observable behavior that are linked to specific attack methods must be developed by companies. In some instances, the foreign perpetrator may be genuinely unaware of Jiangyu Zhu and Kayoko Kimbara were conducting post-doctoral research at the . When they left to take jobs at the , allegedly taking over 20 cartons of materials with them, they were charged with trade secret theft in the form of stolen property from They fully cooperated with the investigation and the charges were dropped as long as the couple did not break any more laws.
In some instances, individual gain can be seen as interacting with nationalistic motives. Two incidents appear to illustrate this:
- Takashi Okamoto was accused of stealing genetic research materials from the Cleveland Clinic Foundation, providing the material to the Japanese Institute of Physical and Chemical Research (RIKEN). The U.S. Department of Justice is still unsuccessfully seeking extradition of Okamoto from It is not known whether Okamoto sent the materials to RIKEN to help it start up its research efforts on Alzheimer’s disease or for more self-interested reasons in order to propel himself to the forefront of the Japanese research community.
- Qingqiang Lin, a researcher with ’s animal science department, was arrested in 2002 at the after security officers found more than 100 vials and other laboratory equipment inside six pieces of luggage belonging to him and his wife. The material was identified as bacteria and yeast cultures used to produce the enzyme phytase, which the university was developing and licensing the patent to a company in Lin was convicted of stealing the material and giving a false statement to the FBI after he was stopped at the airport. In a letter to his former supervisor at Cornell, Yin had promised to bring bacteria, genes, and other material for commercial phytase production with him if he were offered a job in.
IDEOLOGY
Ideology, although related to nationalist reasons, can be considered a distinct form of insider motivation. Insiders may act against the company to further their own ideological goals. For example, an insider could engage in a terrorist act that targets the company in order to harm others who do not believe in the same ideology.
In ongoing investigations, suspected plots have been broken up domestically and internationally:
- Amin Asmin Tariq, arrested as part of the Fall 2006 liquid explosives plot uncovered in the , worked as a security guard at Heathrow airport.
- In 2004, terrorists reportedly planned to poison the drinking water of a major city during the chlorinating process by recruiting insiders to work with them, according to the Associated Press.
- A de Gaulle Airport employee was arrested with explosives and guns in his car. He worked for an airport contracting company for three years, never drawing attention to himself.
- Two British terror suspects planned to bomb a nightclub by getting a job there. The club was seen as a softer target for attack.
- In early 2002, suspects linked to an al Qaeda plot to bomb the U.S. Embassy in through their jobs and badges.
- An Egyptian-born Canadian citizen was arrested in 2001 when Italian police discovered him stowed away in a container on a ship. In his possession was a security pass for a Thai airport and a certificate indicating he was an aircraft mechanic.
INDIVIDUAL BENEFIT
A third motive is the age-old one of individual benefit. Whereas most previous research identifies monetary gain as a primary motivator, other means exist for advancing one’s position. Three variations of the individual benefit motive can be identified — monetary gain and financial need, career benefit and starting one’s own company.
Greed is often cited as motivation for theft, especially of proprietary information. Although greed, a personal characteristic in which one desires more money for its own sake, is no doubt a factor, the perpetrator’s lifestyle and financial situation also play a role. The PWC survey identified the desire to maintain an expensive lifestyle as a specific motive. Being in debt also may play a role.
Xingkun Wu was accused of taking trade secrets with him when he left for a job at a competing fiber-optics maker. Wu allegedly admitted to taking secrets with him when FBI agents interviewed him at his home. According to special agent Paul Moskul, “We would characterize this as a case of somebody out for personal economic gain, as opposed to the traditional foreign intelligence kind of investigation or an espionage case.”
Greed is a slightly different motive from financial need. In the latter instance, the individual finds him/herself in debt that cannot be repaid. The debt may be personal, or in some instances it may be owed to the company, as in the case of insider stock trading.
For example, Nicholas Leeson, a futures market trader for Barings Bank in the mid 1990s, ran up over £200 million in debt, hiding the losses in a secret account. When he attempted to recoup his losses by making a series of risky trades, increasing the debt to over £800 million, twice the bank’s available trading capital, it led to the bank’s collapse. His insider trading was facilitated by serving as chief trader and having the authority to settle his own trades, jobs usually performed by two people. Leeson’s initial motivation may have been greed, but his later actions were prompted by a desire to erase his losses and avoid detection.
