Beyond ‘See Something, Say Something’

By Lisa Sodders, SSC Public Affairs

Your colleague – normally the most punctual person in the office – suddenly starts coming into work later and later. He receives an increasing volume of personal phone calls that he furtively takes with his office door closed. You’ve noticed him working unusual hours, appearing on floors he has no reason to be on, or asking questions about a sensitive project he’s not assigned to.
 
You’ve seen something, noticed a pattern that doesn’t seem right – but what should you do? Is it such a big deal? Maybe your colleague is navigating a health issue or trying to develop their career by learning more. What if you’re wrong? But what if you’re right?
 
“Don’t ever be scared to say something,” said Larry Miller, director of security and information protection for SSC. “Let’s make sure we identify anomalous behavior. The majority of security failures caused by insider threats have been due to a failure to report questionable behavior. Someone saw something and said, ‘Oh, that’s just him/her, I don’t want to hurt their career,’ and didn’t report it and that’s how our secrets got out.”
 
OPSEC – Operations Security – broadly refers to the process that identifies critical information as well as the potential for that information to deliberately or inadvertently fall into the wrong hands. It’s not a new concept – the military has been using it since the Vietnam War – but the concept has become part of many civilian commercial workspaces as well.
 
One critical component of OPSEC is being aware of insider threats, Miller said. An insider threat is defined as a person willing to use his or her authorized access, wittingly or unwittingly, to do harm to the national security of the United States, their organization or themselves.
 
An insider threat can encompass espionage, workplace/kinetic violence, unauthorized disclosure of national security information, or the loss or degradation of departmental resources and capabilities – such as sabotaging a computer network.
 
When an individual reports a potential insider threat, they have no way of knowing which one of those potential disasters they may be preventing – or whose lives and/or careers they may be saving.
 
“Early detection is important, because you don’t know where it’s going to lead. It could be physical violence, an active shooter event, or something that weakens national security,” Miller said.
 
Most of the time, reporting suspicious activity isn’t going to end someone’s career, Miller noted. In many cases, the behavior may be accidental, or may even be a structural issue that can easily be fixed.
 
“If someone’s walking into a secured area with a cellphone, maybe it’s a structural issue,” Miller said. “We can put in an atrium where people can leave their cellphones. Reporting helps us create the conditions that help us drive the outcomes. If it’s not being reported, the right thing isn’t happening, and this leads down a path that’s negative.”
 
In other cases, reporting suspicious behavior can allow security and human resource professionals to work with a potentially troubled individual and get them some help, Miller said.
 
“Even though they may be going through something, we can help them keep their career on track,” Miller said. “I would like to instill the culture to report, that it’s OK to report. We will try to make the best decisions for both parties, the government and the individual, at all times, to save the career and protect the information.”
 
“There’s a belief that security will view everything as malicious,” Miller said. “Malicious activity is pretty low. What you see most of the time is either negligence or accident. If it’s an accident, there’s rarely negative repercussions. If it’s negligence, there are corrective actions, but those aren’t career-ending events: there are things we do to make sure that everybody is in a safe operating environment, information is protected, and all of the work that people are doing is taken care of.”
 
For example, if you receive an unexpected email, accidentally click on a hyperlink and realize too late it was a phishing attempt, it’s best to alert security professionals immediately, and not try to cover it up, Miller added.
 
“It’s rarely the action (that gets you into trouble), it’s the cover-up,” Miller said. “If you do something, we’re going to have to investigate. But if you start to cover it up, then it goes from being an accident to being malicious. And there’s very different consequences and very different actions for accidents versus a malicious action.”
 
“We’re trying to create partnerships with our people where we can talk about the things that lead to risk,” Miller said. “If we have good reporting relationships where people understand we’re creating value versus being a punitive tool of the command, it gives people the comfort to report things. This allows us to set conditions so that we can pull behaviors into norms, so when we see anomalous behaviors, it’s easier to identify them, and then we can really focus in on the people who are malicious actors.”
 
“The effort to counter insider threats is not just a security effort,” said Ashley Benefiel, deputy chief of the Information Protection Office and OPSEC program manager for SSC. “The entire organization is involved via proper hiring practices, security education, training and awareness. Organizations also need to continuously identify critical assets and information, evaluate the risks, and employ countermeasures.”
 
“It’s an organizational culture of awareness,” Benefiel said.
 
“Many organizations don’t consider the full spectrum of threat and risk,” said David Luckey, senior international/defense researcher who has done studies on insider threats, counterterrorism and domestic terrorism for the RAND Corporation, a nonprofit research organization.
 
“If it’s a company that has no connection to government work, there’s still a potential economic impact” from economic espionage or violence in the workplace that could lead to a catastrophic incident, Luckey said.
 
“They don’t need to take it to CIA, NSA or FBI levels, but they should have a program that accounts for those threats and risks to their organization,” Luckey said. “It may be a low-probability event, but if it’s an event that could pose an existential threat to the organization, it doesn’t matter how low the probability is: you need to do something.”
 
The insider threat is something that should be focused on constantly and continuously, but it can be challenging to maintain that awareness throughout the year, Luckey said.
 
“If there’s a big event, then everyone’s aware of it,” Luckey said. “But this is an issue in American society in general: we are not a patient people – we have a great proclivity to recency bias (cognitive bias that favors recent events over historical ones) and I think there’s a general malaise of, ‘This doesn’t apply to me. I don’t have any critical information. Why are they troubling me and wasting my time?’”
 
“In most aspects of security and law enforcement, it’s about not being the weakest link,” Luckey added. “You don’t have to make yourself impenetrable, you just have to make yourself less penetrable than your neighbor.”
 
Human beings are fallible, and fatigue can set in – which is why many companies have annual security training, Miller said: it’s to remind people what their responsibilities are, and what they should look for.
 
“The best defense is our people,” Miller said. “It’s all of us, working together to make the safest, best possible environment for everyone, where we’re protecting national security and the work that we’re doing.”
 
Detecting, deterring and mitigating insider threats – What to look for
 
Any behavior that’s out of the ordinary could be an indicator of a potential insider threat, Miller said. Sometimes a life situation – a contentious divorce, spiraling debts, a sudden medical issue, gambling or substance abuse addictions – can make a person vulnerable and tempted to do things they normally wouldn’t do.
 
“It could be that they’re going through something personal, and they’re not necessarily a threat, but we still need that report,” Miller said. “If you say something early enough, we can get them that help and it keeps their career on track, instead of going down that deep hole.”
 
People who are struggling with their mental health might be afraid getting help will negatively affect their security clearances, Benefiel noted. “But it’s 2024 – it’s OK to seek help. Seeking help is actually something that looks favorable during security clearance adjudications.”
 
While there are lists of potential indicators, an individual displaying one of them by itself is not necessarily significant, Luckey said. Your colleague who loves to travel abroad once a year on vacation is probably not suspicious. But if she becomes noticeably unhappy at work, suddenly seems to have unexplained wealth, and begins traveling more frequently to foreign countries that are not normally seen as tourist destinations, that should raise a red flag.
 
“It’s when these traits start aggregating, and you’re seeing many of the traits in the same person, that’s when organizations should start to be concerned,” Luckey said. “Any individual factor, without any other factors associated with it, is probably not something to be concerned about.”
 
Security professionals also consider the month prior to and the month after a person leaves an organization to be a critical period that carries an outsized risk, Luckey said.
 
The Insider Threat is Real
 
United States’ adversaries – including China and Russia – are highly motivated and determined to gain access to top-secret information and emerging military technology, or to disrupt or destroy America’s access to critical infrastructure or computer systems. A vulnerable insider is an excellent cat’s paw for them to achieve their goals, Miller said.
 
These attempts aren’t necessarily obvious, Miller said. It may not be a shadowy figure in a trench coat with a foreign accent, lurking in a parking garage, asking you to steal top-secret documents. These days, artificial intelligence and machine learning can be used to “scrape” social media sites and aggregate personal data, which can then be used for “phishing” and “spear-phishing” attempts.
 
“It doesn’t take a human to be involved in that any longer,” Miller said. “Now you can start to build profiles of people, movement and activities and programs. The things that were more protected because of a lack of data aggregation are more vulnerable now.”
 
When human connection is involved, adversaries often take a soft approach. “They get into your life a little bit, you become friends, you end up giving out more information and meanwhile, they’re piecing the puzzle together, getting information from others,” Miller said. “You don’t even feel like you did anything, but you’ve been socially engineered.”
 
Individuals also shouldn’t assume they’re not important enough to target, Benefiel said.
 
“A lot of people let their guard down because they think, ‘Oh, I’m just part of the cleaning crew,’ or ‘All I do is just (computer) help tickets; I don’t deal with sensitive, classified information that could harm the United States,’” Benefiel said.
 
“Everybody is a potential target. Even if someone doesn’t think they have information that’s valuable, they could be an entrée to someone else who has valuable information,” Luckey said. “If a criminal is trying to go after the president of a company – or the president of the United States – that’s probably not their entrée point: it’s probably someone else.”
 
People should be careful how much they share about their jobs in public settings and how much they share on social media, Benefiel said.
 
“It’s a really fine line to walk, but don’t go participating in discussions about the U.S. Space Force or your command’s activities because you could be unwittingly putting out information that foreign entities are able to piece together,” Benefiel said. “You think it’s an innocent, harmless conversation or social media post regarding launches or potential new vendors – but it’s not. One of the biggest places where I’m seeing that kind of discourse and conversation is on LinkedIn.”
 
“Even something that someone thinks is unimportant or doesn’t matter – it might matter in the aggregate,” Luckey said.
 
Artificial Intelligence bots can be generated to target individuals in a “honeypot” scheme. That attractive person you “met” on a dating site who is oh-so-interested in your job? He/She may be a bot, created to get as much intelligence from you as possible.
 
Carelessness also leaves not only individuals but the organization vulnerable, Miller said. Using secured communications, shredding documents when they are no longer needed, and making sure people don’t “tailgate” behind you when entering a secured facility are all basic, and extremely important, OPSEC practices.
 
Most people know they need to use secure passwords but may not be as vigilant against using “waterfall” passwords: if your password begins with Rudolph.1979 and you are prompted by your computer to change it, don’t choose Rudolph.1978. If the adversary has obtained your previous password, it won’t be hard for them to crack a waterfall password with hacking software, Miller said.
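
One way a password-change form can refuse a “waterfall” password, shown here as an added example that is not from the article or from SSC: it assumes the check runs at change time, when the user has just typed the current password, so no old password is stored in clear text. The function names and thresholds are illustrative, and the sample passwords other than the Rudolph pair are constructed.

```python
import re

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # drop a character
                           cur[j - 1] + 1,             # add a character
                           prev[j - 1] + (ca != cb)))  # swap a character
        prev = cur
    return prev[-1]

def stem(password: str) -> str:
    """Lower-case the password and keep only its letters (the reused word)."""
    return re.sub(r"[^a-z]", "", password.lower())

def is_waterfall(old: str, new: str, max_edits: int = 3) -> bool:
    """True when `new` is only a small variation of `old`."""
    old_l, new_l = old.lower(), new.lower()
    # Same password with different capitalisation.
    if old_l == new_l:
        return True
    # A few characters changed, added or removed (Rudolph.1979 -> Rudolph.1978).
    if edit_distance(old_l, new_l) <= max_edits:
        return True
    # Same word carried over with new digits or symbols around it.
    # Very short stems are ignored so that numeric passwords do not all match.
    old_stem = stem(old)
    return len(old_stem) >= 4 and old_stem in stem(new)

if __name__ == "__main__":
    current = "Rudolph.1979"
    for candidate in ("Rudolph.1978", "rudolph#2024!", "MyRudolph2024",
                      "correct-horse-battery-staple"):
        verdict = "rejected" if is_waterfall(current, candidate) else "accepted"
        print(f"{candidate!r}: {verdict}")
```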
 
Basic cyber hygiene – not sharing passwords, not giving others access to your accounts, using complex passwords – may sound simple, but remains one of the most effective defenses because those are the potential weak points most often probed first by adversaries, Luckey said.
 
Say Something – to Whom?
 
If you’ve noticed some suspicious behavior, to whom do you report it? Miller said it’s always a good idea to start by reporting it to your immediate supervisor. If you don’t feel that your concern has been properly addressed, then go to your security professional or your commander to report it.
 
“All those lines of authority are places you can report,” Miller said. “The supervisors and the commanders are just as important an avenue as the security professionals.”
 
Another thing to keep in mind is that the person who reports something suspicious is NOT the investigator, Benefiel said. Leave the actual investigations to the professionals.
 
“It is not the individual’s responsibility because we don’t want them to be in harm’s way,” Benefiel said. “Individuals are not investigators; they just report.”
 
A version of this article was posted in the October 2024 issue of Milsat Magazine