Every Facility Security Officer (FSO) is aware of the need to upgrade their insider threat program (NISPOM Change 2) and to educate their cleared employee workforce on the threats which each and every one of the employees may face. Occasionally it is an uphill slog for the FSO, as the likelihood of an individual ever knowingly engaging face-to-face with a criminal or nation state intelligence officer is quite low. That said, low is not zero. The reality is, we must prepare all of our cleared employees to recognize and be prepared to act appropriately when they do find themselves engaged.
I don’t know enough to be of interest
If you’re the FSO, you no doubt have presented counterintelligence seminars and briefs while cleared employees sit and self-exclude themselves from being of interest to an adversary. If only we lived in a Polly-Anna world and such was the case. The harsh reality is, if you enjoy the trust and confidence of the United States government by virtue of being granted a security clearance and having access to classified information, you are on someone’s targeting matrix. The OPM database was stolen by an adversary, believed to be China, they have the ability to put together a dossier on each of us. We also facilitate the process through our social networks where we share and some would argue, over share, professional and personal information. Readers will recall the 2015 admonishment from the British security services about the targeting of cleared personnel via the LinkedIn network.
Here we are in 2017, and guess what? Adversaries continue to use social networks to target cleared personnel. The Israeli Defense Force was the latest victim, as a number of their personnel were lured into a number of catfishing schemes, during which the adversary (Hamas in this case) attempted to compromise the devices of IDF personnel they had hooked. A case of insider threat being manifested via the social engineering of the IDF service member’s willingness to click on an app.
For those unfamiliar with “catfishing” a target is contacted by an individual via social network. In the IDF instance, the adversary created a number of fake Israeli female personas and went after male IDF servicemen – sending photos (yes those type of photos) and inducing the recipient to join her for a video chat. The IDF reports, the video chat request was accompanied by an “app” to download. While the app never works, and the video chat never materializes, the IDF serviceman has turned his “mobile device into an open book – leaving contacts, location, apps, pictures, and files accessible to Hamas. What’s more, it can stream video from the camera and audio from the microphone. With the delivery, the device and the information on the device was compromised.”
Understanding the motivation of criminal networks and how they measure success is important to understanding how to defend yourself. This author has often been quoted as saying, “Criminal entities target for monetization or extension of power and capability.” A recent report/survey “Monetizing the Insider” conducted by Red Owl and Intsights (behind registration wall) calls out the following insider threat issues which their research from within the Dark Web revealed.
- Recruitment of insiders is growing with the number of discussions and insider outreach in the criminal forums doubling from 2015-2016.
- The Dark Web has created an environment for those insiders willing to break trust to monetize their employers (or in the case of cleared individuals, the classified material of the United States). In addition, “insider knowledge” can be monetized by projecting events and market direction and monetizing via this insider information.
- For those insiders who are either recruited or volunteer to engage with a criminal element, the insider can be armed with malware to launch from within a secured environment, bypassing the many perimeter defenses which may exist.
Insider Threat Self-Defense
Criminals have a different ethos than intelligence organizations, though both may use coercion to induce an insider to break trust, the cleared employee can engage in a bit of self-help by limiting those instances when too much information is shared, and to understand how to recognize engagements which are worthy of reporting to the FSO.
- Validate with whom you are sharing information on social networks with others – not just look to see who is connected to who, as every individual sorts with whom they will connect differently. Actually engage others to get a first-person validation.
- Use image checking software (Google Image Search) for all new contacts.
- Take a page out of the US Army CID warning to civilian personnel on the many romance scams being perpetrated by individuals posing as soldiers in need of assistance.
- Don’t discuss your classified work or life’s personal details on social networks.
- Report any suspicious or anomalous contacts to your FSO.
ClearanceJobs is a closed network, they carefully screen employers and have in place checks and balances on how and to whom your folio is shared. This is not the case with the open networks like LinkedIn, Facebook, Google+, etc. These social networks are considered open networks, where the admission and presence requires nothing more than web access and an email address.