The Resource Exfiltration Project: Findings from DoD Cases, 1985-2017

The Resource Exfiltration Project: Findings from DoD Cases, 1985-2017  | Defense Personnel and Security Research Center (PERSEREC)

Stephanie L. Jaros- Defense Personnel and Security Research Center, Office of People Analytics

Katlin J. Rhyner, Shannen M. McGrath, and Erik R. Gregory- Northrop Grumman Technology Services

Released by – Eric L. Lang

PREFACE

In the aftermath of the John Walker spy scandal, DoD established the Defense Personnel and Security Research Center (PERSEREC). Since its founding, PERSEREC has been committed to helping DoD stakeholders better detect, prevent, and mitigate malicious insider threats, to include espionage and unauthorized disclosures. This report is the latest contribution to that effort, and is designed to provide DoD stakeholders with empirically based, operationally relevant behavioral indicators that signal potential future threats and opportunities for intervention.

Eric L. Lang

Director, PERSEREC

INTRODUCTION

Despite changes in policies and practices over the years, perpetrators continue to exfiltrate resources from DoD and transmit them to unauthorized recipients. In recognition of this persistent and evolving insider threat, the Defense Personnel and Security Research Center (PERSEREC) examined cases of resource exfiltration, or cases that involve the intentional and unauthorized removal of DoD resources from authorized locations, to identify potential intervention points along perpetrators’ pathways to criminal behavior. The purpose of this project was to analyze the current state of resource exfiltration and provide operationally relevant, empirically based recommendations to DoD stakeholders in order to improve efforts to detect, prevent, and mitigate these insider threats.

METHOD

Eligible cases included those perpetrators who:

1) had exfiltrated a DoD resource;

2) had been arrested after November 19, 1985, the publication date of the report issued by the Commission to Review DoD Security Policy and Practices; and

3) had been convicted or pled guilty by December 31, 2017. These criteria resulted in 83 eligible perpetrators.

All information gathered for this project was publicly available. A codebook containing 392 variables organized into eight categories was created for this project. These eight categories were designed to capture the perpetrators’ characteristics, the circumstances surrounding the incident, and pre-arrest behavioral indicators that signaled malicious intent and therefore, intervention opportunities, along the pathway to exfiltration

RESULTS

Nearly all of the perpetrators were male. They varied by age, citizenship, marital status, parental status, and education. Most exfiltration careers lasted less than 2 years, and nearly all ended within 10 years. To remove resources, perpetrators most often carried them out the door of a secure facility, usually concealed in an everyday object such as a bag or briefcase. Among those who transmitted material to a foreign entity, Russia was the most common recipient. The most common motive was money, followed by ideology.

Researchers broke down the 13 Adjudicative Guidelines into 75 disqualifying factors in order to identify pre-arrest behavioral indicators. The 10 most common disqualifying factors clustered in four of the 13 Adjudicative Guidelines (i.e., Guideline B: Foreign Influence, Guideline C: Foreign Preference, Guideline E: Personal Conduct, and Guideline K: Handling Protected Information). In contrast, the least common disqualifying factors clustered in Guideline D: Sexual Behavior, Guideline F: Financial Considerations, Guideline G: Alcohol Consumption, Guideline H: Drug Involvement, and Guideline L: Outside Activities. Researchers also leveraged the behavioral threat assessment framework (Fein & Vossekuil, 1997) in order to identify potential indicators. Overall, 65 out of the 83 perpetrators (78%) exhibited behavior that corresponded with at least one of the 10 behavioral threat assessment variables. Notably, nearly one-quarter of all perpetrators talked about their exfiltration activities to someone who was neither a handler nor an accomplice, and in 32 out of the 83 cases, people noticed concerning behavior or changes in behavior prior to the perpetrators’ arrests.

FINDINGS & RECOMMENDATIONS

Finding #1: User activity monitoring enables DoD to observe the electronic movement of its resources, but there appears to be insufficient protections against unauthorized physical movement.

Recommendation #1: Where possible, DoD should reduce the number of locations within a facility where critical electronic assets can be printed and/or physically reproduced. Then, DoD should institute random physical inspections, again when possible.

Finding #2: The majority of perpetrators exhibited pre-arrest behavioral indicators, but the behavioral threat assessment framework appears to yield more actionable results than those indicators derived from the disqualifying factors associated with the Adjudicative Guidelines.

Recommendation #2: DoD should integrate best practices for behavioral threat assessment into the insider threat training mandated by the National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs for both Insider Threat Program Personnel (Section F) and the general workforce (Section I).

Finding #3: Employees who experience professional stressors, such as a demotion, could target DoD for retaliation against perceived wrongs.

Recommendation #3: DoD should ensure that its personnel who issue disciplinary notices are trained in conflict resolution and/or de-escalation strategies, and security personnel should be on hand to ensure those who are terminated do not retain physical or logical access. DoD also should prioritize additional research to identify best practices to reintegrate employees into the workforce after serious disciplinary action, such as a demotion or suspension. Together with wellness programs such as Employee Assistance Programs, these practices should help to ensure employees successfully recover from difficult events and situations.

The post The Resource Exfiltration Project: Findings from DoD Cases, 1985-2017 appeared first on Small Wars Journal by Arizona State University.