Michael D. Moberly December 8, 2010
For some time in the private sector, there has been a significant emphasis on integrating the technological capability to make relevant information available up and down a company’s supply and value chains through dissemination and sharing techniques which are often, in my view, a much-tweaked approach to ‘knowledge management’. The well-intentioned premise of knowledge management, of course, and its 2010 variants, lies in the notion that more people (employees across functional lines) need and should have access to certain information as a tool, if nothing else, to help simplify decision-making processes, i.e., speed up the resolution of a problem, or merely create efficiencies.
In such a global ‘sharing’ environment, it should come as no surprise then that PFC Manning, or whoever the culprit or culprits may really turn out to be, either felt compelled to act, or acted merely because they had the ability to do so, by downloading and copying what has been described as largely classified information and making it available to Wikileaks, which is merely one of a multitude of ready and willing global ‘technology’ outlets which, when confronted, claim a journalistic orientation which they characterize as rendering them ‘First Amendment’ exemptees.
Much research and personal experience tells us, however, that there are literally thousands upon thousands of PFC Mannings who have the wherewithal and receptivity, if not a penchant, to become an ‘insider’, the term which we in the information asset protection and security arena use to refer to them. Insiders are a feisty and persistent lot and pose ever-present challenges to companies and organizations alike. They come wrapped and immersed in many different motives which collectively form, I presume, a rationale for doing what they do: stealing, disseminating, and/or selling proprietary or classified information to those who otherwise have no legitimate right to see or read that information, let alone disseminate and publish it in open sources. In the private sector such acts may fall into categories of misappropriation or infringement. In the government classified arena it’s likely to be called espionage!
When insiders are successful, as it appears PFC Manning has been, not once, but perhaps three or more times, the product of their misdeed can, and often does, wreak havoc with its target(s), which today carries many new dimensions, especially in the increasingly inter-connected worlds of business and government, not the least of which is straightforward embarrassment on many different levels.
Being somewhat well versed in ‘the insider threat’ arena and the current (on-going) research, the additional risks that this PFC’s illegal behavior has spawned are indeed asymmetric and probably carry long-lasting ramifications. Returning to a state of diplomatic normalcy, for the U.S. anyway, will be neither easy nor swift. On the other hand, when circumstances like this occur in the private sector, something with which I’m more familiar, there are many financial, personal, and professional ‘fences that require mending’, some of which remain irreversibly broken.
What’s new and clear relative to this particular incident is that there’s no precedent for the sheer mass of data/information that was taken, aside from perhaps the ‘Pentagon Papers’. But that doesn’t discount or explain away the reality that ‘we should have seen it coming’! By ‘we’, I mean both the public/government and private sector.
The work of insiders, while it may not be the world’s oldest profession, certainly does, in my view, rank in the top five. And, to add insult to injury, stealth in this instance was apparently merely a PFC’s ruse of downloading ‘Lady Gaga’ music, whoever that is, but from a remote government computer with access to classified information. I still have a hard time believing this was the act of a single PFC acting alone.
So, a new breed of insider (threat, risk) has emerged that is more calculating, in some respects more stealthy, and whose acts can potentially cause more irreversible, costly, and immediate damage, harm, and embarrassment to a company or organization than their predecessors, who were largely confined or limited to stealing only ‘hard copies’ that they could put in the proverbial shoe box and carry out of a building under their overcoat, à la the former Detroit auto executive who literally took paper copies of ‘plans, intentions, and capabilities’ of his former employer to his new European automaker employer as somewhat of an arrogant, yet very strategic, ‘housewarming gift’.
Let me be clear though, this post is not so much about the insider threat posed by a ‘Wen Ho Lee’, who was originally charged, circumstantially at least, with compromising classified materials belonging to a U.S. national laboratory and giving them to an adversary. While this post does have, in my view, considerable relevancy to the classified arena in terms of the types of assets now being targeted, this post is also a ‘wake-up’ of sorts to the millions of small and mid-size enterprises (SMEs) that have developed unique and valuable sets of intangible assets that literally deliver (underlie) most companies’ value, revenue, competitive advantages, and market position.
When an SME experiences a theft, misappropriation, or compromise by an insider of one or more of its key intangible assets, while the consequences are certainly not equivalent or comparable to national security breaches, their impact on that SME, in terms of lost revenue, undermined competitive advantages, lost market position, etc., can be, and often is, devastating and irreversible.
So, as this construct, which I call ‘the new insider’, emerges, studies and research conducted by DoD’s Personnel Security Research Center and Carnegie Mellon University’s CERT unit provide important and timely credence and relevance.
A particular PERSEREC study, in my view, contributed significantly to my framing of ‘the new insider’ and the risks and threats they pose by putting it in a very compelling and rational global context. The study to which I’m referring is appropriately titled ‘Technological, Social, and Economic Trends That Are Increasing U.S. Vulnerability to Insider Espionage’. It identified some very ominous challenges governments and companies alike face, relative to trying to deter, prevent, combat or mitigate, however one wishes to portray it, insider risks and threats. The four key ones (taken from PERSEREC’s study), in my view, are described (paraphrased) below:
1. Fewer employees today, and presumably in the future, are (will be) deterred by a conventional sense of employer loyalty. In other words, they have a tendency (proclivity) to view theft of information assets to be morally justifiable if sharing those assets, they believe, will benefit the world community or prevent armed conflict…
2. There is a greater inclination for employees who are (or will be) engaged in multinational trade transactions to regard unauthorized transfer of information assets or technologies as a business matter, rather than an act of betrayal or treason…
3. The value of, and market for, protected information assets, presumably regardless of whether it is a company’s proprietary information or trade secrets or a government agency’s classified information, has risen as those so inclined, i.e., insiders, recognize it can be sold for a profit to an ever-widening range of receptive global entities…
4. Companies are at greater risk for experiencing insider theft of information assets than previously because there is no single countervailing trend to make it more difficult or less likely to occur…
So, designing effective practices and techniques to mitigate, counter, and ultimately defend against the insider threat, whether it be PFC Manning, or far more technologically sophisticated players, should, above all, not be based solely on or unduly prejudiced by (a.) past practice, (b.) anecdotal (internal, external) snapshots in time, or (c.) generalized assumptions about ethnic allegiance. Rather, ‘defenses’ to the broad and complex phenomenon of insider threats should be well grounded in the relevant, current, and applied findings of highly specialized research as noted here.
Let it suffice to say, insider (threat) challenges, left unchecked, or poorly addressed, can produce wide-ranging cascading effects that can instantaneously ripple throughout a company or government agency. Such risks are unlikely to miraculously recede or fade away through attrition, terminations, or resignations, etc. Rather, they require execution of best practices that reflect and can rapidly adjust to forward-looking research, not merely plugging yesterday’s leaks.