The Insider Threat: A Historical Perspective
Trained as a forensic psychologist and a 15-year veteran of the Naval Criminal Investigative Service, Michael Gelles has long had an interest in the bad guys within organizations. At NCIS, he consulted on counterintelligence and counterespionage and took an active role in looking at the insider threat. Years later, Gelles transitioned into the civilian world, landing at Deloitte. He continued working on insider threat issues, literally writing the book on the subject: Insider Threat: Prevention, Detection, Mitigation and Deterrence.
“Let’s just say the insider threat has become quite an interesting topic these days,” he told Nextgov. “Respectfully, it has become a bit of a shiny object for folks. For me, having spent a career with it, it is almost like folks have finally awakened to this issue despite the fact that it has been something that the government has long been focused on.”
Gelles, now a director with the Deloitte Consulting federal practice, talked with Nextgov Executive Editor Camille Tuutti about how insider threats have evolved throughout the years. The transcript of their conversation below has been edited for length and clarity.
Nextgov: You mentioned an awakening. What do you mean by that?
Michael Gelles: I think some of that awakening is the end result of the fact that, for many, many years, it was always a reactive problem. And quite frankly, it was a problem that people viewed as very low frequency but very high impact. In many instances, it was of such low frequency, people felt that this is probably not going to happen here: “I trust everyone who works for me. Everyone who works for me is dedicated.”
With the advent of technology and the movement of information, if you will, and the infusion of a new generation into the workforce, information is perceived, managed and shared in a very different way than it was in a world of bricks and mortar -- where things now are just instantaneous.
I think what we are seeing is not just the increased frequency of insider incidents but insider activity that is driven by more than just those who are malicious or have malevolent intent to damage an organization -- whether that is national security or to steal IP or R&D or impact brand and reputation.
Rather, it is the complacent insiders who unwittingly in their efforts to do their job or the way they manage information lead to very significant challenges for organizations as they open doors or windows to external types of attacks or facilitate other types of attacks.
Lastly, we talk about the ignorant or uninformed insider, which goes back almost full circle as we are talking about individuals who aren’t educated. There are organizations that haven’t done training, they haven’t done policies and they haven’t done communications. Employees don’t know what they are doing, so they just do what they think they should be doing and that causes problems as well.
Nextgov: If you go back decades to when we didn’t have all of this advanced technology, what did the insider threat look like?
Michael Gelles: Sadly, I can tell you because I actually lived it and worked in it. If we go back to the world of bricks and mortar, what did those spies look like? I use the term spies because when you go back in history, the focus on insider was around espionage.
In fact, the 1980s was termed the “Decade of the Spy.” As a result of that, what people recognized was, “Wait a minute, while we are in this sort of Cold War sort of Soviet sensitivity, we’re realizing that a lot of what we are losing here is coming from people who have access.” It was the individuals who had access and who had some kind of a crisis -- in many instances, people like to default to financial, but in my opinion it was always people who felt that they weren’t valued.
They needed to prove that they were worthwhile, so they would take information. This is in a time when people had to copy information or they had to write it down or it had to be transmitted. It had to be passed to another individual. You had to meet with another person.
In my career, I debriefed many of these spies. There was a project called Project Slammer, which started in the late 1980s. It was a combination of the FBI and the intelligence agencies looking at those who were convicted of espionage to understand their motivations, what they did to violate security, their personalities.
There were psychological studies done on how it is that they executed what they did, and specifically how they moved information and took information. Some of them were very sophisticated from the standpoint of having very significant relationships with foreign intelligence officers, and others would just grab information out of an office and run out with it and go and try to sell it to an embassy.
Nextgov: What are some of the telltale signs that you have an insider threat in your organization?
Michael Gelles: In many instances, people were caught because they made some mistake. There was something that they did that alerted someone that something was of some concern or there was some suspicion.
In some of the espionage cases, if you go back and look at the [Aldrich] Ames case or [Robert] Hanssen case or some of those more famous cases, you will see that some of them were operating for very long periods of time. It wasn’t until another counterintelligence operation turned up that there was something going on that suggested that there was an insider.
