-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 One midsummer night in 1977, the power went out in New York City. "Thousands of people took to the streets and smashed store windows looking for TVs, furniture, or clothing... The police made 3,776 arrests, although...many thousands escaped before being caught. 1,037 fires burned throughout the City..." (Blackout History Project) Cover of July 25, 1977 Time Magazine showing the New York City blackout of 1977 (Wikipedia)The troublemakers weren't faceless terrorists but local youth and ultimately, mainstream moms and dads. The most notable shift in the demographic of the looters occurred between the hours of 11:00 P.M. and midnight when stable, normally law-abiding citizens began to participate in the scavenging and mayhem. The massive extent of the looting, especially compared with the few disruptions that occurred during the 1965 blackout, was partly due to the economic downturn. By 1977 the unemployment amongst young blacks in New York City had reached 40%, compared to roughly 20% in 1965. Many people were out of work and the standard of living had decreased; however, television and media constantly reminded people of the material goods which they could not possess. (Time, 1977) It's no wonder that in the current economic downturn, companies are starting to worry more about the "insider threat" and white-collar looting. "Information security experts are bracing for the law of unintended consequences to swing into action in 2009 as layoffs, downsizing and low morale bring the worst out of trusted insiders looking to profit off of proprietary intellectual property, customer contact lists, trade secrets and any other sensitive information. ...[L]ast December the majority of participants in a survey reported that if they were fired tomorrow they would definitely take company data with them to their next employer." (Lumension, 2009) Today, as downsizing becomes rampant, there are increasing numbers of disgruntled former employees, who sometimes have deep knowledge of an organization's IT infrastructure. There are also more disgruntled current employees, as downsizing places greater burden and stresses on staff that remain. As scholar Ho Yanxi quoted, "The one who treats me well is my leader, the one who treats me cruelly is my enemy.'" (Cleary, Art of War). Exacerbating the situation, fewer staff means less people to monitor and maintain already out-of-control networks. This increases the risk of security vulnerabilities and lowers the risk that a theft will be noticed, proportionally increasing the likelihood of exploitation. Cutting already overworked IT staff leads to a downward spiral of network disrepair, security incidents and stressed IT workers. The risk-vs-reward calculations are illustrated in this interview with one of the first blackout looters: Interviewer: “What kind of money would you need to stop you from [looting]?” J: Oh, it wouldn’t just have to be money. It would have to be my position in life. Like if I was to go to law school, and have a nice paying job, and be established in a firm or something... I wouldn’t take the risk of getting busted and havin to go to jail and blowin’ my schooling. It’s not worth the risk. (Blackout Looting!, p.176) As white-collar workers feel increasingly disenfranchised, the risk of insider data theft proportionally rises.

Who are "we," anyway?

The "insider threat" is even more serious when a large percentage of workers are contractors, who have even less incentive to ensure long-term organizational stability. The war in Iraq nicely illustrates this phenomenon. Last week the GAO released a very interesting report on US operations management in Iraq and Afghanistan, in which they stated, "As of July 2008, there were approximately 162,400 DOD contractors and, as of December 1, 2008, approximately 148,500 U.S. troops in Iraq." This enormous ratio of contractors to military staff proved overwhelming. "Lack of adequate numbers of contract oversight personnel," was cited as a serious issue. "[T]oo few contract oversight personnel limited DOD’s ability to identify savings, monitor contractor performance, or resolve contractor performance issues." (GAO, 2/2009) Lacking oversight, training and incentives, contractors took enormous advantage of their situation. "KBR employees who were contracted to perform construction duties inside palaces and municipal buildings were looting," said Linda Warren, a contracted laundry foreman, during Senate hearings. "Not only were they looting, but they had a system in place to get contraband out of the country so it could be sold on eBay. They stole artwork, rugs, crystal, and even melted down gold to make spurs for cowboy boots." (The transcript of her testimony is definitely worth reading.) Even contracting officers took advantage. Yesterday the New York Times released a front-page exposee, in which they reported, "Maj. John L. Cockerham of the Army pleaded guilty to accepting nearly $10 million in bribes as a contracting officer for the Iraq war and other military efforts from 2004 to 2007, when he was arrested. Major Cockerham’s wife has also pleaded guilty, as have several other contracting officers.... Former American officials describe payments to local contractors from huge sums of cash dumped onto tables and stuffed into sacks as if it were Halloween candy. “You had no oversight, chaos and breathtaking sums of money,” said Senator Claire McCaskill."(NYTimes, 2/15/2009) Iraq is an extreme, but informative, example. Given these recent graphic illustrations of the results of contractor mismanagement, it's worth examining the current situation in the IT sector, where contractor jobs are rising even as general employment falls. "Contract work fuels rise in tech job postings" reported CNET news last week. "Tech job listings rose to 57,337 as of February 2...But if you're looking for full-time work with health benefits, you may not find the new data to be especially good news: Helping to drive that modest increase was a 7.3 percent gain in the number of contractor positions... 'In uncertain times, companies are looking for flexibility in their payrolls to continue with critical projects," said Tom Silver.. [of] Dice.com. Those critical projects often involve improvements to a company's infrastructure... 'For the last year or so, contractor jobs have accounted for 38 to 40 percent of the positions, but I expect that increase,' Silver said. He noted he wouldn't be surprised if the percentage for contractor job postings eventually reached to 50 percent later this year." (Kawamoto, 2/2009) In other words, the people being hired to work on "critical" infrastructure projects are increasingly those that do not receive health benefits and have little invested in the long-term survival of the company. Furthermore, as the ratio of full-time to contractor staff shrinks, there are fewer full-time employees to provide oversight.

