ArchiveOODA OriginalSecurity and Resiliency

Durham’s Filing: Lessons Here On Insider Threats at the Highest Level

The recent John Durham filing alleged that a Tech Executive used his then-company’s access “to nonpublic domain name system (DNS) data” in order to analyze potential links between the Trump organization and a Russian bank. Per the filing, the purpose of this effort was to purposefully gather “derogatory information” about Donald Trump. Ostensibly, the Tech Executive ultimately used the company’s contract with the Executive Office or the transitional team to exploit this relationship to spy on Trump’s residences when he was a candidate and the White House when Trump was president. According to one forensics expert, the data was “highly manipulated” suggesting that the Tech Executive selectively chose data intentionally trying to manufacture connections between Trump and Russia. The Tech Executive was a willing participant in the process, having stated his dislike for Trump when he stated he’d never take the top cybersecurity job from Trump if offered the position.

Insiders are a pervasive threat. A recent 2022 report by a company specializing in insider risk revealed that there was a 72 percent increase in insider incidents with 42 percent of these activities focusing on the theft of sensitive information. Additionally, an aggregation of this data cited government being in the top five of industry sectors exploited. The report cited three types of insider threats: an insider not intending to do harm but may do so because of negligence; an insider who intends to do harm via data theft or sabotage; and a “super malicious” insider threat whose technical skills and understanding facilitates malicious activities demonstrating an ability to conceal his operations from detection. If Durham’s filing proves correct, the Tech Executive clearly demonstrates this third category of insider threat as he was well positioned to “normalize” his actions in the specific environment without raising immediate red flags.

Interestingly, February 18 marked the anniversary of the arrest of another infamous insider, Robert P. Hanssen. the Federal Bureau of Investigation (FBI) agent had spied for the Russians on and off for approximately 15 years of his 25 years in the FBI. Representing one of the worst types of insider threats, Hanssen’s espionage compromised some of the United States’ most sensitive counterintelligence and military secrets. Hanssen also exemplifies the super malicious insider, one whose access and technical skills enabled his malicious activities. An unclassified copy of Hanssen’s damage assessment by the Department of Justice marked significant shortcomings in the FBI’s internal security practices as one of several reasons Hanssen was able to operate for so long. The biggest one may have been the Bureau’s failure to continuous vet individuals in positions of trust, preferring to look elsewhere instead of internally.

Those that work for or in contract to the government typically don’t bring their personal political leanings to work. While this may be true for the vast majority of this workforce, like any threat, it only has to be successfully executed once to have a tremendous impact. Durham’s filing revealed that the Tech Executive and his recruited researchers all shared anti-Trumpian biases, which motivated them to act against a sitting president for the purposes of committing deliberate malfeasance. The lead researcher that worked for the Tech Executive was reported to have said “the only that that drives us is that we don’t like [Trump].” It appears that political animosity coupled with insider access helped fan the flames of a major political fiasco with national security ramifications in the balance.

This should be a paramount concern to both political parties as it has set precedent that such activities are not just a notional threat to be gamed in security planning scenarios. It also raises an important question when it comes to cybersecurity concerns at the highest levels of the U.S. government. When a new administration assumes the Executive Office, that individual is often focused on getting senior government positions filled in order to execute his agenda. This can be a time-consuming process, especially in a charged and divisive political climate. The types of contract work performed by Tech Executive and his company likely would fall well under the radar of a new president.

This mindset and approach to internal security at the Executive Office must change as protecting the confidentiality of communication channels is not reserved solely for hostile outsiders. While this may have seemed impossible or at least implausible before, new ground has been broken in the insider threat space. More information will materialize from Durham’s investigation no doubt, but the damage has been done, and understanding the full consequences of the Tech Executive’s activities should raise new concerns and new strategies to mitigate the threat of politically-motivated actors from taking advantage of trust. Therefore moving forward, it would behoove any new administration to take the lessons learned here, and like any Cabinet position, consider immediately replacing or at least rigorously vetting any individual or company that performs the kind of functions performed by the one with which the Tech Executive was affiliated.

Cybersecurity continues to be a challenge for any public or private organization. Threats are numerous, and the potential consequences of successful attacks can be costly and catastrophic. But as history has taught, failing to learn from past incidents and applying the necessary steps to mitigate future threats risks them being repeated in the future. It is always difficult to get the horse back into the barn when the door has already been opened.  The horse is out now and if the door is not fixed expeditiously, more can be expected to follow suit.

 

Become A Member

OODA Loop provides actionable intelligence, analysis, and insight on global security, technology, and business issues. Our members are global leaders, technologists, and intelligence and security professionals looking to inform their decision making process to understand and navigate global risks and opportunities.

You can chose to be an OODA Loop Subscriber or an OODA Network Member. Subscribers get access to all site content, while Members get all site content plus additional Member benefits such as participation in our Monthly meetings, exclusive OODA Unlocked Discounts, discounted training and conference attendance, job opportunities, our Weekly Research Report, and other great benefits. Join Here.

 

Related Reading:

Black Swans and Gray Rhinos

Now more than ever, organizations need to apply rigorous thought to business risks and opportunities. In doing so it is useful to understand the concepts embodied in the terms Black Swan and Gray Rhino. See: Potential Future Opportunities, Risks and Mitigation Strategies in the Age of Continuous Crisis

Explore OODA Research and Analysis

Use OODA Loop to improve your decision making in any competitive endeavor. Explore OODA Loop

Decision Intelligence

The greatest determinant of your success will be the quality of your decisions. We examine frameworks for understanding and reducing risk while enabling opportunities. Topics include Black Swans, Gray Rhinos, Foresight, Strategy, Stratigames, Business Intelligence and Intelligent Enterprises. Leadership in the modern age is also a key topic in this domain. Explore Decision Intelligence

Disruptive/Exponential Technology

We track the rapidly changing world of technology with a focus on what leaders need to know to improve decision-making. The future of tech is being created now and we provide insights that enable optimized action based on the future of tech. We provide deep insights into Artificial Intelligence, Machine Learning, Cloud Computing, Quantum Computing, Security Technology, Space Technology. Explore Disruptive/Exponential Tech

Security and Resiliency

Security and resiliency topics include geopolitical and cyber risk, cyber conflict, cyber diplomacy, cybersecurity, nation state conflict, non-nation state conflict, global health, international crime, supply chain and terrorism. Explore Security and Resiliency

Community

The OODA community includes a broad group of decision-makers, analysts, entrepreneurs, government leaders and tech creators. Interact with and learn from your peers via online monthly meetings, OODA Salons, the OODAcast, in-person conferences and an online forum. For the most sensitive discussions interact with executive leaders via a closed Wickr channel. The community also has access to a member only video library. Explore The OODA Community

Emilio Iasiello

Emilio Iasiello

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.