Insider Threats
Ebook, 335 pages, 4 hours


About this ebook

"This compendium of research on insider threats is essential reading for all personnel with accountabilities for security; it shows graphically the extent and persistence of the threat that all organizations face and against which they must take preventive measures."
— Roger Howsley, Executive Director, World Institute for Nuclear Security

High-security organizations around the world face devastating threats from insiders—trusted employees with access to sensitive information, facilities, and materials. From Edward Snowden to the Fort Hood shooter to the theft of nuclear materials, the threat from insiders is on the front page and at the top of the policy agenda. Insider Threats offers detailed case studies of insider disasters across a range of different types of institutions, from biological research laboratories, to nuclear power plants, to the U.S. Army. Matthew Bunn and Scott D. Sagan outline cognitive and organizational biases that lead organizations to downplay the insider threat, and they synthesize "worst practices" from these past mistakes, offering lessons that will be valuable for any organization with high security and a lot to lose.

Insider threats pose dangers to anyone who handles information that is secret or proprietary, material that is highly valuable or hazardous, people who must be protected, or facilities that might be sabotaged. This is the first book to offer in-depth case studies across a range of industries and contexts, allowing entities such as nuclear facilities and casinos to learn from each other. It also offers an unprecedented analysis of terrorist thinking about using insiders to get fissile material or sabotage nuclear facilities.

Contributors: Matthew Bunn, Harvard University; Andreas Hoelstad Dæhli, Oslo; Kathryn M. Glynn, IBM Global Business Services;
Thomas Hegghammer, Norwegian Defence Research Establishment, Oslo; Austin Long, Columbia University; Scott D. Sagan, Stanford University; Ronald Schouten, Massachusetts General Hospital and Harvard Medical School; Jessica Stern, Harvard University; Amy B. Zegart, Stanford University

Language: English
Release date: Jan 24, 2017
ISBN: 9781501706493


    Insider Threats - Matthew Bunn

    Introduction

    Inside the Insider Threat

    Matthew Bunn and Scott D. Sagan

    Insider threats may be rare within most professional and competent organizations, and especially rare inside organizations that are responsible for protecting the national security of a country and its critical infrastructure. But not all national security organizations are as highly professional and competent as they claim to be, and devastating insider threats have sometimes occurred even within the best of the organizations that have sought to minimize the dangers. Rare does not mean nonexistent.

    In this book, readers will encounter many rare but devastating cases of insider threats from around the globe: disloyal personal security guards murdering a prime minister in India; individual soldiers deliberately opening fire on their own military comrades or allied forces in the United States and Afghanistan; employees engaging in sabotage attacks on nuclear reactors in South Africa and Belgium; and a microbiologist working inside a sensitive U.S. biodefense facility and sending deadly anthrax spores through the mail in order to kill reporters and elected officials and terrorize the public. Nuclear materials, because of their dangerous radioactivity and their potential to be used in weapons, are usually considered to be the crown jewels of physical protection. However, insiders pose a serious threat to these materials as well: virtually all the cases of nuclear theft in which the circumstances are known were perpetrated either by insiders or with the help of insiders; also, given that many unsolved cases of nuclear theft involve bulk material stolen without anyone else in the organization being aware that the material was missing, there is every reason to believe that these thefts were also perpetrated by insiders who understood weaknesses in security systems and could cover their tracks afterward. Insiders have also perpetrated a large number of thefts from heavily guarded nonnuclear facilities.¹ A 2014 Sandia National Laboratory report on cases of large-scale, multi-million-dollar perfect heists around the world found that over half of them involved an insider—often a coerced employee but sometimes a planted and recruited criminal.²

    It would be reassuring if the intelligence agencies and the armed services of the United States were immune to insider threats, but that is clearly not the case. Indeed, virtually all of the major U.S. intelligence agencies and branches of the military have also experienced an extremely damaging insider incident. Even a partial list is stunning:

    Central Intelligence Agency officer Aldrich Ames sold secrets to the Soviet Union and Russia for almost ten years, compromising more than a hundred covert operations in exchange for $2.5 million before he was caught in 1994.

