Industry Insights

No One is Exempt from Insider Threat — Not Even the CIA

5 min Read

Joe Payne

Did you see the national news about the CIA yesterday?

CIA’s ‘Lax’ Security Led to Massive Theft of Hacking Tools, Internal Report Finds

Wall Street Journal

Elite CIA unit that developed hacking tools failed to secure its own systems, allowing massive leak, an internal report found

The Washington Post

The Washington Post, similar to the Wall Street Journal, has dubbed the latest security breach to make national headlines, “The biggest unauthorized disclosure of classified information in the CIA’s history . . .”

You’re probably wondering: was it the Russians? The Chinese? Al Qaeda? Nope. It was an American — it was a CIA insider. 

An organization that arguably should operate under the strictest of security standards was breached. And it wasn’t a sophisticated nation state attack or exfiltration scheme involving a foreign adversary that blindsided them. No, the breach was allegedly carried out by an employee because the CIA failed to follow some common security practices.

The take? As much as 34 terabytes of information or about 2.2 billion pages, exposing top-secret CIA computer hacking methods.

When did the CIA learn about the breach? According to the news, they didn’t discover the incident until about a year later when the information was published on WikiLeaks. The CIA even admitted that they may have never learned about it had WikiLeaks not published the story. No alerts went off in their security systems. No one even noticed that 2.2 billion pages of trade secrets went missing from an organization that gathers, processes and analyzes national security information from around the world.

I wish I could say that this heist was an anomaly, one in a million — just some bad luck. But the truth is, as people who sell software to detect insider threats, we see this every day. It’s sobering. The story is a painful reminder that — no one — not even the CIA is exempt from insider threats. And if the CIA, supposedly one of the most secure institutions in the land, can be breached, so can you. 

According to the Washington Post article, “‘The hardest thing to do is protect against your own people,’ said another former intelligence official who is familiar with the breach.” 

I couldn’t agree more. Too many times, we see companies pouring investments into preventing external threats and leaving the last 10% of their budgets to ward off internal threats. The reality is that’s just not enough protection and there’s not enough visibility — especially in our world today where millions of employees are working off of home networks, sharing sensitive company files across Slack and then moving them to a personal Dropbox account for “safe” keeping. 

Some reports say two-thirds of breaches are inside jobs. Others might argue the percentage is lower. And I could see why unsuspecting organizations — that are just plain unaware that their data is being exfiltrated — might think that insider threats are lower risk. My advice to them is don’t be naive. The CIA story should be a wake up call for all of us — to reassess the insider threat risk that exists inside our organizations. 

Think about this . . . We are experiencing some of the highest unemployment rates our country has ever seen with millions of job losses over the last few months. How many of those employees walked out the door with your customer lists, source code or sales pipeline data? Do you know?

Joe Payne

Joe brings to Code42 more than 20 years of leadership and a proven track record with high-growth software companies. He has a broad experience base in delivering software and Software-as-a-Service (SaaS) solutions to enterprises across numerous industries. As president and CEO of Code42, he drives the company’s strategic direction and oversees all operations. Joe currently serves on the boards of directors of multiple public and private companies, as well as the board of not-for-profit First Focus Campaign for Children.