Insider Threat: Hard but not Impossible
Why the time is now for industry-led human-domain security
INTRODUCTION: Insider Threat (InT) is an oft-misunderstood, heavily nuanced, and complex space that modern cybersecurity (cysec) professionals must integrate with and support. The challenges span non-traditional cysec territory, from legal and privacy aspects to the deployment of administrative, physical, and technical controls. InT teams are typically under-resourced, and InT programs can be over-sold as a component of all-hazards security. The impact of human risks will continue to grow in severity until adequate programs are in place. This paper explores InT through examples that help explain why now is the time for action in the long arc of American ingenuity. The future of the global digital ecosystem is accelerated first and foremost through industry-led human-domain security, which must address not only threats but also the vulnerabilities inherent in the human condition.
INSIDER THREAT DEFINED: Insider Threat (InT) is defined by the Cybersecurity and Infrastructure Security Agency (CISA) as “…the potential for an insider [i] to use their authorized access or special understanding of an organization to harm that organization. This harm can include malicious, complacent, or unintentional acts that negatively affect the integrity, confidentiality, and availability of the organization, its data, personnel, facilities, and associated resources.” [1]
Other elements within the U.S. federal government and industry have relevant definitions that predate CISA’s, since the Department of Homeland Security (DHS) only formally stood CISA up in 2018. In late 2011, President Obama issued Executive Order (EO) 13587, which established the National Insider Threat Task Force (NITTF) jointly under the Director of National Intelligence (DNI) and the Attorney General (AG). [2]
The NITTF, through its designated executive arms, the National Counterintelligence and Security Center (NCSC) and the Federal Bureau of Investigation (FBI), defines InT as “… a threat posed to U.S. national security by someone who misuses or betrays, wittingly or unwittingly, their authorized access to any U.S. Government resource. This threat can include damage through espionage, terrorism, unauthorized disclosure of national security information, or through the loss or degradation of departmental resources or capabilities.” [3] This 2017 definition reads, in part, as a national security risk mitigation in response to the WikiLeaks disclosures.
While there is an array of other definitions across industry and government, these two frame the problem plainly. The formation of the NITTF under counterintelligence auspices, paired with law enforcement expertise, reflects the dual nature of InT. This paper explores InT as a distinctly human-related issue that spans administrative, physical, and technical controls and enablers.
The term “insider threat” sometimes carries negative connotations, which causes confusion about the breadth of its definition. The CISA and NITTF definitions specify that InT includes both intentional and unintentional acts, including those induced by actors outside the organization. Protecting vulnerable human behavior against external manipulation (e.g., reverse social engineering), simple mistakes, and plain ineptitude is at the heart of any good InT program. Common misinterpretations seek someone to blame but fail to recognize the issue’s shared origin in our inherently flawed human condition. Getting organizations to accept InT in a positive light will take a paradigm shift.
InT programs can be a positive experience for their organization, board, and employees. Some aspects of InT programs rekindle older practices, empowering humans to interact with humans. In today’s fragmented working environments, it is very easy to miss the signs and precursors of an insider becoming a threat. Undoubtedly, technology is both here to stay and a key enabler for detecting, and in some cases mitigating, aspects of InT. The key is right-sizing and balancing human capacity with technological advantage. It might be hard, but it is not impossible.
[i] An insider is defined as “any person who has or had authorized access to or knowledge of an organization’s resources, including personnel, facilities, information, equipment, networks, and systems.” [1]
ILLUSTRATIVE InT VALUE: In one case of insider fraud against industry, the U.S. indicted Nickolas Sharp in 2021 and secured a conviction when he pleaded guilty in 2023. He pleaded guilty to three counts: intentionally damaging a protected computer under the Computer Fraud and Abuse Act (Title 18, U.S. Code, section 1030, “Fraud and related activity in connection with computers”), wire fraud, and making false statements to the FBI. [4], [6] Sharp used his corporate access and insider knowledge to exfiltrate credentials, export GitHub repositories (repos), extort his employer, Ubiquiti, while posing as an anonymous hacker demanding a ransom, and ultimately publicly disparage Ubiquiti’s handling of the “cybersecurity incident,” resulting in roughly $4B (about one fifth) of its market capitalization being lost. [5]
Sharp was also a member of the cybersecurity incident response team (CIRT) that handled the very incident he had created, and he misled both colleagues and federal investigators. [6] These deceitful acts illustrate the importance of maintaining and maturing InT programs, as well as an active security culture. Is it possible that Sharp progressed through stages in which his intent became malicious? It is possible that the precursors of Sharp’s behaviors might have been noted sooner, even prevented, in a well-tuned security culture.
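The bulk export of repositories in the Sharp case is the kind of precursor a technical control can surface while the human side of an InT program works out context and intent. The Python below is an added illustration, not code from this paper, from Ubiquiti, or from any source-control vendor: it runs a sliding-window rule over constructed JSON-lines audit records, counts the distinct repositories a single account clones within one hour, flags the account when the count passes a threshold, and enriches the alert with off-hours and external-address indicators. The log fields, the actors “alice” and “bob,” the 10.0.0.0/8 corporate range, the one-hour window, and the threshold of five repositories are all assumptions made for the example.

```python
import ipaddress
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log in a hypothetical JSON-lines schema (not a real vendor
# format). "alice" shows routine daytime activity from the corporate range; "bob" pulls
# many distinct repositories late at night from an outside address, the pattern a
# bulk-export rule should surface.
SAMPLE_LOG = "\n".join(
    [
        '{"ts": "2021-12-01T09:00:00Z", "actor": "alice", "action": "repo.clone", "repo": "web/frontend", "src_ip": "10.1.2.3"}',
        '{"ts": "2021-12-01T09:05:00Z", "actor": "alice", "action": "repo.clone", "repo": "web/backend", "src_ip": "10.1.2.3"}',
        '{"ts": "2021-12-01T10:00:00Z", "actor": "bob", "action": "repo.push", "repo": "infra/terraform", "src_ip": "10.1.4.7"}',
    ]
    + [
        '{"ts": "2021-12-01T23:%02d:00Z", "actor": "bob", "action": "repo.clone", "repo": "%s", "src_ip": "203.0.113.9"}'
        % (40 + i, repo)
        for i, repo in enumerate(
            ["infra/terraform", "infra/terraform", "infra/ansible", "svc/auth",
             "svc/billing", "svc/search", "svc/mail", "svc/notify"]
        )
    ]
)

# Assumption for the example: the organization's internal address space.
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_events(text):
    """Parse JSON-lines audit records into dicts with a timezone-aware 'ts', oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def is_external(ip):
    """True when the source address lies outside every corporate range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in CORPORATE_NETS)


def is_off_hours(ts, start_hour=22, end_hour=6):
    """True between 22:00 and 06:00; the UTC timestamps are treated as local time here."""
    return ts.hour >= start_hour or ts.hour < end_hour


def detect_bulk_export(events, window=timedelta(hours=1), max_repos=5):
    """Flag any actor that clones more than max_repos distinct repositories inside a
    sliding time window. One alert per actor per hot window; repeated clones of the
    same repository count once, so a developer re-pulling one project is not flagged."""
    recent = defaultdict(deque)  # actor -> (ts, repo) pairs still inside the window
    open_alerts = {}             # actor -> alert dict while the window stays above threshold
    alerts = []
    for ev in events:
        if ev["action"] != "repo.clone":
            continue
        actor, ts = ev["actor"], ev["ts"]
        q = recent[actor]
        q.append((ts, ev["repo"]))
        while ts - q[0][0] > window:   # evict events that fell out of the window
            q.popleft()
        distinct = {repo for _, repo in q}
        if len(distinct) > max_repos:
            alert = open_alerts.get(actor)
            if alert is None:
                alert = {
                    "actor": actor,
                    "window_start": q[0][0].isoformat(),
                    "distinct_repos": 0,
                    "off_hours": is_off_hours(ts),
                    "external_ip": is_external(ev["src_ip"]),
                    "src_ip": ev["src_ip"],
                }
                open_alerts[actor] = alert
                alerts.append(alert)
            alert["distinct_repos"] = max(alert["distinct_repos"], len(distinct))
        else:
            open_alerts.pop(actor, None)  # window cooled off; a later burst is a new alert
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_export(parse_events(SAMPLE_LOG)):
        print(a)
```

The rule is a precursor signal, not proof of intent. The obvious false positive is exactly the role Sharp held: a CIRT member legitimately pulling many repositories during an incident, or an engineer onboarding to a new team, will trip the same threshold. That is why the alert carries the off-hours and external-address context rather than a verdict, and why the paper’s emphasis on people talking to people remains the deciding control.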
While Sharp may have evolved into an insider threat, there are cases where people are placed in positions by design so that their access yields the largest bounty and the most enduring access. These are not advanced persistent threats in the network sense, but economic spies, foreign agents, and illegals penetrating deep into an organization and into American culture. They often demonstrate a degree of tradecraft or state-sponsored awareness, techniques, and even training that help them avoid detection. One such case involves a naturalized U.S. citizen who conspired with agents of the People’s Republic of China (PRC) to exfiltrate trade secrets and highly proprietary information, using steganography to hide the files. [7]
Xiaoqing Zheng committed economic espionage so blatantly that he registered conspiring businesses in both the PRC and the U.S. His feeble attempts to obfuscate his actions went unremarked at the time, even though he had deceptively reported his venture to General Electric (GE) Power’s General Counsel as seemingly above board. In reality, Zheng stole turbine technology worth millions on behalf of his co-conspirator (Zhaoxi Zhang) and the PRC’s national interests. [8], [9] The actions of both Zheng and Zhang were tied to a Ministry of State Security (MSS) Sixth Bureau deputy division director, Yanjun Xu. [10] Xu was convicted on all counts of espionage crimes in late 2021 and, in November 2022, sentenced to 20 years in federal prison; he was the first PRC intelligence officer ever extradited to the U.S. to stand trial. [11] This precedent may serve as a deterrent for future MSS operatives targeting industry insiders.
Scale remains a challenge for almost all organizations designated as critical infrastructure and key resources (CIKR). GE Power was able to detect the activity and work with the FBI, rapidly ensnaring the economic spy. The potential damages are staggering: the aerospace manufacturing industry alone stands to lose over $1T over the next two decades. The impact on the U.S. economy, and on the West writ large, is palpable. GE Power is not alone in being targeted by the MSS. [12]
POLICY PROGRESSION: In March 2023, the Biden-Harris Administration announced the U.S. National Cybersecurity Strategy (“the Strategy”). While many national strategies lack detail, this one is effective in its focus and prioritization through “five pillars.” Among the pillars are key focus areas on critical infrastructure, disrupting threat actors, and shaping market forces that affect resilience. The first two pillars indicate a reliance on assets, and therefore a need to protect them, but the authors of the new Strategy might have stumbled upon an overlooked aspect of their own document. [16]
The National Institute of Standards and Technology (NIST) defines an asset as “the data, personnel, devices, systems, and facilities that enable the organization to achieve business purposes.” [14] Whether or not the drafters of the Strategy fully comprehended the terms they used, they have enabled a reckoning of asset management between the U.S. federal government and industry partners not seen since the 1930s. In this release, the highest executive office signaled the importance of increasing CIKR security measures and ensuring national resilience, prioritizing assets (which include people) among its objectives. [16] The Strategy articulates the importance not only of protecting assets but of reducing human-asset risk from external threats.
People seem to be making the same mistakes they made in the 1930s, too. Recently, an Air National Guardsman with no clear reason for access to sensitive intelligence was arrested for allegedly leaking classified national intelligence. That he had access to such alarmingly detailed intelligence is not the most important point in his case. There were documented precursors to Teixeira’s leaks that are known to have gone largely unaddressed. [15] Teixeira is alleged to have used Discord, an online chat platform largely serving the gaming community, to disseminate intelligence. Questions of both why Teixeira had access and what his supervisors did to uphold departmental need-to-know policies have already come under scrutiny, and rightfully so. What policy response should we expect? Or has it already been communicated in the recent Strategy? The time to address how we respond is now.
The problem, and attempts to address InT through policy, are both bending upward. National Security Presidential Memorandum 33 (NSPM-33), Presidential Policy Directive 21 (PPD-21), PPD-41, EO 13800, EO 13691, and EO 13636 (among others) have each attempted to move federal agencies and the private sector out of inaction and uncertainty. [16] While the U.S. has no omnibus cybersecurity policy, the Strategy forms a healthy way forward through a prioritized lens, ultimately enabling private-sector autonomy with an eye to an enhanced whole-of-community security posture. The natural next step is to enable civil and industry partners to mitigate risk.
WHY NOW: It might seem obvious at this moment why InT program focus is largely missing across industry and government. Experience tells us that many of these nuanced challenges behave like a pendulum. InT program cost-benefit analysis is often brushed aside: the return on investment is not always clear, and it requires a degree of business impact analysis that is largely absent. Remarkably, most organizations, regardless of sector, fall into this category. Trends and statistics paint a bleak picture that may help demonstrate the need for an InT program.
By late 2020, InT-related disruptions were reported to exceed 150 per year in the U.S. InT-related data breaches were trending upward at 47% year over year, with related costs lagging slightly at 31%. Each reported event cost organizations between $500K and $3M through the courts, putting the overall U.S. figure somewhere between $75M and $450M per year. In indirect costs, organizations reported that between 20 and 40 percent of staff resigned or moved on after each event, and each organization experienced about a 50% reduction in productivity. These figures were largely based on pre-COVID scenarios. [1] The cost is not yet catastrophic but is rapidly rising.
Since the onset of COVID, remote working environments have placed greater pressure on cysec organizations to identify, protect, detect, and respond to remote access security issues. Applying the CARVER target-analysis model [17] to illicit access, the adversary’s cost of obtaining remote access is going up. With ever more endpoint protection, enhanced security orchestration, automation, and response (SOAR) technology stacks, and improved intrusion detection/prevention systems (IDS/IPS), adversaries are looking at insiders as a more effective return on investment. There are opportunities to flip the script, enabling industry in line with a renewed focus on CIKR-designated organizations.
CIKR-designated organizations that apply a sound, security-centric culture, enabling model employees while watching for outliers, would change the human aspect of security. Adversaries looking to exploit American free markets might find themselves in a very different landscape than anticipated. An overwhelming, even catastrophic, success might take the form of relieving non-security-minded professionals from a field that admires, gravitates towards, and nurtures security-minded concepts and people.
CONCLUSION: We stand at a crossroads in American history. What lies ahead is not yet known. Based on the concerns in the recent National Security Strategy and related strategies and policies, we are empowered to take up arms. [18] Tackling the human component of security has never been more complex. Likewise, it has never had more focus and attention. How we answer the call to arms will dictate the aggregate success we achieve through our business interests and national security mechanisms. Does a SOAR deployment protect our CIKR-designated organizations adequately, or are there more human-domain security solutions we can consider and enact that solve bigger parts of the hardest problem? Securing the human domain is our mandate. The time is now!
References:
[1] CISA and S. Harris, “Insider Threat Mitigation Guide,” Nov. 2020. [Online]. Available: https://www.cisa.gov/resources-tools/resources/insider-threat-mitigation-guide (accessed Apr. 14, 2023).
[2] ODNI, “National Insider Threat Task Force (NITTF).” [Online]. Available: https://www.dni.gov/index.php/ncsc-how-we-work/ncsc-nittf (accessed Sep. 24, 2022).
[3] ODNI, “National Insider Threat Task Force Mission Fact Sheet.” [Online]. Available: https://www.odni.gov/files/NCSC/documents/products/National_Insider_Threat_Task_Force_Fact_Sheet.pdf (accessed Apr. 14, 2023).
[4] “18 U.S.C. § 1030: Fraud and related activity in connection with computers.” [Online]. Available: https://uscode.house.gov/view.xhtml?req=(title:18%20section:1030%20edition:prelim) (accessed Mar. 18, 2023).
[5] U.S. Department of Justice, “Nickolas Sharp Indictment (Redacted), 21 CRIM 714 (S.D.N.Y.),” Nov. 18, 2021. [Online]. Available: https://www.justice.gov/usao-sdny/press-release/file/1452706 (accessed Mar. 18, 2023).
[6] U.S. Department of Justice, “Former Employee of Technology Company Pleads Guilty to Stealing Confidential Data and Extorting Company for Ransom,” 2023. [Online]. Available: https://www.justice.gov/usao-sdny/pr/former-employee-technology-company-pleads-guilty-stealing-confidential-data-and (accessed Apr. 14, 2023).
[7] United States v. Xiaoqing Zheng, No. 1:19-CR-156. [Online]. Available: https://casetext.com/case/united-states-v-zheng-11 (accessed Apr. 14, 2023).
[8] U.S. Department of Justice, “Former GE Engineer and Chinese Businessman Charged with Economic Espionage and Theft of GE’s Trade Secrets,” 2019. [Online]. Available: https://www.justice.gov/opa/pr/former-ge-engineer-and-chinese-businessman-charged-economic-espionage-and-theft-ge-s-trade (accessed Apr. 14, 2023).
[9] U.S. Department of Justice, Northern District of New York, “Former GE Power Engineer Sentenced for Conspiracy to Commit Economic Espionage,” 2023. [Online]. Available: https://www.justice.gov/usao-ndny/pr/former-ge-power-engineer-sentenced-conspiracy-commit-economic-espionage (accessed Apr. 14, 2023).
[10] United States v. Yanjun Xu, No. 18-cr-00043. [Online]. Available: http://bit.ly/2QuMh3l
[11] U.S. Department of Justice, “Chinese Government Intelligence Officer Sentenced to 20 Years in Prison for Espionage Crimes, Attempting to Steal Trade Secrets From Cincinnati Company,” Nov. 16, 2022. [Online]. Available: https://www.justice.gov/opa/pr/chinese-government-intelligence-officer-sentenced-20-years-prison-espionage-crimes-attempting (accessed Apr. 17, 2023).
[12] CBS News, “How China developed its first large domestic airliner to take on Boeing and Airbus,” Apr. 2023. [Online]. Available: https://www.cbsnews.com/news/china-domestic-airliner-c919-plane-boeing-airbus/ (accessed Apr. 14, 2023).
[13] The White House, “Executive Order on Protecting Americans’ Sensitive Data from Foreign Adversaries,” Jun. 09, 2021. [Online]. Available: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/06/09/executive-order-on-protecting-americans-sensitive-data-from-foreign-adversaries/ (accessed Nov. 23, 2022).
[14] NIST Computer Security Resource Center, “asset — Glossary.” [Online]. Available: https://csrc.nist.gov/glossary/term/asset (accessed Apr. 14, 2023).
[15] B. Rosen, “The Teixeira Disclosures and Systemic Problems in the U.S. Intelligence Community,” Just Security, Apr. 2023. [Online]. Available: https://www.justsecurity.org/85991/the-teixeira-disclosures-and-systemic-problems-in-the-u-s-intelligence-community/ (accessed Apr. 14, 2023).
[16] The White House, “FACT SHEET: Biden-Harris Administration Announces National Cybersecurity Strategy,” Mar. 02, 2023. [Online]. Available: https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/02/fact-sheet-biden-harris-administration-announces-national-cybersecurity-strategy/ (accessed Apr. 14, 2023).
[17] “What is CARVER?” [Online]. Available: https://www.smiconsultancy.com/what-is-carver (accessed Mar. 20, 2023).
[18] The White House, “National Security Strategy,” Oct. 2022. [Online]. Available: https://www.whitehouse.gov/wp-content/uploads/2022/10/Biden-Harris-Administrations-National-Security-Strategy-10.2022.pdf (accessed Apr. 14, 2023).