Insider Threat: The Shift from Report to Support
Transportation is a critical component of modern life, and the ability to get people and goods from one location to another is essential. The Santa Clara Valley Transportation Authority (VTA) provides bus, light rail, and paratransit services for a region of Northern California that is home to Silicon Valley.
Its more than 2,000 employees continued to report to work throughout the unprecedented challenges of 2020, helping customers get to where they needed to be and providing essential services to transit-dependent and disabled individuals who rely on the system for groceries, access to doctor’s appointments, and more.
And then, tragedy struck at work. Samuel Cassidy, 57, went to an early morning union meeting at one of the system’s light-rail maintenance yards on 27 May 2021 and opened fire. He killed eight of his coworkers before dying by suicide as police arrived on the scene. A later investigation would find that Cassidy was unhappy with his work and held numerous grievances toward his employer and colleagues.
Evelynn Tran, interim VTA general manager and general counsel, wrote in a statement that she was struck by the courage that VTA employees had shown throughout the pandemic and in the immediate aftermath of the shooting but said that more must be done to support them. That included making VTA employees the top priority by shutting down the light rail system.
“At this point, it is impossible to estimate when service can be restored,” she wrote. “There are many factors involved in restoring service, most importantly the human factor.”
The incident was the third workplace shooting in less than two months in 2021 in the United States, a higher number than previous years based on analysis by the Associated Press, USA Today, and Northeastern University. Their analysis found that the United States averages roughly one workplace mass shooting per year. Mass shootings are defined as shootings where four or more people were killed.
These incidents represent some of the most catastrophic damage that an insider can do to his or her organization. Other incidents can range from assaults to intellectual property theft to disclosure of corporate secrets, leaving physical, reputational, and emotional damage in their wake.
Insider threat incidents are more common than one might think. A recent assessment by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) found that more than 2 million people report some type of workplace violence each year, with approximately 25 percent of workplace violence going unreported.
Additionally, 90 percent of cybersecurity professionals believe their organizations are vulnerable to insider threats, which cost a median of $4.45 million to recover from and take 314 days to identify and contain, according to CISA.
And the reasons why an insider might be compelled to lash out at work have been exacerbated by the COVID-19 pandemic.
“This has been a unique risk environment, and it’s continuing,” says Rebecca Morgan, deputy director of the National Insider Threat Task Force at the National Counterintelligence and Security Center (NCSC). “We have a risk environment where we have an incredibly stressed-out workforce, people are dealing with financial insecurity, medical and mental health isolation, and then trying to get a mission accomplished at the same time.”
A recent employee survey from Gallup found that 45 percent of people said their own life had been affected “a lot” by the COVID-19 pandemic and that only 20 percent of employees were engaged at work.
“In addition, Gallup has found that roughly seven in 10 employees are struggling or suffering, rather than thriving, in their overall lives,” wrote Jim Clifton, Gallup chairman and CEO, in the State of the Global Workforce: 2021 Report. “Eighty percent are not engaged or are actively disengaged at work.”
The findings reflect a trend that Gallup has been tracking for the past decade: negative emotions are on the rise, and employee mental health may get worse. Unfortunately, many organizations lack data on employee wellbeing, burnout, or resiliency.
“Measuring employee mental health is critical. Besides destroying lives, suffering can destroy the human spirit that drives innovation, economic energy, and eventually, good jobs,” Clifton added.
It can also create a dynamic where employees may leave—sometimes in mass numbers. A Microsoft survey of 30,000 global workers found that more than 41 percent were considering quitting or changing their profession. Additionally, 4 million Americans quit their jobs in April 2021 alone, marking the biggest spike of resignations in U.S. employment history.
“There are a number of reasons people are seeking a change, in what some economists have dubbed the ‘Great Resignation,’” according to the BBC. “For some workers, the pandemic precipitated a shift in priorities, encouraging them to pursue a ‘dream job,’ or transition to being a stay-at-home parent. But for many, many others, the decision to leave came as a result of the way their employer treated them during the pandemic.”
