NCSC issues insider threat mitigation report

On March 23, the National Counterintelligence and Security Center (NCSC) issued “Insider Threat Mitigation for U.S. Critical Infrastructure Entities: Guidelines from an Intelligence Perspective.”

The new publication focuses on the human threats to U.S. critical infrastructure, including employees at critical infrastructure organizations who may be exploited by foreign adversaries.  The publication provides guidance on how to incorporate these threat vectors into organizational risk management plans and offers best practices for critical infrastructure entities to mitigate insider threats.

All organizations are vulnerable to insider threats from employees who may use their authorized access to facilities, personnel, or information to harm their organization, intentionally or unintentionally.  The harm can range from negligence — such as failing to secure data or clicking on a spear-phishing link — to malicious activities like sabotage, intellectual property theft, fraud, or workplace violence.

“Although often less appreciated than remote-access cyber threats, insider threats to critical infrastructure entities are growing and can be more difficult to mitigate.  Whether intentional or unintentional, the actions of insider threats in critical infrastructure can cause grave harm to national security, public safety, as well as individual organizations and state and local governments,” said Acting NCSC Director Michael Orlando.  “This publication provides a roadmap for critical infrastructure organizations to build effective insider threat programs.”

To help guard against such threats, the publication recommends that critical infrastructure entities, at a minimum: 1) have an insider threat program that identifies individual anomalous behavior at an early stage, along with the resources to respond appropriately, and 2) respond in a way that fosters trust across the organization and leverages the workforce as a partner.

While insider threats come in many forms, foreign adversaries often seek to exploit employees in U.S. and allied critical infrastructure entities to advance their interests.  In October 2018, the Justice Department announced charges against Chinese intelligence officers and their hackers who recruited employees at a French aerospace manufacturing company to introduce malware into the company’s networks in order to steal trade secrets.  The employees later alerted the hackers when the company learned about the malware so they could cover their tracks.

Some recent examples of insider threats at critical infrastructure entities include:

  • Transportation / Manufacturing: In March 2021, a Russian national pleaded guilty to offering an employee at a U.S. electric car manufacturing company $1 million to introduce malware into the company’s computer networks.  The Russian national planned to use the malware to exfiltrate data and extort the company.  The employee reported the approach to his company, and the FBI later arrested the Russian national.
  • Energy: In February 2020, a former scientist at a U.S. petroleum company was sentenced to 24 months in prison for stealing trade secrets via a thumb drive from the petroleum company.  The stolen trade secrets related to next-generation battery technology and were valued at more than $1 billion.  A participant in China’s Thousand Talents Plan, the scientist planned to move to China with the trade secrets for use at a Chinese company where he had been offered a job.
  • Health Care: In February 2021, a former researcher at a U.S. medical institute was sentenced to 30 months in prison for stealing trade secrets on the treatment of pediatric conditions from the medical institute and attempting to monetize the secrets via a company she had created in China.  She had received benefits from the Chinese government and had applied to multiple Chinese government talent programs.
  • Defense: In November 2020, a former engineer at a major U.S. defense contractor was sentenced to 38 months in prison for illegally exporting controlled data associated with advanced missile guidance systems to China.  While employed by the defense firm, the engineer transported the data on his company-issued computer to China.

The NCSC houses the multi-agency National Insider Threat Task Force (NITTF).  Since its inception in 2012, the NITTF has been working to assist federal agencies in building programs that deter, detect, and mitigate insider threats, taking into account the distinct needs, missions, and systems of each individual agency.  NITTF has also expanded its outreach to entities beyond federal agencies to help raise awareness of insider threats and best practices for mitigation.

Source: NCSC