I have had the honor of participating over the past two years with the National Sheriff’s Association (NSA) Cybersecurity and Crime Workgroup. We have had elite Cybersecurity experts present to us on the chance that their methods might be made available to Sheriffs and Police Chiefs across our great nation. We submitted our report and NSA has accepted it.
THE PROBLEM
One of our key findings was that “insider” cyber-attacks are one of the most formidable cybersecurity risks within the law enforcement community. Finding a reliable solution to “insider” cyber-attacks has eluded cybersecurity experts for the reasons mentioned in this article, but now there is a reliable solution. Read on . . .
One Sheriff recently commented that he would rather have his software platform locked down with ransomware than have it divulged publicly.
The DHS’s Cyber and Infrastructure Security Agency (CISA) defines “insider threat” as the threat that an insider will use his or her authorized access, wittingly or unwittingly, to do harm to the System mission, resources, personnel, facilities, information, equipment, networks, or systems. Various statistics suggest up to 60% of all cyber-attacks are “insider” cyber-attacks. This is based upon whether insider-attacks include all of the unintentional cyber phishing hacks from employees who are distracted, disjointed, lack proper training, and/or lack enough sleep.
Can local law enforcement leaders STOP CYBERSECURITY INCIDENTS BEFORE THEY HAPPEN? At least with respect to the intentional insider threat, local law enforcement leaders, and their constituents, can do just that. However, to do that, they are going to need to be aware of the importance of the human behavioral aspect of security and be open to upping their guard regarding those human behavioral aspects--factors which are outside the scope of technical cybersecurity measures that have traditionally been considered by most cybersecurity professionals.
THE INADVERTENT INSIDER THREAT: WHERE INTENT IS NOT THE DANGER
We know that humans can get tired, disjointed, and distracted and as such make foolish errors and/or omissions that make their systems vulnerable to attacks. “According to the ‘2020 IBM X-Force® Threat Intelligence Index’, inadvertent insider threats are the primary reason for the greater than 200% rise in the number of records breached in 2019 as compared to 2018.” So, the percentage of insider attacks could be considerably higher now, in 2023, as compared to 2019.
THE INTENTIONAL INSIDER THREAT: WHERE INTENT—BEHAVIOR—IS THE DANGER
Over the years, members of this Work Group have consulted with a number of Cybersecurity experts, and almost all have expressed the desire to prevent these intentional insider cyber-attacks by better understanding the “human behavior” of an attacker, and more specifically the ability to identify the behavioral precursors of an intentional cyber-attacker. Doing so requires avoiding the possible breach of privacy regulations such as HIPAA in our hospitals and healthcare facilities, FERPA on our campuses, and of course, the Civil Rights Act of 1964. Ensuring privacy regulation compliance while preventing insider cyber-attacks is especially important for Sheriffs and local law enforcement offices and personnel.
In trying to prevent insiders’ intentional cyber-attacks, experience has shown that the traditional approach of “See Something, Say Something” is not scientifically reliable. In large part, this may be because humans are not prepared to put their reputations or their jobs on the line, based upon subjective references. Also, subjective references have proven to be too often unreliable and anecdotal. Over the past years, members of this Work Group have searched for more predictive, scientifically reliable, objective, empirical and forensically measurable references.
CAN WE RELIABLY PREVENT THE NEXT INSIDER CYBER-ATTACK?
Too often, the concept of “Security,” in the context of cybersecurity, becomes a question of “how to thwart an attack that has already begun.”[i]
“Prevention” of a cyber-attack as it is currently perceived in cybersecurity falls into three categories:
- Access controls: These can include firewalls, intrusion detection, and access control lists that limit access to critical systems and data.
- Encryption: Encryption can help to protect data by making it unreadable to anyone who does not have the appropriate key or password.
- Security policies: Organizations can create policies that mandate the use of strong passwords, the use of antivirus and anti-malware software, multi-factor authentication, regular software updates, regular backups, and other security measures.
But do these measures reliably prevent the next insider cyber-attacker? The answer is a resounding, “No!”
There are several reasons why this answer is “No”:
- Authorized access: Insiders have legitimate access to the organization's systems and data. This access is granted to them to perform their job functions, which makes it difficult to differentiate between their legitimate activities and malicious activities.
- Human behavior: Insider cyber-attacks often involve social engineering tactics to exploit human weaknesses, such as greed, fear, or loyalty. Cybersecurity measures can't prevent these types of attacks because they rely on human decision-making.
- Lack of visibility: Insiders are already inside the network, which means they can access systems and data that might be outside the scope of traditional cybersecurity measures. This lack of visibility makes it difficult to detect and prevent insider cyber-attacks.
