Maria Butina, Malicious Insiders and “The Long Game”

Malicious Insiders

In the world of “insider threat” defense, one of the biggest fears security officials share is the malicious actor who gains legitimate access to a company or organization, unhurriedly probes for access to privileged information, and patiently cultivates relationships with colleagues and contacts who, wittingly or unwittingly, can contribute to achieving the insider’s goals.

The speed and brazenness with which former Tesla employee Martin Tripp attacked the company almost certainly contributed to how fast he was identified. The example of Russian gun rights advocate and suspected spy Maria Butina is considerably more troubling because her activities appeared innocuous, even admirable or praiseworthy, while her true, long-term objectives were concealed.

The threat that develops over months and years, and the insider willing to play “the long game,” are what keep security officials awake at night.

The Motivation

It is important to understand what Maria Butina’s actual ambitions were in coming to the U.S.  Butina is almost certainly an intelligence operative assigned to pursue the means—and contacts—to influence American political opinion.  As part of that effort, she met and evaluated Americans who, because of their academic, political and/or social positions and connections, are members of the leadership strata or likely to enter those ranks.

The Plan

To do this, she enlisted an American citizen already working in the political realm, used him to arrange or attend events where leadership figures socialized, and enrolled in a prominent university program that attracts potential government officials.

Based on the FBI’s affidavit, it seems the Bureau is confident the Russian government is behind Maria Butina’s activity. Nation-states have the need, time and resources to employ and train individuals like Butina.

But is this threat pertinent to non-government organizations? Are U.S. companies at risk from malicious insiders hoping to influence or undermine them? Is philosophical or political opposition a legitimate motivation for wanting to penetrate a company?

The answer to all three questions is yes.  Detecting the “agent of influence” may be more difficult than finding the fraudster, intellectual property thief or saboteur, but the techniques are essentially the same.

The Big Picture

A mole like Maria Butina was clearly not immune from discovery.  The fact of the matter is that you can’t wield influence unless you have access, and spotting the person working to develop access, no matter how slowly or subtly, is something every Insider Threat Program should be designed to do.

Is there an employee who attempts to open files to which he doesn’t have access? 

Does the employee attempt to elicit sensitive information outside the scope of his responsibilities? 

Does he apply for accesses for which he has no need? 

Does he socialize and network with colleagues outside his own group? 

Does he promote himself as a striver, i.e., as an upwardly mobile management prospect?

Is he a gossip or a manipulator? 

Does he say provocative things to gauge reactions? 

Has he expressed disappointment with the company’s direction or changes to the company’s “founding philosophy”? 

An affirmative answer to any of these questions does not necessarily signify a spy inside the wire. It does, however, warrant closer attention to the employee and his activities, and a review of his background check and interviews.

Maria Butina’s arrest should be viewed primarily as an episode in a bigger political story, i.e., our current relations with Moscow and Russian meddling in the U.S. political process. Nevertheless, security professionals see her activity as a reminder to remain alert to possible closet malcontents or ideological dissenters in the workforce. Though the stakes may lack the geopolitical magnitude, companies can suffer the same kind of internal disorder that the Maria Butinas of the world hope to instigate.