    FBI counterintelligence officer Robert Hanssen passed on classified information to the Soviet Union and Russia for twenty-two years, from 1979 to 2001.

    In 2012 and 2013, National Security Agency contractor Edward Snowden—who had earlier worked for both the CIA and the Defense Intelligence Agency—leaked to the media thousands of classified U.S., British, and Australian documents about global surveillance practices and military operations.

    From 1968 to 1984, U.S. Navy chief warrant officer John Anthony Walker led a four-person insider spy ring that passed on classified information and codebooks permitting the Soviets to read encrypted U.S. military messages.

    In 1979, U.S. Air Force second lieutenant Christopher M. Cooke gave the Soviet Union the secret launch codes and flag words for the Strategic Air Command’s nuclear ICBM force.

    In early 2010, U.S. Army private Chelsea Manning (then known as Bradley Manning) leaked some 250,000 classified diplomatic cables and 500,000 U.S. Army reports and documents from the Iraq and Afghanistan wars to the WikiLeaks organization, which then posted most of them on the Internet.³

    The U.S. military services, intelligence agencies, secret service details, and nuclear security guard forces are supposed to be the best of the best; they are designed to be highly effective national security organizations. So it is significant that even they have suffered serious insider incidents. If the most elite organizations in the nation have had many serious problems in recognizing and dealing with insider threats, doesn’t this suggest that other organizations will have even more serious difficulties?

    Why are insiders so difficult to protect against? Part of the answer is that there are deep organizational and cognitive biases that lead managers to downplay the threats insiders pose to their organizations, facilities, and operations.⁴ But another part of the answer is that those managing security operations often have limited information about incidents that have happened in other countries or in other industries, and the lessons that might be learned from them. In addition, leaders sometimes ignore the likelihood that insiders may know not only an organization’s secrets but also its security systems and procedures—and how those security measures might be defeated. Finally, insiders are usually known entities; they are familiar and trusted. Few employees imagine that their colleagues, whom they have known and worked with for years, might pose a danger. In high-security organizations, these colleagues have typically also been through a formal process of review and been officially approved as trustworthy, removing them further from suspicion.

    The case studies in this book demonstrate that these factors can generate remarkable complacency about insider threats even in otherwise highly competent organizations. Overconfidence in the ability to identify and deal with potential insider threats makes leaders blind to what afterward seem to have been obvious warning signs of impending danger. Red flags are often waving in the wind, but no one sees them.

    Varieties of Insider Threats

    We define an insider as a person with authorized access to items that an organization wishes to protect—information, people, and dangerous or valuable materials, facilities, and equipment. Insiders are often employees, but they can also be contractors or certain types of visitors. Insiders can be individuals at any level of an organization—from the janitor cleaning up at night to the manager of the entire organization. Guards, in particular, can help cope with both external and insider threats, but they can also pose insider threats themselves. Indeed, the security chief of one of Russia’s largest plutonium and highly enriched uranium (HEU) processing facilities described guards as the most dangerous internal adversaries.⁵

    Insiders can pose many different types of threats. Some simply provide information to individuals outside the organization—ranging from a spy agency’s secrets to a company’s intellectual property to information on key weaknesses in an organization’s security that others could exploit. Some might steal from the organization, sabotage a facility, or help outsiders do one of these things. A key distinction is between insiders who are passive (for example, those who let an outside group know about a security vulnerability but take no other part in their plot), those who are active (for example, insiders who open a key security door or disable an alarm), and those who are violent (for example, guards willing to shoot other employees as part of the plot).

