
Detecting and Mitigating the Insider Threat

By Karl J. Paloucek

As an organization greatly concerned with cybersecurity, InfraGard puts a lot of focus on dealing with hacking and cyber exploitation from outside sources. And rightly so — hackers are a fact of modern life, and cannot be eliminated from the list of threats we face each day. But what about threats that come from inside our businesses, that involve people we may see in our offices every day? People whose positions and access within the company might belie their actual motivations and allegiances, which may have long-term consequences for their employers?

The insider threat is very real, and we talked with SA Mark Aysta to see just how insidiously real it is. Aysta, Public Sector Coordinator for the Charlotte division of the FBI, was part of a team that successfully investigated and weeded out an infiltrator who had been siphoning trade secrets from the small energy company that employed him, and who intended to develop and use the information upon returning to China.

Xiwen Huang worked at U.S. National Laboratories and for another company, stealing vital data from both before being hired by a small energy company whose technology, evidence suggests, he hoped to exploit upon returning to China.

As Aysta points out, this is just one among untold numbers of cases like this that happen in the U.S. each year. “We are losing literally hundreds of billions of dollars a year in intellectual property from American corporations,” Aysta says, “by criminal groups, by nation states that are coming in from either a cyber perspective, or by insiders within the company themselves.”

To discern Xiwen’s intent with regard to the information he had collected from not only Company B, but Company A and the U.S. National Laboratory at which he had worked, a legend was created to approach the suspect as a potential investor.

While the insider threat certainly isn’t new, it has perhaps been overshadowed in recent years in terms of attention in favor of the omnipresent cyberthreat. But while the number of insider attacks may be dwarfed by the number of cyberattacks out there, the potential damage from an insider poses a special risk that should not be ignored. “It’s my personal opinion that over the last few years, cyber has become recognized as a threat, and companies are getting very good at it, but what they are still not very good at defending against is the insider who is going to not only steal their crown jewels like a cyberthreat would do, but know their value and know what to do with them,” Aysta says. “In my mind, that makes the insider exponentially more dangerous.”

And even though the number of potential insider attacks may be dwarfed by the number of cyberthreats, there really is no way of knowing exactly how many bad actors have infiltrated U.S. corporations in an attempt to undermine them and steal highly valued trade information. “This is the $64,000 question,” Aysta says. “What do you know, and what don’t you know? This is partly why this new position of the public sector coordinator was created by the Bureau. … How much of this is going on? A tremendous amount of it.”

In part because of the wild variable of unknowns involved, facing the new age of insider threat requires a different approach to its solution. “How we are starting to deal with it is, now, embedding ourselves with companies, becoming very closely associated with American corporations and helping them to harden their defenses in protecting their intellectual property,” he says. “We’re building trust relationships so that if something does come up within the company that doesn’t look right, rather than just brushing it off, they will have somebody within the FBI that they know, that they’ve got a relationship with, that they trust, and they’ll call us. And we can send it to the appropriate unit within the Bureau that looks at it, and if it turns out to be nothing, and it is nothing, then essentially, no harm, no foul. But if there is something, and we’re seeing similar patterns in similar companies within the industry [then that needs to be addressed].”

“Coco” was a colleague of Xiwen’s at Company B and an apparent romantic interest. She was suspected of complicity with Xiwen’s plans, but a lack of hard evidence prevented her from being formally charged.

For Aysta, having that established relationship, that trust, at the outset is absolutely pivotal to being able to ascertain the threat and to work together with the company under threat to mitigate the potential for damage. By forging a relationship with the local FBI field office and working together on training for the development of an insider threat program, a company can save itself and the FBI a lot of wasted time at the outset in the event of an actual threat from inside.

The training offered by Aysta and his colleagues at the FBI asks a lot of good questions. How does a company know whether or not it has an insider threat? How do you identify that person? What are the warning signs, if any? The answers are there, and it typically takes a lot of working together on the part of different personnel to confirm them and establish the probability of a threat, but it can be done — and Aysta and his colleagues illustrate how.

“We’ve got several case studies, and we show how these things happen,” Aysta offers. “Sometimes people start out nefarious. Sometimes they have life events where something bad happens, and they come into some financial difficulty through no fault of their own — through a sick child, through a nasty divorce, or bad business decisions. So we give them behavioral indicators of the insider threat. … These were the things that were going on in his or her life that, had somebody noticed these things, they could have reported it and mitigated the theft.”

Identifying the Insider

The particular case that we discussed with Aysta, which he and a team of others helped to break, involved a man who was working for a small energy company in North Carolina. Xiwen Huang initially had been employed at a U.S. National Laboratory from 2004-2008, where he had worked on government contracts. In 2008, he went to work for another outfit that the FBI in its investigation refers to as “Company A.” After four years there, he arrived at the small energy company in North Carolina, which the FBI refers to as “Company B.” And even there, it was quite a while before anyone raised a red flag of concern about his level of access.

Part of Xiwen’s duties at Company B involved a certain degree of travel to China. It was one of these trips that first triggered suspicion of him, but at first, nothing was done. “It started with unreported foreign travel,” Aysta explains. “He lied to his superiors at the company who said he was going to be going to Chicago to visit some friends, when in fact he went to China, because he was in the process of negotiating the sale and development commercialization of the stolen technology. And it was when he was in China that somebody recognized that he was in China. Either he’d spoken to somebody at the company, or he confided in somebody, but word got back to the company staff — the executive management — that he was not in Chicago. He was in China.”

Statements found in evidence recovered from the suspect’s computer, coupled with the evidence itself, indicated the likelihood of a premeditated plan to return to China with stolen intellectual property.

Their suspicion elevated, senior management at Company B began to jog their memory for other incidents that might have raised a flag. They remembered a time about nine months previously when Xiwen had been in China on legitimate business, and went out of contact for three days. “He just wouldn’t answer his cellphone,” Aysta says. “They started to get concerned about his wellbeing. And then, on the fourth day he just showed up and explained that he’d been sick, and he tried to pacify them with that answer. At the time, they thought that was very suspicious, but they didn’t have any other facts to go on, so they let it go.

“The second time, when he now had an unreported foreign trip to China, they started doing some open-source research and said, ‘What do you suppose he was doing there?’ and they ran his name,” Aysta continues. “They saw an open source that he had been sitting as a member of a board for a startup in China, and there were members of the Communist party also present, and they were talking about throwing the party’s support behind this new business.”

Now very concerned about what Xiwen had been up to, they began to dig further to find out information on the company mentioned on the Chinese news site, called H & Z Technologies. As Xiwen’s name was Huang, and the partner’s name Zhang, it wasn’t hard to deduce the derivation of the name. Further Google searching uncovered that Xiwen was the registered agent for this corporation, and that it was based in North Carolina. “Furthermore, when they delved into it even further, they saw — because it was just a scanned, signed incorporation paperwork — they saw that it had been faxed to the North Carolina Secretary of State’s office from the company that he was currently working at — at the small energy technology company.”

The Quiet Call for Assistance

At this point, senior management hired a cybersecurity company, headed by InfraGard member Theresa Payton, to come in and survey what they could find out to determine the extent of Xiwen’s subterfuge. “They did a number of covert exploitation techniques, and found that he had been forwarding confidential personal documents to his personal email, and to people outside the company — his co-conspirator,” Aysta says.

Aysta was soon brought in to learn the technology that Company B was hoping to protect. Aysta was able to acquire a search warrant for Xiwen’s personal email account, and from there, the FBI began to collect evidence on Company B’s behalf.

“Once they discovered what he was doing, they suspended him and then fired him, because they couldn’t keep him working there, with access to their crown jewels,” Aysta says. “They had one technology that they were developing, and if that technology was gone, then their company was over, so they got rid of him. He then moved to China.”

With Xiwen in China, moving forward was a delicate operation. “We had to work it discreetly and covertly, because if word got out at all that the FBI was involved, he was just never going to come back, and we never would know the scope of the thefts that occurred,” Aysta explains. Through the exploitation of the evidence discovered via the search warrant, Aysta and his colleagues found that not only had he been stealing information from Company B, but that during his entire stay in the United States, he had been stealing every bit of information he could from his two previous employers, the National Laboratory and Company A. The audacity Xiwen showed was incredible. “He would download it to thumb drives, he would download it to hard drives, he would forward it from his company email to his personal email account, and he was physically picking up documents and walking out the door with them,” Aysta says.

The Capture

Through covert means, Aysta and his colleagues at the FBI set up a bit of a sting to capture Xiwen. “We knew where he was going to be at a certain time, because we knew he traveled back to the United States a couple of times a year to see his daughter,” Aysta says. “So we were able to arrange to have our undercover in the same place at the same time as the subject. And we knew through email communications that even though he had all of this intellectual property, he needed funding to develop it — he didn’t have the money to build research and development facilities, and factories and production facilities, and pay labor rates.”

The lure that the FBI employed was an undercover agent posing as a venture capitalist who just happened to be involved in energy projects in China, and who was interested in funding Xiwen’s prospective work. “The two of them were able to have a conversation in which Xiwen, our subject, admitted that he was involved in the type of business that Company B does — their sole technology,” Aysta recalls. “There’s only literally a handful of companies across the globe that do this technology. Really, only two in the United States. And he admitted that that’s what he was doing. So that was enough to satisfy the intent for our prosecutors that he was going to use their technology that he stole, and then commercially develop it.”

This was an important distinction, because, as Aysta noted, the U.S. Attorney’s Office had pointed out that as a defense, Xiwen could claim that he had just collected the materials with no intent to do anything with them.

Once Xiwen returned to the United States, he was put under surveillance and eventually arrested and subjected to a series of interviews in which he confessed to the theft of information, though without admitting why. “He gave some false, exculpatory [explanation], but he admitted to a number of the things that he didn’t think we knew about,” Aysta says.

“He’d been preparing himself,” Aysta continues. “He’d come up with a strategy and a story if he was ever confronted. But what he didn’t realize was that through his email communications, we recognized that he’d stolen a number of materials from Company A, and we knew what they were, and we knew the value of them. And through the course of our conversations with him, when we asked him what he was working on — because he denied working on any of the stolen intellectual property from Company B, in Charlotte — when confronted with, ‘What are you, indeed, working on now?’ he admitted to working on projects that were all the development of Company A’s stolen intellectual property, because he didn’t think we knew about it.”

Xiwen pleaded guilty to the charges before him, and over the course of many interviews, it came to light that his value to the company for which he was working in China was to steal the technology from Company B for its exploitation. “He was the sole possessor of this technology,” Aysta says, “and he would let it out a little bit at a time in order to get funding to develop the stolen intellectual property.”

Ultimately, Xiwen would send a letter to the FBI with an exculpatory explanation that sounded good … but maybe just a little too good. “He said that at the time, he didn’t think it was wrong, but now he realizes it was,” Aysta recalls. “Was that heartfelt? Was that genuine? … I guess I’d like to believe him, but his whole time in the United States, all he did was steal and lie to people, so … I’d like to believe him.”

The Takeaway

The lessons learned from this case study, per Aysta, are simple and straightforward. Corporations looking to protect their intellectual property from insider threat need to take the prospect of that threat seriously, and do everything they can in their power to prevent it, starting with establishing a relationship with someone in their local FBI field office. In the case of Company B and its insider threat problem, things turned out sufficiently well, but they could have gone better. “There was quite a bit of time on the front end, valuable downtime, that was wasted,” Aysta remembers. “It would have been a lot better had we had a trusting, personal relationship between the FBI and this company to begin with. It would have eliminated a lot of wasted time on the front end. We could have gotten right to mitigating the theft and getting to the bottom of what happened.”

It may seem counterintuitive to some CEOs, but picking up the phone and calling their FBI field office’s public sector coordinator to discuss the security of their most valuable intellectual property is where the planning begins. “Companies have to have some type of insider threat program,” Aysta asserts. “They have got to identify what their crown jewels are, and figure out how to protect them. They have to give only people who need access to those crown jewels access to them. They have to have some type of a reporting system where, if their co-workers believe somebody is acting inappropriately or doing something they shouldn’t be, that there’s a method to report that.”

Joining InfraGard is another way that CEOs can maintain an edge on the insider threat, Aysta says. “Once you become a member of InfraGard, real-time intelligence comes out in the form of emails. As soon as there are threats to whatever sector you’re in, you get automated emails” to help stay abreast of any relevant security concerns arising within the industry.

The keys, though, are communication with the FBI and the establishment of a solid security program to protect the core assets central to any organization’s business. Aysta points out that there are some free resources out there, such as the insider threat materials available from Carnegie Mellon University (www.cert.org/insider-threat), but that for truly effective security, a CEO should be prepared to put money toward the development of an appropriate security plan — because companies’ situations differ, and every company is likely to have its own unique variants.

“It’s like asking, ‘What kind of car do you need?’” Aysta suggests. “It depends on whether you’re a single college student, or whether you’ve got a family of 12, right? You’ve got to develop a security program that is relevant to your company. If you’ve got one technology — the easiest example is Coca-Cola, the formula for Coke. It’s locked in a vault somewhere. It’s been saved like that for how long? If you’ve got one really good thing you want to protect, you’re going to go about it a lot differently than if you’re a Microsoft and you’ve got all of these different product lines, or some of these companies that are constantly developing technologies.”

One of the most important things a company can do as part of its security program is to have regular and solid communication between departments with regard to any observed anomalies in their regular routines, Aysta says. “Physical security — who handles the badges and the access cards — if they’re noticing someone is coming in late at night, and they think, ‘Well, that’s a little strange. Maybe he’s working on some strange projects.’ If they’re not talking to IT security, who says, ‘Hey, this guy’s doing some unusually large downloads, and he’s exfiltrating large amounts of data from some very sensitive projects.’ If these two aren’t talking, and they’re not talking to HR, who says, ‘This guy is going through some serious financial problems, and he’s getting divorced from his wife, and he’s been a disciplinary problem at work,’ then that’s a problem. So communication among stakeholders in the company is a must. You’ve got to have somebody who coordinates that.”
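The cross-department correlation Aysta describes (physical security, IT security and HR each holding one piece of the picture) can be made concrete as a small triage routine for the coordinator he says a company needs. The Python below is an added example written for this article; it is not code from the article, the FBI or InfraGard. The badge events, transfer records and HR flags are constructed sample data, and the after-hours window, the "large transfer" threshold and the field layouts are assumptions. It flags only users for whom indicators come from more than one department, which is the point Aysta makes: any single signal on its own is easily explained away.

```python
"""Correlate insider-threat indicators held by separate departments.

Added example for the article above, not the FBI's or InfraGard's code.
All records below are constructed; thresholds and field names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, time

# --- Constructed sample data -------------------------------------------------
# Physical security: badge events as (user_id, ISO timestamp, door).
BADGE_LOG = [
    ("u1001", "2015-03-02T22:41:00", "lab-east"),
    ("u1001", "2015-03-04T23:10:00", "lab-east"),
    ("u1001", "2015-03-05T08:02:00", "main"),
    ("u2002", "2015-03-02T08:55:00", "main"),
    ("u3003", "2015-03-03T21:30:00", "main"),
]
# IT security: transfer records as (user_id, ISO timestamp, bytes, project, sensitivity).
DOWNLOAD_LOG = [
    ("u1001", "2015-03-02T22:58:00", 3_500_000_000, "proj-alpha", "restricted"),
    ("u1001", "2015-03-04T23:20:00", 2_900_000_000, "proj-alpha", "restricted"),
    ("u2002", "2015-03-02T09:10:00", 40_000_000, "proj-beta", "internal"),
    ("u3003", "2015-03-03T21:45:00", 120_000_000, "proj-gamma", "internal"),
]
# HR: reported concerns as (user_id, flag).
HR_FLAGS = [
    ("u1001", "unreported-foreign-travel"),
    ("u3003", "disciplinary-action"),
]

AFTER_HOURS_START = time(20, 0)        # assumed: 8 pm to 6 am is "after hours"
AFTER_HOURS_END = time(6, 0)
LARGE_TRANSFER_BYTES = 1_000_000_000   # assumed: 1 GB from a restricted project


def is_after_hours(ts: str) -> bool:
    """True when the timestamp falls inside the assumed after-hours window."""
    t = datetime.fromisoformat(ts).time()
    return t >= AFTER_HOURS_START or t < AFTER_HOURS_END


def badge_indicators(log):
    """Physical security's view: after-hours badge entries per user."""
    out = defaultdict(list)
    for user, ts, door in log:
        if is_after_hours(ts):
            out[user].append(f"after-hours entry at {door} ({ts})")
    return out


def download_indicators(log):
    """IT security's view: large transfers out of restricted projects per user."""
    out = defaultdict(list)
    for user, ts, nbytes, project, sensitivity in log:
        if sensitivity == "restricted" and nbytes >= LARGE_TRANSFER_BYTES:
            out[user].append(f"{nbytes / 1e9:.1f} GB from {project} ({ts})")
    return out


def hr_indicators(flags):
    """HR's view: reported concerns per user, passed through as-is."""
    out = defaultdict(list)
    for user, flag in flags:
        out[user].append(flag)
    return out


def correlate(badge, downloads, hr):
    """Merge each department's indicators into one record per user, keyed by source."""
    merged = defaultdict(dict)
    for source, view in (("physical", badge), ("it", downloads), ("hr", hr)):
        for user, items in view.items():
            merged[user][source] = items
    return merged


def triage(merged, min_sources=2):
    """Users with indicators from at least `min_sources` departments, most sources first."""
    hits = [(user, srcs) for user, srcs in merged.items() if len(srcs) >= min_sources]
    return sorted(hits, key=lambda h: (-len(h[1]), h[0]))


def run(badge_log=BADGE_LOG, download_log=DOWNLOAD_LOG, hr_flags=HR_FLAGS, min_sources=2):
    """Full pipeline over the three feeds; returns the triage list for a coordinator."""
    merged = correlate(badge_indicators(badge_log),
                       download_indicators(download_log),
                       hr_indicators(hr_flags))
    return triage(merged, min_sources)


if __name__ == "__main__":
    for user, sources in run():
        print(f"{user}: indicators from {sorted(sources)}")
        for src, items in sources.items():
            for item in items:
                print(f"   [{src}] {item}")
```

On the constructed data, u1001 surfaces with indicators from all three departments and u3003 from two (an after-hours entry plus an HR flag, with nothing unusual from IT). The output is a review queue for the coordinator, not a verdict: u3003 may well be a night-shift worker with an unrelated HR matter, which is exactly why the departments need to talk before anyone acts.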

Most of all, though, what Aysta believes is most important is that CEOs and other company directors realize just how serious the threat is, and how vital it is that they take action to protect their most valuable intellectual assets. “CEOs have to recognize that our adversaries will devote tremendous resources to stealing their intellectual property,” he says. “A lot of people think this just happens in the movies, and it doesn’t.”