All of this—combined with many workforces moving out of corporate offices and into home offices—created a perfect storm where insider threats can thrive. “And we know, unequivocally, that our adversaries are prepared to take advantage of these situations and exploit them,” Morgan adds.
A Prevention Paradigm Shift
In 2010, WikiLeaks published a trove of classified documents about the Iraq and Afghanistan wars—including a video of a helicopter crew opening fire on a group of people, two of whom were Reuters news agency employees.
Its source? U.S. Army intelligence analyst Chelsea Manning, who downloaded U.S. military reports onto her personal laptop and provided them to WikiLeaks. She had learned about the organization during a security training course she attended while in the Army.
In an interview with The New York Times after then-U.S. President Barack Obama commuted her prison sentence, Manning said that she was initially intrigued by the work that WikiLeaks was doing and wanted Americans to see what was happening in the Middle East as she saw it.
Months later, after WikiLeaks published the leaked materials, Manning was arrested, court-martialed, and sentenced to 35 years in prison. It was a personal reckoning for her, but also for how the U.S. government addresses insider threats—especially since it came on the heels of an active shooter incident at Fort Hood when U.S. Army Major and Medical Corps psychiatrist Nidal Hasan killed 13 people and injured more than 30 others.
In October 2011, Obama signed an executive order creating the National Insider Threat Task Force (NITTF) to deter, detect, and mitigate actions by employees who may represent a threat to national security. The order instructed the NITTF to develop a national insider threat program with supporting policy, standards, guidance, and training under the guidance of the U.S. attorney general and the director of national intelligence.
The NITTF was designed to create a new paradigm in addressing insider threats. Originally, the U.S. government took a more traditional law enforcement approach to insider threat detection and management, essentially addressing the risk only after an incident, Morgan says.
“In many cases, there were precursors of behavior that, if identified and addressed, might have prevented the loss of insider information or—in some cases—tragedy,” she says. “The new policy mandated that insider threat be managed in a proactive manner by a team that adds in human resources folks, employee assistance, mental health and behavioral, legal counsel, and cybersecurity.”
Creating this type of team recognized that insider threats may have malicious intent—seeking to harm the organization or coworkers—or they could be individuals who need help and are looking for their employer to step in to provide it.
“We have invested a tremendous amount in our national security workforce, and it is in everyone’s interest to help someone who may feel he or she has no other option than to commit an egregious act—such as espionage, unauthorized disclosure, suicide, workplace violence, or sabotage,” according to an NITTF fact sheet.
A crucial component of insider threat prevention, mitigation, and response is understanding the human factor—what an employee’s baseline of normal is and when that individual is deviating from it.
“These programs are designed to help folks,” Morgan says. “We like to use the phrase, ‘Turning people around, not turning them in.’ Our goal is to get ahead of any negative action.”
Achieving this goal requires having an insider threat program in place; an awareness strategy to share information with the entire workforce on the risk, indicators of a potential problem, and how to report them; and then a method to address reports quickly. It also includes reassessing communication strategies and support for the workforce, such as sharing information on mental health and other employee support resources during the COVID-19 pandemic.
“One of the things we put out, beginning around spring 2020 and then going into summer, was resources on personal resilience,” Morgan explains. “It encouraged insiders to harden the target, make themselves aware of their susceptibility, and giving them tools to facilitate their own mental health and wellness while reinforcing the idea that it’s okay to struggle.”
At the same time, Morgan’s former director, Bill Evanina, and then Michael Orlando, acting director of national intelligence, released memos clarifying that people would not lose their clearances for minor financial issues, seeking mental health counseling, or asking for support.
“We want folks to get help,” Morgan says. “2020 was a horrible year for everyone, but any given year someone in your staff is having a terrible time or a crisis; they’re going through a divorce, etc. Insider threat programs are not designed to call people out—they’re designed to facilitate help and resources.”