    People can follow many pathways to becoming insider threats to an organization. Prescreening processes such as background investigations might detect some risky individuals moving on some of these pathways, but other individuals may not be detected. Self-motivated insiders at some point decide for their own reasons to become insiders—perhaps becoming a spy or a thief. Recruited insiders are already inside an organization but are then convinced by others to take part in a plot. Infiltrated insiders are associated with some adversary of the organization and join an organization with the purpose of carrying out malicious activity against it. Inadvertent or non-malicious insiders pose a threat by making mistakes without really intending to do so (such as an employee who leaves a password lying around). Finally, coerced insiders remain loyal in intent but knowingly assist in theft or sabotage to prevent hostile acts against themselves or their loved ones.

    Motives for insiders in each of these categories vary widely. Common motivations for the first three types of insiders include money problems, anger and disgruntlement, desire to show off their own cleverness, and ideological affiliation with a terrorist group or another state. Inadvertent insiders may not have any motivation at all and, indeed, may not be aware that their actions are creating a danger to the organization for which they work. Coerced insiders would never be identified as a problem in any screening process if they are professional and highly motivated to protect their organization’s secrets or assets, but they can be even more motivated to protect their loved ones. When family members are kidnapped and threatened with death, coerced insiders may become dangerous threats.

    The Importance of the Insider Threat

    Today, in a world of nuclear weapons, deadly pathogens, potentially devastating cyber intrusions, and high-capability terrorist groups bent on mass destruction, the stakes in dealing with insiders have never been higher. In the United States, these dangers have been recognized at the highest levels. After the stunning leaks by Edward Snowden on National Security Agency operations and the massive transfer of diplomatic cables and military reports by Chelsea Manning to WikiLeaks, President Barack Obama issued a directive intended to ensure that all U.S. executive branch agencies put in place the minimum elements necessary for an effective program to protect against insider threats.⁶ Nevertheless, there is a great deal more to be done to reduce the risks that insiders in various organizations pose to society. With the possibility that terrorists could make or steal deadly pathogens, or try to use cyber attacks to shut down critical infrastructure, or steal nuclear material and make a crude nuclear bomb, or cause a Fukushima-scale accident by sabotaging a nuclear facility, the potential threats posed by insiders in modern society are especially dire.⁷

    Not all insider threats can be traced to terrorists or foreign governments. Indeed, disgruntled insiders at nuclear facilities have perpetrated many of the known acts of nuclear sabotage. In August 2014, for example, the Unit 4 reactor at Doel in Belgium shut down when the lubricant for its turbine drained away, causing substantial damage to the turbine and putting the reactor out of commission. Internal investigations concluded that an insider had intentionally drained the lubricant to sabotage the facility.⁸

    The potential consequences of such insider actions are staggering. The deliberate spreading of a highly infectious and deadly disease by an insider with knowledge of how to maximize casualties could produce effects that dwarf those caused by the 2001 anthrax attacks in the United States. A crude terrorist nuclear explosive—potentially made from a chunk of stolen nuclear material the size of a grapefruit—could turn the heart of a major city into a smoldering radioactive ruin, killing tens or hundreds of thousands of people. Economic and political effects would reverberate throughout the world, causing an economic crisis that would create, as Kofi Annan remarked, a second death toll in the developing world.⁹ A successful nuclear reactor sabotage incident could potentially produce consequences on the scale of the 2011 accident at Fukushima Daiichi, forcing huge numbers of people to flee and causing many tens of billions of dollars of damage through social and economic disruption. The probabilities of these events may not be high, but the potential consequences are grave enough to justify urgent action to reduce the risks. And insiders appear to be an important—but not always recognized—source of these risks.

    Why This Book?

    Protecting against insiders is a difficult job, for at least two reasons. First, the complacency that leads an organization to downplay the insider threat and fail to take appropriate action against it is difficult to combat. Second, in part because of the secrecy that often surrounds security measures, there is insufficient sharing of information and learning from the experience of other similar organizations.¹⁰

    Real case studies, in all their specificity, can help address both of these barriers to coping with the insider threat. By highlighting the reality of the danger, they can be powerful motivators to focus organizational leaders and staff on addressing insider threats. And the lessons learned from both the failures and the successes of others can help organizations strengthen their own insider threat protections.

