Quis custodiet ipsos custodes? The Latin phrase, first found in the Satires of the Roman poet Juvenal, has been used in modern times to describe the problem of controlling those in positions of great power. It translates literally as “who will guard the guards themselves?” It is also known by variant translations, notably “Who watches the watchers?” or “Who will watch the watchmen?”
In the latter variation it certainly could refer to those who oversee Information Technology (IT), whether at a federal agency, a contractor or another firm. Those in IT have great power over an organization’s computer networks and related systems, yet are seldom subject to the same level of oversight as other employees.
A report for Stratfor, a geopolitical intelligence platform and publisher, laid out the potential harm that IT personnel could inflict on a company. Scott Stewart, who supervises Stratfor’s analysis of terrorism and security issues, noted that IT employees now hold the key to the information that bad actors could potentially want.
Stewart also addressed the fact that IT workers have much in common with their diplomatic and intelligence counterparts. IT workers are often undervalued compared to those who are actually designing, making or selling a company’s core mission, service or product.
What further amplifies the problem is that these employees can be relegated to remote areas of the office, or even other office buildings entirely. This can result in IT workers who are isolated physically, socially and even culturally from the rest of the company’s staff. That in turn can lead to anger, resentment and poor morale. All of that makes them vulnerable to what Stewart wrote are a variety of human intelligence approaches and bribery tactics — especially those that pander to desires for money, friendship, sex, or an ego boost.
IT and MICE
For the reasons Stewart cited, IT workers are a prime target for “MICE” – as in Money, Ideology, Compromise, and Ego.
“This is absolutely true,” warned Stewart.
“This is true in both the cleared world, and the non-cleared world, and state actors target these workers because of what they know,” he told ClearanceJobs. “Companies have taken massive losses when an IT worker sells valuable information. State actors target these individuals for the same reasons and with the same tactics.”
Stewart cited a recent survey of 500 IT security professionals that was conducted by the cybersecurity firm Gurucul, which found that a whopping 24% of respondents said they would steal information from their current company to help them apply for a job with a competitor. Clearly money and ego could be factors in how IT workers could be recruited by rival companies or foreign agents – and in either case it isn’t good news.
Poor morale could also play into compromise as well as ego, but one should never underestimate the power of a honeytrap when it comes to workers who may feel isolated from the rest of the company.
Part of the Team, and Under the Same Scrutiny
The risk can be mitigated in part by treating the IT staff like the rest of the team, but IT workers should also be subject to the same level of security measures that they implement on others. Stewart noted that there are already software programs available that can be used to monitor employees’ online activity.
An irony, he explained, is that these programs are often installed and monitored by the IT staff, but someone should still be watching the watchers.
“Does Chelsea Manning (AKA Bradley Manning) mean anything to you?” pondered Jim McGregor, principal analyst at TIRIAS Research.
“Anyone that has access to a network has the potential to compromise the data,” McGregor told ClearanceJobs, and added that his company hosted a session on security at Arm TechCon a few years ago. “One of the key insights was that people create holes in security whether they intend to or not. The best way to have secure software is to have only one person working on it; then you just have to worry about that person and not all the rest.”
Stewart agreed that IT workers should not have unsupervised access – especially to every computer and/or network. “To play on the Spider-Man thing, with great power comes great accountability,” he added. “If you have access to the greatest secrets, we darn well should hold you accountable for that access.”
Here is where technology could also play a part.
“The best way to prevent this is through constant monitoring of anyone and anything that accesses the network,” suggested McGregor. “While AI is often cited as the biggest threat to electronic security, it also holds the greatest potential to prevent it. The systems themselves need to be more intelligent to threats of all kinds, including threats from those that design and/or maintain them.”
And the rest of the company should also help monitor IT staff. On the surface this may sound like encouraging everyone to report on their colleagues, but this is really just about watching for warning signs that perhaps should be reported.
“The human element is still the weakest point,” explained Stewart. “We need to educate people about the danger signs. We already get educated about phishing scams, but hardly anyone gets this training on the human intelligence that probes into a company. Who knows what to do about it?”