This first ran in the Georgetown Journal of International Affairs.
Many cyberthreats are not just ‘technical’ problems. They are also leadership, human resources, and employee education problems.
The popular conception of a cyberthreat is often of malevolent outside forces working in darkened rooms overseas, feverishly conspiring to compromise the world’s personal and professional data. While there is some truth to this notion, the most challenging cyber adversary is actually inside the building, not outside the firewall.
A recent survey of 150 federal IT supervisors underscores the “insider threat” challenge. The report indicates that almost half of reported authorized users act inappropriately or even maliciously in the course of their duties. Though some data breaches were accidental, nearly one third of surveyed supervisors reported losses due to an “insider” incident. Furthermore, more than half of employees did not follow appropriate cyber-related protocols and nearly half accessed inappropriate information on a weekly basis. These highlight the very real importance of human decisionmaking — malicious or otherwise — to cyberthreats.
The report’s findings further suggest many security breaches are not the handiwork of elite hackers armed with cutting-edge tools breaking through cyberdefense perimeters. Rather, many harmful incidents occur for simpler reasons, such as an employee clicking on a link that infects systems with malware, or a disgruntled employee or contractor who decides to steal or manipulate data for personal reasons. For example, Russia-based hackers used spearphishing techniques to dupe unwitting government officials at the State Department, the White House, and the Pentagon and thereby gained entry to official networks.
The above analysis demonstrates that, although intrusions take place in the digital domain, the solution must extend beyond simply installing the latest system patch. Our networked world has brought with it new ways to exploit human weaknesses, with unfortunate consequences. Accordingly, government and private corporations must consider a top-to-bottom requirement to work with reliable partners, hire the right people, and then train their workforces to be more adept at stopping attempts to crack their systems.
An Old Wine in a New Bottle
The insider threat is nothing new in the world of statecraft. Indeed, much of the world’s second-oldest profession — spying — involves using trusted insiders in the adversary’s camp to acquire useful, actionable intelligence.
Yet the cyber domain adds a new dimension to this particular challenge. People who process information and maintain computer systems can now be profiled and easily approached across great distances. Compared to physical world counterparts, millions of pieces of digital information can be easily obtained and transferred either by using physical storage devices or various networked options.
Leaving aside for the moment traditional nation-to-nation intelligence gathering efforts, such as this year’s OPM data breach, the modern-day insider threat in cyber can roughly be divided into two camps: those who intentionally misuse systems and access privileges for personal gain, and those who assist outsiders in their mission unwittingly. Managers responsible for information security and leadership responsible for strategic decisionmaking must keep an eye out for both.
Recent examples of intentional insider threats range from Chelsea Manning’s leaked diplomatic cables to Edward Snowden’s efforts to disclose the global reach of U.S. signals intelligence. Having disgruntled or maliciously-minded individuals with access to sensitive data on staff is a human resources nightmare, especially in the government. The fact that Manning and Snowden were able to download gigabytes of data without setting off alarms suggests there was not enough accountability for both personnel and systems by relevant authorities.
Furthermore, it does not seem that anyone lost their positions at the NSA or the Pentagon over these breaches, or that major structural changes were actually made as a result. It remains unclear, then, whether protocols have changed to adequately address this issue.
On the other hand, the unintentional insider threat is the result of personnel who have little to no idea that they threaten their host organizations. Employees and contractors who have not been equipped with the knowledge and skills to identify potential social engineering, spearphishing, or watering hole attacks may serve as unwitting insider threats.
It is also noteworthy that current employees make up only one third of the insider threat, according to PwC’s 2015 Global State of Information Security Survey. The rest of the problem stems from lack of proper personnel information lifecycle management—i.e. former employees that still have access to the system, or access rights that are left active. Further, in many cases, external personnel such as employees for cleaning services, caterers, physical security, and consultants contribute more to the insider threat than the current workforce. Ironically, the worst exposures any company might face could be the external consultant conducting a security audit and their laptop containing highly sensitive information on security gaps.
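One way to operationalize the lifecycle gap this paragraph describes is a periodic access review that joins the HR roster against an export of the identity directory and flags accounts that should no longer exist or carry more than their role needs. The Python below is an added example, not code from the article or from the survey it cites; the roster, the account export, the role-to-entitlement baseline and the 90-day dormancy threshold are all constructed assumptions.

```python
"""Access-review reconciliation: join an HR roster against an identity
directory export and flag access that should have been removed.

All records below are constructed sample data for illustration."""
from datetime import date, timedelta

# Constructed HR roster: one record per person the organization knows about.
HR_ROSTER = [
    {"person_id": "P001", "status": "active",     "role": "finance",     "end_date": None},
    {"person_id": "P002", "status": "terminated", "role": "engineering", "end_date": "2015-06-30"},
    {"person_id": "P003", "status": "active",     "role": "engineering", "end_date": None},
    {"person_id": "P004", "status": "contractor", "role": "cleaning",    "end_date": "2015-03-31"},
]

# Constructed directory export: one record per login account.
# "svc-audit" has no HR owner at all, the case of an external consultant
# or service account nobody is accountable for.
ACCOUNTS = [
    {"username": "afinance",  "person_id": "P001", "enabled": True, "last_login": "2015-09-01", "groups": {"finance-ro"}},
    {"username": "bengineer", "person_id": "P002", "enabled": True, "last_login": "2015-08-20", "groups": {"source-rw", "prod-admin"}},
    {"username": "cengineer", "person_id": "P003", "enabled": True, "last_login": "2015-04-01", "groups": {"source-rw"}},
    {"username": "dclean",    "person_id": "P004", "enabled": True, "last_login": "2015-02-10", "groups": {"badge-access", "finance-ro"}},
    {"username": "svc-audit", "person_id": None,   "enabled": True, "last_login": "2015-09-02", "groups": {"prod-admin"}},
]

# Constructed least-privilege baseline: which groups each role is allowed to hold.
ROLE_ENTITLEMENTS = {
    "finance": {"finance-ro"},
    "engineering": {"source-rw"},
    "cleaning": {"badge-access"},
}

# Assumed policy: an enabled account unused for this long is dormant.
STALE_AFTER = timedelta(days=90)


def review_access(roster, accounts, today, stale_after=STALE_AFTER):
    """Return a sorted list of (username, finding) tuples.

    Findings:
      NO_HR_RECORD            account has no owner in the roster
      ACCESS_AFTER_SEPARATION enabled account for a terminated person or
                              a contractor whose end date has passed
      EXCESS_ENTITLEMENT:<g>  group not in the role's allowed baseline
      DORMANT_ACCOUNT         enabled account with no login in stale_after
    """
    people = {p["person_id"]: p for p in roster}
    findings = []
    for acct in accounts:
        user = acct["username"]
        person = people.get(acct["person_id"])
        if person is None:
            findings.append((user, "NO_HR_RECORD"))
            continue

        end = person["end_date"]
        separated = person["status"] == "terminated" or (
            end is not None and date.fromisoformat(end) < today)
        if acct["enabled"] and separated:
            findings.append((user, "ACCESS_AFTER_SEPARATION"))

        allowed = ROLE_ENTITLEMENTS.get(person["role"], set())
        for group in sorted(acct["groups"] - allowed):
            findings.append((user, f"EXCESS_ENTITLEMENT:{group}"))

        last = date.fromisoformat(acct["last_login"])
        if acct["enabled"] and today - last > stale_after:
            findings.append((user, "DORMANT_ACCOUNT"))
    return sorted(findings)


def demo():
    """Run the review against the constructed data as of a fixed date."""
    return review_access(HR_ROSTER, ACCOUNTS, date(2015, 9, 15))


if __name__ == "__main__":
    for username, finding in demo():
        print(f"{username:<10} {finding}")
```

Run as a script it lists seven findings: the terminated engineer who still holds a live account and an admin group, the expired cleaning contractor with a lingering finance entitlement, a dormant account, and a service account with no HR owner. The join key (`person_id`) is the important design choice: an access review that only looks at the directory cannot tell a departed employee from a current one, which is exactly the gap the paragraph describes.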
Poor leadership compounds this challenge. Management that does not acknowledge the importance of cyber threats and thus is not making the necessary investments in defensive measures, does not introduce and enforce organization-wide policies, and does not allocate resources to employee education and awareness programs greatly increases the challenge of insider threats to its own organization.
Similarly, the absence of targeted human resources policies and processes can help threats grow within organizations, particularly if inexperienced, incompetent, or untrustworthy individuals staff positions with access to sensitive organizational resources. This is especially true if there is no technology serving as a last line of defense.
What Can Be Done To Mitigate Insider Threats?
A malicious insider is difficult to stop, as their knowledge of how the system’s security operates allows them to circumvent both technological and human resource barriers.
In these cases, the best way to keep bad actors out is not to hire them at all. Aggressive, pre-emptive human resources policies that filter employees and contractors and raise warning flags are particularly important. Similarly, company policies with real teeth to improve vigilance among fellow employees may help spot mischievous or malicious behavior. Behavior that puts an organization’s operations in danger should be reported and stopped. Such policies should also search for behavioral changes among potential perpetrators over a longer period of time. While these previous measures may sound harsh, corporations and governments have an obligation to develop defensive mechanisms to ensure their survival.
Measures that help prevent unintentional insider risks from turning into cyber incidents must also begin with an acknowledgement by the organization’s leadership of the grave threats posed. Identifying insider threats must become a part of an organization’s risk management process.
Ironically, one of the last places the responsibility over cybersecurity should be is where it usually resides – the IT department. Placing responsibility on an IT department first of all signals the belief that cybersecurity is a secondary, non-strategic issue for ‘techies’, not a business issue; second, it exposes security measures to the constant risk of cost cutting; and third, it forces low-level IT staff members to make wild guesses as to where the company’s critical information assets are located given that they lack the authority to make necessary decisions.
Only after business leaders are aware of the reality of cyberthreats and committed to tackle them will the necessary initiatives – policy enforcement, new technology investments, and meaningful employee education programs – become reality.
Finally, there is also room for technology-based solutions. However, technology should be the last line of defense, not the first, even when the source of an attack is a simple mistaken click. Technology should take a more proactive role in trying to identify incoming attacks early, before they are launched. This is, for example, one of the major goals of IARPA’s CAUSE-program.
Even When Everything Fails, Life Needs To Go On
As the cyber intrusions at the State Department, White House, and Pentagon suggest, despite even the best intentions and relatively good resourcing, information will get stolen and potentially even sabotaged. Yet people still go to work at these places and still use computers to perform their jobs.
This brings us to our last recommendation: underscoring the importance of organizational resilience and ability to adapt.
Even if outcomes are highly damaging, operations must continue, mistakes must be corrected, and processes and technologies must adapt. In addition to an overarching posture of vigilance, it is also important that organizations define a set of post-attack procedures and establish pre-infection measures informed by threat intelligence.
At this point, leaders in the public and private spheres should be well aware of the cyber threats arrayed against them. Thus, major incidents that have been enabled due to gross negligence should lead to proper consequences and personnel changes.
Moreover, individuals who decide to go outside the available channels for ideological reasons, such as whistleblowers, or who decide to work for malicious external parties need to face consequences of their actions. Those who are not aware of the consequences of their actions need to be educated, processes changed, and technology kept up to date.
Companies and governments cannot rely upon the myth that there are no defenses against cyber attackers. While these defenses are certainly imperfect — no defense, cyber or otherwise, is impenetrable — there are reasonable steps to take to minimize attacks and mitigate the effects. This process starts with acknowledging not only the role and responsibility of leadership on the matter but also, in the case of internal personnel cyber security risk management, the active role of the HR Department.