At SERC’s “The Scoop on Insider Threats” webinar Tuesday, experts warned that employees at all kinds of businesses are more tempted than ever to use confidential information to benefit themselves or others — and organizations that seek to play a leading role in their fields must grapple with this danger eventually.

“Willie Sutton, a very famous bank robber … when asked why he robbed banks, said, ‘Because that’s where the money is,’” FBI Special Agent Greg Klein said. “Criminals go to where whatever they want is … and we have to understand now [that] people and systems are banks … of information, banks of things that other countries, especially, want. That’s a good thing: If you’re pushing the ball forward … on green energy [or] things like that, that’s great, you have something to give. If you don’t have those things, you won’t exist very long.”

States Sponsoring Industrial Spies

Insider threats are nothing new for statecraft. Nations have always tried to convince their rivals’ citizens to switch sides. Klein noted that Benjamin Church, the director of the medical service of the Continental Army, arguably qualifies as the “first American insider threat” for selling secrets to the British in February 1775 to pay off his gambling debts.

Industrial espionage likewise goes back a long way: the U.S. textile industry was jumpstarted by American manufacturers stealing weaving technology from their British counterparts in the 1700s.

What characterizes the modern era is a combination of the two, with nation-states sponsoring theft of trade secrets from overseas companies to help domestic enterprises catch up. China is frequently accused of this practice, and Klein noted the case of Xiaoqing Zheng as an example. The former engineer at General Electric, who was arrested in August 2018 for copying information from his employees’ computers onto a USB drive, told FBI agents that he was encouraged to steal the data and taught how to encrypt the files by agents from the Chinese intelligence service.

“What we have now, especially with China, is an economic war — we call it an asymmetric threat,” Klein said. “Everyone now can be a gatherer of information, and we’re looking especially in [the] tech fields, [the] energy fields — you name it, anything that’s going to give [China] an economic advantage, that’s what they’re after.”

Damage Not Always Done Intentionally

Making the threat mitigation job more challenging is the fact that employees can easily distribute confidential information without any malicious intent, or even the awareness that they are doing so. Klein identified several categories into which the FBI groups insider incidents, ranging from “stupid” — which includes mishandling sensitive data, oversharing on social media and networking sites, and speaking too freely to friends in the media — to “sinister,” which could mean actively seeking information to share with rivals or even seeking to sabotage the organization.

In addition to stealing information, employees may also cause physical danger to their companies or colleagues either willfully or through carelessness. Samantha Lee-Conroy, a physical security analyst at the Electricity Information Sharing and Analysis Center (E-ISAC), recounted several incidents involving E-ISAC members that felt endangered. In one case, a former employee called in a bomb threat against the supervisor that fired them; in another, a contractor “made a threat to kill” two employees with whom they were on a conference call.

Other events involved no immediate physical threats but could have potentially put the company or staff at risk, such as when a worker’s housekeeper stole a set of keys that included keys to critical facilities, or when a terminated employee pawned clothing with the company’s logo instead of returning it. Lee-Conroy called these incidents reminders “that employees may be exposed to risks unrelated to the job, which then may become security issues later.”

Warning Signs of Potential Issues

Guarding against insider threats can be a delicate balancing act because the employees most able to hurt an organization are, by definition, those to whom a great deal of power has already been given and who are typically considered among the most trustworthy staff members. Accusing such employees of conspiring to harm the business, or even implying that they could do so through overly harsh security measures, could actually backfire by alienating them.

Nevertheless, Klein noted a number of warning signs that could indicate an employee is preparing to betray his company and should spark a reaction from management:

• moving high volumes of data, either by printing, by USB drive, or by sending to a personal email address;
• significant foreign travel or contacts, especially speaking engagements not coordinated through the company;
• knowledge of potential layoff or termination; or
• sudden resignation, particularly if it follows a trip overseas.

Lee-Conroy added that “the industry has a lot of different factors to consider when assessing industry threats” and suggested that utilities should think about the information that their employees have, how it could harm the company if exposed, and how to mitigate that damage if it occurs. In other words, they should assume the data will get out and plan accordingly, rather than trying to assess which individuals are most likely to cause a leak.

She also urged utilities to reach out to the E-ISAC on a white paper the organization is working on, with input from utilities and government, that will outline best practices for organizations seeking to build their own insider threat programs. The target audience is small and medium-sized utilities that “may not have access to resources or industry-specific examples” of effective approaches.