Cyber, cyber, everywhere. Not a day goes by without some discussion, news item, or update about cybersecurity. Strong passwords, encryption, network patches, data breaches and more. The severe effects of data breaches have forced Boards of Directors and enterprise security to devote significant time and resources to mitigating the issue.
With all of the attention placed on cybersecurity, where has physical security gone? Have we gotten too far away from the basic “blocking and tackling” that enterprise security is built upon, which has enabled it to effectively reduce risk within the enterprise? Do Boards of Directors still understand the critical role that physical security still plays in the enterprise?
“I think the reason for the focus on cyber is because, at the boardroom level, it’s perceived as the much more significant risk than routine things like the theft of a wallet from the workspace or a trespasser,” says Jeff Berkin, Senior Vice President and Chief Security Officer for CACI. “Of course, those events do typically involve some kind of response by security, and perhaps an investigation as well. But they’re not really considered to rise to the level of a Board-level risk. So I think that’s why you’re seeing that focus now on cyber and on insider threat, particularly in the defense sector.”
Yet, Berkin acknowledges that smaller incidents could be signs of more potentially damaging incidents, particularly with insider threats.
“I think that’s all part of the whole notion of workplace violence prevention and the insider threat issue being sort of being multifaceted. That is, we often think of insider threat as occurring in the context of a theft of information, of data or confidential information. But it can also be the person with access to your facilities or premises who causes physical harm. And then we typically start to characterize that more in using language around workplace violence rather than insider threat. Yes, I think that small incidents can often be indicators of stresses that might lead to bigger problems down the line if they’re not addressed early. But overall, the reason that cybersecurity gets so much play is because I think that’s where the Board sees the highest headline risk and the greatest potential impact on a stock price. Insider threat is right up there, as well, and the publicity can be terrible if one of your own people does something that ends up in the newspaper.”
“It is interesting how much weight cyber is getting with the amount of investigations that we do,” adds Stan Borgia, Vice President, Corporate Security for Rolls-Royce North America Inc. “Employees are still taking print documents out of enterprises, and that requires an investigation. In almost every single investigation of an insider threat that we have seen, hard copy evidence is found to have been taken.” he says.
Borgia cites the case of former Rolls-Royce Corporation employee, Dr. Mozaffar Khazaee, who pled guilty and was sentenced to serve eight years in federal prison in October 2015 for stealing and attempting to send sensitive and export-controlled technical data on the F-35 Joint Strike Fighter jets to his native country, Iran. Dr. Khazaee admitted that his intention was “…transferring my skill and my knowledge to my nation.” Dr. Khazaee worked variously for General Electric, Rolls-Royce, and Pratt & Whitney. When he was arrested boarding a flight to Iran, he had sensitive Rolls-Royce export-controlled hard copy documents in his possession. Federal authorities also found Dr. Khazaee attempted to smuggle documents and electronic storage devices relating to the Joint Strike Fighter program and other controlled information to Tehran.
Borgia, who reached the level of Deputy Assistant Director Counterintelligence and served as the acting Director of Intelligence and Counterintelligence at the Department of Energy’s nuclear establishment during his career with the FBI, gained significant experience in defending the nation’s critical secrets. At Rolls-Royce, his vast investigative experience, including interviewing persons suspected of potential criminal behavior, is essential to developing prosecutable evidence in a case.
In more than one investigation involving the possible theft of highly sensitive information, successful interviews of suspect employees have resulted in the swift recovery of documents and external electronic storage devices beyond those discovered by forensic analysis.
It is common across the industry, where employees may feel a sense of “ownership” of information and work-product related to projects to which they have been assigned. Conversely, individuals who have gained insider access to highly sensitive information sometimes steal material to which they have no claim at all.
In either case, Borgia notes the purpose of information theft is almost always to support the ambitions of the perpetrator, while the information owner stands to lose in the competitive marketplace, or the loss may compromise U.S. National Security interests.
“Insider threat is the misuse of authorized access,” Berkin adds. “People are given access to do their jobs. Sometimes they’re given excessive access, access they don’t really need, which is a problem area. But the problem for us occurs when someone takes that authorized access and turns it to an unauthorized purpose. And we would anticipate seeing that sort of thing when, for example, people might be leaving employment under any set of circumstances. Whether they’re being terminated voluntarily or involuntarily they might choose to take proprietary information with them that they think will advantage them in a new role. Or if they don’t already have a new role, they might think it will make them more marketable. Or perhaps they’re going to start their own business, and they want to rely on information that is properly the property of the company that employed them. We also look to events that might become criminal activity, such as the example of people who are significantly delinquent in their corporate credit cards. They may pay their personal bills with a corporate credit card because they don’t have access to credit themselves because they’re in financial distress. Eventually they may be able to pay it back. But there’s certainly a risk to the company. The advantage of looking at those kinds of incidents is that a progressive company might look at these things as an opportunity to assist the employee before things really go off the rails.”