    We are specialists on nuclear weapons proliferation and nuclear materials security. Fortunately for the world, but unfortunately for research, there are very few well-documented insider cases in the nuclear sector—that is, cases where not only is it known that an insider stole a nuclear weapon or material or sabotaged a nuclear facility but also that the specifics of how this happened have been released. In this arena, secrecy can be the enemy of learning. Hence, it is especially important to learn lessons not only from the narrow world of nuclear security but from other sectors as well. This book is an exercise to promote vicarious learning, in that we want organizational leaders and managers to learn from one another’s mistakes and successes in dealing with insider threats. The principles we outline in this book are applicable, we believe, to preventing and mitigating insider threats across a wide range of contexts.

    The Plan of the Book

    In the following pages, an extraordinary group of authors helps to get inside the insider threat problem. First, Thomas Hegghammer and Andreas Hoelstad Dæhli ask to what extent terrorists have actually tried to accomplish their objectives by using insiders in nuclear facilities—either by convincing existing insiders to work with them or infiltrating their own members into the facility. To what extent have they considered such tactics? To answer these questions, the authors pull together an unprecedented data set on nuclear incidents around the world, drawing on multiple sources of information, and dive deeply into a wide range of terrorist writings and website discussions. There have been many insider incidents at nuclear facilities, but these authors find only a small number that have been convincingly linked to terrorists—and relatively little discussion of this tactic in the vast jihadi literature. Nevertheless, Hegghammer and Dæhli acknowledge that our information about incidents in Russia and Pakistan is not very extensive, preventing us from making confident assessments about insider threats in those two crucial countries in the coming years. They also present information about incidents in Belgium in 2014 and 2016 that suggests that Islamic State (IS) terrorists and sympathizers have targeted nuclear facilities. Given the potential consequences of successful nuclear theft or sabotage committed or aided by insiders anywhere, Hegghammer and Dæhli offer recommendations for making the insider pathway less attractive to international terrorists.

    Next, two chapters explore troubling cases in which the U.S. Army and a U.S. biodefense laboratory failed to recognize and respond to glaring warnings of trouble to come. Amy B. Zegart offers an organizational diagnosis of the case of Major Nidal Malik Hasan, who killed thirteen of his fellow soldiers and injured many more in the 2009 Fort Hood shootings. Zegart explores in detail the web of poorly designed organizational procedures, misplaced incentives, and miscommunication between organizations that allowed the Army to fail to notice and respond to multiple signs that Hasan might pose a threat—and the FBI to drop the ball on its investigation—until it was too late. Jessica Stern and Ronald Schouten then dissect the equally remarkable case of Bruce Ivins, the Army scientist widely believed to have perpetrated the anthrax attacks that followed the 9/11 terrorist attacks in New York City and Washington, DC. As the authors show, Ivins had long suffered from severe mental illness and had been identified by some of his therapists as a serious danger—but none of that information ever percolated up to those in authority, and his coworkers did not report multiple warning signs (including Ivins expressing concern about his own increasing paranoia), dismissing them as the actions and musings of a harmless eccentric. These two chapters raise a troubling question: If organizations fail to detect insiders when the warnings are so flagrant, what hope is there that organizations will notice and respond to the more subtle signs that might come from a sophisticated and determined insider?

