Recently we learned that over 100 million Americans’ sensitive personal information — names, dates of birth, Social Security numbers, credit histories, income information — was stolen from a major U.S. financial institution from what is often touted as a new, “highly secure,” cloud-based data storage system. But here’s the reality: No one’s information is safe in the modern world, because all systems rely on human beings, who are inherently untrustworthy.
Many people think of “hacking” as the great danger posed to individuals’ and organizations’ sensitive computer data. Hacking refers to outsiders using various technical tools, guesswork, and vulnerabilities in software programs to illegally penetrate people’s email accounts, corporate databases, and industrial control systems. They may exfiltrate data for profit. They may be foreign intelligence services seeking to compromise adversaries’ classified information or uncover military response plans. Or they may just be having their version of “fun.”
We’ve seen much discussion of “hacking” in the news lately. The Russians supposedly “hacked” Democratic National Committee servers and provided embarrassing emails (such as those of Hillary Clinton’s campaign chairman, John Podesta) to Wikileaks. (More on that later.) Robert Mueller (or Andrew Weissmann) spent much of their ballyhooed Special Counsel investigation report on Russian interference in the 2016 election talking about Russian hacking.
But as cybersecurity experts will tell you, an equally serious, if not more serious, threat to computer systems is the insiders — people who have rightful access to information systems and their data but, for a variety of reasons, compromise that information and those systems. Insider threats can be more difficult to guard against than outside hacker threats, because insiders are trusted and often hold the keys to the IT kingdom.
The insiders come in various stripes. Many are simply careless. These are people who, either for reasons of convenience or nefariousness (or both), choose to disregard the most basic security protocols with respect to their computer use. Hillary Clinton, of course, is the most notorious recent example of this category of insider threat. Her knowing use of an unsecure personal email server to traffic the nation’s most highly guarded classified information would have landed any of the rest of us in jail.
Hillary engaged in this unbelievable behavior — as did dozens of government officials who knowingly corresponded with her on this system — with complete disregard for our nation’s security and the safety of people who put their lives on the line for our country. She did this in order to hide her corrupt pay-for-play operation, trading State Department favors for money to her Clinton Foundation, from public and congressional scrutiny.
One of the most interesting discoveries I made in my analyses for Judicial Watch of Hillary Clinton’s email traffic with her aide, Huma Abedin, was of a spear-phishing email that was sent to Hillary on November 20, 2009 from someone purporting to be from a Washington, D.C. think tank. The email, with the spidey-sense-raising subject line “I Thought You Might Enjoy This,” had a fairly sophisticated cover message and a file attachment. The cover note talked about the contents of the file, which related to U.S.-China economic matters. Hillary expressed interest in the email even though she did not recognize the sender’s name, as indicated in the note she wrote to Huma when she forwarded it on to her, asking Huma to print it. When the email hit Huma’s computer, the anti-virus system on Huma’s computer slapped the word “VIRUS” in the subject line. The fact that Hillary’s own computer did not flag the email as virus-infected speaks volumes. Did Hillary open the file and infect her computer? You would think the FBI would want to ask that of her. (For more on this story, please see my column from May 2017.)
So Hillary falls in the category of the witless insider threat — people who either don’t know or don’t care that their computer practices pose a grave threat to their organizations.
The second category might be called the ideological insider threat. These are persons who decide to betray their organizations on the basis of righting some perceived wrong. I think Seth Rich best illustrates this category of insider threat, if recent revelations coming out of court filings stemming from a defamation lawsuit are to be believed.
The lawsuit was filed by conservative businessman Ed Butowsky against NPR and one of its reporters who claimed that Butowsky conspired with Donald Trump and Fox News to falsely paint DNC official Seth Rich as the source of the theft of DNC emails (and not “Russian hackers”). To buttress his argument that in fact Rich was the individual who stole the emails and gave them to Wikileaks, Butowsky’s court filings reveal that former Fox News reporter Ellen Ratner told Butowsky that Rich was the insider who stole the emails and passed them to Wikileaks. Ratner allegedly learned this from Wikileaks founder Julian Assange himself. Assange was legally represented by Ellen Ratner’s brother, the now-deceased attorney Michael Ratner.
Butowsky bolstered his claim that Ellen Ratner was the source about Rich with an email from Ratner herself, which seems to support his claim. Ratner was told by Assange that Rich was a Bernie Sanders supporter and was outraged by the DNC’s machinations to deny Sanders the 2016 Democratic nomination and ensure it went to Hillary. So Seth and his brother Aaron allegedly conspired to steal the DNC emails and pass them to Assange. Seth would mysteriously be murdered on the streets of Washington on July 10, 2016 — in a case still unsolved.
Seth Rich, therefore, would certainly fall into the ideological insider threat box.
Finally, this brings us to the last category under consideration, which might be called the malicious insider threat. This category is exemplified by a person born Trevor Allen Thompson, who goes by Paige Adele Thompson and calls himself a transgender woman. Thompson had been a software engineer for Amazon Web Services, working on AWS’s Capital One cloud-computing account until 2016. Many organizations are migrating their data storage to AWS because it’s perceived to be very “secure.”
According to a federal complaint, between March and July 2019 Thompson, using his insider AWS and Capital One bank knowledge, stole the personal information of over 100 million Capital One bank customers, including names, dates of birth, Social Security numbers, income information and the like. Thompson, according to social media postings in which he used the handle “erratic,” was deeply troubled. He boasted of his theft to friends, saying at one point, “Ive basically strapped myself with a bomb vest, f***ing dropping capitol ones dox and admitting it.”
Clearly the motivations for insider threats can overlap, but Hillary, Seth, and Paige all share one thing in common: a betrayal of their loyalties. (While I sympathize with Rich in our mutual opposition to Hillary, it was a betrayal nonetheless.)
One thing they all clearly demonstrate, and something that we should all keep in mind, is that there is no such thing as a completely secure computer system as long as human beings are involved. Until human beings can be taken out of the information technology loop, which will never happen, IT systems will remain fundamentally unsecure. The best we can hope for is that systems can be fortified to make them more secure, and that detection and mitigation systems are in place to catch perpetrators quickly and reduce the damage they can inflict.