What CISOs can learn from the US Navy insider who stole nuclear secrets

The theft of government secrets by Jonathan Toebbe and others raises the question: How should CISOs deal with insider threats who have had insider threat training?


The legal entanglement of the entrepreneurial U.S. Navy engineer Jonathan Toebbe, who hoped to parlay sensitive nuclear submarine secrets into a cool $5 million, is now in hiatus as he sits in a West Virginia jail cell awaiting his December trial. We can only imagine the discussions within the Navy’s information security teams upon learning that some of the most sensitive of secrets were hand carried out of classified environments, back to the residence of the employee, and then passed on to an unauthorized third party. The epitome of insider threat realized.

Those involved in the commercial side of mitigating insider threats almost universally agree that an individual’s proclivity to lift proprietary secrets from their place of employment increases as they near separation or departure. Court documents certainly paint a picture of Toebbe hoping to score an extraordinary payday and separate from employment with the Navy. Whether overt acts also signaled to his colleagues and leadership that he was contemplating an exit is not known.

Your malevolent insider is insider threat trained

Toebbe wrote how he had been taking information from the Navy in such a way that he would not raise the suspicion of his colleagues:

I was extremely careful to gather the files I possess slowly and naturally in the routine of my job, so nobody would suspect my plan. We received training on warning signs to spot insider threats. We made very sure not to display even a single one. I do not believe any of my former colleagues would suspect me if there is a future investigation.

The court documents reveal that while he took more than 10,000 pages of documents over the course of many years, he claims to have taken only material to which he had natural access. He also memorized information and recreated diagrams at home. Furthermore, his theft of these secrets occurred at multiple naval research locations. His correspondence and his attempt at executing impersonal espionage tradecraft indicate he had read extensively on espionage history and the methods used by other insiders who successfully broke trust and stole information.

Toebbe’s methods defeated the infosec systems

As for Toebbe’s data exfiltration methods, four hallmark cases of government insiders who went undetected for long periods come to mind. All four of these individuals received counterintelligence briefings that included sections on insider threat. They were also schooled in the need to self-report any errors in handling classified information and to report any suspicious activity within the workplace.

  • The mid-1980s saw a Navy analyst, Jonathan Pollard, take documents out of his workplace two or three times a day on multiple days of the week. He stored the documents in a suitcase pending delivery to his Israeli intelligence officer handler. Pollard’s theft of documents went undiscovered for the better part of a year. His discovery is rooted in a colleague seeing something and saying something: the colleague saw Pollard mishandle classified materials and reported it. In the end, the government determined that Pollard had taken the equivalent of 18 cubic feet of classified materials out the door.
  • In 2017, Reality Winner, a contractor for the National Security Agency (NSA), printed a classified document at her workplace, hid it in her pantyhose, carried it out the door past the security guards and mailed it to a media outlet. She had received insider threat training. She was detected when the media outlet asked the NSA to confirm the document it had received; the NSA’s investigation showed that Winner was one of a limited number of people who had accessed the document and the only one to have printed it.
  • Then there is Harold Martin, a contractor within the intelligence community who was discovered to have secreted information from his various places of employment from 1996 to 2016. When he was found out, FBI investigators recovered over 50 terabytes of information that he kept at his residence and other locales. During his trial, the government noted that he had received insider threat training. His tirades against the NSA caused an investigation to be opened that revealed the massive data theft.
  • Ana Belen Montes, who was sentenced to prison in 2002, was at the time of her arrest the lead Cuba analyst within the Department of Defense (DoD). She was also, for the entire time of her tenure as an analyst (approximately 17 years), a covert asset of the Cuban government. She was gifted with a near photographic memory, and thus it is believed she never took any documents from the workplace. Rather, she memorized the content and then recreated it for passage to her Cuban handlers. A Cuban defector provided the clues that allowed the identification of Montes.

How should Toebbe the insider have been detected?

Was Toebbe’s pilfering of the documents over a long period of time sufficient to trigger the insider threat monitoring technologies available today? Should it have triggered colleagues to have detected anomalous events involving classified documents? These are questions that the damage assessment within the Navy is no doubt striving to answer.

Joe Payne of Code42 notes that there are differences between government and the private sector. He observed that the bar is considerably higher in government when it comes to setting expectations on employee behavior, and that a government employee operates from the beginning under the very real expectation of being trained in, and having ingrained, the mantra of “see something, say something.” He continues that there are “always breadcrumbs” available to investigators to detect behavior like Toebbe’s.

Rajan Koo, chief customer officer at DTEX Systems, notes that their investigative experience has shown that, “Rarely is the malevolent individual only breaking the data control rules.” Toebbe had been cleared for continued access to national security information following a reinvestigation, which included a background and financial investigation. Examination of his personal finances and engagement with neighbors and colleagues were all part of that reinvestigation.

Koo’s colleague Armaan Mahbod, director of security and business intelligence, notes that technology should have detected Montes (had it been available) and Toebbe, both of whom stayed in their swim lane and recreated copies of classified information. He explains, “The user who is reading/scanning is not lingering. Technology should be able to tell how long a user is in specific documents compared to others and alert upon anomalous activity.”
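Two of the detection signals this article describes can be worked through on a document-access audit log: the dwell-time comparison Mahbod describes (a user who lingers in a document far longer than peers who merely read or scan it) and the access-versus-print narrowing that identified Winner (who opened the document, and who was the only one to print it). The example below is added here and is not code from the article or from Code42 or DTEX; it assumes a hypothetical log format of `<ISO timestamp> <user> <action> <doc>` with actions `open`, `close` and `print`, and the sample log is constructed, not real data.

```python
"""Dwell-time anomaly and print-audit checks over a constructed document-access log."""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample log (assumed format, not from any real system):
# four users read DOC-17 for about two minutes each; one lingers 41 minutes, then prints it.
SAMPLE_LOG = """\
2021-10-04T09:00:00 alice open DOC-17
2021-10-04T09:02:10 alice close DOC-17
2021-10-04T09:10:00 bob open DOC-17
2021-10-04T09:11:45 bob close DOC-17
2021-10-04T09:20:00 carol open DOC-17
2021-10-04T09:22:30 carol close DOC-17
2021-10-04T10:00:00 dave open DOC-17
2021-10-04T10:41:00 dave close DOC-17
2021-10-04T10:41:30 dave print DOC-17
2021-10-04T11:00:00 erin open DOC-17
2021-10-04T11:01:50 erin close DOC-17
2021-10-04T13:00:00 alice open DOC-42
2021-10-04T13:03:00 alice close DOC-42
2021-10-04T13:10:00 dave open DOC-42
2021-10-04T13:12:00 dave close DOC-42
"""


def parse_log(text):
    """Parse '<ISO timestamp> <user> <action> <doc>' lines; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, action, doc = parts
        try:
            when = datetime.fromisoformat(ts)
        except ValueError:
            continue
        events.append((when, user, action, doc))
    events.sort(key=lambda e: e[0])
    return events


def dwell_seconds(events):
    """Total seconds each (user, doc) pair had the document open.
    An open with no matching close (session still running) is not counted."""
    open_at = {}
    total = defaultdict(float)
    for when, user, action, doc in events:
        key = (user, doc)
        if action == "open":
            open_at[key] = when
        elif action == "close" and key in open_at:
            total[key] += (when - open_at.pop(key)).total_seconds()
    return dict(total)


def flag_lingering(dwell, threshold=3.5, min_peers=3):
    """Robust z-score (median/MAD) of each user's dwell time against peers on the same doc.
    Documents with too few peers are skipped: a baseline of one or two readers is noise."""
    by_doc = defaultdict(dict)
    for (user, doc), secs in dwell.items():
        by_doc[doc][user] = secs
    flagged = {}
    for doc, per_user in by_doc.items():
        for user, secs in per_user.items():
            peers = [s for u, s in per_user.items() if u != user]
            if len(peers) < min_peers:
                continue
            center = median(peers)
            mad = median(abs(s - center) for s in peers)
            scale = max(1.4826 * mad, 1.0)  # floor avoids division by zero when peers agree exactly
            z = (secs - center) / scale
            if z > threshold:  # only excess dwell is suspicious; fast skimming is normal
                flagged[(user, doc)] = round(z, 1)
    return flagged


def print_audit(events, doc):
    """Who opened a document versus who printed it: the narrowing used in the Winner case."""
    readers = {user for _, user, action, d in events if d == doc and action == "open"}
    printers = {user for _, user, action, d in events if d == doc and action == "print"}
    return readers, printers


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for (user, doc), z in flag_lingering(dwell_seconds(ev)).items():
        print(f"ALERT lingering: {user} on {doc} (robust z={z})")
    readers, printers = print_audit(ev, "DOC-17")
    print(f"DOC-17 readers={sorted(readers)} printers={sorted(printers)}")
```

On the sample log only dave on DOC-17 is flagged, and he is also the sole printer, which is the kind of breadcrumb Payne refers to. The caveats matter: the median/MAD baseline needs several peers per document, a user who memorizes content (Montes) leaves only the dwell-time signal and nothing on the print or copy path, and, as Mahbod notes below, someone has to be staffed to review the alerts.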

CISO lessons from the harsh insider threat reality

The reality, Mahbod concedes, is a lack of personnel. The insider threat function is very transactional, and those who engage in slow and methodical theft of documents within their natural access might not percolate to the top given the understaffing of audit functions. “What we find is that organizations have varying degrees of cross communication between departments like HR, IT, and security,” he says. “The end goal being that the whole organization strengthens their communication, which further strengthens security.”

The CISO focusing on insider threats needs to be attached at the hip to the other areas of the enterprise and infrastructure to ensure that when an employee’s behavior in one domain is being investigated, their behavior in all domains is being reviewed. The C-suite should encourage all employees and contractors to embrace the “see something, say something” frame of mind when engaging with their colleagues.

Payne suggests that those combating insider threat should “enable your personnel to do their job, in a trusted manner, with an umbrella surrounding them so that if they venture away from the processes and procedures—for example, load to web-based storage—they are corrected in the moment.”

Copyright © 2021 IDG Communications, Inc.