1 Counterintelligence & The Insider Threat An Enterprise
Operations Counterintelligence Presentation Presented by: Ralph
Butler SSC Counterintelligence Lead
Slide 2
2 Overview Understanding the Insider Threat Insider Threat
Trends Insider Threat Program
Slide 3
3 Understanding the Insider Threat
Slide 4
4 Define the Insider Authorized people using their trusted
access to do unauthorized things Threat actors vs. threats Boils
down to actors with some level of legitimate access, and with some
level of organizational trust Inadvertent or Malicious
Insiders
Slide 5
5 Robert Hanssen FBI Spied for Russian Intel 1979 - 2001
Aldrich Ames CIA Spied for KGB 1985 - 1994 Paid $4.6 million Felt
CIA superiors failed to see his talent Motivation Money Disgruntled
Ego Felt the FBI didn't appreciate his brilliance, his ability and
his skills Did not get promotions they felt they deserved
Slide 6
6 Glenn Shriver Recruited by China 2005 - 2011 Studied at East
China Normal University in Shanghai Paid 10k and 20k for taking the
Foreign Service Exam, and finally 40k to apply with the CIA
Responds to an ad to write a political paper in for $120 Lied on
his security clearance paperwork and failed his pre- employment
polygraph
Slide 7
7 Pvt. Bradley Manning U.S. Army Im not a source for you.Im
talking to you as someone who needs moral and emotional support I
was actively involved in something that I was completely against
Hopefully this will lead to worldwide discussion, debates, and
reforms. If not, than were doomed as a species
Slide 8
8 Edward Snowden CIA/NSA I dont want to live in a society that
does these sort of things (Surveillance on its citizens) Im neither
a traitor nor hero. Im an American I have no intention of hiding
who I am because I know I have done nothing wrong
Slide 9
9 Psychosocial Indicators Disgruntlement Responds poorly to
criticism Inappropriate response to and/or inability to cope with
stress at work Sudden change in work performance Disgruntlement
Responds poorly to criticism Inappropriate response to and/or
inability to cope with stress at work Sudden change in work
performance Ego Domineering Harassment Argumentative Superiority
complex Selfish Manipulative Rules do not apply Poor teamwork
Irritability Threatening Retaliatory behavior Ego Domineering
Harassment Argumentative Superiority complex Selfish Manipulative
Rules do not apply Poor teamwork Irritability Threatening
Retaliatory behavior Emotional Change in beliefs Unusual level of
pessimism Unusual level of sadness Difficulty controlling emotions
Emotional Change in beliefs Unusual level of pessimism Unusual
level of sadness Difficulty controlling emotions
Relationship/Financial Problems Divorce Marriage problems Stress at
home Financial problems Inappropriate response to and/or inability
to cope with stress at home Unexplained change in financial status
Irresponsibility Selfish Relationship/Financial Problems Divorce
Marriage problems Stress at home Financial problems Inappropriate
response to and/or inability to cope with stress at home
Unexplained change in financial status Irresponsibility
Selfish
Slide 10
10 Potential Risk Indicators Attempts to bypass security
controls Request for clearance or higher level access Unjustified
work pattern Chronic violation of organization policies Decline in
work performance Irresponsible social media habits Unexplained
sudden affluence Outward expression of conflicting loyalties
Unreported foreign contacts / foreign travel (when required)
Maintains access to sensitive data after termination notice Visible
disgruntlement towards employer Use of unauthorized digital
external storage devices
Slide 11
11 Insider Threat Trends
Slide 12
12 Perspective Change Espionage used to be a problem for the
FBI, CIA and military, but now it's a problem for corporations -
Joel Brenner, National Counterintelligence Executive, 2008 Courtesy
CI CENTRE & SPYpedia
Slide 13
13 Steady Upward Trend 32% of all espionage arrests since 1945
have occurred in the last 5 years (FBI) 54% of all individuals
involved with compromise of classified or proprietary information
were employed in Private Sector (FBI) Industry SCRs up 600% from
2009 (DSS) 76% increase in SCRs evaluated of CI interest by DSS
from 2010 to 2012 IIRs from Industry reporting up 500% from 2009
(DSS) USG Investigations & Operations predicated on Industry
reporting up over 1000% from 2009 (DSS) Courtesy:; CI CENTRE &
SPYPEDIA; CERT; DSS; www.whitehouse.gov
Slide 14
14 When Does it Happen? 59% of employees leaving a company
admit to taking proprietary information with them (FBI) Out of 800
adjudicated insider threat cases, an overwhelming majority of
subjects took the information within last 30 days of employment
(CERT; Carnegie Mellon) 60% of cases were individuals who had
worked for the organization for less than 5 years (CPNI) Majority
of acts were carried out by staff (88%); 7% were contractors and 5%
temporary staff (CPNI) Courtesy www.Whitehouse.gov
Slide 15
15 Insider Threat Program
Slide 16
16 What is the most common way that spies within the U.S.
Government and U.S. cleared defense contractors are detected and
caught? A: Routine counterintelligence monitoring B: Tip from
friend, family, co-worker C: Their own mistakes D: Reporting by
U.S. sources within foreign intelligence services How to Catch a
Spy? Answer: D There is no loyalty in the spy business, and
intelligence officers who have been recruited as sources by the
U.S. Intelligence Community eagerly betray the U.S. persons who
have given them information
Slide 17
17 Insider Threat Program All government agencies will have an
insider threat detection and prevention program Designate Insider
Threat Senior Official Training Senior Official Cleared Employee
Within first 30-days (New Employee Orientation briefing) Annually
thereafter System to maintain training records NISPOM Conforming
Change 2 Executive Order 13587
Slide 18
18 What are we doing? Invested in a dedicated CI program
Established Office of Counterintelligence Operations (OCIO) in 2011
Designated CI Representatives in each business area OCIO
Representation at DSS Full Time analyst support Access to timely
and relevant threat data Increased CI emphasis within known target
areas CI in Contracts / Supply Chain Risk Analysis and Mitigation
System (RAMS) What is the single greatest factor?
Slide 19
19 CI Awareness The Employee Mindset Co-workers of former spies
often knew something was wrong, but didnt report the behavior for
many reasons People dont like to tattle It is common to doubt
yourself and your intuitions It is common to deflect responsibility
It seems too personal - We dont understand how certain behaviors
are tied to espionage Dont miss the obvious signs!!!
Slide 20
20 What Can You Do? Help Me Justify My Paranoia
Slide 21
21 Our Challenging Equation 1 in 1,000 persons in a position of
trust are eligible targets for recruitment Bruce Held, Director of
Intelligence and Counterintelligence for the Department of Energy
and 25 year CIA veteran Education: Consider the Operator
Slide 22
22 Summary The insider threat is real and dramatically
increasing The threat has shifted from government to industry
Establish a solid CI program with emphasis on the insider threat
Detection of insider threats has to use behavioral based techniques
Employees are in the best position to observe potential risk
indicators
Slide 23
23 Contact Info Ralph Butler Space Systems Company
Counterintelligence Lead 408-742-6167 [email protected]