Exclusive: How the US is fighting insider threats
By Joshua Chambers and Nurfilzah Rohaidi
Interview with Adam S. Hickey, Deputy Assistant Attorney General at the US Department of Justice.
Image: US Embassy Singapore
Hickey notes how the US government is seeing a “concerted effort to target US government officials”. And increasingly, the private sector is also a target of foreign intelligence for nefarious reasons, he tells GovInsider at a recent media briefing in Singapore.
“To put it colloquially, it's no longer spy versus spy,” he says. “Particularly with corporations - it's spy versus you”.
The threat landscape
Hickey’s wide ranging portfolio includes economic espionage, election security, foreign investment review, and national security cyber threats. This role was created as a response to the rising tide of sophisticated, coordinated and hybrid threats in cyberspace. “We see some nations engaged in outright theft,” he adds, referencing the recent attack on the central bank of Bangladesh by alleged North Korean hackers.
Foreign intelligence services have set their sights on private sector, with the intent of stealing intellectual property or technologies, proprietary business information, or sensitive personal health information, Hickey says. Attackers are using various ways to infiltrate companies - for instance, through hiring company insiders to steal trade secrets, he continues.
Another tactic that attackers use is by exploiting foreign investment, where “a foreign company achieves a certain amount of leverage or influence over an American company and can use that to obtain technology or confidential information,” Hickey explains.
Other worrying trends include attacks via supply chain: “the ability of a trusted provider of equipment or services to facilitate this kind of theft”, he warns.
“All of these efforts reflect our increasing awareness of the importance of network security, whether we're talking about our telecommunication networks, computer networks, or the like, and are rooted in that concern about protecting national security,” says Hickey.
What private sector can do
Hickey shares ways that companies can secure their data. The US’ National Institute of Standards and Technology has introduced a cybersecurity risk framework that provides some fundamentals, he says.
It is essential to think about separating the company’s assets from non-sensitive data, as a first step. “Companies have a lot of information on their network,” Hickey notes. “The daily lunch menu might be on the same server as the trade secrets.” The most sensitive assets naturally need greater protections and resources to keep them secure.
Companies need to “plan for failure” as well - a response or defence to a data breach or attack. Hickey notes how “planning to keep the adversary out is unrealistic, because you're probably going to have some intrusion at some point.”
And a final key factor is whether a company’s networks can detect and track suspicious movements on its networks, through network logs. “A big piece of response and recovery is understanding what happened, but if you haven't been logging what happened on the network over the last six months, you're not going to understand what the adversary did,” Hickey points out. This can shine a light on how attackers managed to gain access to a system and will inform future security efforts.
Employees’ part to play in security
Beyond having these basic security strategies in place, Hickey offers some insights into how private sector can guard against insider threats. The first step is to set up a programme that helps to spot any suspicious behaviour, he says. What’s more, companies can widen their net by encouraging their employees to “report suspicious behavior if they see it” through this programme, he adds.
Suspicious behaviour can take many forms. For instance, fellow employees that attempt to access particular networks that may hold sensitive information or trade secrets - but at odd times of the day. Perhaps they might take company laptops on holiday with them, or show up at work one day driving an expensive car that displays unexplained wealth, Hickey continues.
It is important to have buy-in from employees for these security policies, Hickey remarks. The point is to ensure that the company does not design policies in a way that is “adversarial” to the employee, he elaborates.
“The key is to create an environment where employees all feel that they're invested in the company's security and that its intellectual property is something that benefits all of us as employees, because it's a key to our livelihood.”
As a final thought, Hickey notes that law enforcement can be allies to companies. It helps to be prepared with contacts in the police in the event of an attack, he emphasises. “We tell American companies all the time that if you see something that you know who to call, and how to react,” he concludes.