Australian Government departments are at serious risk of large-scale loss of sensitive and classified data, according to a senior U.S counterintelligence advisor.
Keith Lowry, who led the Edward Snowden counterintelligence damage assessment team and an executive at Nuix, says many departments within organisations are exposed to serious data security risks because they do not conduct ongoing insider threat assessments, despite strict vetting processes of new staff and contractors.
According to Lowry, the number of spies or insiders caught using background checks is minimal. In his professional opinion, the number is very likely close to zero.
“Governments need to understand insider threats are about tomorrow, not yesterday,” he states.
“It is one thing to vet personnel, but background investigations and security checks only verify past behaviors and activities - they are absolutely useless in predicting future behaviours.”
Lowry’s warning about insider threats follow the recent arrest of a former National Security Agency contractor Harold Martin in the U.S. Prosecutors have accused the former Booz Allen Hamilton contractor of illegally removing top-secret information that could cause ‘exceptionally grave danger’ to US national security if disclosed.
“Edward Snowden, Chelsea Manning, and Harold Martin would all have passed background checks and other screening devices like polygraph examinations but in the end, they and others all made choices after being screened to do the wrong thing,” Lowry explains.
“Regardless of their intentions, in the end, they each took data that did not belong to them.”
Lowry is briefing senior government security, intelligence and business representatives in Australia this week to discuss insider threats.
The Nuix-led briefings involve Alastair MacGibbon, special adviser to the Prime Minister on Cybersecurity, David Irvine AO, former head of ASIO and chair at the Australian Cyber Security Research Institute, and Nuix’s CEO, Eddie Sheehy.
Sheehy says to counter insider threats, governments must first appreciate the insider threat issue is a people problem rather than a technical problem.
“Employees and contractors who jeopardise the protection of critical data, either with intent or not, represent one of the greatest cyber security threats to government and corporate organisations,” says Sheehy.
“When the threat is understood from a people perspective, organisations can start to build effective counter insider threat strategies to help them respond quickly to serious data breaches,” he explains.
"That’s why leaders need to create a culture of data security across their organisation so everyone is aware of the risks and responsibilities they have to protect important data,” Sheehy adds.
“They must also know exactly where their critical and sensitive data is held so it can be prioritised and protected.”
Lowry says insider threats take many forms.
“Unintentional insiders put an organisation’s data at risk through negligence, ignorance or by accident. Their actions can cause just as much damage as malicious insiders who for example may be planted by nation states, terrorist networks, crime syndicates or individuals who want to steal and use information for gain or to cause harm,” he explains.
“Because organisations usually view insider threats as a technology issue rather than a people problem, insider threats are often managed by IT departments instead of being a whole of organisation responsibility that should be driven by senior executives and board members.”