The Hollywood version of a hacker who infiltrates a computer system may look like someone hunched over a laptop in a dark remote location.
In fact, according to the FBI, between a quarter and half of all daily cyberthreats come from “insider threats.”
On March 16, law enforcement, private industry, and academic leaders convened at Fordham’s Lincoln Center campus for a day devoted exclusively to the challenges of stopping those threats.
The conference, “The Insider Threat: Before, During, and After an Incident,” featured three panel discussions and a “fireside chat” on bringing lawless “dark web” sites to justice.
The half-day event was jointly sponsored by Fordham and the FBI and served as a complement to the larger International Conference on Cyber Security (ICCS), held every 18 months at Fordham. The University also runs a Center for Cybersecurity and offers a master’s program in the subject.
In her welcoming address, Tania Tetlow, president of Fordham, noted that because universities are frequent targets of cyberattacks, they have a vested interest in working to stop them.
“We do it in that way that we’re so proud of in higher ed, and in particular, as a Jesuit institution, by being open to the answers, by constantly trying to challenge ourselves to think differently, to be one step ahead of those very creative enemies that we’re up against,” she said.
Testing and trust came up repeatedly in the first panel, which featured Dave Fitzgibbons, acting assistant director of the FBI’s Insider Threat Office; Richard Aborn, president of the Citizens Crime Commission of New York City; and Chris Farr; executive director of commercial strategy for the strategic intelligence firm Strider.
Aborn said in large organizations, programs that train employees to spot threats are only effective if they’re practiced zealously.
“I think it’s an oxymoron to say you train too much. You have to refresh, you have to train over and over and over again,” he said, noting that his organization had recently sent out test phishing e-mails to its own members.
“We had about a 35% failure rate, and I was pretty shocked at that. We train a lot.”
Farr said a common misconception is that the first place to start is in the technical realm. In fact, it’s far more important to focus on individuals and have in place a dedicated team to assess behavioral indicators and raise red flags about potential workplace violence, espionage, or fraud. Those indicators might include visits to websites that promote violence, unusual travel patterns, and inexplicable income increases.
The trick is to cultivate a culture of respect where it’s okay to alert a supervisor to a co-worker’s worrisome behavior. It’s tricky, given Americans’ expectations of privacy, but it can be done.
“Employees have to trust your process though,” he said. Programs that have anonymous reporting and policies of no retaliation are super important.”
In the Mix
A key lesson from the second panel, which featured Harold Chun, director of security legal at Google; Darron Smith, insider threat program manager at Bloomberg L.P., and Bill Claycomb, principal researcher at CERT Division’s National Insider Threat Center, was that any insider threat team should also have clear parameters about how to respond.
Is the threat from a full-time employee or a contract one? Is it a one-time issue or an ongoing problem? Is there a threat of physical violence? The response should be commensurate with the problem, said Smith.
“You may not want to raise the fire alarm immediately. It’s really important when you’re thinking about things like duty of care to the employee or privacy,” he said.
Learning from the Past
The final panel featured FBI supervisory special agents Scott Norwell, John Reynolds, and Paul F. Roberts Jr., who specialize in employee, state-sponsored, and white-collar insider threats, respectively. They shared the lessons that have been learned from past cases, such as the 2017 conviction of Kun Shan Chun, a longtime member of the bureau, of passing sensitive information to a Chinese government official.
In that case, Norwell said the bureau had learned that there is a long-term, concerted effort by the Chinese government to identify and recruit people, like Chun, who appear to be vulnerable to flattery, cajoling, or intimidation.
Lessons From the Dark Web
Ed Stroz, GABELLI ’79, co-founder and president of Stroz Friedberg and Fordham trustee, closed the day out with a discussion with Andy Greenberg, senior editor of Wired Magazine and the author of Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency (Penguin RandomHouse, 2022).
Greenberg’s book shows how agents were able to track down the founders of dark web marketplaces such as Silk Road by analyzing Blockchain, the technology that underlies the cryptocurrency that was being used to facilitate the sale of drugs, child pornography, and weapons.
Blockchain was thought by the site administrators to grant them anonymity, but it did not. The path to Silk Road’s demise also included the apprehension of two federal agents who were using the site to commit crimes. One of them was initially accused by an anonymous tipster.
“When people ask about insider programs, it’s easy to think ‘Oh, we’re going to get somebody in trouble,” said Stroz.
“But in many instances, it gets someone out of trouble, or it makes it easier … for people to have a way to raise something so that it can be pursued responsibly. ”
Students Learn from the Pros
Among those in attendance was Jakub Czaplicki, a senior at Fordham College at Lincoln Center working on a five-year, accelerated master’s degree in cybersecurity. He became interested in cybersecurity when he was in middle school, and hopes to join law enforcement after graduation.
He said he enjoyed the case studies in the third panel as well as Greenberg’s talk.
“When the FBI agent was talking about how there is this risk of China and different nation-state actors, it really got me thinking, yeah, we have to secure this. Even though it’s a low percentage, it is a genuine problem for large organizations and the FBI,” he said.
“I learned a lot about cryptocurrency, nation-state actors, and what to look out for.”
Czaplicki was one of six Fordham students who attended, said Thaier Hayajneh, Ph.D., university professor and founder and director of Fordham’s Center for Cybersecurity. Grants that the center won in 2019 from the National Security Agency and the Department of Defense made it possible for them to attend.
“We really want to expose them to the real world and also excite them to work with the executive branches of the federal government,” he said.
“Here, they saw the real cases, and they got to connect the theoretical, the technical, and the practical aspects of cybersecurity.”