- Intent to do harm: Insiders who plan to commit cybercrimes may take steps to evade detection, such as using encryption or accessing systems during off-hours.
IDENTIFY BEHAVIORAL PRECURSORS AND PREVENT INTENTIONAL INSIDER CYBER-ATTACKS?
While cybersecurity continues to ask the question, “How do we thwart an attack that has already begun?”, we focused instead on identifying the “Precursors” to an attack, which offers an opportunity to prevent the attack in the first place. We found this to be not only a very innovative approach, but also a novel approach.
Accordingly, some time ago, members of this Work Group began looking for a system, as described by our cybersecurity experts, that could provide the human behaviors of an attacker, and more specifically the ability to identify the behavioral precursors of an insider who is or may be or become an intentional cyber-attacker. Logically, these precursors must also identify the “intent to do harm,” such as the intent to do harm to a Sheriffs’ Office’s mission, resources, personnel, facilities, information, equipment, networks, or systems.
To truly be an effective law enforcement system, such a system must be science-based, intuitive enough to be useable by sworn personnel on the street, and include real-time observations of objective human body language, behavior and communication indicators. Furthermore, it must avoid the possible breach of privacy regulations. If the precursors used are too subjective, or too controversial due to the use of culture, gender, age, education, sexual orientation, or religion, Deputies simply won’t use them. We also wanted to avoid the use of mental health assessments because they are not practical in the hands of everyday users such as Sheriffs’ Deputies and police officers, and, even in the hands of mental health professionals, these assessments have been notoriously inaccurate.[ii]
Considering the findings described above (CISA, Cyber Security Intelligence Index, and the 2020 IBM X-Force Threat Intelligence Index), we sought to find systems that could identify someone who was trusted in the past, but who has become disgruntled, or worse yet, compromised, and is now wittingly, with an intent to do harm, moving toward treachery. Additionally, we also wanted a system to identify someone who, due to being disjointed or distracted, or lacking training or sleep, will unwittingly do harm to the department's mission, resources, personnel, facilities, information, equipment, networks, or systems.
FACTORS TO CONSIDER IN IDENTIFYING POSSIBLE SOLUTIONS
Finding a system that can do all of the above has been challenging. Most systems today use elements of mental health assessments, which are too subjective and may possibly violate HIPAA regulations; and/or use elements of culture, gender, age, education, sexual orientation, or religion, which violate FERPA on our school campuses, as well as the Civil Rights Act of 1964. These detractions make these programs and systems unreliable for use by all law enforcement agencies, including Sheriffs and Municipal Police Chiefs. Very few vendors offer services that have the ability to identify someone who has an “intent to do harm” to others.
SOLUTION
There is one solution that fulfills each of the above criteria. The Center for Aggression Management, Inc.’s Critical Aggression Prevention System (CAPS) has been developed over the past 29 years. It was originally developed to prevent assaultive and violent behavior, but it was then realized that the same sequential successive precursors used to prevent assaults could also be used to prevent lower levels of aggressive behavior, such as sexual harassment, abuse, bullying, and discrimination. Today we merely react to these forms of aggressive behaviors. Finally, we have now learned that these same sequential successive precursors used to prevent sexual harassment, abuse, bullying and discrimination can also be used to identify someone who intends to do harm to others, such as an “insider” cyber-attacker.
"Insiders" who plan to commit cybercrimes may take steps to evade detection. CAPS can help identify these individuals by identifying early warning signs (precursors) of distrustful behavior, even if they are taking steps to evade detection.
While CAPS is not a cybersecurity one-size-fits-all solution, it is a promising approach to preventing “insider” cyber-attacks. A comprehensive and reliable approach to cybersecurity that inexpensively combines technology and training is the best way to prevent “insider” cyber-attacks. As insider cyber-attacks become more prevalent, organizations need to consider all available options to protect themselves and their data.
Would you like to learn more? Reach out to us at 407-718-2395 or Info@AggressionManagement.com
[i] Harvard Business Review, “The Biggest Cybersecurity Threats Are Inside Your Company,” Marc van Zadelhoff, September 19, 2016.
[ii] Seung-Hui Cho (Virginia Tech Shooter) was mental health-assessed three times and, on each occasion, was deemed to be “depressed and anxious, but not a risk of hurting himself or others.” See Wall Street Journal, Gunman's Evaluations Didn't Foresee Frenzy, Aug. 20, 2009.
Nikolas Cruz (Parkland Shooter) was mental health-assessed by the Florida Department of Children and Families and was deemed to be “not at risk of hurting himself or others.” See Washington Post, Red flags: The troubled path of accused Parkland shooter Nikolas Cruz, March 10, 2018.