CAREER STEPPING STONE
The desire to obtain a better job or advance one’s career is another way in which the individual perpetrator attempts to benefit from the incident. This type of perpetrator may desire monetary benefit, but only indirectly through a job with a different employer or by pursuing a different career. In this case, the incident, which often involves proprietary information theft, is aimed at “earning” a position with the new employer.
Caryn Camp was unhappy with her employer Idexx Laboratories, a producer of animal vaccines. Camp met Stephen Martin on the Internet and passed along Idexx secrets to him in the hope of obtaining a new job with his company in Although other motives were also involved (e.g., she claims to have fallen in love with Martin), she also was seeking a chance to improve her career.
A related motivation is to benefit by starting one’s own company. The perpetrator may not be satisfied with the target company’s management or policies. The perpetrator may feel that he or she can do a better job providing the product or service or treating employees fairly. Although some element of harming the target company may be at play, the perpetrator may intend to do so through the marketplace by competing directly against it.
Harold Worden, a retired Kodak manager, pleaded guilty in 1997 to stealing formulas, drawings, and blueprints. After retiring, he retained drawings, plans, and manuals and set up his own business as a front for selling stolen Kodak documents to Worden recruited more than 60 Kodak retirees who had access to trade secrets.
CONCLUSION
As noted, these types of motivations are not mutually exclusive. While one type may be at the forefront, the other motivations may also be operating more indirectly.
Motives are complex. The PWC survey describes the intersection of three underlying reasons for committing fraud — incentive, opportunity, and ability to rationalize. The cases described also illustrate that several motives can be operating at the same time.
Motives are also difficult to infer. It is hoped that this article can influence chief security officers as well as company and law enforcement authorities whose job it is to gather information on insider incidents. Without more detailed information on the motives and reasoning behind attacks, it will be difficult to improve our understanding, and thus our ability to prevent and respond to insider attacks. For security professionals, it also is hoped that an awareness of additional possible motives can be translated into improved security.
By increasing awareness that numerous types of insider threats exist, practitioners and researchers can begin to identify indicators or “red flags” of each type. Examples of new indicators of potential threats may include an awareness of employees whose career aspirations have not been met, frequent trips to foreign countries, and requests to work late shifts. Companies need to reconsider their pre-employment screening practices and managerial awareness training practices, as well as how their human resources, legal and security functions can best work together to effectively address insider threats.
SIDEBAR: An Espionage Primer
Espionage is defined as the act or practice of spying or of using spies to obtain secret information about another government or a business competitor. The two main methods of conducting espionage — human intelligence and technical intelligence — have remained fairly consistent throughout the centuries.
In order to get into a denied area, the Collector (sometimes referred to as the “spy,” case officer, or agent handler) must have two attributes to be successful — Placement and Access. Placement is proximity to the information or technology desired. Access is the ability to obtain and move that information or technology.
The information can be obtained by Infiltration or Subornation. In Infiltration, the Collector attempts to obtain the information personally by becoming a part of the target organization. The problem with Infiltration is that there is no guarantee that the Collector will achieve the placement and access necessary to retrieve the information or technology.
Subornation, on the other hand, allows the Collector to identify and recruit as many insiders as deemed necessary to obtain the desired information or technology. The recruitment of such insiders follows a basic method:
- Identify. The Collector identifies insiders with placement and access to the desired information. Typically, several insiders will meet these requirements.
- Assess. The Collector meets each potential insider. Both a professional and personal, or social, relationship may occur, allowing the Collector the chance to ascertain the character of the insider — including political views, social consciousness, finances, weaknesses (e.g., drugs, sex), ego and religious conscience — and decide how to exploit the insider’s character weaknesses.
- Recruit. The Collector informs the insider about his true motives. The Collector promises to compensate the insider with money, drugs, sex or other material objects in return for the desired information.
- Run (Collect). The Collector tasks the insider with very specific requirements, often “easing” the insider into the job with initial requests for less sensitive information and building up to the desired information.
Source: Jim Biesterfeld, a retired counter-intelligence special agent who now provides security consulting, provided input into this section.