A problem that is not readily discussed within the cybersecurity world is the threat of malicious insiders to company or agency networks. Most insider threats are of the “accidental” variety due to human error, poor policies, or installing corrupted software. The malicious insider, often motivated by money and/or revenge, operates in the shadows and in many cases, has valid and elevated privileges and credentials. Often undetected until it is too late, the damage ranges anywhere from file corruption to intellectual property compromise to personal data theft. Failure to recognize the signs normally attributed to a malicious insider or not revoking credentials when an employee or contractor leaves are two big reasons malicious insiders are successful.
A Network Engineer with Too Much Access
Ankur Agarwal was a contract network engineer who had elevated credentials to several telecommunication companies. In 2017, the contract ended with the companies, but Agarwal’s credentials remained active on at least two different networks. Not only did he use the gift of access to the network and business to monitor it, he installed key-logging software to harvest passwords and usernames of employees. From that point on, Agarwal stole sensitive R&D information on both companies, and physically, through fraudulent means, gained access to company premises. After a year of investigation that pointed towards Agarwal, he was finally taken into custody. Agarwal maintains he did not profit from the data taken (perhaps a retirement umbrella for him to use later?). He was brought to indictment in the United States District Court for the District of New Jersey. As court records indicate “Agarwal waived indictment and pleaded guilty to one count of aggravated identity theft, in violation of 18 U.S.C. § 1028A(a)(1), and two counts under the CFAA (Computer Fraud and Abuse Act) for intentionally accessing a protected computer without authorization and obtaining information valued at more than $5,000, in violation of 18 U.S.C. §§ 1030(a)(2) and 1030(c)(2)(B)(iii)”.
Tallying Up the Damage Cost is Complicated
According to the prosecution and sentencing input, the damage caused by Agarwal, specifically the subsequent investigation and securing the networks, to include employee time, was in excess of $3 million dollars. As a matter of law, in excess of $1.5 million dollars in losses increases the sentencing range provided by the guidelines. Agarwal disputed the amount at sentencing and placed the actual costs at $500,000, arguing employee’s time should not be included in the cost. Because of the dollar loss accepted by the court, Agarwal was sentenced to 94 months in prison, less than the maximum for the charges, but apparently more than what Agarwal anticipated. He asked, based on information the court used to determine his sentence that his guilty plea be set aside by the United States Court of Appeals for the Third Circuit. In February of this year, the Third Circuit denied his appeal and upheld his sentence, noting that he understood the risk involved on the dollar loss subject.
Need Cyber Experts at Court
I read many cybersecurity statistical reports and have always been intrigued by the dollar loss estimates. Calculating Indirect and Induced Loss can be quite complicated and often relies on estimates from industry professionals and financial analysts. Cases like Agarwal emphasize the need for expert consultation before arguing sentencing in a criminal proceeding.