Premier 100: Expert warns of insider threats

07.03.2006
Michael Theis, chief of cybercounterintelligence at the U.S. National Reconnaissance Office (NRO), sat down Tuesday with Computerworld to discuss why companies must protect themselves from insider threats to their networks. Theis, who spoke in Palm Desert, California earlier at the Computerworld Premier 100 IT Leaders conference, also talked about a new public-/private-sector study that will look at the use of profiling to try to identify insider security threats -- much as the FBI now creates profiles for criminals.

The NRO, which is responsible for designing, building and managing satellites used by the U.S. government to gather intelligence, began beefing up its focus on internal threats after determining that an IT attack from an outsider costs US$56,000 to repair, while an attack from an insider costs more than $2 million to fix. Excerpts from the interview with Theis follow:

You mentioned that most companies are naively secure because they have their perimeter security set up and are not paying enough attention to insider threats. What are some first steps companies can take to begin to address the threat from insiders?

One of the first things they need to understand is what their crown jewels are. They need to find out what other people would be trying to get from [them]. Maybe they have this new business technique that other people haven't duplicated yet. Maybe it is a widget they have created. It doesn't have to be the classic espionage in that aspect, but other companies want to know what they are going to be doing in five years. Now they can start to understand if they need to put some kind of security around it. But security is kind of a bad word, because it is a tax. It always costs extra, and it doesn't give you anything. Maybe some of those employees in those crown-jewel areas need to be vetted a little bit differently, or they have to be monitored closely.

Other aspects are those simple aspects we give away all the time. One of the great ways we would penetrate a business is to come in and do an interview like you are doing right now. So I say, "Come in and let me show you my office," and you're taking pictures, and on the wall I have my five-year plan. That is an aspect of business intelligence. People talk to me about business intelligence all the time, and I say, "Yeah, we can get into any company and get anything." Not "we" as in the government -- but folks who have the skills that I do.

There are whole groups of people out there who make their money on business intelligence in just that way. It is something that has to be considered because a professional who does this job does not get caught. Company A does not pay somebody to steal Company B's information and have Company B ever find out about it.

You mentioned that for companies to have agile IT security, they really need to look at the online behavior of employees and possibly limit certain types of access for specific people. Why is that important?

We want to limit behaviors at the time they need to be limited. If you and I are in different departments and we are talking over instant messaging, that is fine. But if someone else then comes from the outside and tries to make an instant-message connection, we might not allow that, because you didn't know they were [on] the outside. Those are the kinds of things we would be trying to do from an agile aspect. Companies are going to partner with other companies, and the IT folks will be told to be able to connect the servers between the two. Internal employees don't realize that other companies are connected to them.

Education is a big aspect, so employees understand what would be a problem. When I first started consulting in the business -- up until three years ago -- I never used antivirus software. And I never had a virus, because the whole point was to tell people the only things they should be clicking on are things from these departments and only these kinds of attachments.
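The conditional access Theis describes above (instant messaging between internal departments is fine, a connection from outside is not, and partner server links exist that employees may not know about) can be written down as a time-bounded policy check with an audit trail of denials. The following is an added illustration for this page, not code from the interview or from the NRO; the address ranges, the partner name, the allowed ports and the partnership window are all constructed placeholders.

```python
"""Added example: a small 'limit behaviors when they need to be limited' policy
engine. All networks, partner names, ports and dates below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from ipaddress import IPv4Network, ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

# Assumed corporate address space (constructed).
INTERNAL_NETS = [ip_network("10.0.0.0/8")]


@dataclass(frozen=True)
class PartnerLink:
    """A server-to-server link IT was told to open for a partner company.
    It is only valid for specific ports and only while the partnership lasts."""
    name: str
    source_net: IPv4Network
    allowed_ports: FrozenSet[int]
    valid_from: datetime
    valid_until: datetime


# Constructed partner link: partner-a may reach internal HTTPS during Q2 2006 only.
PARTNER_LINKS = [
    PartnerLink(
        name="partner-a (constructed)",
        source_net=ip_network("203.0.113.0/24"),
        allowed_ports=frozenset({443}),
        valid_from=datetime(2006, 4, 1, tzinfo=timezone.utc),
        valid_until=datetime(2006, 6, 30, 23, 59, tzinfo=timezone.utc),
    )
]


@dataclass(frozen=True)
class Request:
    src: str          # source IP address
    dst: str          # destination IP address
    dst_port: int
    service: str      # e.g. "im" or "https"
    when: datetime    # time of the request (timezone-aware)


def is_internal(addr) -> bool:
    """True if the address belongs to one of the assumed corporate ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def authorize(req: Request,
              partner_links: List[PartnerLink] = PARTNER_LINKS,
              audit: Optional[List[str]] = None) -> Tuple[bool, str]:
    """Decide whether a connection is allowed and why.

    Internal-to-internal traffic (e.g. IM between two departments) is allowed.
    Traffic from a partner network is allowed only on the link's ports and only
    inside the partnership window. Everything else from outside is denied.
    Denials are appended to `audit` so the insider-threat team can review them."""
    src = ip_address(req.src)
    dst = ip_address(req.dst)

    if is_internal(src) and is_internal(dst):
        decision = (True, "internal-to-internal")
    else:
        decision = (False, "external source with no partner link")
        for link in partner_links:
            if src in link.source_net and is_internal(dst):
                if not (link.valid_from <= req.when <= link.valid_until):
                    decision = (False, f"partner link {link.name} outside its window")
                elif req.dst_port not in link.allowed_ports:
                    decision = (False, f"port {req.dst_port} not on partner link "
                                       f"{link.name} allow-list")
                else:
                    decision = (True, f"partner link {link.name}")
                break

    if not decision[0] and audit is not None:
        audit.append(f"{req.when.isoformat()} DENY {req.service} "
                     f"{req.src}->{req.dst}:{req.dst_port} ({decision[1]})")
    return decision


if __name__ == "__main__":
    log: List[str] = []
    t = datetime(2006, 5, 10, 9, 0, tzinfo=timezone.utc)
    for r in (Request("10.1.2.3", "10.4.5.6", 5222, "im", t),
              Request("203.0.113.5", "10.4.5.6", 5222, "im", t),
              Request("203.0.113.5", "10.4.5.6", 443, "https", t),
              Request("198.51.100.7", "10.4.5.6", 5222, "im", t)):
        print(r.src, "->", r.dst, authorize(r, audit=log))
    print("\n".join(log))
```

The point of the partnership window and the per-link port list is Theis's "at the time they need to be limited": once the partnership ends, the same partner address that was legitimate yesterday is denied today, and the denial lands in an audit list that an analyst can read, rather than silently disappearing.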

You described a new project called the Model of Human Behavior in Cyberspace that NRO is involved with. How does this project work?

It is not officially a government project. There is a lot of interest in the government and certain sectors of the government that would like to provide funding for it, but with distributed development [and] centrally managed by a core board of directors. The people who sit on that board are people like myself, but we also have a psychologist, people from universities and a neuroscientist. In a bricks-and-mortar world, police agencies and the FBI will go to a psychologist and say the guy [criminal suspect] has been exhibiting these things. What should we know? They will give you a profile, what you can do to counter it. If you bring them stuff from the computer and say, "These are his e-mail names, etc.; what should we expect?" they will say they have no idea.

What is the status of the study?

It is in Phase 1 -- determining what questions can be answered and which ones can't. Could I ever produce a mathematical formula that could describe a human's behavior? We are trying to determine if that is even a question we can answer. We also have to understand the real sample size. Ultimately, we would love to be able to do everyone in the U.S., but that is not realistic. Are there issues between genders, ethnicity and age? We're also trying to figure out how the funding works.