At a time when nation-states and hacker-activists worldwide are increasingly infiltrating US networks to steal sensitive information, the allegations against Pfc. Bradley Manning highlight a cybersecurity threat that might be just as dangerous.
Private Manning on Thursday enters the seventh and perhaps final day of his pretrial hearing to determine whether he should face a full court-martial on charges of stealing and leaking US intelligence to the WikiLeaks website.
Among its accusations against Manning, the US government says he walked out of a US military base in Iraq with a compact disc labeled "Lady Gaga" that actually held more than 251,000 secret State Department diplomatic cables.
If true, the case shows the "insider" cyberthreat to companies, governments, and organizations. The attacks can range from disgruntled employees shutting down 1,000 company mobile phones at once to insiders altering computer code to hide any record of money they have stolen.
The trend lines for insider attacks are not as dramatic as those for outside attacks. Indeed, they have mostly held steady for a decade. But a 2011 survey found that nearly half of the organizations it polled reported an “insider incident” last year, suggesting the threat remains significant – and perhaps overlooked.
"Companies today are going to greater lengths to keep outsiders and nation-states out of their networks, yet insiders come to work every day,” says Dawn Cappelli, technical manager of the CERT Insider Threat Center, a division of the federally funded Software Engineering Institute at Carnegie Mellon University in Pittsburgh, Pa.
“Most of these malicious insiders do what they do every day," she adds.
During the past decade CERT has documented more than 700 cases of insider cyberattacks by previously trusted people at the computerized heart of many organizations.
The 2011 Cyber Security Watch Survey found that 43 percent of the 607 organizations queried had an "insider incident" in the past year. That figure sits between the 2006 peak of 55 percent and the 2005 low of 39 percent.
The report also suggested that insider attacks are in many cases more damaging than outsider attacks. One-third of respondents said insider attacks were more costly than other types of attack, whereas 38 percent said attacks by outsiders were more costly.
Insider attacks break down into four main categories:
- Sabotage of company computers.
- Theft of proprietary information.
- Release of sensitive data.
- Fraud, such as altering systems to divert money or conceal theft.
Ms. Cappelli of CERT has seen it all.
One company's mobile devices were suddenly disabled for nearly 1,000 employees, grinding sales and delivery operations to a halt for days, she wrote in a June report. A network architect who had resigned after being demoted had programmed the cyber "bomb" to go off three months to the day after his resignation.
In another instance, a company sued a former programmer who was discovered selling a competing product at a trade show. Investigators found copies of the company's source code on his home computer, stolen on his last day of work there, Cappelli's report recounts.
Fraud is usually a longer-term, more subtle insider attack, she notes. A financial company’s audit discovered a $90,000 discrepancy in a software engineer's personal loan account. As it turns out, the employee had modified critical source code to siphon off money to cover fraudulent personal loans he had created.
And the 700 cases documented by CERT are just the tip of the proverbial iceberg, since most cases never see the light of day.
"I've led about 71 major insider threat investigations over the last 12 years, none of which have become public to date," says Paul Williams, director of security services for White Badger Security, a security company in Breinigsville, Pa. "It's often the people in charge who are the problem. Network administrators in charge of the security systems of those companies accounted for about half of all those cases."
Even social networks have become a security threat. "It's really a new vulnerability: Employees talking about products, big contracts, bragging to friends and family on these sites," says Michael Rustad, codirector of the Intellectual Property Program at Suffolk University Law School in Boston. "Then it turns out to be a violation of a trade secret."
What's needed is a better awareness of how to lessen the risks, experts say.
Restricting access is vital. The State Department has completely revised its access privileges in the wake of the Manning case. Many observers say he should never have been allowed access to documents he didn’t need for his work.
"Companies need to do a better job with basic security measures as simple as performing background checks on employees and limiting their access to highly sensitive information," says Fernando Pinguelo, a trial lawyer and partner at Norris, McLaughlin & Marcus, specializing in technology law.
Another easy step is monitoring the network activity of employees who have been fired or demoted for at least a month before and after they leave the company, Cappelli notes.
Research has shown gains in automated monitoring to detect insider threats, such as the accessing of sensitive files by the wrong people or at the wrong time. But for now, humans are still the best detectors.
"Yes, the research is there and automated tools will emerge in due course," writes Shambhu Upadhyaya, a researcher at the University at Buffalo. But today, a "completely automated tool doesn't exist."
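To make the two checks described above concrete (an HR-driven watch window of a month on either side of a departure or demotion, and sensitive-file access by the wrong person or at the wrong time), here is a small triage pass over constructed audit-log lines. It is example code written for this page, not CERT's tool or any vendor's product; the users, groups, dates, paths, thresholds and log format are all invented. It adds one further check that the Manning allegation suggests: a per-user daily volume threshold on reads of sensitive data, the pattern of someone copying an entire archive.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Hypothetical policy knobs (assumptions for this example).
WATCH_WINDOW = timedelta(days=30)          # a month before and after the HR event
BULK_BYTES_PER_DAY = 50_000_000            # sensitive bytes read per user per day
BUSINESS_HOURS = (time(7, 0), time(19, 0))

# Hypothetical HR feed: user -> date of resignation, firing or demotion.
HR_EVENTS = {
    "jdoe": datetime(2011, 11, 15),
    "asmith": datetime(2011, 12, 1),
}
# Hypothetical data classification: sensitive share -> groups allowed to read it.
SENSITIVE_PATHS = {
    "/srv/source": {"dev-team"},
    "/srv/finance": {"finance"},
}
# Hypothetical directory group membership.
GROUPS = {"jdoe": {"dev-team"}, "asmith": {"sales"}, "bjones": {"finance"}}


@dataclass(frozen=True)
class Finding:
    user: str
    ts: datetime
    path: str
    reasons: tuple


def parse_line(line):
    """Constructed log format: '<ISO-8601 ts> <user> <action> <path> <bytes>'."""
    ts, user, action, path, nbytes = line.split()
    return datetime.fromisoformat(ts), user, action, path, int(nbytes)


def sensitive_root(path):
    """Return the sensitive share a path falls under, or None."""
    for root in SENSITIVE_PATHS:
        if path == root or path.startswith(root + "/"):
            return root
    return None


def in_watch_window(user, ts):
    """True if the event lies within WATCH_WINDOW of the user's HR event."""
    event = HR_EVENTS.get(user)
    return event is not None and abs(ts - event) <= WATCH_WINDOW


def triage(lines):
    """Per-event findings on sensitive reads: wrong person, wrong time,
    or a reader who is inside their departure/demotion watch window."""
    findings = []
    for line in lines:
        ts, user, _action, path, _nbytes = parse_line(line)
        root = sensitive_root(path)
        if root is None:
            continue  # non-sensitive paths are retained for review, not alerted
        reasons = []
        if not (GROUPS.get(user, set()) & SENSITIVE_PATHS[root]):
            reasons.append("wrong-person")
        if not (BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]):
            reasons.append("wrong-time")
        if in_watch_window(user, ts):
            reasons.append("departure-window")
        if reasons:
            findings.append(Finding(user, ts, path, tuple(reasons)))
    return findings


def bulk_readers(lines, threshold=BULK_BYTES_PER_DAY):
    """(user, day) pairs whose sensitive reads exceed the daily threshold."""
    per_day = defaultdict(int)
    for line in lines:
        ts, user, _action, path, nbytes = parse_line(line)
        if sensitive_root(path):
            per_day[(user, ts.date())] += nbytes
    return {k: v for k, v in per_day.items() if v > threshold}


# Constructed sample log lines for the example.
SAMPLE_LOG = """\
2011-11-20T02:14:00 jdoe READ /srv/source/core/auth.c 120000
2011-11-20T02:15:00 jdoe READ /srv/source/core/db.c 90000
2011-11-22T10:00:00 bjones READ /srv/finance/ledger.db 4000
2011-11-22T10:05:00 asmith READ /srv/finance/ledger.db 4000
2011-12-03T11:00:00 asmith READ /srv/sales/forecast.xlsx 2000
2011-12-05T14:00:00 bjones READ /srv/finance/archive.tar 60000000
""".splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.ts:%Y-%m-%d %H:%M} {f.user:<7} {f.path:<32} {', '.join(f.reasons)}")
    for (user, day), total in bulk_readers(SAMPLE_LOG).items():
        print(f"{day} {user:<7} bulk read of sensitive data: {total} bytes")
```

On the sample data this flags jdoe's two after-hours source reads five days after resigning, asmith's read of a finance share he has no group membership for during his demotion window, and bjones's single-day 60 MB pull from the finance share even though bjones is an authorized reader with no HR event. The last case is the point Cappelli makes: an insider "doing what they do every day" is only distinguishable by volume, timing, or a change in circumstances, so the HR feed and the classification data are as important as the log itself.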