Insider Threats: Humans in the Loop

2–10–2025 (Monday)

Hello, and welcome to The Intentional Brief - your weekly video update on the one big thing in cybersecurity for middle market companies, their investors, and executive teams.

I’m your host, Shay Colson, Managing Partner at Intentional Cybersecurity, and you can find us online at intentionalcyber.com.

Today is Monday, February 10, 2025. I have thoughts about the Super Bowl, but in a cyber context I’ll just say this: you saw with the Eagles last night how much of a difference a strong defensive line can make, enabling the rest of the position players to play aggressively and create value. The same is true in cyber.

In fact, this week, we’re going to talk about some people issues in cybersecurity that seem to be popping up lately, and that’s the idea of Insider Threat.

Insider Threats: Humans in the Loop

I realize the irony of talking last week about the ways in which AI will replace humans, and this week focusing on the human element, but such is the reality we’re all dealing with these days.

Insider Threats are always a tricky part of cybersecurity, mostly because - at the end of the day - we need our information systems to be usable by humans, so there always has to be some sanctioned way through our security controls to our sensitive information.

That said, controls, policies, procedures, and awareness of how these threats come to life are useful, and I’m going to use a few recent examples to highlight how that happens.

Most visible, at least here in the US, is DOGE - or the newly created Department of Government Efficiency, headed by Elon Musk. Headlines from last week called DOGE “A Cybersecurity Crisis Unfolding in Real-Time” and noted “Cybersecurity, government experts are aghast at security failures in DOGE takeover.”

For those of you who may still be on a news blackout, I’m referring, of course, to the group of young - think late teens, early twenties - engineers who have been given seemingly unfettered access to systems at the US Department of the Treasury (my former agency), the Office of Personnel Management, and the General Services Administration.

I think the framing of an insider threat is valid here - even though you could frame this as a physical attack. These aren’t government employees turned rogue - they’ve had no background checks, and it’s honestly not even clear who they work for (or if they’re actually getting paid at all), much less what they’re doing with their access.

It’s not just this access, however problematic, that we need to worry about. The ways insider threats can manifest are numerous. In fact, last week the New York Times reported that, in an effort to comply with these DOGE efforts, “The C.I.A. sent an unclassified email listing all employees hired by the spy agency over the last two years.”

The Times notes, “It included a large crop of young analysts and operatives who were hired specifically to focus on China, and whose identities are usually closely guarded because Chinese hackers are constantly seeking to identify them.”

We saw two different reports last week of other ways in which China was using insiders to carry out attacks, with the Department of Justice returning “a superseding indictment today charging Linwei Ding, also known as Leon Ding, 38, with seven counts of economic espionage and seven counts of theft of trade secrets in connection with an alleged plan to steal from Google LLC (Google) proprietary information related to AI technology.”

According to the press release, “Google hired Ding as a software engineer in 2019. Between approximately May 2022 and May 2023, Ding uploaded more than 1,000 unique files containing Google confidential information from Google’s network to his personal Google Cloud account.” Are you able to detect and prevent this type of activity on your network?
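One way to answer that question for the pattern in the Ding case, added here as an example (not from the newsletter or the DOJ release): count a user’s uploads to personal cloud-storage hosts over a sliding window and flag anyone who exceeds a threshold. The log format, host list, and threshold are assumptions, and the log lines are constructed.

```python
"""Added example: flag users who upload many files from the corporate network
to personal cloud storage within a time window. Log format, hosts and the
threshold are assumptions; the sample lines are constructed, not real data."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed proxy/CASB log format: "timestamp user method host bytes" (constructed)
SAMPLE_LOG = """\
2022-05-03T09:12:01 user42 PUT storage.googleapis.com 2048000
2022-05-03T09:12:40 user42 PUT storage.googleapis.com 1024000
2022-05-03T09:14:02 user42 PUT storage.googleapis.com 4096000
2022-05-03T10:01:11 user17 GET mail.example.com 512
2022-05-04T08:30:00 user42 PUT storage.googleapis.com 8192000
2022-05-04T17:45:13 user17 PUT drive.google.com 300000
"""

# Assumed list of personal cloud-storage hosts; a real deployment would
# exclude the company's own sanctioned tenant rather than whole domains.
PERSONAL_CLOUD = {"storage.googleapis.com", "drive.google.com", "dropbox.com"}
UPLOAD_METHODS = {"PUT", "POST"}


def parse(log_text):
    """Yield (timestamp, user, method, host, bytes) from the constructed log."""
    for line in log_text.splitlines():
        ts, user, method, host, size = line.split()
        yield datetime.fromisoformat(ts), user, method, host, int(size)


def find_bulk_uploaders(log_text, max_uploads=3, window=timedelta(hours=24)):
    """Return {user: (count, total_bytes)} for users whose uploads to personal
    cloud hosts inside any sliding `window` exceed `max_uploads`.
    The per-user deque keeps only events within the window, so a slow drip
    that never crosses the threshold is not flagged (a known limitation)."""
    windows = defaultdict(deque)
    flagged = {}
    for ts, user, method, host, size in sorted(parse(log_text)):
        if method not in UPLOAD_METHODS or host not in PERSONAL_CLOUD:
            continue
        q = windows[user]
        q.append((ts, size))
        while q and ts - q[0][0] > window:  # drop events older than the window
            q.popleft()
        if len(q) > max_uploads:
            count, total = len(q), sum(s for _, s in q)
            flagged[user] = max(flagged.get(user, (0, 0)), (count, total))
    return flagged
```

The same window logic applies to DLP or CASB events once they are normalized to the tuple shape above; the threshold should be tuned per role, since some teams legitimately push large volumes to sanctioned storage.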

We also saw a bulletin from the Department of Homeland Security last week outlining the ways in which “Internet-connected cameras made in China are giving the Chinese government the ability to "conduct espionage or disrupt US critical infrastructure.” In this case, the insider threat is a commodity webcam - not a human - but a threat nonetheless.

Other adversaries are also actively recruiting insiders to do their bidding. Reuters reported last week that “An ex-employee of major Dutch computer chip equipment maker ASML held on suspicion of stealing and selling corporate secrets to a Russian buyer also had contact with Russia's FSB intelligence service.”

Meanwhile, Russian ransomware gangs “are offering individuals millions to turn on their employers and divulge private company information.”

I don’t share all of these stories to overwhelm, but rather to spur action. Building an insider threat program - one that includes policies, technical controls, and procedures such as dual control for certain transactions - takes time. It ruffles feathers. It adds friction and reduces productivity.

But not having such a program leaves you vulnerable to attacks that can be both devastating and difficult (if not impossible) to detect.

If you’re not yet ready to build an insider threat program, I’d suggest using an insider threat scenario for your next tabletop. If you need support from leadership for this effort, that’s a quick way to show them just why it matters.

Meanwhile, a healthy level of skepticism is warranted - but be mindful not to overshoot the mark. It can be a fine line between leery and jaded.

Fundraising

From a fundraising perspective, we saw more than $20B in newly committed capital last week, with the bulk of that put up by Balbec Capital, which raised over $17B for its sixth private credit fund.

We mentioned last week in this section that volatility persists. Axios had some numbers today noting “Global M&A activity is down 20% from this same period in 2024, with U.S. activity off 25%, per LSEG.” Furthermore, “U.S. IPO proceeds are down 24% year-to-date, per Renaissance Capital.”

Axios suggests tariffs, inflation, and consumer attitudes are all contributing to these metrics. Hard to say they’re wrong.

A reminder that you can find links to all the articles we covered below, find back issues of these videos and the written transcripts at intentionalcyber.com, and we’ll see you next week for another edition of the Intentional Brief.

Links

https://www.forbes.com/sites/tonybradley/2025/02/04/doge-is-a-cybersecurity-crisis-unfolding-in-real-time/

https://cyberscoop.com/musk-doge-opm-treasury-breach/

https://www.nytimes.com/2025/02/05/us/politics/cia-names-list.html

https://abcnews.go.com/US/internet-connected-cameras-made-china-spy-us-infrastructure/story?id=118533418

https://www.reuters.com/world/europe/ex-asml-employee-dutch-custody-had-contact-with-russian-intelligence-prosecutors-2025-02-06/

https://www.darkreading.com/threat-intelligence/cybercriminals-traitorous-insiders-ransom-notes
