Posted 26/08/2016 by Nigel Brew
In the wake of the 2016 Census, there has been much discussion about maintaining data integrity and the ability of computer systems to withstand cyber attack or targeted disruption. However, one of the biggest threats to the security of an organisation’s data is typically far less technically sophisticated—but no less damaging. It is one which over half of all respondents in a recent government survey identified as the cyber threat of most concern, and one which generally speaking, the Attorney-General has described as ‘the most likely source of a breach’ capable of causing ‘enormous damage’. It is also one to which the Australian Bureau of Statistics (ABS) has not been immune.
It is the threat of the ‘trusted insider’—defined as the unauthorised accessing, use or disclosure of privileged information by an individual (typically an employee) with legitimate access. In 2015, the Australian Cyber Security Centre conducted its first Cyber Security Survey, involving 149 ‘major Australian businesses’ (a separate unpublished survey was undertaken with government agencies). This followed on from similar surveys conducted in 2012 and 2013 by CERT Australia. Defence industry, energy, and banking/finance organisations were the most represented amongst the respondents, 67% of which employed 200 or more staff.
Although unauthorised access to information by an insider was the least prevalent type of incident revealed by the survey (14% of reported incidents), it was rated by 56% of respondents as the cyber threat of most concern (up from 51% in 2013). Trusted insiders were also rated by 60% of respondents (the largest proportion) as the cyber actor of most concern, up from 52% in 2013. Perhaps this heightened fear of trusted insiders stems from the humiliation of being betrayed by ‘one of our own’ and the potential damage to an organisation’s reputation. As the Attorney-General, George Brandis, noted at the 2014 Security in Government conference (the theme of which was ‘mitigating the trusted insider threat’):
…business must work to gain or sustain a competitive advantage over its rivals. In this environment we must remain vigilant to the threat of a trusted insider who with the click of a mouse can steal that hard won competitive advantage instantly.
Or perhaps it is the sheer volume of stored information that is vulnerable to misuse that worries businesses:
Enough classified material to fill a heavy suitcase can now be stored on a microchip no larger than my thumbnail.
…
The trusted insider can access—on an unprecedented scale today—massive amounts of sensitive information through our networked computers and copy and transfer it with ease.
The motivations of a malicious trusted insider vary, as the Deputy Director-General of the Australian Security Intelligence Organisation (ASIO) explained at the same conference:
…when we talk about malicious insiders we are talking about individuals who, with a range of motivations, betray the trust of their employer. Research has shown that motivations for such betrayal vary widely. But they are fundamentally personal—such as disgruntlement, revenge, ego, a sense of the misguided greater good or loyalties, or financial gain.
In the classified national security environment, Edward Snowden and Chelsea Manning are often cited as examples of ‘self-motivated’ malicious insiders with a personal agenda. This contrasts with ‘recruited’ insiders who are co-opted by a third party, such as organised crime groups or foreign intelligence services. In noting that ‘malicious insiders can inflict incalculable damage’, the US National Counterintelligence and Security Center observes that ‘over the past century, the most damaging U.S. counterintelligence failures were perpetrated by a trusted insider with ulterior motives’. Indeed, the Deputy Director-General of ASIO highlighted how ASIO itself has ‘disrupted and prevented self-motivated insiders posting classified material on the internet, removing significant quantities of classified material for their own personal gain and disclosing classified information to third parties and foreign governments in support of their personal agendas’.
Financial gain is also a strong motivator, as the ABS found out in 2014. In its efforts recently to emphasise that the Census and its data were not compromised, the ABS stated:
The ABS has an unblemished record of protection of data and there has never been a breach in relation to Census data.
However, in what the Australian Securities & Investments Commission (ASIC) has described as Australia’s largest-ever insider trading case, in 2014–15 an ABS officer working at the Bureau’s Canberra headquarters was convicted of offences relating to the unauthorised disclosure of sensitive statistical information. Over a period of nine months, the ABS officer provided an acquaintance in the banking industry with unpublished marketĀ-sensitive economic data which netted approximately $7 million in illegal foreign exchange trades. Of course, the ABS is far from being alone in confronting such challenges, and indeed, ASIC notes that ‘the arrest and conviction of an ABS officer for an unauthorised disclosure of statistics is unprecedented in the ABS’s 110 year history’. While this is certainly a record of which to be proud, it also suggests that no one is immune.
So how does an organisation protect against the trusted insider threat? Specific measures involve aspects of both personnel and information management too detailed to outline here, but according to the Attorney-General:
…the starting point is to foster a culture of security within each organisation, whether public or private sector. A strong culture of security is fundamental for the success of all other security measures. In a strong security culture, employees display an intuitive awareness of risk and security in a way that attracts the respect of colleagues, the admiration of regulators and the on-going trust of customers.
…
A trusted insider can only be thwarted by a robust security culture shared by, and observed by every member of the organisation and by an ongoing assessment of the suitability of personnel to work within the organisation...
To help businesses and government agencies address the challenges posed by the trusted insider threat, the Australian Government has produced a handbook, Managing the Insider Threat to your Business, which the Attorney-General says ‘provides practical advice on the risks and factors leading to a trusted insider going rogue’.