Inside the Insider Threat
Found to be plotting the mass murder of liberal politicians and cable news hosts, former U.S. Coast Guard Lieutenant Christopher Hasson received a 13-year sentence in federal court in late January 2020. He came under investigation after Coast Guard software flagged his computer searches for committing mass shootings, poisoning food supplies and releasing biological agents, which led to the discovery of a spreadsheet of potential targets.
Shinji Aoba, a 41-year-old software artist at Kyoto Animation in Japan, was charged in July 2019 with setting fire to his company’s building and killing 33 staff members. His motive? Other staff had plagiarized his work.
In mid-2018, an inside saboteur changed code to “the Tesla Manufacturing Operating System under false usernames and [exported] large amounts of highly sensitive Tesla data to unknown third parties,” according to a statement by CEO Elon Musk.
And in 2010, former Boeing engineer Greg Chung was sentenced to more than 15 years in prison for stashing 300,000 pages of sensitive information about the U.S. space shuttle in his home with the intention of sharing it with the Chinese government.
Terrorism. Arson. Computer sabotage. Corporate espionage. Four very different and destructive crimes, but united by a common thread: all were committed by insiders.
The insider threat costs organizations billions of dollars every year. It is arguably the biggest threat to the U.S. (and global) economy, global security and critical infrastructure. But the “insider threat” is a misnomer: it is actually a thousand separate issues, crimes, situations, industries, personalities, tactics, professions, targets, motivations and consequences. The authors of this article, who have compiled a database of more than three million distinct crimes and security incidents, have scrutinized insider threat cases to dispel misconceptions and to help law enforcement and security professionals identify trends, tactics and targets. They have identified and recorded more than 400 jobs from which insiders have done their dirty work, from IT managers to interns and volunteers.
One of the most alarming trends is the extent to which extremists are lurking in plain sight, working for corporations and institutions that would be aghast if they knew who they were employing. Members of al-Qaeda and their affiliates have infiltrated public and private organizations as translators, telemarketers, guards, lab technicians, first responders, pilots and under the cloak of many other guises. They have skulked through the corridors, warehouses, mailrooms and offices of Elizabeth Arden, Prudential Securities, Lehman Brothers, the World Bank, the International Monetary Fund and Bally’s Total Fitness, to name a few of their victims. Most alarmingly, on dozens of occasions, terrorists and their abettors have secured employment in sensitive positions with government agencies and their contractors. Both the FBI and CIA took on Nada Nadim Prouty, an illegal immigrant from Lebanon, as an agent. She turned out to be funneling cash and government documents to her Hezbollah comrades.
Islamist extremists are far from the only extremist insider threats. As in the case of Coast Guard officer Hasson, hundreds of white supremacist, neo-Nazi and extreme right-wing militia members are biding their time in organizations that citizens know and trust. A former Brinks employee, for example, provided members of the Order, a white supremacist group, with the route map of an armored car, enabling them to rob the vehicle of $3.6 million near Ukiah, Calif. Much of that money went toward an attempt to create an Aryan nation in the Pacific Northwest.
Self-aggrandizement schemes – in which employees stage incidents so they can step in as heroes – also appear regularly. These would-be saviors phone in false threats, set up innocent customers, vandalize property, adulterate products, sabotage computers, plant bombs, pretend to suffer attacks from assailants and so much more.
Cases abound in the retail industry alone. In Norfolk, Va., a bomb expert and K-9 handler with the Virginia State Police planted and then heroically “found” two powerful bombs at shopping malls. Falsely claiming to be an expert in retail security with special access to unpublicized secret intelligence, Christian Kerodin was jailed after sending threats to D.C. area malls and then criticizing them for being unprepared for imminent chemical and biological attacks. Hoping to be praised for being the first on the scene, a security guard at Walt Whitman Shopping Mall in New York set three fires, including one that killed two employees at a McCrory’s store.
Arsons are a favorite tactic of insiders. A sampling of 641 insider arsons – including 242 blazes set by firefighters, security guards, police officers and U.S. park personnel – reveals hundreds of deaths, thousands of lost businesses, laboratories, offices and homes and individual price tags of $400 million, $375 million and $257 million.
Insiders stealing blueprints to corporate facilities, government buildings, military aircraft and other sensitive material is another underreported and overlooked trend observed by the authors. As technological advances allow designs, maps, photographs and other sensitive information to be electronically duplicated and disseminated, blueprints are increasingly being emailed, stolen on flash drives, hacked and displayed – intentionally and inadvertently – on the Internet. Lockheed Martin’s plans for the F-22 and F-35 stealth fighters were stolen by Su Bin, a Chinese national who obtained unauthorized access to protected computer systems to land his prey. He received a sentence of 46 months in federal prison for his efforts.
