07 September 2009

Red Zone: Behavioral Analysis Interviews...

Industrial Espionage and the theft of trade secrets is on every Operational Risk Management executives mind these days. The recent milestone conviction under the Economic Espionage Act of 1996 in the United States marks the starting point for accelerated investigations by the counter intelligence and OPSEC units of major public and private organizations:

A former Rockwell and Boeing engineer from Orange County was remanded into custody this morning after a federal judge convicted him of charges of economic espionage and acting as an agent of the People’s Republic of China, for whom he stole restricted technology and Boeing trade secrets, including information related to the Space Shuttle program and Delta IV rocket.

How 250,000 pages of classified, proprietary and otherwise sensitive information was found under this employees house is a good question? What might be an even more interesting question is pertaining to the controls for OPSEC and INFOSEC at Boeing in Orange County, CA.

Information Operations (IO) or Information Security controls are only as good as the creativity and the will of the individual human being that exploits the vulnerabilities in the design, configuration or implementation of the layers of defense. This is why the counter intelligence and OPSEC capabilities within the enterprise must be ever vigilant and continuously adapting to the internal insurgency within the organization.

The Operational Risks that the OPSEC team is focused on these days has to do with data leakage prevention (DLP) and insider threat prevention and data exfiltration prevention capabilities. As companies such as Boeing and other Defense Industrial Base (DIB) institutions utilize the latest software, hardware and other technology to assist in the "insider" detection and prevention of stealing, changing or deleting sensitive information there still remains the risk of human factors and social engineering.

Sometimes the low tech or human designed detection systems that work on behavioral sciences can be just as effective as the newest software running on the fastest computer box. One example is "The Reid Technique" in the context of doing routine interviews and investigations with a set of "Red Zone" employees. Who are the red zone employees? Those individuals who have certain access to systems or information, leave the organization for involuntary reasons or people that may be 3rd party suppliers to the key people in the red zone. So how does the Reid Technique help?

The Reid Technique is a method of meeting, conferring with, and evaluating, the subjects of an investigation. It involves three different components — factual analysis, interviewing, and interrogation. While each of these are separate and distinct procedures, they are interrelated in the sense that each serves to help eliminate innocent suspects during an investigation, thereby allowing the investigator to focus upon the person most likely to be guilty.

Organizations spend thousands of dollars if not hundreds of thousands doing what are called background investigations. These are many times outsourced to 3rd parties to provide a level of comfort that the person they are going to hire is a person with integrity and has not committed any crimes or lives a lifestyle that is not commensurate with the policies and regulations of the organizations hiring and employment practices.

The Integrity Interview is a highly structured interview with a job applicant. The purpose for the interview is to develop factual information about the applicant's past behavioral patterns.

Specifically, the following areas are assessed during the interview:

Employment History
Theft and Related Activities
Work Related Alcohol Use
Violations of Company Policy
Recent Use of Illegal Drugs
Criminal Behavior

The philosophy behind the interview is very straightforward. The most accurate indicator of an individual's future behavior is their recent past behavior.

The same technique can be used on a departing employee with the emphasis on adherence to all "Acceptable Use" policies regarding digital assets and cyberspace access to organizational data repositories. Individuals who have the characteristics associated with deception could be the target of a further investigation to determine whether any unauthorized information has been sent to a webmail account or if a 4 GB Thumb Drive happened to be plugged into a corporate laptop the night before the last day on the job.

This low tech method may be one of the most effective means for industrial espionage. Old school methods with 21st century technologies. All of the detection hardware and software, CCTV cameras, tagged files or RFID countermeasure will not be able to thwart a diligent, patient and trusted insider. Utilizing Behavioral Interview Analysis can make the difference between early detection or late reaction.

And while the OPSEC group is working on the "Lone Wolf" insider, there are swarms of non-state attackers initiating their 4GW strategy on the cyberspace front of corporations and governments worldwide. Just ask Jeffrey Carr:

The Cyber Domain consists of inter-related threats (financial crimes, espionage, network warfare) that have traditionally been segmented off to different agencies with their own siloed areas of responsibility. What is needed, however, is a unified approach to collection and analysis that mimics the non-traditional, multi-faceted strategies used by non-state actors in both cyber and kinetic conflicts. Project Grey Goose was our proof-of-concept.

Economic espionage and attacks on nations states critical infrastructures requires a substantial shift in policy and taxonomy if we are ever going to be effective in defending ourselves. GreyLogic may be on the right track when it comes to educating those who need it so that they can make the leap to be "Wired for War." While the CEO's and the General's are being briefed on the latest facets of "Weaponizing Malware" we can only hope that OPSEC is conducting the behavioral analysis interview. A face to face encounter, with someone who may just be that one person, who has your most valuable intellectual property or trade secret in the brief case at their feet.

No comments:

Post a Comment