M&E Journal: The Achilles Heel of Critical Infrastructure Protection? Insider Threats

By William F. Flynn, Partner, The Power of Preparedness (TPOP) –

In the aftermath of 9/11, the U.S. Department of Homeland Security (DHS) focused on protecting government and private sector infrastructure and the vulnerability of large populations. As DHS matured, the focus became building regional capabilities by deploying security experts across the U.S. and expanding public/ private partnerships. As the threats and tactics of our adversaries continue to evolve, DHS and the private sector alike must likewise re-examine their engagement and develop mitigation strategies to counter a dynamic and morphing threat.

And this applies to media and entertainment companies, which must protect their precious human resources along with their intellectual property, customer data, critical infrastructure, and applications.

Media and entertainment organizations need to establish industry security standards and begin working closer with government to create an industry security culture, to enhance preparedness and protection from physical and cyber threats.

Terrorist exploitation of the internet and social media has eroded the significance of geographic boundaries. Homegrown violent extremists, inspired to carry out attacks wherever they are, have created a whole new set of challenges with a greater volume of threats, according to the FBI, which is currently investigating about 1,000 cases of homegrown, violent extremism in the U.S.

Following Islamic State propaganda aimed at concerts and venues, a recent piece of terror propaganda aims to motivate would-be jihadists and takes aim at the media and entertainment industry, singling out an array of Western movie studios and networks as enemies in the media realm. The film shows the creation of a pressure-cooker bomb and quickly breezes through snippets of movies and news shows, flashing the names and logos of several companies, channels and networks.

The video tells online jihadists to “terrorize them, fill them with fear, ignite the fires of conflict and create a climate of anxiety and distress on every one of their platforms.”

Chief among the broad spectrum of threats to public assembly venues, including media and entertainment, are acts of low-tech violence including such threats as active shooters, vehicle as a weapon attacks, explosive devices, edged weapons, and hate-based physical assaults.

And we can’t ignore the insider threat that has become the Achilles heel for protecting our facilities, staff and patrons. While data breeches and theft of information have received much of the attention, the impacts also include fraud, sabotage, espionage and workplace violence, with 2017 being a record year with 579 workplace homicides.

The insider threat is ubiquitous, impacting all sectors, with the potential for both cyber and physical security consequences. Examples range from Edward Snowden, a former contractor for the U.S. government who copied and leaked classified information from the National Security Agency, to the mass shooting at Fort Hood by U.S. Army major Nidal Hasan, to the sophisticated assault on the Metcalf transmission substation where gunmen fired on 17 electrical transformers, resulting in more than $15 million of damage.

Perhaps the most noteworthy insider threat incident was the attack in San Bernardino, Calif., where 14 people were killed and 22 seriously injured. The FBI’s investigation revealed that the perpetrators were “homegrown violent extremists” inspired by foreign terrorist groups, individuals who had become radicalized over several years, consuming “poison on the internet” and expressing a commitment to jihadism and martyrdom in messages to each other.

Observable behaviors

Case studies analyzed by Carnegie Mellon University’s Computer Emergency Response Team have shown that insider threats are seldom impulsive acts. Rather, insiders move on a continuum from the idea of committing an insider act to the actual act itself. During this process, the individual often displays observable behaviors (e.g., requests undue access, violates policies, and demonstrates disgruntled behavior) that can serve as potential risk indicators for early detection.

An effective insider threat program should take a holistic, proactive and risk-based approach to mitigation. Establishing a secure, vigilant, and resilient program requires a carefully guided implementation and the maturation of three core insider threat capabilities: Prevention, detection, and response. While we can never eliminate risk, it is prudent to build an early detection capability into an organization’s operations to increase resiliency with the goal of limiting damage.

DHS has been successful educating and engaging the public on the “If You See Something, Say Something” campaign, which respects citizens’ privacy, civil rights, and civil liberties by emphasizing behavior in identifying suspicious activity.

This successful initiative should be modified to assist organizations in identifying and reporting precursors associated with insider threat.

Corporate security officials should work closely with human resources to establish a proper vetting process for all employees and contractors, as well as those that may work for third parties and have access to one or more of the organization’s facilities. To support this collaboration, DHS should expand development of best practices and outreach to associations representing – media, entertainment, exhibitions, convention centers, performing arts and other “soft targets.”

The private sector must step up and take responsibility for enhancing workforce preparedness. On the government side, more than 130,000 law enforcement officers across the nation have been trained by the FBI and SWAT specialists in tactical response to handle active shooter incidents. Every organization has a responsibility to train its workforce in active shooter preparedness: the fundamentals of “Run, Hide, Fight,” as well as the company’s procedures for reporting the anomalous behavior of employees.

Today, media and entertainment organizations face new challenges in preventing, detecting and responding to a wide variety of threats. An increasingly mobile workforce, evolving workforce dynamics, and the digital reach of technology pose additional risks to an organization’s critical assets.

Mitigating insider threats requires a comprehensive, risk-focused program involving a broader range of stakeholders and operational areas. DHS and the private sector have successfully built programs and partnerships to counter traditional threats, but as these threats continue to evolve, so too must our strategy.


Click here to translate this article
Click here to download the complete .PDF version of this article
Click here to download the entire Spring/Summer 2018 M&E Journal