The Unsolvable Problem of Insider Threats
Last week, Cameron Ortis, the head of the intelligence unit of the Royal Canadian Mounted Police (RCMP), Canada's national police force, was arrested on charges of stealing, and attempting to sell, highly classified information. In this briefing we take a look at the sparse public details before discussing why insider threats are a critical issue with no complete solution.
The case traces back to the investigation of Vincent Ramos, a businessman arrested in 2018 on charges related to illegal drug distribution. During that investigation, highly classified documents were discovered on computers connected to the case. A separate investigation was started to determine the source of the leak, and it led to the discovery and subsequent arrest of Mr. Ortis.
Exactly what information was leaked is unclear due to its classified nature. However, government officials have called the impact "potentially devastating", indicating that critical information was compromised. Such information usually includes scientific or military technology secrets, military or governmental policy planning, or information damaging to the foreign affairs of a state. Whether the information was actually sold to a buyer remains unclear.
Insider threats cannot be eradicated
There are plenty of mechanisms in place to combat insider threats in any major organization. Unfortunately, all of them are imperfect. No matter how tightly you regulate the digital or physical extraction of data (and in this case even those mechanisms evidently failed), at some point the information has to be read and processed by human beings. Unless the organization can keep everyone with access to that information locked up, the risk of leaks cannot be eliminated. Brains cannot be wiped when employees check out at the end of their workday.
And even if all staff members were kept locked up, who would prevent them from cooperating with the guards? Or with the guards' guards?
This is, of course, an extreme example, but it illustrates the core issue. All information that humans need to access is inherently vulnerable to insider threats. Some data, such as credit card numbers, cryptographic keys or raw records, can in principle be stored and processed in ways that keep it out of human hands (hardware security modules, tokenization, automated pipelines), although the people who administer those systems remain a residual risk. Most information, such as reports, emails, research, blueprints or negotiation results, cannot be handled that way: its entire purpose is to be read by people.
This in turn leads us back to a fundamental problem in information security:
There are no absolutes. Just as you cannot protect a single server against a threat actor with unlimited funds and time, you cannot protect classified information against a threat actor high enough in the chain of command (or well funded enough to bribe someone in that position).
So what can organizations do to protect classified information from insiders?
While there is no absolute solution, there are several things organizations can do to at least decrease the risk of insider attacks.
Regulate access to classified information. Just because someone high enough in the chain of command can bypass the regulations does not mean the regulations are useless. Access on a need-to-know basis limits the number of people who could abuse the system in the first place, and the fewer of them there are, the better.
Monitor all data access. Highly critical data should only be accessible from restricted physical spaces, and every access should be logged and attributable to a named individual. Ideally these spaces should be secured by doors that require two or three staff members to open (a two-person rule), so that access to the data is never unsupervised.
Store false information alongside true information. If possible, create false details that can be explicitly made accessible to individual staff members, so that each person's copy of a document is subtly different. This reduces the risk of the actual information being leaked, and when a leak does occur, the variant that surfaces identifies the recipient it was issued to. At the same time, announcing a policy of seeding false information can deter bad actors, since they cannot tell which details are genuine.
Unfortunately, all three of the above approaches have medium to large impacts on workforce efficiency and morale. Their benefits must always be weighed against their drawbacks.
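The third measure above, seeding per-recipient false details so that a leaked copy points back to whoever received it, is sometimes called a canary or watermarked document. The following Python is an added illustration written for this briefing, not code from the original article or from any organization it mentions. The report template, the decoy values and the recipient names are all constructed for the example; a real deployment would keep the registry of who received which variant in a protected store and would use many more slots.

```python
import itertools

# Constructed example (not from the article): a short report with three
# "canary" slots whose values can be varied per recipient without changing
# the substance of the document.
TEMPLATE = (
    "Operation {codename} is budgeted at {budget}; the liaison meeting "
    "is scheduled for {date}."
)

# Decoy values per slot. The real codename, budget and date are deliberately
# absent from these lists, so no variant carries a true detail.
SLOT_VALUES = {
    "codename": ["HARBOUR", "LANTERN", "GRANITE", "SPARROW"],
    "budget": ["$4.1M", "$4.3M", "$4.6M", "$4.8M"],
    "date": ["3 March", "5 March", "9 March", "12 March"],
}


def assign_variants(recipients):
    """Give every recipient a distinct combination of decoy values.

    Capacity is the product of the slot sizes (4*4*4 = 64 here). Beyond that,
    two recipients would receive identical documents and could not be told
    apart, so we refuse rather than silently reuse a combination. Duplicate
    recipient names are rejected by the same length check.
    """
    slots = list(SLOT_VALUES)
    combos = itertools.product(*(SLOT_VALUES[s] for s in slots))
    registry = {}
    for recipient, combo in zip(recipients, combos):
        registry[recipient] = dict(zip(slots, combo))
    if len(registry) != len(recipients):
        raise ValueError("more recipients than distinct decoy combinations")
    return registry


def render(registry, recipient):
    """Produce the document variant that a given recipient receives."""
    return TEMPLATE.format(**registry[recipient])


def attribute(registry, leaked_text):
    """Rank recipients by how many of their decoy values appear in the leak.

    A complete leak matches exactly one recipient on every slot. A partial
    leak (for example only the budget figure quoted in a press report) can
    match several recipients equally; the caller is shown the tie instead of
    a false certainty. Returns (top candidates, full ranked scores).
    """
    scored = []
    for recipient, choices in registry.items():
        hits = sum(1 for value in choices.values() if value in leaked_text)
        scored.append((recipient, hits))
    scored.sort(key=lambda item: (-item[1], item[0]))
    top = scored[0][1]
    candidates = [r for r, h in scored if h == top and h > 0]
    return candidates, scored


if __name__ == "__main__":
    staff = ["alice", "bob", "carol", "dave"]   # constructed recipient list
    registry = assign_variants(staff)
    leaked = render(registry, "carol")           # full copy turns up elsewhere
    print("full leak ->", attribute(registry, leaked)[0])
    # Only one decoy detail survives in a news story: several people remain
    # possible, and the tool says so rather than naming one of them.
    print("partial leak ->", attribute(registry, "budget said to be $4.1M")[0])
```

Two limitations are worth keeping in mind. Enumerating combinations in order means neighbouring recipients share most slots, so a partial leak narrows the field less than a spaced assignment would; and two colluding recipients can compare copies to spot which details differ and strip them, which is why the decoys should be hard to distinguish from genuine content rather than obviously synthetic.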