All of this stuff historically, up until very, very recently has been very reactive. They have been doing insider threat awareness training for decades, but the one thing that I would say is what’s always been a struggle is when people see things, they haven’t always reported them. They will talk about them in a post-incident investigation but they will not necessarily report it unless the appropriate mechanisms are in place. It was usually because there was something they did that crossed other types of investigations or other types of activities that their behavior became recognized.
I would say if we want to move forward in time, as we got into the later ‘90s, I think there was more sensitivity to what people did. We are getting a little bit outside of the espionage realm. This is more along the lines of workplace violence. Historically, insider threats are people who sold information, whether that was proprietary or classified. Workplace violence was separate. It was viewed very separately even though by definition an insider is an individual who has access to an organization’s information, material or people. If you think about an insider that way, that would include workplace violence.
Nextgov: So after the ‘90s, the workplace violence component became a bigger part of the insider threat?
Michael Gelles: There was a greater awareness, paying attention to people’s behavior. What we have known since the 1980s and ‘90s that came out of Project Slammer -- and I think is important to know here -- is that insiders do not act impulsively.
We’ve seen this from those who take information to those who commit workplace violence, and that is that individuals move along a path of idea to action. The reason we know this is because we have debriefed so many of them who have been caught and talked about all of the different things that they did over a period of time.
Today, we are able to detect folks who engage in anomalous behavior because we understand what those indicators are -- for example, what someone does in the virtual space versus what someone does in the nonvirtual space. There are individuals who have different levels of access to information in an organization -- a systems administrator versus a clerical administrator -- and the access to that information puts them at different levels of risk.
The virtual would be more along the lines of, “What do you do on your computer? What do you download? What do you print? Where are you logging on? Where do you go on the computer that’s irrelevant to the organization? Are you showing undue interest in certain topics that essentially are not related or relevant to what you do?"
In the nonvirtual world, it's, “Is your performance declining? What is your physical access? When do you come and go to work?" And there are the different compliance issues: “Are you compliant with training? Are you compliant with expenses?” All of these become indicators.
Remember, all of the spies had security clearances. They never really intended to commit espionage; they just had a crisis and decided the solution to their crisis would be to take information.
In the past, they were detected by making a mistake or people observing over a period of time as we became more educated into the ‘90s about behavior that was anomalous. Now, individual behavior can be captured in data.
Nextgov: What are some key considerations in setting up an initiative to address insider threats?
Michael Gelles: If you follow the rules -- and this is getting at the complacent insider, not necessarily the malicious insider -- you can mitigate a lot of risk.
How about the employee life cycle? That is another important piece. How are people hiring and vetting people? Are they thinking through how they are doing recurring background investigations? How well are they training their managers to be sensitive to what they should be aware of, to be able to reach out to employees who may be having a crisis? How engaged is the workforce? How do I think about separations and terminations from my company? This has become a fascinating area because what we found is that companies and agencies are not paying close enough attention to the separation node.
Lastly, I think cybersecurity and the insider are intimately connected. We invest a tremendous amount and have invested over the last 10 years-plus in securing our perimeters. We are beginning to recognize that we need to invest in paying attention to what’s going on in the inside, knowing that those on the inside can open doors and windows into the organization that facilitate outside cyberattacks.
Nextgov: What are some misconceptions about the insider threat you have come across?
Michael Gelles: There are a lot of folks who believe their workforce, because they hired them and everyone is working together, is a real trustworthy bunch. They're here working together, why would they ever take what is sensitive and critical? The insider problem is by far greater than I think people want to recognize. We all really want to believe that people are good.
The other misconception is that some people feel that insider activity is impulsive -- that I wake up one morning and I decide that I am going to steal some IP or take some R&D or it’s time for me to sell some classified information.
Another misconception is that insiders are more prevalent today than they have been in the past and the reason they are more prevalent today is because of the way we do business. It has shifted from that world of bricks and mortar to the context where technology has defined a very global and virtual workforce.