Blueprints have been obtained from architects, engineers, bidders, builders, lawyers, copy shops, postal and delivery services, bureaucrats and government workers. They’ve been stolen in sophisticated burglaries, hacked by cyber forces and surreptitiously photographed. But most thefts of tactically important blueprints have been carried out with insider help: planting a mole or sleeper agent, or bribing, threatening, or blackmailing an employee already in place. In fact, 16 days after the Oklahoma City bombing, ATF agents charged Darwin Michael Gray with a plot to blow up the federal building and courthouse in Spokane, Wash. According to law enforcement sources, Gray stole the blueprints to his target while employed by a company that installed insulation there.
Organizations entrust fire departments, police departments and SWAT teams with their blueprints in case of an emergency, but sometimes these protectors are themselves the villains. Members of the West Virginia Mountaineer Militia who tried to blow up the FBI’s Criminal Justice Information Services Facility in Clarksburg, W.Va. received the blueprints to the building from a Clarksburg fire department lieutenant.
Ahmed Amin Refai, an Egyptian accountant employed by the New York Fire Department, was a confidant and follower of Sheikh Omar Abdel Rahman, who was convicted in 1995 of conspiring to blow up bridges, tunnels, 26 Federal Plaza and the United Nations building in New York. Prior to the first attack on the World Trade Center, Refai obtained blueprints and architectural renderings from the NYFD of several high-threat targets in New York, including those of bridges, tunnels and the Port Authority complex commonly referred to as the World
Trainees killing trainers is another recurring phenomenon, as in the December 2019 case of a Saudi airman who killed three people at the U.S. Naval Station in Pensacola, Fla. The authors have identified 22 cases in which non-U.S. military personnel have leveraged their insider access to kill U.S. soldiers. At least three times in 2011 alone, Afghan soldiers being trained by Australian troops turned their weapons on their mentors. In fact, Afghanistan and Iraq have been hunting grounds for local troops to murder American or coalition forces.
But the U.S. military isn’t just a target of insiders – it often poses the threat. Though the overwhelming majority of soldiers are loyal and law abiding, the authors have accumulated and reviewed more than 1,200 cases in which U.S. military personnel committed murders, rapes, treason, terrorism, espionage and other crimes.
Security Officers and Aviation, Too
Another group entrusted to protect the public – security officers – also has its share of rotten apples, though these incidents represent a minority of officers. The authors have documented almost 500 cases in which guards committed murder, rape, arson, robbery and theft of information and trade secrets. In February 2013, for instance, a civilian guard at a U.S. Consulate compound under construction in Guangzhou, China, was sentenced to nine years in prison for attempting to peddle secrets to the Chinese. Materials included photos of sensitive areas and documentation of access points, surveillance cameras and locations of security upgrades.
Aviation proves to be another area of fertile ground for insider malfeasance. Hundreds of baggage handlers have been convicted of theft and corruption, including cases in which individuals or groups of workers stole $25 million, $5.5 million, $5 million, $4.3 million and $4 million before being fired. And in hundreds of cases, airport insiders have stolen airplanes, gone on shooting rampages and used their positions to smuggle bombs, weapons and drugs.
The authors have also identified thousands of cases in which background checks were incomplete, fraudulent, negligent, or just failed to flag someone who later victimized their employer. From 1995 through August 2013 alone, thousands of security, intelligence, and law enforcement personnel in the U.S. who had passed background checks were charged with major felonies. Scores of “cleared” traitors have betrayed the U.S. Many who slipped through the pre-employment screening process used someone else’s name, identification and social security numbers. Oscar Antonio Ortiz, a Mexican citizen, used a fraudulent birth certificate to join the U.S. Navy and become a U.S. Border Patrol agent. He was eventually sentenced to prison for smuggling illegal immigrants into the U.S. – the polar opposite of his sworn duty.
Analysis of such incidents can predict future attacks, tactics and perpetrators. The authors believe that chronicles of related events reveal red flags and are the source of foreknowledge and practical wisdom. It is critical that homeland defense, corporate security and law enforcement prevent incidents by “connecting the dots” in advance. But they can’t connect the dots without having and understanding the dots – the incidents that reveal motives, attacks, tactics and other crucial factors.