Solutions: Maintaining Security in a Weakening Economy

The blackout of 1977 and the Iraq war illustrated two important factors which ultimately led to widespread security failures and looting:
  1. Reduced incentives for large numbers of individuals to support the current system;
  2. Limited oversight and low perceived risk of personal repercussions.
These two factors are increasingly present in the IT sector today, where a growing percentage of disgruntled employees and contractors have access to critical IT infrastructure, and where companies do not have the staffing or technical resources to monitor access and lock systems down. How can we correct these fundamental problems that lead to the "insider threat?
  1. Help workers to feel invested in the current system;
  2. Increase the perception of oversight and perceived likelihood of repercussions.
Any time there is a fundamental disconnect between the incentives of the people versus the organization, there is naturally internal conflict and greater risk of people undermining the status quo. When workers do not feel invested in the system, security incidents abound. Conversely, organizations can reduce the risk of insider attack by giving people a stake in the company's success. A favorite of the security industry, ancient military strategist Sun Tsu wrote about the importance of "inducing the people to have the same aim as the leadership." World War II posterEven on a tight budget, organizations can still foster worker loyalty. As demonstrated during World War II, it is possible to maintain-- and even grow-- a dedicated workforce during tough times. The WWII propaganda effort was implemented as a massive postering campaign on an unprecedented scale. During a period where civilians re-used scraps of paper because supplies were so limited, the US Office of War Information sought to "[ poster ] America every night," and treated posters "as real war ammunition." (Design for Victory, p. 11-12) The investment paid for itself hundredfold. Without resources for appropriate staffing and equipment, a high-return security investment for many companies might be a simple PR campaign, designed to motivate employee loyalty. Similarly, even organizations that lack the resources to install and maintain proper monitoring capabilities can still at least create the perception of oversight, which can dramatically reduce incidents. Physical security professionals have long utilized this tactic, for example by installing $30 dummy cameras and warning signs which advertise that the premises is actively monitored. I often say that "humans are unreliable components," but that's not really true. Humans are unreliable when placed in unstable situations and given conflicting incentives. Much like transistors in a circuit, humans within organizations tend to act predictably based on perceived incentives and risk. In today's downward economy, companies are dramatically reducing incentives for workers and expanding the ratio of IT contractors to employees, even while IT oversight and monitoring capabilities are already very limited. As with New York's 1977 blackout and the Iraqi occupation, workers find themselves with conflicted incentives, and some will invariably decide to serve their own well-being rather than the larger organization. How can organizations lower the risk of "white-collar looting"? Advertise incentives for workers to support the organization, and instill at least the perception (and better, the actuality) of oversight and monitoring. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) Comment: Use GnuPG with Firefox : http://getfiregpg.org (Version: 0.7.4) iEYEARECAAYFAkmaTfYACgkQSAUOoW73R4yRPgCfdifDeqXNTWxxKUtL8S/Gvf6u R7sAn2I6KJwPWosSCKT1UiVIWxMmOp90 =JnAi -----END PGP SIGNATURE-----