“The known thefts of highly enriched uranium and plutonium, and the known sabotage incidents at nuclear facilities – almost all involved insiders,” said Dr. Matthew Bunn, Professor of Practice at Harvard University’s JFK School of Government, on 16 November 2017 at a seminar hosted by the VCDNP. Dr. Bunn presented the findings of his recent book Insider Threats (co-edited with Scott D. Sagan), which details case studies of security failures caused by insiders, not only in the nuclear sphere but also in other kinds of high-security organizations. It also offers valuable lessons for all such organizations.
Dr. Bunn explained that the book is divided into seven chapters. The five chapters following the introduction assess: jihadi thinking on using insiders to procure nuclear material or sabotage nuclear facilities; the Fort Hood shooting; the 2001 anthrax letters; “green-on-blue” attacks in Afghanistan; and insider security challenges for casinos and pharmaceutical industries. The concluding chapter provides a “worst practices” guide to insider threats.
When referring to the nuclear area, Dr. Bunn emphasized that insider threats are the most dangerous nuclear security problem, for a number of reasons. First, insiders are authorized to go through many layers of the security system. Second, insiders are known and trusted colleagues. And finally, insiders may understand key aspects of facility operations and the facility’s security system. As an example, Dr. Bunn described the 2014 case of an insider causing destruction of a nuclear reactor turbine, resulting in $200 million worth of damage. He also noted that, although there were few jihadist writings on the nuclear insider possibility, the case of a nuclear power plant employee who had passed clearance review, had access to vital areas and eventually left to fight for terrorists in Syria, highlighted the potential threat.
Dr. Bunn also outlined cognitive and organizational biases that drive organizations to downplay the insider threat, which leads to disincentives to report or act on warning signs, even seemingly obvious “red flags”.
Dr. Bunn outlined a number of lessons to be learned from the described cases. The first lesson is the danger of assuming that serious insider problems cannot happen in your organization. He cited the examples of Indira Gandhi’s assassination by her own bodyguards and Edward Snowden’s collecting of highly sensitive files from his employer’s databases. The second lesson is not to assume that background checks will solve the insider problem. Dr. Bunn emphasized that background checks are not perfect; local employees can be coerced or corrupted, and insiders may be radicalized quite quickly after receiving a security clearance. Dr. Bunn pointed out that rapid radicalization is a special problem for thwarting insider threats, which might necessitate continuous behaviour monitoring.
Commenting on another false assumption – that red flags will always be read properly – Dr. Bunn referred to the cases of the anthrax letters (2001) and the Fort Hood shooting (2009). In the former case, reports by Bruce Ivins’ therapists had shown the culprit to be highly dangerous, but had never been reviewed by his employer; Dr. Ivins’ long-standing eccentricity “immunized” the organization to noticing concerning behaviour. In the latter case, although the insider had voiced radical beliefs and emailed a known terrorist, the organization failed to read those warning signs and act accordingly.
Yet another lesson outlined by Dr. Bunn is that organizational culture and disgruntlement do matter. One of the examples used in the book is the case of Chelsea Manning. Manning’s dawning self-identification as transgender in the “don’t ask don’t tell” military made her feel isolated and alone, exacerbating apparent emotional instability. She then reacted violently to being reprimanded for persistent lateness and began downloading classified documents shortly after that incident.
The rest of the lessons, or “don’ts” as outlined by Dr. Bunn, are: don’t assume that insider conspiracies are impossible; don’t rely on single protection measures; don’t forget that insiders may know about security measures and how to work around them; don’t assume that security rules are followed; don’t assume that only consciously malicious insider actions matter; and don’t rely only on prevention and assume mitigation doesn’t matter.
Dr. Bunn put forward various recommendations for organizations to reduce the insider threat. In particular, he emphasized the need for a comprehensive, multi-layered approach, for a high-performance and high-vigilance culture, and for regular assessment – all designed within the context of the laws and culture of a specific country and organization.
The seminar was followed by a question and answer period, during which the audience also voiced their views and concerns. The participants shared the view that insider threats should be dealt with seriously, both at the levels of prevention and mitigation of the consequences. However, they also observed some difficulties in introducing corresponding security arrangements, such as striking a balance between the organization’s interests and staff privacy, working with strong trade unions, and dealing with unusually high-level threats in some situations.