Small Wars Journal


The Trusted Shadow and Trojan Horse of the United States Government: Human Behavior and the Insider Threat

Caitlin Squire Hall

Military intelligence professionals go to work every day and use the information available to them to do their jobs.  We can take all the mitigation steps in the world, but the bottom line is that there is no step we can take as a nation, as a military, that’s going to stop the determined insider.

- Captain Joe Morrow, Prosecutor

Introduction

In the 1970s, Greg Chung became a naturalized United States citizen and obtained a job with Rockwell, now Boeing.  After thirty years of espionage and passing sensitive information to the Chinese government, the police found 300,000 pieces of classified documents worth over two billion dollars in trade secrets in Greg Chung’s house.  Chi Mak, also a naturalized American citizen, was a United States defense contractor who maintained a classified government security clearance. For two decades, Chi Mak passed sensitive information regarding United States Naval capabilities to China.  In early 2001, FBI counterintelligence agent and Chicago native Robert Philip Hanssen was caught after spending 22 years spying for Russia. Hanssen gave up 6,000 pages of classified information, all pulled from the FBI’s computers, to Russia.  Lastly, in early 2013 Edward Snowden, an NSA and former CIA employee who was born and raised in North Carolina, leaked top-secret documents on United States surveillance programs and sought asylum in Russia. 

An insider threat is irrefutably one of the greatest threats to United States national security.  Greg Chung, Chi Mak, Robert Philip Hanssen, and Edward Snowden are a few of the dozens of personalities who have leaked or passed secrets to foreign governments over the past thirty years.  Rita M. Barrios elaborates on the significance of the insider threat, stating, “The theft and exposure of the critical data components that resides in a relational database by the authorized insider is on the rise” (Barrios 2013, 54).  In comparison to threats such as weapons of mass destruction, cyber, and nuclear, the insider threat can often be overlooked; however, the threat of the insider is not the method of attack, rather the threat is the individual (Blades 2010, 32).  The insider threat is comparable to a Trojan horse and is identifiable as a trusted shadow of the government who, despite the extensive background checks, obtains a security clearance providing access to classified information.  Furthermore, the United States can strategically mission plan for all divisions of the military, yet it takes one individual to take those plans and pass that information to the enemy, or make it public knowledge.  One individual can obtain classified information on the location of United States submarines, specs on the B-2 stealth bomber, or tactics, techniques, and procedures of the United States military and easily pass that intelligence to a news agency or foreign government.  With the ever-growing world of electronics and advancements in technology, a young adult could walk in and out of the workplace with dozens of classified documents saved on a CD.  In addition, with websites like Wikileaks, secrets can be published anonymously, adding to the elusive nature of an insider threat.  These factors make all government employees with a security clearance dangerous, as there is no patch for an insider threat, only prevention and minimization.  
But is that what makes an insider threat so challenging to acknowledge and track?  Or is it the fact that these individuals are a trusted shadow whose motivation is prompted by unknown factors?  Ellen Messmer highlights this, noting, “While the U.S. military is building up defenses to fend off network-based attacks from enemy states and terrorists, some say the more-insidious security problem is the threat is an insider bent on sabotage or stealing data” (Messmer 2003, 12).  Messmer, in a sense, simply acknowledges that the motivation of an individual can be as minute as ‘I felt like it.’  That being said, is a leak only the fault of the insider, or do co-workers impact the process of detection as well?  This realm of threat to a government entity is challenging because any organization facing it is dealing with the unknown. 

The state of the unknown raises the foremost question: what, then, are the underlying complexities making the insider threat so dangerous to Department of Defense agencies?  Furthermore, how will, if at all, the current instability of the United States’ economy impact the ability to combat the insider threat over the course of the next decade? 

The Stance on the Insider Threat: Written Arguments and Assessments

The threat of an insider is not a new revelation as this threat dates back to spies during the Revolutionary War, namely Benedict Arnold; however, the advancement in technology in today’s world opens the door to ease of access regarding espionage.  Before diving into the arguments and assessments that come with the insider threat, it must be defined.  The Defense Security Service defines an insider threat as:

Acts of commission or omission by an insider who intentionally or unintentionally compromises or potentially compromises DoD’s ability to accomplish its mission.  These acts include, but are not limited to, espionage, unauthorized disclosure of information, and any other activity resulting in the loss or degradation of departmental resources or capabilities (Defense Security Service 2013). 

From Department of Defense organizations to Fortune 500 companies, the insider threat, as defined above, is one of the greatest challenges facing companies and government organizations.  This statement is backed by dozens of publications, articles, and speeches made by government officials; furthermore, “each new study that is released further confirms that the malicious insider continues to pose a major threat to organizations in both the public and private sectors” (Blades 2010, 32).  The Central Intelligence Agency, Federal Bureau of Investigation, Defense Security Service, and the President of the United States all acknowledge the significant threat an insider poses to the welfare and safety of the nation as a whole, especially as the government continues to accumulate intelligence.  Therefore, expanding knowledge on the arguments and assessments that aid in defining an insider threat is important in order to understand and develop mitigation tactics for the insider threat.

First, it must be established what and who an insider could be in the United States.  There are two categories of insider threats: the non-employee, who by virtue of technology is able to gain intelligence via a cyber-attack, and the employee.  Because “a company can often detect or control when an outsider (non-employee) tries to access company data either physically or electronically, and can mitigate the threat of an outsider stealing company property,” the unpredictable nature of the employee is the bigger threat (FBI 2013).  The FBI acknowledges “the thief who is harder to detect and who could cause the most damage is the insider—the employee with legitimate access” (2013).  Because of the threat an employee insider poses, as seen with Greg Chung, Chi Mak, Robert Philip Hanssen, and Edward Snowden, President Barack Obama issued a national-threat policy in November 2012 putting individuals who leak intelligence on par with terrorist activity and double agents.  That being said, some experts and business executives argue that an insider threat is not always bad and that, oftentimes, the measures to prevent an insider attack are not worth the cost.  Furthermore, there are numerous assessments provided by different agencies and subject matter experts regarding the reasons why an individual may be provoked to become an insider.    

An increasing number of Department of Defense agencies identify the insider threat as an audacious breach and significant issue that is a danger to United States national security; however, some argue that certain leaks are good.  But is it possible that any leak of classified government information is good, despite what American public opinion states? The Defense Security Service states, “arguably, ‘insiders’ have caused more damage than trained, foreign professional intelligence officers working on behalf of their respective governments” (2013).  This is in part due to the fact that the insider has access to information without the need to go through several hurdles.  Furthermore, because the theft of information from classified databases occurs autonomously, it “can go unnoticed for months or even years” until the insider is caught (FBI 2013).  These leaks cost the United States government hundreds of millions of dollars, and where some argue that there is no such thing as a good breach, others beg to differ.  Steven Aftergood, a Federation of American Scientists government security expert, notes “there are such things as a good leak.  Some classified things should be public” (Leonning 2013).  In today’s day and age, there is an increasing need within the American populace for government transparency across the board; however, the line qualifying a leak as good versus bad becomes increasingly grey.   Some Americans believe the leak caused by Edward Snowden was a good leak, whereas numerous figures within the intelligence community, including Keith Alexander, director of the NSA, note the leak caused “irreversible and significant damage” (Gjelten 2013).  Tom Gjelten expands on the impact, identifying that as a result of the leak, “terrorist groups are changing their communication methods” (2013).  This is of momentous importance because if the United States intends to prevent terrorist attacks on American soil, then some programs need to remain hidden.  
On the other hand, Judge Dennis Saylor, a member of the Foreign Intelligence Surveillance Court that oversees the NSA, as well as James Clapper, the Director of National Intelligence, note that “the leaking of classified NSA documents by a former employee has ‘generated some of the debate’ that needs to happen in the U.S. over the surveillance program” (Nolan 2013).  That being said, who then determines whether or not a leak is good or bad? There is no board or agency whose job is to determine the status of a leak and, as is obvious with Edward Snowden, there will always be a debate on the issue.  The issue, then, becomes that whether the leak of information is good or bad, the motivating factors provoking the individual to leak the information are threatening.   

