2.3.1 Insider Threat Agents. Insider threat agents can vary greatly in their motivation. Included in this group are disgruntled employees, paid informants, compromised or coerced employees, and former employees. Motivators for this group include malicious intent, monetary gain, and fear of harm or public exposure.
Disgruntled Employees. Disgruntled employees believe that they have been treated unfairly by their employer. This belief may result from employees believing that they are underpaid, not respected by their peers or superiors, or unfairly treated in terms of promotion or advancement. Potentially, the most dangerous disgruntled employee is a system administrator who feels underpaid and has little opportunity for advancement. This individual has full access to the entire range of information within the organization's automated data system and has sufficient knowledge of the computer system to access data anonymously by bypassing audit and access control systems, or to covertly sabotage the system. Such individuals are primary targets for recruitment by foreign intelligence services, competitor intelligence organizations, and information brokers. (19JULY94)
Particularly dangerous is the situation where a system administrator or other systems personnel are terminated or quit under less-than-friendly circumstances. Such personnel can cause considerable damage and may be able to extract or transfer large amounts of data before they depart. Without appropriate safeguards, these individuals can place logic bombs in the system that will not activate until after they have left. The employee can also destroy required back-up documentation, purposely insert erroneous data in the system, or misfile important information. It is essential that employees who fit these characteristics be denied access to supporting computer systems as soon as the organization is notified that the individual is leaving, or before the individual is notified of termination. (CSL1093)
There are numerous cases that demonstrate the potential for harm from disgruntled employees. For example, a computer systems administrator for a large defense contractor in California planted a logic bomb in one of the computer systems used by the corporation in the development of advanced weapons systems. The employee was due to be terminated and had set up the malicious code to activate after his departure. He hoped that the company would hire him back to reconstruct databases after the logic bomb functioned. His attempt was discovered before he left the company, and he later pleaded guilty under a plea bargain arrangement. (WSJAUG92) If the malicious code had functioned as designed, substantial data on the development of military missile systems would have been destroyed, and reprogramming the computer system would have required months. The potential effects on NS/EP telecommunications become obvious if a disgruntled employee of a carrier were to take similar actions.
Telecommunications company employees who support network computer operations are in a position to cause substantial harm to the PSN and NS/EP telecommunications systems. Such personnel would be considered high value targets by foreign intelligence services, terrorists, and criminal organizations. The potential damage that such individuals could inflict requires that the telecommunications companies determine the reliability of personnel employed in key functional areas.
Paid Informants. There is significant evidence of insiders selling information to information brokers, industrial spies, criminal organizations, and intelligence services. Information brokers have paid employees with legitimate access to provide data on unpublished telephone numbers, toll records, credit reports, and other personal data. They have also paid individuals to access U.S. Government systems. (NOSC594) There are a number of examples of activities by paid informants, including the following:
The FBI determined that in a number of cases criminal organizations have gained access to National Crime Information Center (NCIC) records, primarily through the use of compromised employees who had legitimate access to NCIC terminals. Currently, there are more than 97,000 NCIC terminals at 19,000 locations in the United States and Canada. In many of these locations terminal security is lax or nonexistent. Gaining NCIC access has been of particular interest to drug trafficking and terrorist organizations. (19JULY94)
In December 1991, 18 people were indicted for sale of confidential information maintained by the Social Security Administration (SSA); 6 were SSA employees. These employees sold data to private investigators concerning earnings histories, criminal records, addresses, and family relationships. An internal investigation launched by the SSA's Office of Systems Design and Development stated that there was little that could be done to prevent future occurrences due to the legitimate requirement that most employees had for the type of information that was sold. The investigation concluded that information security was dependent upon the trustworthiness of the employees who required access. (GCMJAN92)
Both incidents have a bearing on the NS/EP responsibilities of the United States Government, and they illustrate the vulnerability of key government information systems to insider intrusion. The NCIC is an NS/EP telecommunications system, and the information resident in the system is essential for law enforcement operations. Social Security records play an integral role in the NS/EP mission of the Department of Health and Human Services by providing a substantial database for execution of the department's health and welfare responsibilities in the event of a national emergency. In both cases, personnel accessing the system had legitimate access and relatively little chance of being caught. Numerous NS/EP databases and telecommunications systems could be subject to intrusions by paid informants, resulting in the compromise of sensitive information and telecommunication system attributes. Similarly, the telecommunications companies are subject to this type of attack. Toll records could reveal information concerning relationships between government facilities and other activities, potentially divulging classified or sensitive data.
Compromised or Coerced Employees. Employees with access to sensitive data or computer systems containing sensitive information are high-value targets for compromise or coercion by criminal activities, terrorist organizations, foreign intelligence services, and industrial spies. Employees may be compromised by their past experiences or by family connections. They can be coerced through threats of harm to themselves or their families. Frequently, coercion attempts involve family members in another country who could be adversely affected by the group seeking information. The compromised or coerced employee, like any other insider, is likely to be successful in performing the assigned illegal functions.
Former Employees. Former employees frequently retain the ability to enter the information systems in their former organizations and extract data based on their knowledge of security countermeasures and system vulnerabilities. Former employees may have intimate knowledge of user/password combinations, may retain access to the building, and may have the knowledge required to defeat call-back mechanisms allowing them remote access. Additionally, former employees often maintain personal relationships developed while they were with the organization, providing them a means to obtain information on changes in security procedures, personnel, and organizational structures. Frequently, they keep manuals describing information system functions and lists of dial-in ports. In some cases, former employees have retained keys to an office and have logged into the computer system using the company's own terminals. In effect, the former employee can maintain all system privileges unless information system security managers ensure that effective countermeasures are in place. (CSJFAL92) If former employees can continue to access computer and communication systems, they can steal information or inflict significant damage if they wish. Former employees may be motivated by a desire for revenge, monetary gain, or a combination of factors.
2.3.2 Potential Damage Resulting From Insider Threats. Insider threats can potentially affect both the PSN and NS/EP telecommunications systems. The information passed by these systems is sought by a variety of intelligence, commercial, and criminal interests. Insiders willing to sell desirable information are likely to find a ready market. Insiders also can use their access to computer and communication systems to disable or disrupt communication or information management activities. Either activity could be undertaken by a trusted insider who is cognizant of security countermeasures and is aware of methods to defeat or counter them. This process could also take place during the manufacturing of a computer or network element, or the development of complex software. In either case, the activity is unlikely to be discovered and would have a substantial probability of succeeding. Potential threats from insiders must be considered in analyzing telecommunication system vulnerabilities and the development of threat