Can governments spot whistle-blowers?

After the leaking of secret cables by Wikileaks, the US government is trying to work out if there are any more potential whistle-blowers in its midst.

Clearly there are different reasons why people leak information, the public-spirited uncovering of wrong-doing being one of them.

But organisations usually view such individuals as a threat, and the White House is now urging US agencies to create what it describes as "insider threat programmes" to assess possible risk.

The issue was thrust into the spotlight after the arrest of Pte Bradley Manning, who prosecutors allege was the source of some of the leaks.

According to new documents obtained by NBC News, the US government is now urging agencies to use psychiatrists and sociologists as part of their efforts to root out potential moles.

Such techniques are already used within the intelligence agencies, but are now being encouraged across other government departments, such as the State Department, Health and Defense.

It all sounds rather Orwellian, but can organisations really successfully detect behavioural changes that could lead to leaking? In practice, experts agree it is rather difficult to do.


Under the heading "Deter, detect, defend against employee unauthorised disclosures", the government memo suggests using lie-detector tests to try to identify "unusually high occurrences of foreign travel, contacts or foreign preference" by members of staff.

It asks if the department has an "insider threat programme" and suggests the detection of "relative happiness as a means to gauge trustworthiness" and "despondence and grumpiness as a means to gauge waning trustworthiness".

While such methods may not have all the answers, the monitoring of changes in behaviour can provide warning signs, says Dawn Capelli, technical manager of the Cert Insider Threat Centre, who says research suggests there is often a "type" to look out for.

She says findings have previously highlighted the concept of the "disgruntled" employee, who exhibits "concerning behaviour".

Image caption Julian Assange's Wikileaks is alleged to have been given information by a US military employee

"What happens with these people is that something happens at work and it sets them off. Maybe others are disgruntled, but these insiders don't get over," she says.

"It may be that they are very angry, there are a lot of outbursts, sometimes their performance goes downhill... Sometimes they deliberately start sabotaging someone else's work," she says.

She says it is necessary to raise awareness of this kind of behaviour in the workplace, so that managers are alerted to the fact that an employee might need monitoring.

"A lot of the insiders use authorised access, they basically do what they do every day. It doesn't look alarmist. But organisations can't watch everyone.

"We believe you can do a combination of technical and non-technical measures so you can figure out who to look at."

'Wishful thinking'

Most organisations face an "insider threat" - the presence of a trusted employee with the potential to harm the company or its reputation.

There are many ways to detect the threats, "ranging from careful analysis to monitoring to random screening", says Shari Pfleeger, director of research at the Institute for Information Infrastructure Protection at Dartmouth College in the US.

"But nothing is foolproof, and there is a lot of wishful thinking being portrayed as science," she says.

"For instance, there are training programmes designed to help you identify a malicious insider. They are based on interviews or studies of malicious insiders who have been caught.

Image caption Wikileaks is releasing more than 250,000 classified US diplomatic cables

"But in my mind, the training profiles only what we already know how to do - because we have already caught them. This is like looking for your keys under the lamppost, because the light is better there," she says.

A number of reports suggest that insider cyber attacks have increased, and about half of all companies have encountered at least one "malicious insider attack", according to the Cert Insider Threat Centre.

"It is often more severe than an outside threat simply because insiders have access to valuable things more easily than outsiders do," says Ms Pfleeger.

In a possible reflection of this, Darpa, the research and development office for the US Department of Defense, began the Cinder project last year, which aims to increase the speed of detection of insider threats through the tracking of technological activity.

In a document seeking proposals for Cinder, Darpa said it was looking for an understanding of "observables" that could be used in the detection of "adversary missions".

But Mikko Hypponen, chief research officer at F-Secure, said that while there was an "obvious focus" on insider threats in the light of Wikileaks, he did not believe they were necessarily increasing, only that they had received more attention.

He said most organisations typically detect suspicious behaviour through data loss prevention (DLP) methods, which, for example, would alarm authorisers if someone wrote a sensitive keyword in an e-mail or tried to copy a critical file.

But, he says, essentially, "you have to decide whether to trust a person or not".