Outside the House
If you can’t break into a building yourself, one of the best ways to obtain access is to recruit someone who already has a key. Recruitment of insiders to provide information on their employers or share government secrets is nothing new.
“There are also unwitting insiders who can be exploited by others,” the NITTF fact sheet said. “Our adversaries have become increasingly sophisticated in targeting U.S. interests, and an individual may be deceived into advancing our adversaries’ objectives without knowingly doing so.”
For instance, Jon Ford, managing director at Mandiant who works with government agencies and corporations on insider threat and risk management, has seen a trend develop since 2020 where threat actor groups from foreign countries target employees at organizations to recruit them to provide sensitive information—sometimes even unwittingly, such as an employee accidentally opening an email attachment that is then used to launch a corporate espionage attack.
“In the last 90 days, we’ve notified 15 organizations that eastern European groups were looking to recruit individuals to specific companies and were advertising that they would welcome their support and pay for their access into those systems,” Ford tells Security Management in a May 2021 interview. “We were able to notify these companies—some of which were clients.”
External threat actors, especially nation states, have been conducting campaigns, with a particular interest in medical research. This includes COVID-19 research, as well as cancer and other major disease research initiatives that were underway before the pandemic. Insiders committed 59 percent of healthcare data breaches, with another 4 percent involving partners with authorized access, according to the 2021 Verizon Data Breach Investigations Report (DBIR). Broadly speaking, external threat actors outpaced internal actors in 2021, Verizon found, with external actors responsible for 61 percent of breaches and internal actors responsible for the remaining 39 percent.
“The insider breaches that were maliciously motivated have not shown up in the top three patterns in healthcare for the past several years,” wrote the authors of Verizon’s 2021 DBIR. “But does this mean they are no longer occurring, or are they still around but we just aren’t catching them (like Bigfoot)? Only time will tell.”
In acknowledgement of this threat, the Center for Development of Security Excellence released an implementation guide for insider risk programs for the healthcare and public health sector in August 2020.
One concerning trend is for threat actors to recruit an individual in an IT administration or security role who has a working knowledge of the technology controls in place to detect and monitor insider activity.
“We’ve done responses to organizations where an individual in IT actually suppressed alerts to ensure their activity was not flagged further up,” says Ford, whose background is in investigating insider threats for the FBI. “One individual was stealing millions (of dollars); another person was stealing intellectual property.”
In another incident, a client asked Ford and his team to assess a situation where executives believed an external hacker had gained access to their organization. After a review, Ford says they determined it was actually two of the client’s contractors who “believed they were smarter than the company they worked for, and wanted to prove it,” Ford says. “They started calling in bomb threats, which led to evacuation of buildings. It got out of hand for what they intended.”
Threats like this show that while having technological resources in place to detect and monitor network activity is beneficial, they are not enough to stop insider threats.
“For insider threat, there is not a technology solution that’s holistic,” Ford says. “If you’re going to have a full insider threat program, it’s complementary to the technology. It has to consider people, processes, and tools.”
More Help
Since the executive order creating the NITTF was rolled out in 2011, Morgan says the U.S. federal government has been successful at establishing an insider threat program that closely mirrors the federal policy guidelines. It also worked to promote best practices to the private sector, primarily in the critical infrastructure space that is largely owned and operated by private organizations.
“We’ve tried to pause and come together to identify the reasons for these policies and bring awareness to the general public by demystifying insider risk programs,” she adds. “People, in the past, have perceived them as big brotherish—someone is watching you all the time.”
Instead, Morgan says it’s important to explain why insider threat programs exist and use them to identify risky individual behavior and organizational culture that could increase the threat.
“Sometimes it’s poor management or lack of transparency or toxicity in the workplace,” she says. “We work with organizations to remediate those items.”
