How governments and companies can prevent the next insider attack

By Matthew Bunn and Scott D. Sagan

Published 22 February 2017

In our high-tech society, the insider threat is ever-present. High-security organizations, governments and companies alike need to take action to counter the organizational and cognitive biases that often blind us to the insider danger – or future blunders will condemn us to more disasters.

Now that they are in office, President Donald Trump and his team must protect the nation from many threats – including from insiders. Insider threats could take many forms, such as the next Edward Snowden, who leaked hundreds of thousands of secret documents to the press, or the next Nidal Hasan, the Fort Hood mass killer.

Indeed, in today’s high-tech and hyperconnected world, threats from insiders go far beyond leakers and lone-wolf shooters. A single insider might be able to help adversaries steal nuclear material that terrorists could use to make a crude nuclear bomb, install malware that could compromise millions of accounts or sabotage a toxic chemical facility to cause thousands of deaths. How can we better protect against the enemy within, no matter what it is that needs to be protected?

President Obama became so alarmed at the government’s weak protections against insiders that he created a “National Insider Threat Policy.” It required each federal agency to put in place a set of basic safeguards against internal betrayals, such as software to detect mass downloading of secret documents and systems to encourage reporting of worrying behavior.

But President Trump will find there is a great deal still to be done. This is in part because the insider problem is so challenging. Insiders are known and trusted by other employees (and have to be, if the organization is to function well); they may have detailed knowledge of the security system and its weaknesses; and they can take months or even years to plan their activities.

We co-organized a research project to investigate this challenge and suggest potential solutions, which led to our new book, “Insider Threats.” The book was prepared as part of the Global Nuclear Futures initiative at the American Academy of Arts and Sciences. The volume analyzes a range of situations as diverse as Afghan Army soldiers attacking their U.S. trainers and the anthrax attacks in the United States in 2001 – which were probably perpetrated by Bruce Ivins, a disturbed scientist from the U.S. Army’s biological defense lab. The cases reveal a series of hard-learned lessons that can help organizations protect against threats from insiders.

“Not in my organization”

First, a remarkable number of people wrongly assume their workplace couldn’t possibly be threatened by insiders. That is a bias we dub “NIMO,” for “not in my organization.” That overconfidence can have fatal consequences.