    The Zegart and Stern/Schouten chapters are followed by two chapters that offer case studies to identify possible steps that might reduce the insider threat. First, Austin Long describes the puzzling story of the sudden surge of green-on-blue attacks—Afghan soldiers and policemen attacking U.S. and European troops—in Afghanistan in 2012, and the almost equally rapid decline in these attacks in 2012–2013. He explores different theories of the causes of both the increase and the decline, finding at least suggestive evidence that a substantial portion of the surge was the result of a Taliban decision to emphasize insider attacks after seeing how effective these were in undermining coalition cohesion, and also that steps to address the threat, ranging from enhanced screening of Afghan personnel to having a "guardian angel" remain armed and on watch whenever Afghan and U.S. troops were working together, contributed to the decline. Matthew Bunn and Kathryn M. Glynn explore approaches to insider protection in the casino and pharmaceutical industries, reasoning that firms that have a profit incentive to maximize insider protection will likely have come up with creative means for doing so. Bunn and Glynn outline a number of insider-protection practices used in these industries that the nuclear industry might adopt—but they also find deep differences in context and objectives that weaken the analogy. In particular, for both the casino and the pharmaceutical industries, small thefts are generally not worth the cost of the security measures needed to stop them—an attitude that certainly should not be replicated with respect to plutonium, HEU, biological agents, or intelligence secrets.

    Finally, we offer a set of conclusions and lessons learned for coping with the insider threat, drawing on these chapters and lessons from other incidents around the world. It is now common for regulators and nongovernment organizations to present best practices guides on many thorny problems in order to ensure that appropriate lessons are learned. In contrast, our chapter A Worst Practices Guide to Insider Threats highlights common failures and explains why it is so difficult for national security organizations to learn how to protect themselves from insider threats.

    Our hope is that this book offers new perspectives and information that will encourage vicarious learning about both successes and failures in the past. The book’s contributing authors have gotten inside the insider threat in order to help leaders better understand the complexity of the problems that they face. We do not expect that good scholarship can identify all potential pathways by which insider threats emerge and fester. But we do hope that our case studies and comparative analyses can spark further research, encourage vigilance and prudent policy changes, and reduce future risks, even if no organization can eliminate insider threats altogether.


    1. Bruce Hoffman, Christina Meyer, Benjamin Schwarz, and Jennifer Duncan, Insider Crime: The Threat to Nuclear Facilities and Programs (Santa Monica, CA: RAND, 1990).

    2. Jarret M. Lafleur, Liston K. Purvis, Alex W. Roesler, and Paul Westland, The Perfect Heist: Recipes from around the World, SAND 2014-1790 (Albuquerque, NM: Sandia National Laboratories, 2014).

    3. For an account of the Aldrich Ames case, see Tim Weiner and David Johnston, Betrayal: The Story of Aldrich Ames, an American Spy (New York: Random House, 1995). On the case of Robert Hanssen, see David Wise, Spy: The Inside Story of How the FBI’s Robert Hanssen Betrayed America (New York: Random House, 2003); U.S. Department of Justice, Office of the Inspector General, A Review of the FBI’s Performance in Deterring, Detecting, and Investigating the Espionage Activities of Robert Philip Hanssen (Washington, DC: U.S. Government Printing Office, 2003). For reporting on the Edward Snowden leak, see Gellman et al., Edward Snowden Comes Forward as Source of NSA Leaks, Washington Post, June 9, 2013. On the John Anthony Walker case, see John Prados, The Navy’s Biggest Betrayal, Naval History Magazine 24, no. 3 (2010), https://news.usni.org/2014/09/02/john-walker-spy-ring-u-s-navys-biggest-betrayal. For an account of the Christopher M. Cooke case, see Eric Schlosser, Command and Control: Nuclear Weapons, the Damascus Incident, and the Illusion of Safety (New York: Penguin, 2013), 444. On the Bradley Manning leak, see Charlie Savage, Soldier Admits Providing Files to WikiLeaks, New York Times, February 28, 2013; and Charlie Savage and Emmarie Huetteman, Manning Sentenced to 35 Years for a Pivotal Leak of U.S. Files, New York Times, August 21, 2013.