Investigative Skills and Tools
Borgia and Berkin both stress the importance of having specialist staff and teams with investigation skills to conduct the correct investigations necessary to mitigate insider threat actions.
“Insider threat and counterintelligence is a pretty specialized area,” Berkin says. “It benefits from staff who have worked those kinds of issues, typically in government because that’s where you normally find the investigative response in the FBI and in the military service counterintelligence agencies. Professionals with that kind of background understand how hostile intelligence services and other adversaries function. And consequently, they know what sorts of indicators to look for. And they also are typically trained and experienced investigators and interrogators, which are not skills that necessarily are present in other types of staff.”
One tool to mitigate insider threat that Berkin suggests is Employee Assistance Programs that include financial counseling or other forms of assistance to help people overcome whatever issues they’re facing. “What we don’t want to have happen is that people start to see that they have no alternative but to act badly to save themselves from whatever their situation is,” he says. “We don’t want that to progress to the point where our range of options becomes very, very limited.”
Other key elements to a comprehensive insider threat program, according to Berkin, include not only educating the workforce on what behaviors are acceptable and which aren’t, what to look for and how to report, but also consist of getting to know employees and what’s going on with them that might reflect on their propensity to do something untoward.
“Most companies these days do pre-employment screening,” Berkin notes. “But that’s a single snapshot in time. So an evolving trend in industry is to monitor employees on an ongoing basis. Any one of a number of services are available, which will notify the company if an employee is arrested, declare bankruptcy or if they have a lien placed on their assets. None of those things by themselves are necessarily disqualifying for employment at all. But they might be indicators that an employee is under stress or is getting themselves into a position where they might benefit from helpful and supportive intervention. That information can also be a useful adjunct to an investigation which has already been started based on something else with predication. It might give some insight and help an investigator understand the totality of the situation and construct an interview strategy that is more likely to be successful later on. But my philosophy is that detection is a late-stage intervention. And I prefer that companies take an approach where they treat their employees well and employees understand that misbehavior hurts not only themselves, but also their colleagues and their employer.”
Borgia says that continuous monitoring via physical security and IT security is vital in addressing threats to the enterprise posed by malevolent persons who gain insider access by any means. In his experience, a risk-based security plan tailored to place emphasis on sensitive programs, while focusing mitigation efforts around critical assets, works best. The Rolls-Royce Security team utilizes a collaborative model, partnering internally with Supply Chain, Human Resources, Strategic Export Control, Legal-Ethics-and-Compliance, and Information Technology functions to maximize internal resources and efficient information-sharing.
The importance of training programs, particularly for those employees with access to the most sensitive information, also cannot be overestimated. Borgia states: “We want employees to understand the techniques and trade-craft that hostile intelligence agents may use. These techniques may include soft personal introductions, often at trade shows or conferences, to the daisy chain of recruitment in which an intelligence agent induces the in-place defection of a trusted insider to betray the trust of the company.”
Borgia also credits success in both exposing and responding to the security threat to industry, to the Department of Defense, Defense Security Service (DSS), the Department of Homeland Security, and the FBI. He says, “…the law enforcement and intelligence communities are essential partners in our efforts to defend industry against tradecraft perpetrated by hostile intelligence collectors.” Borgia recognized DSS as a valuable partner to the defense industry where they are engaged in advances in the design and development of strategic threat analysis planning and new focus measures addressing risk to critical defense programs.
Suspicious online activities in industry, including abnormal of irregular information loading or downloading of emails with attachments, are key factors in identifying possible insider threats. Borgia recognizes, “Behavioral analysis is a very important tool. We are fortunate to have tools available to examine online activities to help us identify when there is a deviation from the norm. It is interesting –employees sign non-disclosure agreements and are educated about their obligation to protect the company’s information, but usage analysis exposes an insider’s intentions to betray that trust. ”
Employee “buy-in” is tremendously important in addressing security threats. Borgia notes, “Rolls-Royce employees are credited with alerting Corporate Security in more than 70 percent of our insider-threat cases that have resulted in action taken by the company or law enforcement.” Long-term analysis confirms that, “a strong security culture results in reduced risk.” Rolls-Royce fosters a security culture based on personal engagement on the part of employees at all levels, to include the direct support of corporate executive management, including the President and CEO and the Government Security Committee.
Overall, says Berkin, “I think sometimes insider threat actors can become so egocentric; caught up in their own concerns and looking for a way out that the adverse impact to their employer and to their co-workers perhaps isn’t really considered or is viewed just as incidental. Where a company has a really good employee assistance program and employees know that if they have issues or concerns they can go to their manager or they can go somewhere else, that the company cares about them; there’s at least the potential for intervention before misconduct even occurs.”