The drama of the still-unfolding Edward Snowden affair has brought the subject of insider threats back into focus.
Regardless of whether you believe Snowden is a hero or a traitor, the fact is that almost every organization has sensitive information – including the private data of its customers – and most of the people who try to steal that information are financially motivated. A high-profile incident like this is an opportunity to reflect on how these incidents occur in general and what organizations can do to mitigate them.
Journalist Glenn Greenwald referenced a report by newspaper publisher McClatchy about the U.S. government's Insider Threat Program as “the vital, indispensable context for the NSA/Snowden story.” This report raises concerns that the U.S. government and the Department of Defense are going too far in attempting to identify employees who might steal sensitive information or commit other kinds of malicious acts. The report explains that government employees are being asked to “watch their co-workers for ‘indicators' that include stress, divorce and financial problems,” and the authors express the concern that this might lead to “toxic work environments poisoned by unfounded suspicions and spurious investigations of loyal Americans.”
It should not be surprising that the government operates an insider threat program. As the saying goes, loose lips sink ships. There can be serious national security consequences associated with the theft or disclosure of classified information. It should also not be surprising that this program attempts to identify employees who exhibit concerning behavior.
The CERT Insider Threat Program at Carnegie Mellon's Software Engineering Institute has studied hundreds of real-world insider threat incidents over the course of the past 10 years. According to CERT, insiders who commit crimes often engage in certain behaviors prior to or in the course of committing a crime, such as threatening the organization or bragging publicly about how much damage they could do. If managers are trained to recognize and report these kinds of behaviors, they may identify a potential problem before it becomes a serious security incident.
Of course, it is also very important to differentiate between expressions of the normal frustration that people sometimes feel with their jobs and their corporate policies versus the sort of statements and behaviors that are made by people who are planning to commit a crime.
CERT emphasizes in its “Common Sense Guide to Mitigating Insider Threats” that “employees must be able to openly discuss work-related issues with management or human resources staff without fear of reprisal or negative consequences.” I would add that channels for raising formal complaints need to be able to address legitimate issues effectively or the underlying problems will continue to fester.
In many of the cases CERT studied, significant personal and financial stress may have motivated people to commit crimes at work. In some cases, these crimes may constitute a failure by a person to successfully navigate a challenging set of circumstances.
There are a number of steps that organizations can take to help employees find constructive approaches to handling difficult personal circumstances, such as establishing a confidential Employee Assistance Program that can provide counseling and advice. These programs can mitigate risks to the organization by providing an outlet that helps employees who are struggling with personal matters meet those challenges in an appropriate way.
Another recommendation that CERT makes is to take special care regarding privileged users. It has been reported that Snowden was a systems administrator and, therefore, may have had privileged access to systems and information. It has also been reported in the wake of these leaks that the NSA will begin implementing a two-person rule for access to sensitive systems – meaning that two people will need to authenticate in order to unlock critical data.
Although most network systems are not designed to require two-person authentication for administrative access, it is important that organizations have multiple people who retain administrative access to their infrastructure. This policy is often overlooked in practice, and that can become a significant headache if a person with privileged access leaves the organization suddenly, and no one else is easily able to gain control of operational systems.
Insider threats are challenging to prevent because the person who is looking to steal or manipulate data often has authorized access to that data. It is not possible to anticipate and stop every crime that an employee might commit.
In the case of Snowden, it has been reported that he may have taken his last position with the specific intent of gaining access to information that he intended to steal. If an individual takes a position with the covert intent of stealing information, and they manage to get past the pre-employment screening process, they may be very difficult to identify as a potential risk.
Ultimately, part of the framework of controls that mitigates the danger of malicious insiders is the deterrent effect of potential criminal prosecution. The key to successfully deterring insider attacks is to ensure that the organization can connect that party with the crime that was committed. In general, this means having logs of activity at both the network and the system level that potential attackers cannot modify. It is also important to ensure that logs of administrative access are connected with a specific person and not a shared username.
Over the coming months, we're going to hear a lot of debate about whether Edward Snowden should be prosecuted for committing a crime or pardoned for blowing the whistle on illegal activity.
What is not up for debate is that organizations that deal with sensitive information have a responsibility to protect that information from both internal, as well as external, threats.