10
The Insider Threat
A primary reason for considering Internet vetting is the fundamental
changes that have occurred since the 1970s in the workplace, and since
the early 1990s on networked computers. The insider threat deserves in-depth
analysis, because it has such a large impact on all types of organizations,
but that will be left for another day. Studies on industrial crimes,
shrinkage, losses ascribed to embezzlement, and espionage have shown
increases in insider crime for the past twenty to thirty years. However,
the relevance of survey statistics in a field with so little tangible, public
evidence is minimal. Are we seeing better reporting, better detection, or a
higher incidence of insider crime? We certainly are seeing a higher level of
attention paid to the insider threat in government and industry.
The insider threat is not well understood outside the confines of the
individual enterprise because statistical record keeping and reporting
are inconsistent at best. Like economic espionage, the problem has been
addressed over time much more rarely by law enforcement than by internal
investigations and administrative resolutions. Most of the time, in my
experience, the perpetrator is laid off, fired, or otherwise moved out. I am
aware of some instances where felony crimes were addressed internally,
and the employee retained, because of the wishes of high-ranking executives.
In any case, insider threat mitigation varies greatly.
As mentioned in earlier chapters, an insider with access to information
systems, networks, and data is in a position to do great damage to the
enterprise with substantially less prospect of detection than in the physical
world. After all, the data remain in the possession of the employer,
even if the insider copies those data and sells them to the highest bidder.
INTERNET SEARCHES FOR VETTING, INVESTIGATIONS, AND INTELLIGENCE
From the standpoint of vetting applicants and insiders, employers need
to include online behavior, from both intranet and Internet sessions, in
evaluations of eligibility. The consequence of omitting online behavior is
that insiders will not be evaluated in the one dimension where they can
probably do the most damage, and cause the greatest losses. As we have
learned from studies of espionage and financial services embezzlement,
people initially cleared have gone on to commit the crime even though
their initial background investigations and even updates and periodic
polygraphs favored continued clearances.[1] This suggests that without
periodic reinvestigations and reviews, insiders can commit serious crimes
against their employers undetected.
Security, intelligence, and law enforcement practitioners sometimes
think too narrowly of venue and territoriality in connection with securing
the enterprise. Work computing has moved off campus, and into hotel
rooms, airports, coffee shops, and homes. Symantec and IDC estimate that
73% of the workforce will be mobile by the end of 2011. “Whether inside
the employer’s space or cyberspace or outside, the vulnerabilities of
work-related data are increasing,” Symantec’s white paper said. According to
industry analysts, 70 percent of security incidents resulting in data loss
are perpetrated by insiders. Risk assessment studies by Symantec reveal
that an organization with 20,000 employees is likely to suffer up to 400
potential data loss incidents per day.[2] To be perfectly clear, the
vulnerability includes vital employer data processed on both work-issued and
personal devices, at rest and in transit, at work and outside.
Recent conversations with intelligence, defense, and law enforcement
leaders indicate that some cyber vetting is under way. Several agencies
(which will go unnamed) ask candidates to sit down with a background
investigator, log on to Internet services they often use, and take a tour of the
content together. Agency leaders believe that this is the best way to review
postings (which may be accessible to anyone, or many people) and verify
that they are appropriate for an employee of whom the highest behavioral
standards will be expected. Asking the candidate to log on also avoids the
potentially problematic option of asking for passwords. Not all agencies
then follow up with independent searches, designed to ascertain whether
the candidate has revealed all the relevant online activities. Concealment
is one of the most common potential problems found among applicants.[3]
While it is good to know that the agencies with the highest stakes (i.e.,
those whose employees hold the highest clearances, carry weapons on
duty, and must keep secrets) are beginning to address Internet vetting, it
is clear that the process is not uniform or well developed.
