Cybersecurity Blog: The Cyber Scene is evolving, are you?


When it comes to people, processes, and technology, the weakest link is human behavior.

In the wake of various high-profile leaks, human-enabled data breaches, and theft of corporate assets over the last several years, the insider threat topic has received much attention.

Probably the most famous insider leak in recent history was the National Security Agency’s (NSA) data breach by contractor Edward Snowden in 2013, and his revelations about mass surveillance. Snowden claims that U.S. and British intelligence agencies successfully cracked much of the online encryption relied upon by hundreds of millions of people to protect the privacy of their personal data, online transactions and emails.

“[Snowden], as a system admin, was to activate and deactivate accounts, populate SharePoint servers, show people how to collect and how to search,” said Chris Inglis, deputy director of the NSA at the time, during an interview for NextGov magazine.

“He never had access to the tools themselves. He was never allowed to search or to write reports. So when he, at a distance, saw these capabilities, he came to false conclusions about how they were being used. In most cases, he got it dead wrong,” said Inglis.

What did we learn?


Speaking at an Institute for Critical Infrastructure Technology (ICIT) event in Washington, D.C., Bill Evanina, national counterintelligence executive and director of the U.S. National Counterintelligence and Security Center, said, “Stopping insider threats relies more on addressing human problems than technological ones.”

Also, “many breaches are the result of an employee or contractor accessing information they’re cleared to see, then taking a thumb drive or papers out of the office with them, and there is no high-tech way to prevent that,” said Evanina.

Politics aside, whether you view Snowden as a hero who became disillusioned with his government or as a traitor who put America’s national security at risk, the Snowden incident rocked the U.S. cybersecurity establishment. It serves as a wake-up call to the dangers of insider threats, something every executive leadership team should be actively defending against.

Moreover, the Snowden leak offers two major lessons that all organizations can learn from:

Lesson 1: Prepare leaders (and employees) to deal with leaks

Inglis also stated in his interview for NextGov magazine that in the summer of 2013, as his team suffered a disastrous loss of their capabilities, he told the workforce that despite having every right to be angry, disappointed and even heartbroken, they still had to do their job.

What your organization can learn from this incident is the need to prepare IT security teams for attacks of this nature. How? With a well-structured training and awareness program that educates employees about their vulnerability to internal and external threats, provides guidance on protective measures, and reinforces the means to report potential insider concerns.

Lesson 2: Invest in an Insider Risk Program

The Snowden incident may be the most publicized insider attack in history, but it’s far from the only one: consider Benedict Arnold in 1780, Watergate in 1972, or the Iran-Contra Affair in 1986.

Waymo filed a lawsuit in February 2017 alleging Anthony Levandowski, a long-time member of Google’s driverless car team, secretly downloaded 14,000 files of “highly confidential data” from Waymo’s hardware systems six weeks before his resignation.

According to Waymo, “Mr. Levandowski searched for and installed specialized software onto his company-issued laptop. Once inside, he downloaded 9.7 GB of Waymo’s highly confidential files and trade secrets, including blueprints, design files, and testing documentation. Then he connected an external drive to the laptop. Mr. Levandowski then wiped and reformatted the laptop in an attempt to erase forensic fingerprints.”

Levandowski founded Otto in 2016, which Uber then purchased in August 2016 for a reported $680 million.

How to protect your organization

Organizations need to prepare for insider threats and arm themselves by investing in a comprehensive, holistic and proactive insider risk program.

Start with an initial assessment of your current state to evaluate your organization’s capability to prevent, detect, and respond to insider threats. These assessments will provide a baseline of current insider risk management capabilities, help identify areas of concern, and provide a list of risk treatment recommendations.

Next, implement a proper program design, including developing or strengthening procedures for screening and monitoring contractors and employees, relevant business processes, organizational policies (including their enforcement), and security awareness training for the entire workforce.

Integrate cutting-edge monitoring technology that includes proactive alerts, enabling your organization to counter threats while minimizing business disruption.

Finally, when there is a concern about potential insider activity within your organization, develop an investigative plan and gather the facts necessary to resolve the matter. Consider using analytical resources and highly skilled cyber forensic experts with counterintelligence experience in conducting complex investigations, who can be trusted to maintain the highest level of discretion.
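As an added example (not code from this blog, from Leidos, or from any product it mentions), here is a minimal correlation rule in Python for the monitoring-and-alerting step above. It scores the kind of endpoint activity the Waymo complaint describes, a bulk copy of files followed by an external drive connection, installation of unapproved software and a disk wipe, and raises a review alert when a user's combined indicator weight crosses a threshold. The event format, field names, weights, thresholds and sample events are all constructed assumptions for illustration; a real deployment would tune them against the baseline established in the initial assessment.

```python
"""Correlate endpoint audit events into a per-user insider-risk alert.

Added example, not from the blog or from Leidos' product. The log format,
field names, thresholds and the sample events below are constructed
assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (user, ISO timestamp, event_type, detail).
# 'detail' is a byte count for file_copy events and free text otherwise.
SAMPLE_EVENTS = [
    ("alice", "2017-01-03T09:12:00", "file_copy", 2_500_000_000),
    ("alice", "2017-01-03T09:40:00", "file_copy", 7_200_000_000),
    ("alice", "2017-01-03T09:41:00", "usb_connect", "external drive"),
    ("alice", "2017-01-03T12:05:00", "software_install", "unapproved sync tool"),
    ("alice", "2017-01-04T18:30:00", "disk_wipe", "full reformat requested"),
    ("bob",   "2017-01-03T10:00:00", "file_copy", 40_000_000),
    ("bob",   "2017-01-03T10:02:00", "usb_connect", "external drive"),
]

# Constructed thresholds; tune against your own baseline.
BULK_BYTES = 5_000_000_000   # 5 GB copied within WINDOW counts as a bulk copy
WINDOW = timedelta(hours=24)
ALERT_SCORE = 3              # summed indicator weight that triggers an alert
WEIGHTS = {"bulk_copy": 2, "usb_after_bulk": 2, "software_install": 1, "disk_wipe": 2}


def parse(events):
    """Group events per user, sorted by time, with timestamps parsed."""
    by_user = defaultdict(list)
    for user, ts, kind, detail in events:
        by_user[user].append((datetime.fromisoformat(ts), kind, detail))
    for evs in by_user.values():
        evs.sort(key=lambda e: e[0])
    return by_user


def indicators_for(evs):
    """Return the set of indicator names observed in one user's event list."""
    found = set()
    bulk_at = None
    copies = [(t, d) for t, k, d in evs if k == "file_copy"]
    # Sliding window: total bytes copied within WINDOW of each copy event.
    for i, (t0, _) in enumerate(copies):
        total = sum(d for t, d in copies[i:] if t - t0 <= WINDOW)
        if total >= BULK_BYTES:
            found.add("bulk_copy")
            bulk_at = t0
            break
    for t, k, _ in evs:
        # Removable media only counts when it follows the bulk copy.
        if k == "usb_connect" and bulk_at is not None and t >= bulk_at:
            found.add("usb_after_bulk")
        elif k == "software_install":
            found.add("software_install")
        elif k == "disk_wipe":
            found.add("disk_wipe")
    return found


def score_users(events):
    """Return {user: (score, sorted indicator names)} for every user seen."""
    out = {}
    for user, evs in parse(events).items():
        ind = indicators_for(evs)
        out[user] = (sum(WEIGHTS[i] for i in ind), sorted(ind))
    return out


def alerts(events, threshold=ALERT_SCORE):
    """Users whose indicator score meets the threshold, queued for analyst review."""
    return {u: v for u, v in score_users(events).items() if v[0] >= threshold}


if __name__ == "__main__":
    for user, (score, ind) in alerts(SAMPLE_EVENTS).items():
        print(f"ALERT {user}: score={score} indicators={ind}")
```

On the constructed input, "alice" accumulates all four indicators and is alerted, while "bob" (a small copy and a USB connection with no bulk copy behind it) scores zero; the point of weighting and correlating rather than alerting on any single event is to keep ordinary use of removable media from drowning the analysts in noise.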

The last word

Snowden participated in an incredibly high-profile incident, but he simply raised the modern profile of insider threats, reminding us that oversight will always be needed; it is a lesson we cannot afford to forget.




Ollie Luba is a principal systems engineer at Leidos with 30 years of experience in analyzing, modeling and designing complex analytic systems for government and commercial clients. Currently, Ollie is the Product Manager and Technical Lead for Leidos’ insider threat identification solution. His educational background includes a BSEE from the University of Pennsylvania, an MSEE from Drexel University and an MS in Technology Management from the Wharton School/Penn Engineering. Ollie is based in Valley Forge, PA.