7

Insider Threat

Abstract

This chapter includes information on one of the most significant and common threats – the insider. It discusses a number of infamous insider spies and many insider spy incidents that have never been publicly disclosed. Examples cover the full spectrum of large, high tech and small or low tech firms. Some insider spies are high level employees but many are also secretaries and administrative staff. Insider spies are not just employees but also include contractors such as cleaning staff, security staff, etc.

Key words

business spying

business espionage

insider

planting

in-place recruitment

honey pot

honey trap

blackmail

background investigations

General Motors

Volkswagen

eavesdropping

secretaries

contractors

trash

pricing

bicycle

direct employee

TSCM and IT/Cyber security

Introduction

Insider threat is one of the most common and potentially serious threats of business espionage. In the espionage world there are numerous examples of governments and competitors placing spies within targeted locations. This is often called “planting” a spy. Another option is to get someone who already has legitimate access to sensitive information to provide it. This can be what is called an “in-place” recruitment, and this kind of recruitment provides regular inside information to an espionage agent. Another option that is frequently used is to offer an individual a higher-paying position in a competitive firm and have the individual bring sensitive information with them. This is often done by recruitment firms that “recruit away” targeted talent. Of all of the options, the preferred approach is to recruit but then keep an insider working inside of the company because the competitor then has continual access to the latest information.

Businesses are at risk for insider threats from both state-sponsored intelligence agencies working on behalf of a government and/or government-supported competitors (state-owned companies). Competitors themselves can also use an insider, sometimes directly and sometimes using a third-party agency that serves as the “handler” for the spy. These parties use insiders to gather information of all kinds that could potentially have business value, including data on pricing, sales strategies, personal data, computer data, business documents, finance documents, and bidding. The value of an insider is that you not only have documents and materials, you may also have insight into thought processes and plans that have not been written down.

One technique that can be used is called the “honey pot” or “honey trap” method where the initial angle is romantic and/or sexual. If the individual is truly attached to the person who seduces them, information can be obtained over a long period. The spy may trust his or her lover enough to reveal secrets, or may even change their loyalty and allegiance because of their emotional attachment, but even if the spy does not deliberately give information to their lover, the lover may accidentally be given opportunities to obtain it themselves. A long-term relationship is not necessarily the goal, but a long-term relationship does mean a continued source of information. This technique can be used to blackmail anyone who later regrets their actions and tries to change course. Incriminating photo/videos or recordings can be an effective tool of coercion, for example.

An infamous example of this was the Taiwanese general who was allegedly seduced by a Chinese female while the general served as an attaché in Thailand. The general initially gave in and provided information to his “lover,” but later there was an allegation of blackmail where the general allegedly received up to US$1 million for information he provided. As is often the case, his motivations were complex, but the bottom line is that he was an “insider” with legitimate access to much of what he provided to Chinese intelligence services.1

Here are some other examples of the alleged use of this technique:

 Clayton J. Lonetree, an embassy guard in Moscow, was entrapped by a female Soviet officer in 1987. He was then blackmailed into handing over documents when he was assigned to Vienna.

 Roy Rhodes, a U.S. Army Non-Commissioned Officer serving at the U.S. embassy in Moscow, had a one-night stand (or was made to believe he had) with a Soviet agent while drunk. He was later told the agent was pregnant, and that unless he cooperated with the Soviet authorities, this would be revealed to his wife.

 Irvin Scarbeck, a U.S. diplomat, was entrapped by a female Polish officer in 1961 and photographed in a compromising position. He was blackmailed into providing secrets.

 Sharon Scranage, a CIA employee described by one source as a “shy, naive, country girl,” was allegedly seduced by Ghanaian intelligence agent Michael Soussoudis. She gave him information on CIA operations in Ghana, which was later shared with Soviet-bloc countries.

 James J. Smith and William Cleveland, two FBI officers, are alleged to have been seduced by Katrina Leung in order to obtain information.

 Mordechai Vanunu, who had disclosed Israeli nuclear secrets, began an affair with an American Mossad agent, Cheryl Bentov, operating under the name “Cindy” and masquerading as an American tourist, on September 30, 1986. She persuaded him to fly to Rome, Italy with her on a holiday. Once in Rome, Mossad agents drugged him and smuggled him to Israel on a freighter.

 John Vassall, a British civil servant who was guided by the KGB into having sex with multiple male partners while drunk. The KGB then used photographs of this to blackmail Vassall into providing them with secret information.2

Insider threat is one of the most significant threats but many companies do not address it because they think it would imply a lack of trust of all employees or those that have legitimate access to sensitive information. Companies prefer to develop programs that are designed exclusively for external threats but are reluctant to address the all too common insider threat. Given the frequency of insider recruitments it is important for companies to stop their “head in the sand” approach to this threat and realistically consider how this issue should be addressed.

The examples that follow took place from the mid-1990s to the present in China, Taiwan, Japan, Korea, and India and are only a few of the many examples of the insidious insider problem.

Cases of Insider Espionage

In the mid-1990s, an international security firm was targeted by competition in South Korea. The South Korean competitor had an older Korean woman call the international firm’s younger secretary and try and arrange a meeting at a nearby coffee shop. The excuse was that the older secretary wanted to learn more about how to get a job with a foreign company. The secretary was suspicious and reported this unusual call to her supervisor. She was instructed to agree to a meeting when the older woman called again. Within a day, the call came and plain clothes security personnel were deployed to the coffee shop where they observed, photographed, and recorded the older woman as she tried to persuade the young secretary to provide pricing and customer data to the South Korean competitor. The spy was given a special cell telephone that could be used to contact her handling agent as well as some money. She was promised more money and even a possible job if she continued to spy on the international company. The older woman noted that the international company would not give her a true opportunity for promotion and she felt she could help South Korean companies be competitive and make some additional money at the same time. When the handling agent was confronted by security staff, she admitted that she worked for a competitor and was trying to get someone who had access to pricing, customer lists, and methodologies that could be used to help the company get some of the business that was going to the international competitor.

In the late 1990s, a young, attractive woman in Taipei, Taiwan was approached by an older man who was a senior executive for a Japanese firm operating in Taiwan. She worked for a real-estate company that had the Japanese company as a client. Part of their service included providing office space and housing for Japanese expatriates in Taiwan. During the course of a conversation, the Japanese executive asked the Taiwanese female about her long-term life and career objectives. The young woman shared that she was taking college courses at night in an effort to enhance her skills in administrative areas. The Japanese executive took an immediate interest and began wining and dining the young lady. She initially thought it might be a romantic interest; however, it became clear that he had a genuine interest in her learning and progressing. When she had difficulties with finances for tuition and needed a computer in order to stay ahead, the Japanese executive jumped in to help. He pushed the young woman to work hard and complete her classes. When she completed her studies, he took her on a trip to Singapore where they flew first class and stayed (in separate rooms) in a five-star hotel. At a dinner before they returned to Taipei, the Japanese executive told the young woman that he wanted her to apply for an opening as an executive secretary in the front office of a competing Taiwanese firm. He assured the young lady that with her language skills, her computer and administrative skills, and her good looks she would get the job. He then told her she should pay him back for his generosity by providing information on the business. After attending one of my presentations on business espionage, the young woman came up to talk. This had just happened and she wanted to know whether she would end up in trouble or in jail if she provided information. I told her that while it was doubtful that providing information was technically illegal, it was definitely not ethical. She agreed and ultimately declined to seek the position.

In 2005, a U.S. high-tech manufacturing company contacted me and asked if I could do a detailed background investigation on an individual the company had hired from China. I confirmed that the individual had been hired and had worked at the company’s headquarters for almost 6 months. The corporate security director reported that the individual supposedly had a degree in the field he was working in but his co-workers were questioning his skills. I asked if they had conducted a pre-employment background investigation and the security director said they had not because the individual lived and had gone to college in the People’s Republic of China. After conducting a background check it was apparent that the college the individual allegedly attended was, in fact, well known for educating personnel for a Chinese intelligence service. This information was verbally provided to the corporate security director who then exclaimed, “Aha! So that’s why the FBI was here asking about him!” That was the extent of my involvement in this matter so I do not know what happened next. However, I did see the security director later and he thanked me for the information and voluntarily added that the information was of great value since the individual would have otherwise had access to some very sensitive inside information. I asked him why the company had not asked us to do a pre-employment background investigation prior to hiring the individual and he said that the company’s human resources department had told him that it would be expensive and unnecessary, in their opinion, to do checks in China but now all had learned their lesson.

In 2007, a U.S. high-tech firm asked me to conduct an investigation on an engineer who had worked in their research and development office for 5 years and had suddenly resigned—supposedly, he said, to go back to Taiwan and be with his family. We were able to locate the individual in Taipei and put him under surveillance to see what he was doing. On the second day of surveillance, the individual was followed to the offices of a high-tech competitor company in the Hsinchu Science and Industry Park on the outskirts of Taipei. Further inquiries at the competing firm confirmed that the former employee was now the head of the competitor’s research and development department and was being paid double what he had been paid by the U.S. firm. Subsequently it became apparent to the American company that their Taiwan competitor had benefited from the information the former engineer had learned while working for them. What caused exceptional concern was that the engineer had just been promoted and given a bonus and an increase in salary after being named an outstanding engineer in the company’s research and development division. Company executives were shocked when, in spite of this, the individual announced he was leaving.

One of the most recent incidents I have seen—which is very similar to the senior executive at General Motors who was recruited in the 1990s by the competitor Volkswagen and who literally took crates of material with him—involved a senior executive at Harsco Corporation in Harrisburg, Pennsylvania in the U.S. Harsco Corporation filed suit against one of its former top executives in federal court, accusing him of corporate espionage for allegedly passing confidential company information to a competitor. According to court documents, Clyde Kirkwood essentially acted as a mole. Kirkwood abruptly quit his post as commercial vice president for Harsco’s Metals & Minerals Division in early June, 3 months after he secretly agreed to take an executive job with the Michigan-based Edw. C. Levy Co., according to the Harsco lawsuit. Harsco claims that, starting early that year, Kirkwood not only passed confidential Harsco information to Levy, including data on top-level corporate decisions, he also intervened to try to steer Harsco away from international projects that would have been in competition with Levy. Harsco’s lawyers refer to the alleged espionage as “shocking,” especially since it involved an ex-employee who worked for Harsco for 23 years, had risen steadily through the corporate ranks, and was trusted implicitly. They claim that Kirkwood, a citizen of the United Kingdom, accepted his final promotion from Harsco in April, a month after he had secretly accepted a $420,000-a-year vice president job with Levy. They alleged that Kirkwood also passed confidential corporate information to an industry consultant, Geoffrey Butler, a former Harsco president who retired 4 years previously (Butler is not a defendant in the suit). Harsco’s suit is understandable as the firm has more than 12,000 employees and provides logistical and environmental support and engineering services to industries worldwide. 
Kirkwood was considered one of the company’s top 100 employees, the Harsco suit states, and contends that he began secretly soliciting employment with Levy in January, using his wife’s email. Soon after, he began passing information to Levy, including information regarding a potential Harsco project involving a steel mill in Israel, the suit states. Harsco claims Kirkwood actively tried to deter it from considering that project. He also allegedly passed Levy inside information on a possible Harsco project with a company in India, and on projects in Brazil and Oman, Harsco alleges. By remaining with Harsco after he supposedly accepted the Levy job, “Kirkwood continued to benefit from very high-level access to Harsco’s most confidential business and proprietary information, including trade secrets,” the suit states.3

It never ceases to amaze me how many times companies even inadvertently pay for being spied on. In Chapter 3, I shared the story of electronic eavesdropping devices purchased on a company credit card by employees who planted the devices before they left the company. In 2014, an automotive parts manufacturing company operating in Canada was developing some new, modified, and updated automotive equipment. One of their employees was able to take some prototypes and mail them, through the company mail room and mail service, to one of their peripheral business partners. When the devices were determined to be missing, an investigation was launched and the individual who took them claimed that he accidentally and inadvertently mailed them to the business partner. While it seemed to be an innocent mistake, when efforts were made to get the prototypes back, the partner failed to cooperate. Ultimately it was determined that they were closely linked to a competitor who was now releasing a similar device. The individual who supposedly “accidentally” mailed them suddenly resigned and joined the competing firm, and the victim company realized they had been victims of insider business spying.

Insiders are not always direct employees. They are sometimes contractors who have legitimate access to facilities. A company in Mexico called me in 2012 and reported that they had an unusual incident where an individual working as a contract cleaner had been spotted by one of their engineers. Their engineer realized that this suspicious-acting cleaner was a classmate from the university where they both had studied engineering. He was shocked to see this well-educated individual working as a contract cleaner, and when he advised security, they attempted to confront the individual. He tried to run away but was detained. When questioned, he admitted that he had been sent by his company, a competing company, to try and learn about their processes. They had determined that being a cleaner he would not be suspected and would have unrestricted access to the areas he needed to see. He even admitted to having brought concealed cameras into the facility and had taken photos of their processes.

In another example (circa 2005) a U.S. company found it necessary to lay off employees at one of its China offices and at its Hong Kong office. Obviously, management wanted to keep these plans confidential until the details were worked out and they were ready to discuss them with employees. However, management was surprised when they were suddenly confronted by angry workers who had learned of the planned move prior to its announcement. It seems an IT employee in the Hong Kong office, who was among those who were going to be laid off, had been reading confidential e-mails between the company’s general manager in Hong Kong and the corporate headquarters in the U.S. The employee shared all the information with other employees and, of course, the news spread quickly and caused problems with sabotage, threats to management, and loss of equipment and information.

In 2010, I was conducting a risk assessment for a high-tech multinational company operating in New Delhi, India. During the course of conducting the assessment I went to the basement to check on what might have been in the regular trash being removed by the cleaning crew. As I entered the dock area where the trash was being consolidated I found that two cleaning company employees were going through the trash and pulling out documents and laying them out on the dock. When they saw me they tried to cover up the documents with plastic garbage bags but I walked around and pulled back the garbage bags and found a number of company documents, including some that had proprietary and confidential markings. The cleaning crew claimed they sorted through the trash in order to get paid extra for recycling paper but a lot of other paper documents were still in the trash and the ones that had been pulled out and laid out on the dock were those that contained sensitive information—information that never should have been in the regular trash according to the company’s policy on information protection (the company used a document destruction company and also had a number of shredders placed around their offices).

Just after an incident detailed elsewhere in this book, where employees bought and planted listening devices before they resigned and left Hong Kong, another company called and asked us to do a TSCM survey and risk assessment, since it seemed to them that some of their employees knew certain sensitive information that had been kept secret. During discussions the employees would occasionally mention things that had only been discussed behind closed doors, which puzzled company leadership. A thorough TSCM assessment was done during off-hours and no active covert listening devices were found. During the assessment, however, it was noted that the company had an extensive speaker phone system installed within their conference room and even in the general manager’s office. Company leadership agreed to hold a telephonic conference with corporate headquarters in the U.S. and have us do some discreet monitoring from one of the senior manager’s offices during work hours. The veteran TSCM auditor began to see problems immediately, and we were able to trace the electronic monitoring to an employee’s cubicle where we found an employee listening to the meeting. He had left a portable microphone that was used for presentations in the room and he had turned it on so he could listen using a headset. He later acknowledged that he had shared the information with several other colleagues who were worried about downsizing in the Hong Kong office and were lining up jobs with competitors based on this information.

A hospital in the United States called me in 2003 and asked for a thorough assessment and TSCM survey because some patients had complained that they had received calls from someone who obviously had inside medical information about some personally sensitive medical treatment they had received. Initially it was thought the information might have come from administrative staff, nurses or others that were involved in the surgeries and medical treatments. The information could have even been used for blackmailing some of the patients as it was very personal. During the course of the assessment, it was determined that the maintenance manager had some unusual software on his computer that appeared to allow him to record information. During the TSCM survey, a transmitter was found in the telephone private branch exchange (PBX) box that was monitoring the lines of senior hospital staff. No one suspected the maintenance manager because he would not have had access to any of the sensitive patient information but, thanks to his electronic eavesdropping device and access to the PBX closet, he also had access to the information that was compromised.

A firm called me in Hong Kong in 2000 and asked if I could find out if a current employee was being courted by his former employer to come back. The current employer was concerned that the individual would take sensitive information back to the old company, the current company’s major competitor. The current employer acknowledged that when the employee had joined them, he had provided considerable sensitive information about their competitor’s operations. After some calls, I was able to talk with the head of the former company. I managed to convince him that I was looking to hire this individual and I considered him, as a former boss, as a reference. The individual told me he wanted to get up and close his door, which he did, and he then told me that I would be foolish to hire the individual. He said that the individual had no ethics and had left him and took sensitive information with him to his competitor. He then added that the individual had recently called and asked about returning, promising to bring valuable information about his current company that would benefit the business. The manager said, “I was tempted but then I realized that at some point he would just do the same thing to me again.” This individual, he said, “would sell his own mother.” This kind of employee is out there so “buyer” beware.

In 2002, a company that specialized in manufacturing high-tech equipment told me they used some commercially available equipment in their manufacturing process but the way the equipment was used and the quality assurance techniques they had created made their product superior to their competition. They learned, however, that the maintenance people for the commercially available equipment were going to their competitors, who used some of the same basic equipment, and telling them how their company set up the commercially available equipment and details about how the specialized quality assurance measurements were conducted. After learning this, the company no longer allowed any outside service or maintenance people on their manufacturing floor. If the commercially available equipment had to be serviced, the service person was taken into and out of the manufacturing area blindfolded and in a wheel chair. Ten-foot high curtains were placed around the equipment so nothing else could be observed and security personnel monitored the activities of the maintenance person. Since instituting that policy/procedure, the company said they have not heard of any further “leaks” or compromises.

In 2001, a commercial printing firm that had operated for more than 100 years in the United States saw a new competitor open up business in an adjacent city in the Midwest region of the U.S. It seems the new owner of the competitive print shop was the son of an employee of the original firm, and he got the pricing and costing details from the employee, his mother. It is believed that he also got a good list of customers. Now, years later, the start-up is still in business and the original firm has closed shop. The older firm just kept losing customers due to pricing and could not stay in business.

In 2012, an electronic game maker was working with several major international sports stars. Part of their gaming contract included some sophisticated imaging of sports stars playing their respective sports. For example, a golf star swinging his driver, a baseball star swinging his bat, and a tennis star serving. Since the sports stars’ time was valuable, the company was careful with scheduling. When the stars began contacting the game maker and complaining about scheduling, it was determined that individuals pretending to be from the gaming company had persuaded the sports stars to undergo the imaging. The sports stars had incorrectly assumed they were performing and being recorded for the authorized game maker. Most likely, someone in the company, who knew about the discussions with each sports star, had used that insider information and the company name to steal valuable intellectual property from the sports stars and the game maker. In fact, at least two Asian competitors came up with games that appeared to use the same kinetic information the U.S. game maker was trying to utilize.

In 2008, in Hong Kong, an American who studied in Beijing, China, decided to stay in Beijing and work. He had learned a great deal about Chinese history and was a physical fitness buff. As a student he had frequently ridden a bicycle for cheap transportation. As an innovator, he decided to open a historic bicycle tour business in Beijing. The business took off and was very successful. In fact, it was so successful that some of the employees of the company decided they could do the same thing and make more money if they opened their own competing firm. Most of the company’s employees left and formed their own company, using customer lists, pricing information, and tour scripts. Within a matter of months, the American entrepreneur was forced to give up his failing business and go to work for a multinational firm. His business failed because it was the victim of business espionage.

In 2012, a large multinational aerospace company with a major manufacturing site in southern California reported some potential issues with Chinese employees that had been brought from the People’s Republic of China to work at the site. Because of some of the contractual requirements, they had offices that were in a separate building but they also had access to sensitive business and manufacturing information. While the offices had CCTV monitoring, the data was only retained for investigation after something happened, and no one was actively monitoring. When one of the U.S. employees came in at night to make a call to another branch in Asia, he noticed several of the Chinese employees entering the office building across the street from the main complex. He reported this to a manager who checked the access control logs. It was determined, and confirmed by checking the CCTV records, that the Chinese employees were coming in at night on a regular basis. They were printing out data at night and were faxing and emailing it to another company in China. This had been going on for nearly 6 months and no one had detected it until it happened accidentally. Fortunately, someone finally followed up and an investigation determined a considerable amount of sensitive business data was lost to a potential competitor.

Vulnerabilities Identified

Insider threat is one of the most significant threats faced in business espionage. As I noted, companies often do not like to think about this threat because it makes them suspicious of their own employees and undermines loyalty. But the truth of the matter is that they should be a little suspicious of their own employees, because disloyal employees can do catastrophic damage. There are things a company can do to make internal spying less likely, but it’s always still possible. The “ostrich syndrome” attitude (bury your head in the sand) is one of the biggest vulnerabilities a business can have when it comes to business spying. While many insider spies are working or will be working for a competitor, this doesn’t mean this is an external threat exclusively. If a competitor hires someone with internal access, it becomes the most dangerous threat possible: an insider and exterior threat combined.

It is also especially important to know if an individual is resigning and leaving. Such individuals may have already been taking information and it is important to check that before formal departure takes place. In the twenty-first century, this is where IT comes into the picture in the form of a forensic examination.

Just because the individual is high level does not mean he/she cannot become a spy. There are multiple examples of this happening. Of course, it should also be clear from the examples that the insider does not have to be a high-level employee or engineer. It could be a secretary in the company. It is not who you are but what access you have.

Likewise, an “insider” may not be a direct employee. It might also be a contractor who is given access to areas such as manufacturing processes, server rooms, and executive offices. This could also be cleaning staff, security staff (see Chapter 3), contract maintenance, or others that are allowed in sensitive areas. You should think long and hard about giving contractors such as security, cleaning, and maintenance staff unsupervised access to your most sensitive areas.

It is also important to do monitoring of CCTV, access control systems, and even IT systems to look for unusual activity that warrants further investigation. These systems can offer early detection if someone does at least periodic checks to see what kind of activity is occurring. But these systems provide limited value if they are only used after a problem occurs.
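A periodic review of this kind can be automated. The following is an added example, not taken from the book: it scans a door access-control export for badges that repeatedly enter a sensitive building outside business hours, and for badges that arrive together, the pattern that went unnoticed for months in the aerospace case above. The log format, door names, badge IDs, business hours, and thresholds are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, time, timedelta
from itertools import combinations

# Constructed sample export from a door access-control system (not real data).
# Assumed columns: timestamp, badge_id, door, result.
SAMPLE_LOG = """timestamp,badge_id,door,result
2012-03-05T08:55:00,B1001,ANNEX-MAIN,GRANTED
2012-03-05T23:12:00,B2001,ANNEX-MAIN,GRANTED
2012-03-05T23:14:00,B2002,ANNEX-MAIN,GRANTED
2012-03-06T09:02:00,B2001,ANNEX-MAIN,GRANTED
2012-03-07T22:48:00,B2001,ANNEX-MAIN,GRANTED
2012-03-07T22:51:00,B2002,ANNEX-MAIN,GRANTED
2012-03-08T21:30:00,B1001,ANNEX-MAIN,GRANTED
2012-03-09T23:40:00,B2001,ANNEX-MAIN,GRANTED
2012-03-09T23:41:00,B2002,ANNEX-MAIN,DENIED
2012-03-10T14:00:00,B2002,ANNEX-MAIN,GRANTED
2012-03-12T01:15:00,B2001,ANNEX-MAIN,GRANTED
2012-03-12T08:58:00,B2002,HQ-LOBBY,GRANTED
"""

BUSINESS_START = time(7, 0)   # assumed site policy
BUSINESS_END = time(19, 0)    # assumed site policy


def off_hours_entries(log_text, sensitive_doors):
    """Return (night, timestamp, badge) for granted off-hours entries at sensitive doors."""
    entries = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["door"] not in sensitive_doors or row["result"] != "GRANTED":
            continue
        ts = datetime.fromisoformat(row["timestamp"])
        weekend = ts.weekday() >= 5
        if not weekend and BUSINESS_START <= ts.time() < BUSINESS_END:
            continue  # ordinary weekday business-hours entry
        # An entry after midnight belongs to the night that began the day before.
        if ts.time() < BUSINESS_START:
            night = ts.date() - timedelta(days=1)
        else:
            night = ts.date()
        entries.append((night, ts, row["badge_id"]))
    return entries


def recurring_badges(entries, min_nights):
    """Badges seen off-hours on at least min_nights distinct nights."""
    nights = defaultdict(set)
    for night, _ts, badge in entries:
        nights[badge].add(night)
    return {b: sorted(n) for b, n in nights.items() if len(n) >= min_nights}


def co_entry_pairs(entries, window=timedelta(minutes=10)):
    """Count the nights on which two badges entered within `window` of each other."""
    by_night = defaultdict(list)
    for night, ts, badge in entries:
        by_night[night].append((ts, badge))
    pair_nights = defaultdict(set)
    for night, seen in by_night.items():
        for (t1, b1), (t2, b2) in combinations(sorted(seen), 2):
            if b1 != b2 and abs(t2 - t1) <= window:
                pair_nights[tuple(sorted((b1, b2)))].add(night)
    return {pair: len(n) for pair, n in pair_nights.items()}


if __name__ == "__main__":
    entries = off_hours_entries(SAMPLE_LOG, {"ANNEX-MAIN"})
    for badge, nights in recurring_badges(entries, min_nights=3).items():
        print(badge, "off-hours on", len(nights), "nights:",
              ", ".join(str(n) for n in nights))
    for pair, count in co_entry_pairs(entries).items():
        print("entered together:", pair, "on", count, "nights")
```

A single late visit, such as badge B1001 in the sample, stays below the threshold; the flagged badges are a starting point for checking CCTV and print or e-mail logs, not proof of wrongdoing.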

Insider threats are tied to all threat vectors. Insiders can plant eavesdropping devices, they can steal information on the company IT systems, they can reveal interior strategic thinking and planning, financial data, and research/development data. Senior executives can influence decision-making within the company or office, and they can even allow individuals access that circumvents other security controls that have been put in place to protect against exterior threats.

Summary

There are many business espionage threats. While most businesses tend to focus on the outside/exterior threats, often the most damaging losses (highest consequence/business impact) occur as a result of insiders that betrayed their trust. Insiders may be employees or contractors that have authorized and legitimate access to a facility. In our examples in this and other chapters we have seen IT managers, maintenance managers, regular staff, security personnel, cleaning staff, secretaries, and R & D managers all targeted or involved in business-spying activities. They may have had different motivations but they were already inside the company or were being recruited to become an inside spy or to get inside information.

Many companies acknowledge that there is some potential business-spying threat to their sensitive business information, and some will even relent to improving physical and IT/cyber-security, conducting TSCM assessments, etc. But their approach is mainly designed to protect the company from external business-spying threats. Very few companies seem to understand that it is critically important to protect from a potential insider threat too. Realizing that one of your co-workers or employees could be a spy is just not something many companies want to deal with, but, again, this threat will not go away and it can become the most significant business espionage vulnerability you can have.
