author photo
By Clare O’Gara
Fri | Nov 29, 2019 | 5:15 AM PST

On the surface, it's a classic example of CIA espionage.

A former CIA officer was just sentenced to 19 years in prison for conspiring to give national defense information to China.

But what can this case reveal about the insider threat in your organization?

How is CIA espionage like an insider threat?

Think about it like this: someone at your organization has vital data and information that give your company an advantage. Would they sell out?

Now imagine your organizations are two countries—specifically, the United States and China. The stakes might be higher in this case, but the principles are the same.

And if you were Jerry Chun Shing Lee's employer, you wouldn't be too happy with him.

Lee's case is so similar to insider threat in a company that he even used a computer and thumb drive setup to leak his information.

The U.S. Department of Justice puts it like this:

"...Lee created on his laptop computer a document that described, among other things, certain locations to which the CIA would assign officers with certain identified experience, as well as the particular location and time frame of a sensitive CIA operation. 

After Lee created this document, he transferred it from his laptop to a thumb drive. The document included national defense information of the United States that was classified at the Secret level."

The DOJ says all of this happened after Lee left the CIA. He allegedly took secret information with him. What do your former employees have in their possession about your organization?

Check out the complete case here.

The incentives that can increase the risk of insider threat

Chinese intelligence officers (IOs) offered Lee a hefty incentive for his espionage.

"The IOs also told Lee they had prepared for him a gift of $100,000 cash, and they offered to take care of him 'for life' in exchange for his cooperation."

Cash rewards and protection can be major motivations to get former CIA officers—and your employees—to sell out.

And we've seen similar motivators used in insider threat cases before.

Do you remember what happened at Twitter?

[RELATED: Insider Threat Case: Twitter Employees Bribed by Saudis]

Or what about the AT&T Wireless insider threat case?

[RELATED: Insider Threats at AT&T Wireless Activated by Cybercriminals]

When companies discount red flags involving insider threats

We can't speak for this most recent CIA insider threat case, however, in general, we know your organization might be staring at an insider threat and ignore it.

"We found that companies err on the side of goodness," explains Dr. Larry Ponemon of the Ponemon Institute.

When SecureWorld interviewed Ponemon at SecureWorld Twin Cities, he revealed some shocking information about organizations and insider threats.

According to his research, many companies actually choose to ignore major red flags.

"They don't want to accuse somebody without full evidence of a crime, so they write it off as negligence. And we discovered insider threats are not viewed as seriously as external threats, like a cyber attack. But when companies had an insider threat, in general, they were much more costly than external incidents.

This was largely because the insider that is smart has the skills to hide the crime, for months, for years, sometimes forever."

The insider threats in this story all got caught and are facing jail time. But how many may be operating now and remaining undetected or unrecognized?

That's something for every cybersecurity team to consider.

[RESOURCE: SecureWorld cybersecurity conference calendar]

Comments