[Table fragment; only a row of country names survives: Brazil, Ireland, Sweden, Bulgaria, Canada, Israel, Italy, Switzerland, United Kingdom, Japan. Source: BA&H analysis of open source literature.]

There have been few indications that the computer underground carries an overt political agenda. Although computer underground members are not entirely apolitical, their activities are seldom guided solely by political motivations. Computer underground members have developed social philosophies, however, which they use to justify their electronic intrusions. One example of a philosophical position held by computer underground members revolves around the concept of "freedom of information." Electronic intruders generally argue that information is not "property" and cannot be "owned" by individuals or organizations.

Over the past decade, networks in many countries have been the target of intrusions by computer criminals. Because the world's telecommunication networks reach beyond national boundaries, electronic intruders regularly attempt to penetrate systems outside their own countries. Most electronic intruders view cyberspace as a universe free from political boundaries. The international nature of the computer underground means that members of this community generally have little regard for the physical locations of targeted network elements and computers.

2.3 Insiders

Insiders are legitimate users of a computer system who use their system knowledge to circumvent computer security protective measures. In a recent survey, security managers were asked to select their top three security concerns. More than 24 percent of those asked stated that the primary threat affecting their systems was insiders, especially disgruntled employees. However, 94 percent placed disgruntled employees within their top three threats. (DATA1093) Unlike members of the computer underground, insiders have no need to bypass dial-in security or compromise password protection systems due to their legitimate access. They simply have to exceed their authorized access privileges or act in an unauthorized manner.

Insiders are likely to have specific goals and objectives in attacking an information system, and they are able to determine the best method to attain their objective based on system knowledge. Insider attacks can affect all systems, and they can do so with limited risk based on their knowledge of the system, organizational security practices, and plausible access requirements.

Insider activities can range from browsing confidential files, to planting malicious code, to fraud. Browsing activities can disclose confidential personal information, such as medical records, corporate proprietary information, or sensitive government data. Insiders can also plant malicious code to gain attention, steal money, or obtain revenge for a real or imagined slight. Insiders can affect system availability by overloading the system's processing or storage capacity, or by causing the system to crash. Additionally, the potential exists for substantial fraud, including the diversion of money or property and the theft of valuable data, computer time, or telecommunications access. (NIST1092)

2.3.1 Insider Threat Agents. Insider threat agents can vary greatly in their motivation. Included in this group are disgruntled employees, paid informants, compromised or coerced employees, and former employees. Motivators for this group include malicious intent, monetary gain, and fear of harm or public exposure.

Disgruntled Employees. Disgruntled employees believe that they have been treated unfairly by their employer. This belief may result from employees believing that they are underpaid, not respected by their peers or superiors, or unfairly treated in terms of promotion or advancement. Potentially, the most dangerous disgruntled employee is a system administrator who feels underpaid and has little opportunity for advancement. This individual has full access to the entire range of information within the organization's automated data system, has sufficient knowledge of the computer system to access data anonymously while bypassing audit and access control systems, and can covertly sabotage the system. Such individuals are primary targets for recruitment by foreign intelligence services, competitor intelligence organizations, and information brokers. (19JULY94)

Particularly dangerous is the situation where a system administrator or other systems personnel are terminated or quit under less-than-friendly circumstances. Such personnel can cause considerable damage and may be able to extract or transfer large amounts of data before they depart. Without appropriate safeguards these individuals can place logic bombs in the system that will not activate until after they have left. The employee can also destroy required back-up documentation, purposely insert erroneous data in the system, or misfile important information. It is essential that such employees be denied access to supporting computer systems on notification that the individual is leaving, or before notification of termination. (CSL1093)

There are numerous cases that demonstrate the potential for harm from disgruntled employees. For example, a computer systems administrator for a large defense contractor in California planted a logic bomb in one of the computer systems used by the corporation in the development of advanced weapons systems. The employee was due to be terminated and had set up the malicious code to activate after his departure. He hoped that the company would hire him back to reconstruct databases after the logic bomb functioned. His attempt was discovered before he left the company, and he later pleaded guilty under a plea bargain arrangement. (WSJAUG92) If the malicious code had functioned as designed, substantial data on the development of military missile systems would have been destroyed, and months would have been required to reprogram the computer system. The potential effects on NS/EP telecommunications become obvious if a disgruntled employee of a carrier takes similar actions.

Telecommunications company employees who support network computer operations are in a position to cause substantial harm to the PSN and NS/EP telecommunications systems. Such personnel would be considered high value targets by foreign intelligence services, terrorists, and criminal organizations. The potential damage that such individuals could inflict requires that the telecommunications companies determine the reliability of personnel employed in key functional areas.

Paid Informants. There is significant evidence of insiders selling information to information brokers, industrial spies, criminal organizations, and intelligence services. Information brokers have paid employees with legitimate access to provide data on unpublished telephone numbers, toll records, credit reports, and other personal data. They have also paid individuals to access U.S. Government systems. (NOSC594) There are a number of examples of activities by paid informants, including the following:

The FBI determined that in a number of cases criminal organizations have gained access to National Crime Information Center (NCIC) records, primarily through the use of compromised employees who had legitimate access to NCIC terminals. Currently, there are more than 97,000 NCIC terminals at 19,000 locations in the United States and Canada. In many of these locations terminal security is lax or nonexistent. Gaining NCIC access has been of particular interest to drug trafficking and terrorist organizations. (19JULY94)

In December 1991, 18 people were indicted for sale of confidential information maintained by the Social Security Administration (SSA); 6 were SSA employees. These employees sold data to private investigators concerning earnings histories, criminal records, addresses, and family relationships. An internal investigation launched by the SSA's Office of Systems Design and Development stated that there was little that could be done to prevent future occurrences due to the legitimate requirement that most employees had for the type of information that was sold. The investigation concluded that information security was dependent upon the trustworthiness of the employees who required access. (GCMJAN92)

Both incidents have a bearing on the NS/EP responsibilities of the United States Government, and they illustrate the vulnerability of key government information systems to insider intrusion. The NCIC is an NS/EP telecommunications system, and the information resident in the system is essential for law enforcement operations. Social Security records play an integral role in the NS/EP mission of the Department of Health and Human Services by providing a substantial database for execution of the department's health and welfare responsibilities in the event of a national emergency. In both cases, personnel accessing the system had legitimate access and relatively little chance of being caught. Numerous NS/EP databases and telecommunications systems could be subject to intrusions by paid informants, resulting in the compromise of sensitive information and telecommunication system attributes. Similarly, the telecommunications companies are subject to this type of attack. Toll records could reveal information concerning relationships between government facilities and other activities, potentially divulging classified or sensitive data.
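The SSA investigation concluded that access control alone could not prevent these sales, because the employees legitimately required the records they sold, and in both incidents the insiders had little chance of being caught. What remains available to a defender in that situation is audit review of how legitimate access is exercised. The following example is added here and is not part of the report; it reviews constructed record-lookup audit lines (the line format, user names and thresholds are assumptions for the example) and flags users whose lookup volume is far above their peers' median or who query records outside business hours, the two signals an employee pulling records for an outside buyer is most likely to leave.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import Dict, List

# Assumed audit line format (constructed for this example):
#   1991-12-03T10:15:00 user=aclerk action=lookup record=R0001 terminal=T01
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=lookup record=(?P<record>\S+) terminal=(?P<term>\S+)$"
)


def sample_log() -> List[str]:
    """Constructed audit lines: three clerks with a normal daytime workload and
    one clerk pulling many unrelated records, several of them after hours."""
    lines = []
    for user, n in (("aclerk", 6), ("bclerk", 5), ("cclerk", 7)):
        for i in range(n):
            lines.append(f"1991-12-03T{9 + i % 8:02d}:15:00 user={user} "
                         f"action=lookup record=R{i:04d} terminal=T01")
    for i in range(40):
        hour = 8 + i % 14  # 08:00 through 21:00
        lines.append(f"1991-12-03T{hour:02d}:30:00 user=dclerk "
                     f"action=lookup record=R{1000 + i:04d} terminal=T09")
    lines.append("garbled entry that does not match the expected format")
    return lines


def review_lookups(lines: List[str], ratio: float = 3.0,
                   business_hours=(8, 18), min_off_hours: int = 1) -> Dict[str, dict]:
    """Return findings for users whose lookup count exceeds ratio times the
    peer median, or who performed at least min_off_hours lookups outside
    business_hours. Lines that do not parse are skipped."""
    counts = defaultdict(int)
    off_hours = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        user = m["user"]
        hour = datetime.fromisoformat(m["ts"]).hour
        counts[user] += 1
        if not (business_hours[0] <= hour < business_hours[1]):
            off_hours[user] += 1

    findings: Dict[str, dict] = {}
    if not counts:
        return findings
    baseline = median(counts.values())  # peer baseline across all users seen
    for user, n in counts.items():
        reasons = []
        if n > ratio * baseline:
            reasons.append(f"{n} lookups against a peer median of {baseline:g}")
        if off_hours[user] >= min_off_hours:
            reasons.append(f"{off_hours[user]} lookups outside "
                           f"{business_hours[0]:02d}:00-{business_hours[1]:02d}:00")
        if reasons:
            findings[user] = {"lookups": n, "off_hours": off_hours[user], "reasons": reasons}
    return findings


if __name__ == "__main__":
    for user, f in review_lookups(sample_log()).items():
        print(user, "; ".join(f["reasons"]))
```

The peer-median baseline is deliberately coarse: it needs no per-user history, so it can be run over a single day's terminal audit trail, and it does not depend on any access rule the employee is entitled to satisfy. A finding is a prompt for supervisory review, not proof of misconduct, since a legitimate surge in caseload produces the same signal.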

Compromised or Coerced Employees. Employees with access to sensitive data or computer systems containing sensitive information are high-value targets for compromise or coercion by criminal organizations, terrorist organizations, foreign intelligence services, and industrial spies. Employees may be compromised by their past experiences or by family connections. They can be coerced through threats of harm to themselves or their families. Frequently, coercion attempts involve family members in another country who could be adversely affected by the group seeking information. The compromised or coerced employee, like any other insider, is likely to be successful in performing the assigned illegal functions.

Former Employees. Former employees frequently retain the ability to enter the information systems in their former organizations and extract data based on their knowledge of security countermeasures and system vulnerabilities. Former employees may have intimate knowledge of user/password combinations, may retain access to the building, and may have the knowledge required to defeat call-back mechanisms allowing them remote access. Additionally, former employees often maintain personal relationships developed while they were with the organization, providing them a means to obtain information on changes in security procedures, personnel, and organizational structures. Frequently, they keep manuals describing information system functions and lists of dial-in ports. In some cases, former employees have retained keys to an office and have logged into the computer system using the company's own terminals. In effect, the former employee can maintain all system privileges unless information system security managers ensure that effective countermeasures are in place. (CSJFAL92) If former employees can continue to access computer and communication systems, they can steal information or inflict significant damage if they wish. Former employees may be motivated by a desire for revenge, monetary gain, or a combination of factors.
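The countermeasure the report calls for, both for personnel under notice of termination and for former employees who retain accounts, passwords and dial-in knowledge, is a routine reconciliation of the HR roster against the account inventory. The example below is added here and is not the report's own procedure; the roster, account names, systems and dates are constructed. It produces the actions a security manager would act on: disable accounts of departed people and of unknown owners, disable privileged accounts as soon as notice is given, and rotate any shared credential (such as a dial-in password) known to someone who has left or is leaving.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple


@dataclass
class Person:
    person_id: str
    name: str
    last_day: Optional[date] = None  # None: no departure on record


@dataclass
class Account:
    account_id: str
    system: str
    owner_id: Optional[str]                      # None marks a shared credential
    privileged: bool = False
    enabled: bool = True
    known_to: Set[str] = field(default_factory=set)  # holders of a shared credential


def employment_status(person: Person, today: date) -> str:
    """'active', 'leaving' (notice given, last day not yet past) or 'departed'."""
    if person.last_day is None:
        return "active"
    return "departed" if person.last_day < today else "leaving"


def revocation_actions(people: List[Person], accounts: List[Account],
                       today: date) -> List[Tuple[str, str, str]]:
    """Reconcile accounts against the roster; return (account, action, reason)."""
    roster = {p.person_id: p for p in people}
    actions: List[Tuple[str, str, str]] = []
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.owner_id is None:
            # A shared credential is known to everyone who ever held it; anyone
            # who has left, or is leaving, can still use it until it is changed.
            leavers = sorted(pid for pid in acct.known_to
                             if pid not in roster
                             or employment_status(roster[pid], today) != "active")
            if leavers:
                actions.append((acct.account_id, "rotate_credential",
                                "shared credential known to departing/departed: "
                                + ", ".join(leavers)))
            continue
        owner = roster.get(acct.owner_id)
        if owner is None:
            actions.append((acct.account_id, "disable", "no matching person in HR roster"))
            continue
        status = employment_status(owner, today)
        if status == "departed":
            actions.append((acct.account_id, "disable",
                            "owner departed on " + owner.last_day.isoformat()))
        elif status == "leaving" and acct.privileged:
            actions.append((acct.account_id, "disable", "privileged account of departing user"))
        elif status == "leaving":
            actions.append((acct.account_id, "review", "non-privileged account of departing user"))
    return sorted(actions)


def sample_roster() -> List[Person]:
    # Constructed roster: one active clerk, one administrator under notice,
    # one operator who has already left.
    return [
        Person("P1", "A. Clerk"),
        Person("P2", "B. Admin", last_day=date(1994, 8, 1)),
        Person("P3", "C. Operator", last_day=date(1994, 6, 30)),
    ]


def sample_accounts() -> List[Account]:
    # Constructed inventory, including an orphaned account and a shared dial-in password.
    return [
        Account("aclerk", "billing", "P1"),
        Account("badmin", "switch-admin", "P2", privileged=True),
        Account("badmin-mail", "mail", "P2"),
        Account("coper", "billing", "P3"),
        Account("ghost", "billing", "P9"),                       # owner unknown to HR
        Account("dialin", "modem-pool", None, known_to={"P1", "P3"}),
        Account("ops", "console", None, known_to={"P1"}),
    ]


def run_example() -> List[Tuple[str, str, str]]:
    return revocation_actions(sample_roster(), sample_accounts(), date(1994, 7, 15))


if __name__ == "__main__":
    for account, action, reason in run_example():
        print(f"{account:12s} {action:18s} {reason}")
```

Running the reconciliation on a schedule, rather than waiting for a termination notice to reach the security office, is what closes the gap the report describes: an account whose owner no longer appears on the roster is disabled whether or not anyone remembered to ask for it, and a shared dial-in password is rotated the moment one of its holders leaves.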

2.3.2 Potential Damage Resulting From Insider Threats. Insider threats can potentially affect both the PSN and NS/EP telecommunications systems. The information passed by these systems is sought by a variety of intelligence, commercial, and criminal interests. Insiders willing to sell desirable information are likely to find a ready market. Insiders also can use their access to computer and communication systems to disable or disrupt communication or information management activities. Either activity could be undertaken by a trusted insider who is cognizant of security countermeasures and is aware of methods to defeat or counter them. This process could also take place during the manufacturing of a computer or network element, or the development of complex software. In either case, the activity is unlikely to be discovered and would have a substantial probability of succeeding. Potential threats from insiders must be considered in analyzing telecommunication system vulnerabilities and the development of threat