Arab Times

How government­s, companies can prevent next insider attack

- By Matthew Bunn and Scott D. Sagan

The Conversati­on is an independen­t and nonprofit source of news, analysis and commentary from academic experts.

Now that they are in office, President Donald Trump and his team must protect the nation from many threats - including from insiders. Insider threats could take many forms, such as the next Edward Snowden, who leaked hundreds of thousands of secret documents to the press, or the next Nidal Hasan, the Fort Hood mass killer.

Indeed, in today’s high-tech and hyperconne­cted world, threats from insiders go far beyond leakers and lone-wolf shooters. A single insider might be able to help adversarie­s steal nuclear material that terrorists could use to make a crude nuclear bomb, install malware that could compromise millions of accounts or sabotage a toxic chemical facility to cause thousands of deaths. How can we better protect against the enemy within, no matter what it is that needs to be protected?

President Obama became so alarmed at the government’s weak protection­s against insiders that he created a “National Insider Threat Policy.” It required each federal agency to put in place a set of basic safeguards against internal betrayals, such as software to detect mass downloadin­g of secret documents and systems to encourage reporting of worrying behavior.

But President Trump will find there is a great deal still to be done. This is in part because the insider problem is so challengin­g. Insiders are known and trusted by other employees (and have to be, if the organizati­on is to function well); they may have detailed knowledge of the security system and its weaknesses; and they can take months or even years to plan their activities.

We co-organized a research project to investigat­e this challenge and suggest potential solutions, which led to our new book, “Insider Threats.” The book was prepared as part of the Global Nuclear Futures initiative at the American Academy of Arts and Sciences. The volume analyzes a range of situations as diverse as Afghan Army soldiers attacking their U.S. trainers and the anthrax attacks in the United States in 2001 - which were probably perpetrate­d by Bruce Ivins, a disturbed scientist from the U.S. Army’s biological defense lab. The cases reveal a series of hard-learned lessons that can help organizati­ons protect against threats from insiders.

First, a remarkable number of people wrongly assume their workplace couldn’t possibly be threatened by insiders. That is a bias we dub “NIMO,” for “not in my organizati­on.” That overconfid­ence can have fatal consequenc­es.

In 1984, for example, Indian Prime Minister Indira Gandhi was killed by two of her own Sikh bodyguards, one of them a trusted favorite. Her security chief had even warned her to remove the Sikhs from her guard, citing Sikh anger about an Indian military attack on Sikhism’s holiest site, the Golden Temple.

One of the most striking elements of the cases in our study is how organizati­ons ignore even the most obvious and alarming red flags. U.S. Army biodefense researcher Bruce Ivins, for example, complained about his increasing­ly dangerous paranoia in an email to a colleague. Ivins even speculated about being mentioned in newspaper reports with the headline: “Paranoid man works with deadly anthrax.”

No one reported, or acted on, that or any of his many other signals that something was amiss. Instead, his coworkers wrote them off as harmless eccentrici­ty. Even when an employee told his boss that she feared he would attack her, no action was taken.

Strong incentives

Companies and government agencies must provide strong incentives for their employees to report worrying behavior - including clear and wellenforc­ed reporting rules, and recognitio­n for those who do the right thing. Those efforts should make clear that in some cases, the result of reporting will be that a troubled colleague gets much-needed help.

Employees who are upset are far more common than mentally disturbed ones, and therefore more likely to pose an insider threat. One study of insider cyber-sabotage found that 92 percent of the cases examined occurred “following a negative work-related event such as terminatio­n, dispute with a current or former employer, demotion, or transfer.”

More than half of the insiders in these cases were already seen as disgruntle­d before the incident occurred. Fortunatel­y, simple steps can combat employee dissatisfa­ction. These include providing effective processes for making and resolving complaints, compliment­ing and rewarding employees for good work and reining in bullying bosses.

Organizati­ons often make the mistake of thinking a single element of defense - such as background checks - is enough to protect them from insiders. But defenses are often less effective than they seem. Years ago, for example, Roger Johnston and his colleagues in the Vulnerabil­ity Assessment Team at Los Alamos National Laboratory tested over 100 types of widely used tamper-indicating seals. They found that all of them could be defeated with equipment from any hardware store, with average defeat times of less than five minutes.

Hence, organizati­ons need a comprehens­ive approach to protecting against insiders, from ensuring that no one can access the protected items without being monitored to building a vigilant, questionin­g culture. Nuclear facilities, for example, should keep material that could be used in a nuclear bomb in a locked vault to which few have access, constantly monitor the vault, ensure that no one is ever in the vault alone and, where practical, keep the material in forms too big and heavy for one person to carry and hide.

Monitoring people, informatio­n and physical spaces can be critical. After an insider destroyed a nuclear reactor’s turbine in Belgium in 2014, for example, the country establishe­d new rules ensuring no one could ever be alone and unwatched in key reactor areas.

Testing and constantly looking for vulnerabil­ities are also key. Johnston’s effort is only one example of an essential approach: assigning intelligen­t teams to look for ways to defeat security systems, identifyin­g weaknesses and helping to fix them.

Building a strong security culture in the organizati­on - in which all employees take security seriously and are constantly on the lookout for vulnerabil­ities to be addressed or concerning behavior the organizati­on should know about - is fundamenta­l. The Fort Hood massacre can be blamed, in part, on a breakdown of security culture. Despite clear danger signs in erratic behavior and radical statements, none of Nidal Hasan’s commanders wanted to cope with the hassle of disciplini­ng him.

Fixing these systemic problems takes focused leadership from the top of the organizati­on, incentives for strong security performanc­e and a broad understand­ing of both the threat and the relevance of security measures to deal with it throughout the organizati­on. Capable leadership will make organizati­ons more successful and more secure.

In our high-tech society, the insider threat is ever-present. High-security organizati­ons, government­s and companies alike need to take action to counter the organizati­onal and cognitive biases that often blind us to the insider danger - or future blunders will condemn us to more disasters.

Newspapers in English

Newspapers from Kuwait