Vanguard
Security Insights

Insider Threats, Informants and Whistleblowers: Different Animals, Same Stripes?

Along with Atomic Blonde and Kraftidioten, one of my all-time favourite movies is The Informant! A brilliant biographical-comedy, The Informant! is based on one of the biggest anti-trust cases in US history involving executives from one of the largest corporations at the time, Archer Daniels Midland (ADM).

The true story of Mark Whitacre, a young executive at ADM, the movie follows Whitacre as he discovers that ADM his executive colleagues are at the root of a massive, global lysine price-fixing scheme. Instead of colluding and going along with their scam, Whitacre flips, turning evidence for the FBI and throwing his colleagues to the sharks.

A rising star at ADM, Whitacre had, well, some issues, character issues. Whitacre was a bit of a sociopath with an outstanding talent for harnessing those flaws and using them for his benefit. In Whitacre’s duplicitousness, he was able to adeptly weave two personas: a dull, self-effacing bowl of oatmeal that cloaked a calculating, narcissistic egoist.

Aside from being dry and hysterically funny, the movie paints a complicated portrait of a snitch with only a glimpse into the back story and psychological profile of the real Mark Whitacre. That’s what makes the movie both interesting and poignant to the modern-day phenomena of whistleblowers, ‘pro-social’ activists, informants and insider threats.

All three differ in motive and intention, any of these actors can be damaging. So what’s the difference and why does it matter? We’ll get to that.

Going back to the movie for a bit of clarity, in an unexpected twist, just after the FBI wrapped up their covert taskings, Whitacre’s colleagues lay bare evidence – they had been gathering information on him for a while. From within the folds of the FBI investigation, Whitacre had been extorting millions from ADM.

At first, Whitacre appears to be a run-of-the-mill whistleblower. Motivated by a seemingly good conscious and desire to do the “right thing”, Whitacre is redeemed by being recruited as a government informant. But then he devolves into a treacherous thief, hoodwinking the good guys (the FBI) and then bad guys (his colleagues) by becoming an even worse guy than they were.

How can it be that Whitacre was able to manifest these two personas with vastly different moral baselines? That’s usually the first question asked after insider threat actors are caught.

The movie doesn’t tell us much about the Mark Whitacre before the lysine scandal so connecting the dots to form a picture is difficult, if not impossible, but it is unlikely it would have yielded much. We can assume he was someone who was at worst an opportunist and at the absolute worst a narcissist, incapable of staying out of the spotlight, whether for good or bad.

Often the case with insider threat actors not much is known about them beyond their professional life. Like Mark Whitacre, most come off as quiet, unassuming good, maybe only mediocre, employees. In a recent Vanguard article, I wrote on insider threats from the personnel screening and psychological perspectives (Spies Among Us: Are We Blind To Insider Threats? Sept. 2019) and what works, what doesn’t and maybe why. And that was the takeaway: we don’t really know.

We know more about whistleblowers. Whistleblowers are motivated by an altruistic form of snitching meant to benefit the public, an institution or sometimes the greater social, political or ideological goal common to the institution or their society. The important distinction is that whistleblowers – true whistleblowers – do not stand to personally advance or benefit from their actions, except maybe only attempting to regain what they once had or they felt they were entitled to.

A whistleblower’s actions and conduct are defining and essentially determine their legitimacy: Did they exhaust all formal processes before going public? Were their actions in good faith and meant preserve a public interest? How these are answered is important as they separate those motivated by benevolence from those with malicious or retaliatory intent.

Pro-social activists exist in a bit of a grey area but fall into the catch-all term insider threat. Focused more on benefitting a social theme for the public good, or what they perceive to be the benefit of the public (think Manning, Snowden, Assange), pro-social activists often emerge from areas of intelligence and extreme privilege.

Whistleblowing, the release of information on internal activities believed to be unethical or illegal by an insider to a particular group, is the appeal for outside review and intervention by a governing body or sometimes the public. Usually with that action comes the breach of a confidentiality agreement or oath of public.

While some agreements may be perceived as conditional or contradicting in the expectations of secrecy and ethics, others are clear. At the highest level of sworn oaths, Canada’s Security of Information Act binds those subject to it to permanent secrecy, particularly outside the walls of the organization. Even within those walls, that secrecy is only alleviated within certain governing processes and with certain individuals.

Swearing to an oath of permanent secrecy is a very conscious and personal decision. What it means is that in the face of malfeasance or serious criminal acts, one accepts there are only two options: to put faith in and engage the proper internal processes and never speak of it again … Or to voluntarily leave and never speak of it again. Having said that, it must also be believed that the principles of fairness and ethics are alive and well in that organization. In the absence of that, see option two.

But what about those who breach privacy, confidentiality or an oath for their benefit, whether material, monetary, ideological, political, psychological or, for lack of a better term, premeditative? Entirely different motives than that of a whistleblower, many in federal security are still trying to wrap their heads around the causality of insider threat actors. Although more complex, understanding any of these actors requires some basics in human psychology.

Looking at any behaviour, intent is an important factor. Tied to the ‘self’, intent is a distinctly separate mental process from motivation. Although formed on motivation and acted on through mental activities, such as purposeful rationalization, forethought, and planning, intent is what you are trying to effect as an outcome.

Motivation, usually rooted in an ideal like a philosophy or belief, is a compassionate or emotional basis for intent – it is gas in the tank. One can have motivation without intent; which is a loosely strung belief that is idealized as the ‘right way’ but never be put into a meaningful or overt action.