As motivation becomes an underlying complexity making the insider so dangerous, there is a great deal of anonymity behind this eccentric means of attack, making it difficult not only to gather information but to identify and prevent an insider attack.  Congress has “[…] continually expanded and strengthened criminal laws for violations of intellectually property rights […]” (FBI 2013).  While it is important to create laws and strengthen criminal charges in an effort to deter the insider from committing a crime, the motivation provoking the insider cannot be stopped.  Dr. Shelley Kirkpatrick expands on this, stating it is “[…] difficult to defend against an insider who is motivated to go after the company” (Kirkpatrick 2008, 45).  With that in mind, defending against an insider is challenging for any government agency or company, as motivation is elusive in nature and there is no easily identifiable indication or warning.  Therefore, “many companies and public organizations think of the insider threat as a very high-impact, very low-frequency issue” and admit that managing this threat “[…] doesn’t always become a high priority, which is fascinating, because the impact is so tremendous in the market-place and the public sector” (Blades 2010, 33).  However, organizations must be frugal with money in an age where the economy is not in a positive standing.  Some research firms assessed in 2008 that federal agencies will have spent “nearly $350 million in technology to manage identity and access” (Aitoro 2007, 30).  While that cost may seem feasible to fend off cyber-attacks seeking classified intelligence, funds towards preventing the insider can seem to fall through the cracks given the covert environment.     

What, then, are these motivations provoking an individual to commit such an act of betrayal against the United States, and what makes detection difficult?  The Office of the Director of National Intelligence acknowledged in the 2012 Report on Security Clearance Determinations that as of October 1, 2012, there were 4,917,751 individuals who held and were approved for a secret or top secret security clearance.  There is no way, technologically, to combat 4,917,751 individuals; therefore, awareness in the workplace is crucial for detection.  There are personal, organizational, and behavioral factors and indicators that motivate an individual to become an insider.  The FBI identifies that an insider “may steal solely for personal gain, or that insider may be a ‘spy’—someone who is stealing company information or products in order to benefit another organization or country” (2013).  As a result, President Barack Obama implemented the Insider Threat Program, which targets not only the insider but also co-workers and managers who fail to report suspicious activity.  This encourages profiling in the work environment, which, as a country, we have been trying to prevent for decades.  The underlying complexities making an insider threat dangerous are no longer just in the hands of the insider; rather, they are in the hands of co-workers as well. 

Methodology and Research Strategy

Despite the fact that the insider threat has been an issue since the Revolutionary War and present-day technological advancements open the doors to espionage, there are also economic, personal, and organizational motives that must be taken into consideration.  These motives provoke government employees with a security clearance to consider taking part in the act of espionage.  Recognizing these motives and taking into account the state of the economy at any given time is crucial when assessing the potential for a co-worker to be involved in espionage.  A comprehensive understanding of the big picture must first be established in order not only to successfully analyze the complexities that make an insider threat dangerous, but to conduct predictive analysis on the impact over the next decade based on the current economy.  There are major limitations preventing the ability to detect and avert an insider threat from becoming a reality at all government installations.   As noted above, the threat of an insider is not the method of attack but the individual; therefore it is difficult to develop a profile.  Whereas the nuclear and weapons of mass destruction threats have strategic indications and warnings via various forms of intelligence, such is not the case for the insider threat.  There is no movement of foreign naval vessels or forward deployment of aircraft that can be observed or tracked, provoking the United States to increase the alert level.  Additionally, there is no perimeter defense that has to be bypassed, seeing as the insider is a decentralized threat, a Trojan horse.  That is the limitation in obtaining information on the insider threat: the insider could be anyone with a security clearance; therefore, behavior, both psychological and sociological, must be assessed.  
In order to overcome these limitations, qualitative and quantitative data must be analyzed in order to draw commonalities, make assessments, and determine what the specific underlying complexities are that motivate someone to become an insider threat. 

