Æther-ASOR

Insider Threats

  • Published

Insider Threats edited by Matthew Bunn and Scott D. Sagan. Cornell University Press, 2016, 181 pp.

Dealing with modern protection strategies for corporate or government organizations requires recognizing the biggest threat at any time: insiders who combine knowledge of internal practices with malicious intent. Insider Threats, a five-paper collection edited by Matthew Bunn and Scott D. Sagan, examines case studies and then extrapolates how those lessons could be used in defending nuclear facilities. Though the editors narrow the focus, the insights gained will be valuable for anyone in the protection field as the cases examine a wide spectrum of topics. Each chapter follows a similar format in first developing a framework, discussing basic elements, and then applying the framework to the selected case. Many paper compilations suffer from a lack of directed focus, but Insider Threats performs admirably by keeping the selections on target for the desired outcome. 

All insiders—whether competent, malicious, or ignorant—pose some potential organizational threat, with those risks categorized by worker as active, passive, or violent. The leading influences that transform insiders from productive worker to threat include self-motivation, recruitment by others, infiltration, nonmalicious errors, or coercion by other actors. The editors contend that insider threats pose two central challenges. First is complacency through managers refusing to accept that those they work with daily can cause the greatest harm. Second is an aura of secrecy surrounding many critical facilities about practices and procedures so that shared learning between sites becomes impossible. Many site managers feel that admitting any breach, through any forum, creates new security problems rather than increased security across the industry. Case studies demonstrate why organizations must overcome complacency and determine a method for unveiling internal practices. The editors offer potential mitigations for ten worst practices.

From the presented cases, Amy Zegart’s analysis of the Fort Hood attack involving US Army insider Nidal Malik Hassan stands out. The chapter discusses three organizational failures leading to the attack: identifying Hassan’s clear radicalization, placing the right security skill sets in the right places, and accurately assessing insider threats. Zegart follows similar trends to her earlier book Spying Blind (2007) that discussed 9/11’s organizational intelligence failures. The first organizational failure occurs when Hassan contacts known extremist Anwar al-Awlaqi through email almost a full year prior to the Fort Hood attacks (50). The FBI intercepts the initial and subsequent emails but passes them through channels rather than taking action. The second failure stems from the agent receiving those emails having been selected not for counterintelligence but for criminal investigation qualifications. Consequently, he looks only for evidence of crimes committed rather than considering the potential threat. The third failure comes from the Army side as its deficit of psychiatrists and need for organizational diversity meant that no supervisor ever rated Hassan poorly on his official evaluations and even treated his contact with al-Awlaqi as “superior research” (63). When an incorrectly skilled individual investigated Hassan, his Army record was spotless, the case was closed without even a personal interview, and no flags were raised to suggest continued monitoring. Zegart summarizes the failures eloquently and highlights several areas for future improvement through increased communication and transparency within organizational structures.

The remaining chapters are also excellent, although none stood out as strongly as Zegart’s writing. Additional topics include the 2002 anthrax attacks, theft prevention in pharmaceutical and casino industries, and green-on-blue attacks in Afghanistan. The 2002 anthrax case tracks a mentally disturbed worker handling dangerous diseases who evaded regular security practices and any identification by management for his unusual behavior. The industry chapter studies activities similar to nuclear material management through highlighting how careful handling practices can track discrepancies. The green-on-blue chapter examines attacks from Afghani soldiers against US trainers during counterinsurgent operations but translated the least to protecting a nuclear facility.

The final chapter summarizes the worst nuclear security practices to foster desired or corrective actions. Most are standard security maxims such as understanding that an insider threat exists, knowing that not all systemic red flags are obvious, and realizing that not all insiders operate independently. Each worst practice is accompanied by a discussion on avoiding pitfalls and implementing security guardrails. For instance, not all detrimental insider actions are malicious. Employees can introduce the worst risks by trying to speed work processes or bypassing suspicious coworker behavior to meet timelines. Each bad practice considers the worst possible outcome, the result if one only slightly mitigates the issue, and the most secure solution. The identified practices should be a starting point for those who protect secure facilities.

On many occasions, I have found myself reviewing a text and wishing the author(s) knew when to stop writing. In this case, the opposite holds true as I wish Insider Threats contained additional high-quality material and cases. While the five cases presented were constructive (although the green-on-blue chapter was less focused), at the same time, I desired more meat in the sandwich. As the work is based on two separate seminars over three years apart, Bunn and Sagan should have had ample opportunity to find additional examples. The cases presented are likely the best, but a few more examples of protecting organizations from insider threat would have been useful. Possible topics that spring to mind are disgruntled employees during administrative change like elections, victims of covered-up organizational crimes as in the “Me Too” movement, or even how whistleblower events affect organizational cultures.

Insider Threats delivers a quick, insightful read into serious issues faced by those guarding sensitive material from those with ill intent. Each chapter presents a different case in the context of abstracting nuclear material protection lessons. While the cases were slightly dated at the time of this review, the lessons learned remain applicable. Those who work with sensitive material, from classified information to highly valuable goods or even protected corporate data, should place this volume as the next read on their list.

Lt Col Mark T. Peters II, USAF, Retired

"The views expressed are those of the author(s) and do not reflect the official policy or position of the US government or the Department of Defense."