Understanding workplace dynamics and being culturally competent play a role in mitigating insider threats. This is one of the reasons that the NITTF created the theme of “Cultural Awareness and Insider Threat” for September’s National Insider Threat Awareness Month (NITAM).
“A culturally competent organization has the capacity to introduce and integrate various cultures or subcultures in order to produce better outcomes and enhance operational effectiveness,” according to the Center for Development of Security Excellence’s Understanding the Intersection of Cultural Competence and Organizational Risk. “In the context of insider risk, better outcomes and enhanced operational effectiveness can be measured by the successful prevention, detection, deterrence, and mitigation of the potential insider threat in all of its manifestations: cyber threats, espionage, fraud, sabotage, trade secret theft, unauthorized disclosure, mishandling classified information, and kinetic violence.”
Highlighted as a sub-theme this year is the risk of toxic workplaces and leaders—such as individuals who put their own needs or image above their subordinates, micromanagers, or insecure leaders.
“This type of leadership can perpetuate a toxic work environment, and is often marked by poor communication, constant stress, regular infighting, mental or physical abuse, and stressed relationships amongst coworkers,” according to a NITAM stakeholder communications guide. Also highlighted are top–down culture, microaggressions in the workplace, and work–life stressors.
Identifying these elements in the workplace and working to reduce or eliminate them can proactively lower insider threat risks, the Center for Development of Security Excellence has found.
“Insiders at risk of causing harm to themselves, harm to others, or damage to their organizations often display concerning behaviors that result from a combination of personal predispositions and an inability to cope with life stressors,” according to the center’s report. “These stressors that are frequently generated in the workplace can be caused by a hostile, toxic, and harmful work culture. Certain organizational cultures may cause or intensify stressors for members of its community and increase the risk of a potential threat. If this risk is not mitigated, then it can lead to exceptionally grave damage.”
In response to the rise in workplace physical violence, CISA has also crafted a de-escalation series for insider threat that complements its existing Insider Threat Mitigation Guide, says Susan Schneider, active assailant security branch chief at CISA. As of Security Management’s press time, CISA planned to release the de-escalation series during the third quarter of 2021.
Many critical infrastructure owners and operators that CISA works with began asking for resources on de-escalation and intervention strategies as they implemented their insider threat plans.
Schneider says CISA looked at an existing de-escalation training created by the Oakland Public Library system, which has nine techniques for employees to use when interacting with an unruly or upset visitor or colleague. CISA also looked at techniques used in healthcare for calming down agitated patients.
“We did not want it to be a law enforcement approach,” Schneider says. “We wanted it to be from a space where anyone can de-escalate a situation—calming the situation by talking to an individual.”
Engaging people and talking to them is not only a good security strategy that lets someone know you’re aware of their presence, but also beneficial for building a good organizational culture where people can share their stressors and feel supported by their colleagues.
“I may have a bad day and spout off about how bad it’s going to be, but that day doesn’t mean I’m going to go down the path of violence,” Schneider says. “The good thing about the remote work environment is it forces you to talk to individuals and have team meetings. Communication is better, and people will share with you so you can determine what their baseline of behavior is.”
The Power of Hello
Organizations, especially critical infrastructure ones, face a variety of threats from internal and external actors. Combatting these threats can be complicated, but it can also start with a simple step of saying “hello,” according to the U.S. Cybersecurity and Infrastructure Security Agency (CISA).
“Used effectively, the right words can be a powerful tool,” CISA says. “Simply saying ‘Hello’ can prompt a casual conversation with unknown individuals and help you determine why they are there.”
CISA recommends using the OHNO approach: Observe, Initiate a Hello, Navigate the Risk, and Obtain Help. This can help employees observe, evaluate suspicious behaviors, and empower them to mitigate potential risk or obtain help when necessary.
For more information on the OHNO approach, visit CISA’s dedicated Web page.
Megan Gates is senior editor for Security Management. Follow her on Twitter: @mgngates.