Who are you hiring? When the threat lies within….

By Fiona Peacock.

Security-in-depth is a familiar concept.  We think of a system of layers of security measures, designed to prevent unauthorised access.  The Deter, Detect, Delay and Respond model brings to mind the fences and signage; the alarms and CCTV systems, barriers and secure containers; and the security response services.

These security measures are obviously important, but they are to no avail if the person harming your organisation is wearing your company identification card and carrying the keys.

Protecting your organisation from the insider threat begins when you advertise for new staff.  A key phase is clearly the recruitment process, but personnel security doesn’t stop there.  It continues for the duration of an employee’s engagement and maybe even beyond.  It can be conceived as the life cycle of the employer-employee relationship: Advertising, selection process, induction, ongoing staff development, training and supervision, the exit phase and, potentially, a post-employment phase.

Employers have to trust their staff but should have in place a range of strategies to help detect the warning signs in those few cases where the trust is going to be breached.

This article looks at the threat from insiders deliberately or recklessly causing harm to an organisation.  Accidental security breaches – losing a thumb drive containing corporate files, or mistakenly including sensitive information in a company newsletter, are not considered.

Case Studies – What Can Happen When Something Goes Horribly Wrong…

The media has revealed a plethora of cases of trusted employees across Australia and internationally, causing devastating harm to their own organisations – whether though violence, security breaches or property damage.

2002: NSW -Volunteer Firefighter Arsonist – Peter Cameron Burgess

Cameron Burgess was a young, unemployed man who lit his first fire in January 2001 near his home town of Albury.  After watching the admiration and respect for the firefighters of New York after the September 2001 attacks, and the NSW Rural Fire Service after fighting fires in the Blue Mountains in 2001, 20-year-old Burgess began a spree of another 15 fires across NSW, ending only when he was arrested in April 2002.

Burgess had applied to enter the NSW Fire Service but had been rejected due to lack of academic ability. He served as a volunteer bush firefighter with a number of brigades across NSW.  He thought that serving as a volunteer firefighter might help a future attempt at joining the NSW Fire Service, but he was often the person calling in the fires, and first on the scene.

After his arrest by NSW Police Strike Force Tronto, Burgess pleaded guilty to 16 charges of arson and was sentenced to two years’ in jail In 2002, Burgess was just one of at least 17 volunteer bush firefighters charged with arson nationally between 1998 and 2003.

2006: NSW – Stolen Army Rocket Launchers – Captain Shane Della-Vedova

In December 2006, media reports began emerging that “rogue elements in the Australian military” had stolen nine armour-piercing anti-tank weapons, and that the weapons had fallen into the hands of Sydney’s underworld with terrorist links.

In January 2007, the media reported that Abdul Rahman had apparently sold seven of the rocket launchers (for $5,000 each) to Adnan Darwiche, a Sydney drug dealer who wanted the weapons for his drug gang war.  Police investigating those drug wars bought one of the rocket launchers from Darwiche for $50,000 in September 2006, uncovering the possible theft of military weapons.

Darwiche allegedly on-sold five of the launchers to a terrorist group – some Sydney men who had since been arrested over a plot to blow up the Sydney Harbour Bridge, and the Lucas Heights nuclear reactor – investigated under Operation PENDENNIS.

It was April 2007 when the police finally announced the arrest of serving Army Captain, Shane Della-Vedova, and former Defence member, Dean Taylor.

Della-Vedova was a former Army Warrant Officer munitions expert with 28 years in the military. He was convicted of stealing ten rocket launchers between 2001 and 2003 and selling them to Sydney’s criminal underworld.  Dean Taylor was Della-Vedova’s brother-in-law. Taylor, who served 15 years in the Army as a fireman, also posted to Holsworthy before being medically discharged.   Taylor had offered to supply rocket launchers and other military weapons to a man he was visiting in prison.

In April 2007, Della-Vedova gave his version of events to the court. He claimed that as a normal day on duty disposing of out-of-date munitions, he had driven a load of M-72 rocket launchers 300 km from the munitions bunker at Holsworthy Army Barracks to the School of Infantry in the Hunter Valley. On his return to Holsworthy, he found that he had mistakenly left 10 of the launchers in his Army vehicle.  In his “I forgot” confession, Della-Vedova told police he panicked and hid them in his Holsworthy office, painting over the serial numbers with black paint. He then hid them in the garage of his family home in a nearby suburb. They apparently stayed there while Della-Vedova was on deployment to Iraq.   Della-Vedova told police that after removing the weapons “accidentally”, he later sold them for “a pittance” to a man who wanted them
as trophies.

And the stolen rocket launchers ? One has been recovered and the other seven are believed to be still buried in PVC pipes somewhere in bushland, despite police attempts to locate them.

Despite Della-Vedova’s version of events, this appears to be a case of military weapons being stolen to supply to the criminal underworld.  What were the systems in place to account for such weapons, and have these systems  improved to prevent another such incident occurring ? How can a serving Defence member be associating with criminals – visiting them in prison – and not come to notice?