The most prevalent types of qualitative data include case studies and assessments made by subject matter experts.  Case studies allow for the ability to draw conclusions and make assessments based on what is known as a result of past insider threat successes.  Case studies acknowledge the underlying complexities that not only make an insider threat dangerous but highlight motives and psychological and behavioral factors, as well as identify the level of involvement in espionage and explain how an insider ultimately became an insider.  Additionally, quantitative data is important as it allows for an accurate perception of the insider threat.  Quantitative data adds to the value of the qualitative data by identifying the length of time an individual has been committing espionage and the amount of damage done as a result.  Furthermore, quantitative data identifies how big a threat the insider is by highlighting the number of individuals in the United States that have a security clearance and provides probabilities that aid in grasping the big picture.  After taking all of this information into account, assessments and predictive analysis can be conducted so that complexities can be identified.

A Trojan Horse: Findings and Analysis

The underlying complexities provoking the act of becoming an insider threat are vast, whether the insider comes in the form of a disgruntled employee or a hired spy of a foreign government.  Anyone in the workplace can be an insider and go unnoticed for decades, as there are too many complexities favoring the insider to commit espionage.  Using the inductive approach, the two most significant underlying complexities making the insider threat so dangerous are the fact that the insider threat is a Trojan horse and human behavior on the part of the co-worker. 

A Trojan horse provides limited warning and seems like a harmless e-mail or a victorious trophy, until it strikes; this mimics the perception of an insider threat.  The motive of a Trojan horse is to disrupt, deny, and acquire information for beneficial reasons where “the initiative here always rests with the attacker” (Gaddis 2002).  The FBI identifies personal, organizational, and behavioral factors of an insider ranging from financial gain to family problems, thrill and revenge to pressure and perception (FBI 2013).  Additionally, Deloitte’s Federal Government Services study about insider threats acknowledges several traits attributed to individuals who are a security risk.  These traits include “self-centeredness, feeling neglected, a sense of entitlement, passive aggressive behavior and intolerance to criticism” (Blades 2010, 33).  These traits are not physical changes, they are mental; therefore, it is difficult to identify change, seeing as there is no obvious factor aside from face-to-face communication.  Furthermore, when there are problems at home, most people prefer to keep those problems away from the workplace and to themselves, which again adds to the shadow that is an insider.  The Trojan horse is one of the two underlying complexities because, like a Trojan horse, the insider is malicious, complex, and tedious.  Defining and identifying motivations is difficult, as there are too many internal and external factors that make up an insider, none of which are easily identifiable.  Nick Catrantzos highlights this, noting “background investigations are easily sidestepped,” and continues, “institutional inquisitors –whether security staff, auditors, cyber network custodian, or other corporate sentinels – repeatedly miss unmasking the infiltrator or saboteur until it is too late” (Catrantzos 2010, 1).  
Bottom line, the complexity is the fact that any government agency or military branch is dealing with the unknown, a trusted shadow that is too difficult to detect, seeing as the only way to prevent the insider is by recognition from those in the workplace.

