Edward Snowden's case reminds us that employees often pose a greater risk than foreign cyberspies.
The National Security Agency leaks by Edward Snowden will easily go down as one of the biggest revelations of the year, if not the decade. But the episode also raises new questions about the risk that insiders pose to government and corporate cybersecurity, in spite of the attention lavished on foreign hackers.
Snowden's case is unique in that it uncovered a previously unknown surveillance apparatus that's massive in size and scope.The way the whistle-blower did his deed, however, is not unique. Two-thirds of all reported data breaches involve internal actors wittingly or unwittingly bringing sensitive information to outsiders, according to industry analysts.
"It's not an either-or proposition," said Mike DuBose, a former Justice Department official who led the agency's efforts on trade-secret theft. "But amidst all the concern and discussion over foreign hacking, what gets lost is the fact that the vast majority of serious breaches involving trade secrets or other proprietary or classified information are still being committed by insiders."
DuBose is now the head of the cyber investigations unit at the risk-management firm Kroll Advisory Solutions. In February, his team authored a report warning that contractors, information-technology personnel, and disgruntled employees—all descriptors that fit Snowden pretty well—pose a greater threat than hackers, "both in frequency and in damage caused."
Not everyone agrees. Even though insiders generally play an outsized role across all reported data breaches, their role in confirmed data breaches is rather small, according to an annual study by Verizon. In 2012, specifically, internal actors accounted for 14 percent of confirmed data breaches. Of those, system administrators were responsible for 16 percent.
"Our findings consistently show," the Verizon report read, "that external actors rule."
However common they are, cases like Snowden's show how devastating one insider can be. The extent of the damage depends on what's being exfiltrated and from where, and there aren't many standards for calculating losses. Most companies estimate the value of their trade secrets based on how much money they sank into the research and development of that knowledge. But for the government, it's the potential security impact that takes precedence—and that turns the question into a matter of subjective debate.
Last month, The Washington Post reported that Chinese spies compromised the designs for some of the Pentagon's most sensitive weapons systems, including the F-35 Joint Strike Fighter, the V-22 Osprey tiltrotor aircraft, and the Navy's new Littoral Combat Ship.
If true, the report could have major consequences for national security. But Snowden's case is equally consequential, if for different reasons, and it bolsters DuBose's point about the relevance of insiders. Snowden may have rightfully uncovered evidence of government overreach, but if a mid-level contractor can steal top-secret information about the NSA and give it to the public in a gesture of self-sacrifice, someone else could do the same—but hand the intelligence to more nefarious actors.