2009: Victoria – Anti-Terrorism Investigation – Victoria Police Detective Charged With Media Leak

Operation NEATH was the joint agency investigation into the plot by Islamic extremists to attack Holsworthy Army Barracks near Sydney. The details of police raids in August 2009 were allegedly leaked to a journalist of The Australian and were published hours before the raids were conducted, potentially endangering the success of the raids and the safety of the officers involved.  A Victoria police officer, Simon Artz, was charged in November 2011 with a number of offences relating to unauthorised disclosures.

2009: USA – Mass Shooting At Fort Hood, Texas – US Army Psychiatrist Charged With Murder

In November 2009, a US Army psychiatrist walked into a building at Fort Hood, Texas, and committed fratricide, shooting dead thirteen and wounding thirty more.  Media soon carried stories that Major Malik Nadal Hasan, a US-born Muslim, had been calling for Muslims to rise up and attack Americans, and had been in angry disputes with other officers about his views. Other articles suggest that he had been trying to resign from the Army, and was dreading being posted to serve in the Middle East. Some media articles suggest that the shootings were triggered by senior officers refusing Hasan’s requests to prosecute some of his patients for war crimes, based on statements they made during psychiatric sessions with him.

Two years on, survivors and relatives of those murdered have filed for damages against the US Army, saying that the Army knew of Hasan’s radical beliefs and should have prevented the incident. Sergeant Munley, a claimant, and one of the police officers who helped bring down Hasan, stated, “I brought this claim because I strongly believe this tragedy was totally preventable and that the Army swept under the rug what they knew about Hasan.” The 83 claimants are seeking $750 million in compensation from the Army  Hasan faces the death penalty if convicted at the court martial scheduled for March 2012.

2010: USA – The Largest Leak Of US Classified Documents – Private Bradley Manning And Wikileaks

Intelligence analyst Bradley Manning is alleged to have leaked US government cables to the whistle-blowing website Wikileaks, resulting in the biggest leak of classified information in US history.  The classified documents included more than 250,000 classified US diplomatic cables.  A cache of nearly 400,000 documents relating to the war in Iraq, known as “war logs”, were also leaked to the anti-secrecy site, including a video of a 2007 helicopter attack in Iraq in which journalists and civilians died.

Private Bradley Manning joined the US Army in 2007, a talented ‘geek’ who had been drifting through low-paid jobs. In October 2007, he was sent to Iraq as an intelligence analyst – low ranking, but with access to phenomenal amounts of highly classified data.

In July 2010, Pte Manning was charged with several offences relating to stealing secret information.  In March 2011, the US Army charged Manning with 22 additional counts relating to the unauthorised possession and distribution of more than 720,000 secret diplomatic and military documents.  On 12 January 2012, an investigating officer recommended Pte Manning face a military court martial.

2011: NSW – Quakers Hill Nursing Home Fire – Nurse Charged With Murder

In November 2011, Australians shared their grief over the death of at least eleven elderly nursing home patients in a fire at a residential facility.  Horror turned to disbelief when police announced they had charged a 35-year old male nurse from the nursing home. Roger Dean allegedly started the blaze in the early hours and then presented himself for media interviews as a hero who had helped evacuate some patients from the fatal fire.

Dean had apparently been interviewed by police on another matter, at his home on Thursday evening, just hours before the fire began early on Friday morning. He had been working at the Quakers Hill Nursing Home for two months, following a dispute with a previous employer.

The Advertising And Recruitment Processes

There’s no magic solution – no questionnaire, psychometric test or interview proforma – that will enable employers to detect all potential offenders at the selection process.

Employment screening merely provides a snapshot of what the person is like at that point in time. People change across time, as a result of life experiences and sometimes as a result of their work-related experiences.

If an employer is considering imposing character or background checks on new employees (such as checks of credit references, or mandatory drug testing), these requirements should be mentioned in advertising of vacancies.  To do so, gives a clear forewarning to potential candidates – some of whom may opt out of the recruitment process as a result.  It also enhances the professional reputation of the organisation, making a clear statement of the standards of character required of their staff.

There are guides on good practice that can assist an organisation in making their selection processes as robust as possible – such as the Australian Standards on employment screening.

If a public servant is required to have ongoing access to resources classified at PROTECTED, or above, then the department will need to seek a formal security clearance for that individual.  Similarly, if someone employed in the private sector is contracted for government work involving such classified information, they will also require a security clearance.  The majority of Australian Government clearances are now processed through the Australian Government Security Vetting Agency (AGSVA) currently administered through the Department Of Defence.

The Ongoing Management And Supervision Of Staff – Aftercare

It is a good organisational security culture when supervisors actually know their staff and take an appropriate level of interest in them.  This means that you can know when something’s not right – when someone is behaving out of character, when their standards are slipping, or maybe when they seem to be espousing new or radical views.  It is only by knowing what is normal that you can detect was is abnormal.  Similarly, it is a sign of a healthy workplace when colleagues know each other and show an appropriate level of interest.