This is where the second underlying complexity comes into play: human behavior.  As identified above, the traits of an insider can potentially describe numerous personalities in every workplace.  The complexity comes in the ability of a co-worker to identify potential negative traits and report them; however, human behavior becomes problematic.  The issue with a co-worker analyzing behavior is that one must not only conduct psychological profiling, but oftentimes co-workers overlook depressed-like behaviors, seeing as everyone has bad days.  Psychological profiling in the workplace has been frowned upon for years, yet President Barack Obama now encourages profiling in an attempt to ensure another Edward Snowden-like event does not occur.  However, even if a co-worker identified that an individual within the workplace was showing warning signs, the chances of that co-worker physically going and reporting that behavior are likely minimal simply based on the nature of human behavior, thus making human behavior a significant underlying complexity.  The individual showing warning signs could be a friend, a boss, or even a relative, and regardless of who is observing these potential warning signs, the perception is incredibly subjective in nature.  There is a culture apparent in every government agency, military branch, and Fortune 500 company that can impact detection.  Dr. Shelley Kirkpatrick emphasizes this point, stating, “companies may not always be willing to see or act upon the warning signs” (Kirkpatrick 2008, 58).  While the Insider Threat Program, in a sense, encourages psychological profiling, companies do not want to bear the burden of making mistakes publicly.  Motives are incredibly complex and not mutually exclusive, as there are direct and indirect experiences affecting motives and personalities at varying parts of every day.  
As noted above, assessments on the psychological state of a co-worker are subjective, and how one person views a situation may be viewed by another in a different manner; again, human behavior plays a huge role in regards to the insider threat.  On a similar note, should a co-worker report suspicious activity or behavior, the technological advancements and vast number of ways in which an insider can infiltrate and remove intelligence could make it very difficult to prove suspicions. 

The idea of an insider being identifiable as a Trojan horse, coupled with human behavior, in conjunction with the poor economy and current government shutdown makes those underlying complexities even more significant.  Financial problems as a result of the government shutdown are one factor influencing decisions made by the 70% of civilians performing intelligence-based jobs who are furloughed.  James Clapper, the Director of National Intelligence, acknowledged the United States is “a dreamland for foreign intelligence services to recruit” (Fox News 2013).  In times of a poor economy, the insider threat has the potential to be more pertinent; however, human behavior remains a limiting factor.  A large majority of government employees have the potential to be in financial distress, making it difficult for co-workers to see warning signs or red flags.  Furthermore, with the poor economy the United States has been dealing with for a couple of years now, the threat of the insider does not seem to be an issue that will be going away any time soon.       

Conclusion

Dealing with the insider is like dealing with a Trojan horse, which is why the insider threat is so dangerous.  With 4,917,751 individuals with a security clearance in the United States, finding an insider threat is like trying to find a needle in a bag of needles.  The insider can be anyone in the workplace and “[…] the unfortunate truth is that there can never be complete safeguards against surprise attacks because the number of targets and the ways in which they are vulnerable will always exceed the measure that can be taken to defend them” (Gaddis 2002).  While the insider threat is not comparable to the threat of a nuclear attack or the launch of a weapon of mass destruction, it is of crucial importance.  When the RQ-170 went down over Iran, the Iranian government refused to give it back to the United States, which ended up being a serious matter, seeing as the United States wanted to ensure that aircraft would never get into the hands of enemies.  That event is comparable to the impact of an insider releasing information: if the enemy continues to obtain intelligence on United States tactics, techniques, and capabilities, then the United States starts to have a disadvantage should conflict occur with another country.

Due to the monetary, strategic, and tactical impact with which an insider can cause damage to the United States, steps must be taken in order to prevent, mitigate, and attempt to eliminate the threat.  With the poor economy and current government shutdown, this threat only has the potential to grow as American citizens fight against financial complications and anger towards the government.  The issue is that there is no easy way to prevent the insider, only to mitigate or minimize the impact.  There are several programs that could be implemented to not only draw awareness to the insider threat but call for periodic review boards and background checks.  However, the insider is still a trusted shadow of the government, and with the technological advancements in today’s society, numerous programs, if poor in nature, could be implemented and the threat would remain alive and kicking.  Identifying that human behavior plays a major role affecting the detection and prevention of the insider can aid in narrowing the focus when creating programs that could be effective against the insider.  That being said, future studies focusing on the insider threat should continue to aim at identifying good prevention techniques against the insider.  These programs can be implemented to raise awareness and to make various forms of technology illegal in the workplace.  The insider threat will be around for years to come, and seeing as the impact the insider has on national security is of crucial concern, future studies should continue to expand on identifying motives and acknowledging similarities behind former and future insiders.      