    4. For an account of the biases that lead organizations to underestimate the risks they face, see Max H. Bazerman and Michael D. Watkins, Predictable Surprises: The Disasters You Should Have Seen Coming and How to Prevent Them (Cambridge, MA: Harvard Business School Publishing, 2004).

    5. Igor Goloskokov, Reformirovanie Voisk MVD po Okhrane Yadernikh Obektov Rossii [Reforming MVD troops to guard Russian nuclear facilities], Yaderny Kontrol 9, no. 4 (2003), http://www.pircenter.org/data/publications/yk4-2003.pdf, 39–50.

    6. Barack Obama, Presidential Memorandum: National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs, November 21, 2012, http://www.whitehouse.gov/the-press-office/2012/11/21/presidential-memorandum-national-insider-threat-policy-and-minimum-stand. Interestingly, after these leaks and the first Fort Hood shooter case, the insider threats that the memo highlights are potential espionage, violent acts against the Government or the Nation, and unauthorized disclosure of classified information. Theft of nuclear materials does not appear to be one of the priorities.

    7. For assessments of the nuclear terrorism threat, see Matthew Bunn et al., The U.S.-Russia Joint Threat Assessment of Nuclear Terrorism (Cambridge, MA: Belfer Center for Science and International Affairs, Harvard Kennedy School, and Institute for U.S. and Canadian Studies, 2011), http://belfercenter.ksg.harvard.edu/publication/21087; William H. Tobey and Pavel Zolotarev, The Nuclear Terrorism Threat (paper presented at the meeting of the 2014 Nuclear Security Summit Sherpas, Pattaya, Thailand, January 13, 2014), http://belfercenter.ksg.harvard.edu/files/nuclearterrorismthreatthailand2014.pdf; and Matthew Bunn, Martin B. Malin, Nickolas Roth, and William H. Tobey, Advancing Nuclear Security: Evaluating Progress and Setting New Goals (Cambridge, MA: Project on Managing the Atom, Belfer Center for Science and International Affairs, Harvard University, 2014), http://belfercenter.ksg.harvard.edu/files/advancingnuclearsecurity.pdf, i–vi, 49–60.

    8. See, for example, Geert de Clercq, Belgian Doel 4 Nuclear Reactor Closed till Year-End, Reuters, August 14, 2014.

    9. Kofi Annan, A Global Strategy for Fighting Terrorism: Keynote Address to the Closing Plenary (paper presented at the International Summit on Democracy, Terrorism and Security, Madrid, 2005), http://english.safe-democracy.org/keynotes/a-global-strategy-forfighting-terrorism.html.

    10. There are exceptions, of course. Cybersecurity, in particular, has seen much more genuine data and more data-driven analysis of appropriate practices in coping with insider threats than most other security fields have seen. See, for example, George Silowash et al., Common Sense Guide to Mitigating Insider Threats, 4th ed., CMU/SEI-2012-TR-012 (Pittsburgh: CERT Program, Software Engineering Institute, Carnegie-Mellon University, 2012), http://resources.sei.cmu.edu/asset_files/TechnicalReport/2012_005_001_34033.pdf.

    CHAPTER 1

    Insiders and Outsiders

    A Survey of Terrorist Threats to Nuclear Facilities

    Thomas Hegghammer and Andreas Hoelstad Dæhli

    Employees are the Achilles’ heel of nuclear installations. Skilled insiders can cause more damage and steal radioactive material more easily than outsiders can.¹ All known cases of nuclear theft appear to have involved insiders, as did several cases of sabotage.² The prospect of a terrorist insider has therefore long worried governments and should continue to do so. But effective countermeasures require a nuanced and empirically based understanding of the threat. This chapter seeks to inform insider-threat assessments by taking stock of what terrorists have said and done in the past with regard to nuclear insider plots.

    As we shall see, terrorists have so far displayed somewhat less interest in nuclear insider operations than many have expected. When militants have tried to attack nuclear facilities, they have mostly preferred other methods such as assault.