[Many have heard the story of an American office-worker who supposedly died seated at his desk and it was several days before anyone noticed. Is that a team you would want to belong to?]

The language used in government personnel security policy refers to “any changes in circumstances” or “concerns about the continued suitability” of a worker to access classified or sensitive information.

There is obviously a balance between caring about a colleague’s welfare, and invading their privacy, but it is a balance that most mature adults can find when the culture supports it.  That culture should seek not only to promote good security awareness, but also workplace health and safety.  Security concerns and duty-of-care often share common ground, such as if there are signs of mental illness, drug or alcohol issues, or a gambling addiction.

In the same way that reporting of, not just incidents but also near misses, can identify a safety hazard in the workplace, so can potential personnel security vulnerabilities be identified. Apart from a healthy range of social behaviours and security awareness, an organisation needs sound policies and procedures for the reporting and analysis of any issues of potential security concern.

Once your staff are aware of something being not quite right with a colleague, the systems must be in place so that they can report their concerns with confidence that the privacy of the individual will be balanced with the security requirements of the organisation, and that concerns are handled with suitable confidentiality so as to protect the source, if necessary.

However, it does not stop there.  A filing cabinet full of reported security concerns is of no value unless someone suitably qualified is analysing those reports for specific security threats and for systemic vulnerabilities – and then acting upon those issues.

Underpinning such policies and processes must be a combination of security induction training and then ongoing security awareness programmes. It is important that all staff receive security training during their induction phase so that they immediately know what is required of them. Annual refresher training is then generally considered to be a suitable interval to retain a level of awareness.

This may take a variety of forms, depending on the nature of the organisation.  At its most formal, it may be a mandatory requirement to attend a formal briefing or complete an online training package. Or it may involve more creative security awareness activities tailored to the nature of the organisation.  Discussing case studies of other organisations’ security incidents can be a useful way of reviewing whether the same could occur in your own workplace.

Security issues should also feature in staff exit processes.  If an employee has held a security clearance, there are specific requirements, including notifying the Australian Government Security Vetting Agency of the change in employment status.  Exit interviews also present an excellent opportunity for an organisation to gain some candid feedback on a variety of issues, including any weaknesses in security practices.  Any specific issues raised, or insights from departing staff, should be evaluated.

The Final Phase Of The Employer – Employee Relationship – Beyond Aftercare

Some American government agencies are particularly adept at keeping former employees within their networks.  This form of extended aftercare is not just for the social pleasures. Whether staff have retired or simply moved on, maintaining those social networks serves to keep those staff within the watchful gaze of the organisation’s network.  This occasional contact with the organisation and other former colleagues can have numerous benefits to an organisation.  That invitation to a Christmas barbeque may help prevent a former employee from turning bad and divulging sensitive corporate information (especially if they left as a result of a grievance).  It may provide an opportunity to detect and intervene when someone is showing signs of stress – raising those interrelated issues of security and duty-of-care (particularly if they resigned due to work-related stress).  Former staff can also be a valuable talent pool when an organisation is recruiting.  Recycling a good former employee saves on training and induction, and can deliver someone with years of corporate knowledge, improved upon by their intervening experience elsewhere.

A Risk Management Approach

Good personnel security involves applied risk management. There are some basic principles of risk management to consider:

The likelihood of a threat being realised is a function of the threat source’s intent and capability, combined with the vulnerability of the assets.

How does this apply to personnel security and the trusted insider?  It means that the risk of deliberate harm from a trusted insider results from a combination of the individual having both the intent (the desire) to do harm and the capability (the skills, knowledge, tools).  They can only act on their intent if there is a vulnerability – an opportunity arising from flawed security practices.

Risk management is not a perfect process. When it comes to interpreting or predicting human behaviour, the best we can hope for is an educated guess. Suffice to say, the more educated you are (the more information you have), the better your guess.

Faced with a potential insider threat, the security manager faces a number of options – which each carry their own risks:

One possibility is that your information might lead to a false positive (reacting to a perceived security threat, but it turns out that the concern is unfounded). Alternatively, you might run the risk of a false negative (you don’t act on the information available, and a serious incident occurs as a result).

There is even the chance that you might get it right – correctly identifying and acting on the concern, or correctly assessing and dismissing the concern.

In examining the available information, factors to consider include the impact on the subject of the allegation, the potential security harm to the organisation and its stakeholders, legal implications and the potential impact on reputation, either way.

The level of risk is determined as a function of the assessed likelihood of the event occurring, and the anticipated consequence if it does occur.

Fiona Peacock has a Masters degree in Investigative Psychology from theUniversity of Surrey UK, a B.Sc Honours degree in Psychology and a B.A in Criminology from the University of Melbourne.  She has worked in law enforcement, intelligence and security roles in Australia and the UK for more than 20 years. She holds a CPP (Board Certified in Security Management) from ASIS International and a Diploma in Security & Risk Management.  Fiona’s interest is intelligence-led security, applying risk management principles.