It’s September, which means its National Insider Threat Awareness Month again. There are constantly examples of insider threat scenarios in the news, but I came across this interesting Department of Justice release recently where two U.S. Navy Sailors were arrested for transmitting military information to the People’s Republic of China. It’s a real-life story of espionage and shows a timeline of a young man who apparently didn’t join the Navy to become a spy and how he was persuaded to risk everything to use his privileged access and clearance to betray his sworn allegiances.
While there is lots to be said about how technology can play a role in detecting an insider threat earlier or leveraged to assist in this investigation, this article for me particularly brings to mind the idea of how organizational controls can help improve insider threat awareness where technology can’t reach.
FIT Insider Risk Solutions
Why was this young soldier vulnerable?
I’m an insider threat professional today, but I’m also a retired Navy Chief, so I was interested in learning more. I read this story and try to imagine what was going on in his life at the moment he was approached that made him susceptible to betraying his fellow Sailors. Was he just a junior Sailor who possibly didn’t fit in once the realities of what life on board a ship hit him? Adjusting to life on a ship is hard. Was this young man isolated and vulnerable with a new binder of watchstation qualification cards with few friends or connections on a ship? Was he assigned a “Sea Dad”? Did a reprimand go too far or some other event happen to him to increase his risk profile to his fellow Sailors?
According to the DOJ release, he passed the information on to an individual posing as a maritime economic researcher- did he originally buy the line and start out thinking he was committing a lesser crime of just helping someone with an investment and get in too deep? I was a nuclear-trained reactor operator and the shipboard environment was not always conducive to admitting mistakes. This is a leadership issue.
We may never know what was going through his head or on in his life that made him vulnerable to being a target of espionage. I would hypothesize if a Sailor was made to really feel like he was part of a team and connected of the mission that the choice to betray the country to serve and jeopardize the lives of the Sailors you serve daily with would have been much harder. Maybe if his chain of command had recognized vulnerabilities surrounding this Sailor their actions could have changed the outcome here.
What can leaders do to get ahead of insider risk?
If we go back in time, there were more than likely some signals that something was amiss that those around him did not recognize. Managers can be empowered to play an important role in recognizing these signs and mitigating vulnerabilities before a situation like this rises to such dire consequences. Here are 3 ideas for leaders to become better sensors for their organization:
1. One and done trainings are not enough.
The Sailor in this story had been trained and onboarded to obtain a security clearance, then according to the indictment he later attended a training at one point to warn him about the dangers of being socially engineered and manipulated to betray his country. Putting a label on something doesn’t mean it is being handled correctly and we have especially seen lots of stories this past years of high-level officials ignoring security protocols and classification labels. Young sailors work in a target rich environment, surrounded by materials and information with labels on everything around them suggesting some degree of classified controls or clearance required. One and done counterintelligence awareness trainings delivered on the Mess Decks by the local NCIS agent are obviously failing to thwart proper handling to the seriousness of protecting sensitive documents. In fact, it has been proven that mandatory training and awareness campaigns generally fall flat. Fear-mongering is also unhelpful and counterproductive, not to mention unempowering. Instead we must model good behavior daily to expect it from others, treating training as a process, not an event. When leaders, security, and IT teams model good behavior, others often do the same
2. Positive incentives over punishment can help.
In the Carnegie Mellon University Whitepaper: Common Sense Guide for Mitigating Insider Threats they talk about positive incentives, suggesting that organizations should entice workforce behaviors rather than coerce it by leveraging positive-incentive-based organizational practices centered on increasing job engagement, perceived organizational support, and connectedness at work. In a scenario where an employee made a mistake and did something wrong it could change the outcome if they felt supported enough to come forward verse falling further victim. Before these sailors were in too deep if there was a reward for coming forward verse only feeling there would be consequences it could change the outcome.
3. Leaders must be empowered as front line sensors.
Especially in an environment where the stakes are high and young employees have access to such consequential date, strong leadership is extremely important. It begins at morning quarters in the work center. Leaders must be trained to be aware of factors that put employees at risk for becoming an insider threat. Things like recognizing isolation and recognizing the signs of vulnerabilities are important. Nurturing and mentoring junior Sailors can go a long way to making them feel part of the team or part of the mission.
Insider Threat Awareness Month should be a time to think about how to ensure insider threat programs holistically. While technology is important, we must equally educate our leaders that they are at the front line and they can be both better sensors and help to change the outcomes.
Bonus—Here's a timeline of the recent U.S. Navy insider threat incident: