Protecting Against Insider Threats – Lessons of Past Disasters

By Matthew Bunn
The tragic news Wednesday about the shooting at Fort Hood highlights again the importance of protecting against insiders.  In the nuclear world, all of the genuine thefts of plutonium or highly enriched uranium (HEU) appear to have been perpetrated by insiders or with the help of insiders. 

(There are only a few where we know how they occurred – but the others involve bulk material stolen without anyone noticing it was gone until it was seized, strongly suggesting insider theft.)  Similarly, most of the sabotage incidents that have occurred at nuclear facilities – there are many, but apparently none done with the goal of causing a major meltdown or radioactive release – were perpetrated by insiders.  The insider threat, in short, is most of the nuclear security problem.

Scott D. Sagan of Stanford and I have a new paper out, offering a “worst practices” guide on protecting against insider threats.  In it, we look at past disasters caused by insiders, from the assassination of Indira Gandhi to the previous shooting at Fort Hood, and draw from them ten lessons about what not to do in designing protections against insiders.  These lessons range from assuming all your organization’s people are trustworthy to assuming there could only be one insider and not a conspiracy.  We describe a remarkable set of cases of organizations failing to detect red flags and failing to pay attention to organizational culture and employee disgruntlement. The key point is: don’t assume.  Assess, test, and always be looking to find and fix more vulnerabilities.

The paper is one part of a larger project on insider threats under the aegis of the “Global Nuclear Future” project of the American Academy of Arts and Sciences.  Scott and I organized a workshop with cross-industry perspectives on insider threats at Stanford two years ago, and we have another coming up in Cambridge.   Many others in the nuclear community – and in other industries – are working on the problem.  But there is still a great deal of thinking to be done about how to deal with threats from trusted people who may already know the security systems in place and what their weaknesses are.  Our new paper is one contribution to what will have to be an ongoing global effort.