Bibliography

Aitoro, Jill R. “Insider Threat.” Government Executive 39, no. 19 (2007): 28-30, 32-34, accessed September 10, 2013. ProQuest Ebrary.

Barrios, Rita M. “A multi-leveled approach to intrusion detection and the insider threat.”  Journal of Information Security 4, no. 1 (2013): 54-65, accessed September 7, 2013. ProQuest Ebrary.

Blades, Marleah. “The insider threat.” Security Technology Executive, Nov (2010): 32-37, accessed September 8, 2013. ProQuest Ebrary.

Catrantzos, Nick.  “No dark corners: A different answer to insider threats.” Homeland Security Affairs 6, no. 2 (2010): accessed September 8, 2013. ProQuest Ebrary.

Federal Bureau of Investigation. “The Insider Threat: An introduction to detecting and deterring an insider spy.” FBI Counterintelligence. (2013): accessed September 19, 2013, http://www.fbi.gov/about-us/investigate/counterintelligence/the-insider-threat.

Gaddis, John Lewis. “On Strategic Surprise.” Hoover Institution Stanford University no. 2 (2002): accessed October 3, 2013, http://www.hoover.org/publications/hoover-digest/article/7582.

Gjelten, Tom. “The Effects of the Snowden Leaks Aren’t What He Intended.” NPR, September 20, 2013, accessed October 6, 2013, http://www.npr.org/2013/09/20/224423159/the-effects-of-the-snowden-leaks-arent-what-he-intended.

“Insider Threats: Combating the ENEMY within your organization.” Defense Security Service. (2013): accessed September 14, 2013, http://www.dss.mil/documents/ci/Insider-Threats.pdf.

“Intel chief suggests US spies might defect over budget impasse.” Fox News. October 2, 2013, accessed October 2, 2013, http://www.foxnews.com/politics/2013/10/02/intel-chief-us-spies-might-defect-over-budget-impasse/.

Kirkpatrick, Shelley A. “Refining Insider Threat Profiles.” Security 45, no. 9 (2008): 56-63, accessed September 30, 2013. ProQuest Ebrary.

Leonning, Carol D., Julie Tate, and Barton Gellman. “U.S. intelligence agencies spend millions to hunt for insider threats, document shows.” Huffington Post, September 1, 2013, accessed September 14, 2013, http://www.huffingtonpost.com/2013/09/02/insider-threats_n_3856290.html.

Messmer, Ellen. “Security experts: Insider threat looms largest.” Network World 20, no. 49 (2003): 12, 72, accessed September 8, 2013. ProQuest Ebrary.

Nolan, Robert. “5 Undeniable Fallouts from the Edward Snowden Leaks.” U.S. News, September 20, 2013, accessed October 6, 2013, http://www.usnews.com/opinion/blogs/world-report/2013/09/20/brazil-russia-and-the-impact-of-edward-snowden-on-us-foreign-relations.

“2012 Report on Security Clearance Determinations.” The Office of the Director of National Intelligence. Jan (2013): accessed October 3, 2013.

About the Author(s)

Caitlin S. Hall is a Strategic Intelligence graduate originally from the Buckeye State who earned her undergraduate degree from Indiana University in Criminal Justice. As an officer in the United States Air Force, she works as a Combat Intelligence analyst.  She is thankful for the opportunity to publish and would like to thank her parents, Elizabeth and Gregory, for not giving her up for adoption and constantly pushing her to be amiable, passionate, and the best version of herself.