Social media is a good case-in-point: People may post or tweet about their “ideals” and may have “intent” through those low-level social actions but lack the motivation to move it into real-life social processes for actual effect. This is probably a good thing; social media is an electronic psychologist.

The long-held, but often disputed, radicalization theory helps illustrate these dynamics; intent kicks in partway through, preceding decisions to act and what those actions are formed on. Motivation is what brought you there in the first place – it’s how you think things should be. Often self-actualizing, intent helps satisfy elements of power, control, agency, and ego. Going back to the concept of self, motivation is an outward view and intent is inward.

Only scratching the surface of what is a complex concept, two questions fall out of the above musings: what is the Government of Canada doing about whistleblowers and insider threats? Well, there’s been a fair amount of conversation on both due to recent events in federal security and intelligence, renewing interest on this unique and difficult-to-predict threat.

Under federal legislation, “whistleblower protection” and provisions are spread across several pieces of legislation, subject the purview of the department that it occurred in, such as the Public Servants Disclosure Protection Act (PSDPA), the Public Service of Ontario Act (PSOA) and the Securities Act. Similarly, informer privilege is well-embodied by federal justice, to some extent provincial statutes and is reflected in the Canadian Criminal Code.

Whistleblowers are (somewhat) welcomed and are suggested to be important to the integrity of private institutions and, in some cases, public ones. The problem is, as, with any label that provides a safe harbour, the term whistleblower is often misapplied and misused. Insider threat actors are entirely different and, rightfully so, the only protection afforded to them is what we call “a lawyer”.

In the earlier mentioned Vanguard article, academic and evidence-based approaches in personal screening security were examined along with improved definitions in legislation, stronger partnerships for detection and interdiction and comprehensive, continuous resource assessments.

Some of Canada’s national partners have made important advancements in developing agency, department and state-wide insider threat programs. At a recent classified conference on insider threats, several were showcased. But Canada’s wasn’t one of them. Not yet, at least.

The US leads the charge on this issue with the National Insider Threat Task Force (NITTF) in developing the National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs for executive branch departments and agencies in 2012.

After maturing and refining the Standards, the NITTF developed the Insider Threat Program Maturity Framework (ITPMF) in 2017 through a series of working group sessions, vetted in focus groups attended by representatives from the Intelligence Community, Department of Defense and other federal partner insider threat programs. Detailed and comprehensive, the ITPMF applied to the vast, complicated US intelligence landscape.

Here’s a primer: The US Intelligence Community is composed of seventeen organizations. The Office of the Director of National Intelligence (ODNI) and the Central Intelligence Agency (CIA) are independent. Eight Department of Defense elements – the Defense Intelligence Agency (DIA), the National Security Agency (NSA), the National Geospatial-Intelligencee Agency (NGA), the National Reconnaissance Office (NRO) and the intelligence elements of the four Department of Defense services; the Army, Navy, Marine Corps and Air Force.

Then, there are the seven elements of other departments and agencies – the Department of Energy’s Office of Intelligence and Counter-Intelligence, the Department of Homeland Security’s Office of Intelligence and Analysis and U.S. Coast Guard Intelligence, the Department of Justice’s Federal Bureau of Investigation and the Drug Enforcement Agency’s Office of National Security Intelligence, the Department of State’s Bureau of Intelligence and Research and the Department of the Treasury’s Office of Intelligence and Analysis.

In Canada, things are simpler than that. But the Government of Canada’s insider threat programs are still in more of a concept or incubation phase. Well, we have a publication; Public Safety Canada’s Enhancing Canada’s Critical Infrastructure Resilience to Insider Risk that touts eight steps in promoting and adopting a preventative insider threat program. But first, it poses these questions:

What if the keys to the castle were in the hands of those that you were trying to defend against? What if the contractor building your IT infrastructure was working for your competitor? What if your most important asset was also your biggest vulnerability?

This is a bit of a problem. First, “resilience” is not a defence. Second, there is no “set of keys to the castle” – there are many keys, many locks and many doors called controls and safeguards, which are subject to vulnerabilities and vectors that spider from asset to asset. Third, typifying a threat actor preloads and prejudices the detection processes from the start. All actors have to be assessed, on criteria, as potential threats even the most highly credentialed and thoroughly vetted. And fourth? An organization’s most important asset is its biggest target – whatever protects an asset is ripe for attempts to exploit.

A far cry from the multi-layered approach the US has implemented, Canada is still maturing the thinking around insider threats and how to assess their risks. We already know it’s not enough to address only one area or domain when tightening the controls around sensitive or valuable assets.

We have hardworking folks in various government security departments but the Government of Canada needs to call a prohibition on publications and use those resources to focus on delivering operationalized programs.

At the end of the day, we still have the same problem: defeating insider threats requires accounting for the dynamic aspects of humans – how they can be influenced or coerced through external means, what they internalize that may shift morals, values, ideologies or political views and how we detect these features.

For now, there is no easy formula in monitoring, detecting and intervening on insider threats. But The Informant! is available on NetFlix; you should watch it. So should the Government of Canada.

Related posts

Implied Trust … in Supply Chain Security – Part Two

Valarie Findlay
November 9, 2018

Cybersecurity Comes of Age

Sajith Nair
July 26, 2021

It is time to reconsider the development of Resolute Bay

Colonel (Retired) Pierre Leblanc
March 29, 2022
Exit mobile version