Much to everyone’s surprise April has been Insider Threat Month here on the American View. I didn’t intend to write four columns in a row on the subject, it just sort of … happened. Insider Threat Management is a topic that I have strong feelings about, both pro and anti. Much to my frustration, I don’t get to talk about it nearly as much as I’d like since many people find the topic unsettling. That compels me to keep quiet, lest I accidentally offend someone.
Funny, isn’t it? That sort of “keep quiet or be cast out” pressure is, in itself, a great way to slowly corrupt a normal employee into a smouldering insider threat. I promise I’ll come back to this idea in a minute. First, let’s take a break and have a laugh.
I was contacted around this time last by one of the folks working on “Isolation Con 2” … an all-online information security convention run by The Many Hats Club. The organizer asked me to participate in a tongue-in-cheek debate as part of the convention’s charity fundraiser for Child’s Play. I was happy to help in principle; I was thrilled when I learned that the “debate” wasn’t intended to be a serious dissection of topical issues. The organizers wanted it to be a freewheeling comedic argument between witty InfoSec pundits. That ask was right in my wheelhouse.
Our moderator was the incomparable Lisa Forte. She paired me with InfoSec social media rock star Ray [REDACTED] to be “Team USA.” Our opponents on “Team UK” were Holly Graceful and Philip Ingram. All these folks were awesome. Had this been a serious round table, we’d likely have put on a lively and informative show. That, however, was not our mandate. We were there to lighten the mood at the 6 pm (UK time) break. Lisa asked both teams to come up with questionable arguments and spicy rebuttals that would entertain rather than inform.
That was fine by us. Ray and I put together some bombastic and stereotypically “Murican” debate positions that would obviously tip off any audience members who weren’t already in on the “debate” joke. Team UK then took the *#& out of our positions with dry quips. I thought the debate was a success. We fed our “opponents” some great counterattack lines and made poor Lisa laugh so hard that she nearly passed out live on camera. Mission accomplished!
Of course, arguing for entertainment required us to advance political positions that we didn’t actually believe. As an example, our third challenge was to take the “pro” side on this statement:
“Fake profiles on LinkedIn have been flagged by Governments as becoming a serious problem to security. The fastest way to completely stop this threat is for platforms to take action and require proof of identity.”
We were deliberately playing to lose. We figured the best way to accomplish this would be to ignore the core element of the statement (what’s the fastest way to stop the threat). Don’t address it at all. Instead, we’d use the statement’s premise to springboard into a completely different topic. Go for the laughs, then let Team UK eviscerate us for “missing the point.” Ray passed the baton to me at the off and I delivered the following with blatantly feigned righteousness:
Keil: “Team USA not only agrees with this position but feels quite strongly that it does not go nearly far enough! If I remember right, folks in the UK believe ‘you are what you drink,’ whereas in American culture we believe that ‘you are what you do.’ A person’s profession is the defining characteristic of a person’s identity. More so than one’s face, name, heritage, batting average, or bank balance.
Ray: “What the hell is LinkedIn?”
Keil: “Ah, yes. LinkedIn is a Microsoft-owned social media meat-market where businesses and job candidates advertise themselves. Like a ‘red briefcase district,’ or ‘Tinder for MBAs.’ The problem is, LinkedIn is fundamentally flawed because it’s more of a performance art theatre than a searchable file cabinet.
“Consider … when you browse LinkedIn, what do you see? Profiles for people who don’t exist? The façades of spies and ne’er-do-wells? Assuredly! But more often than that, we see the grotesquely inflated profiles of mediocre mid-career minions masquerading as magnificent masters of management.”
Ray: “I feel attacked.”
Keil: “In reality, most of these ‘profiles’ are works of Mary Sue fan fiction; they’re portraits of larger-than-life Arthurian conquerors that no sane company could afford to live without … when, in reality, the actual people they’re marketing are dime-a-dozen uninspired systems analysts who can type 40 words per minute and whose most admired skill is the ability to eat a powdered sugar doughnut without ruining a dark-coloured dress shirt.
“For the sake of Human Resources screeners everywhere, we need national standards for LinkedIn profiles. Not just proof of identity, mind you, although that’s a good start for getting rid of the lurkers. No … we need proof of accomplishment! We need a fool-proof method for flagging and eradicating the amateur pulp fiction that saturates LinkedIn talent searches like ragweed in an untended football pitch. We need verification mechanisms that will prove beyond doubt that when ‘Larry from Lancashire’ claims to have ‘revolutionized Agile synergies in cross-domain win-win paradigms,’ we, the potential employer, can know at a glance that Larry actually spent an average of 38 hours per work week reposting dank memes on Reddit forums.
“This one fundamental change will revolutionize LinkedIn, making it the platform of choice for businesspeople everywhere, as it was intended to be.
“Also, we should probably do something about those weirdos who think LinkedIn is a dating site. We suggest summary execution.”
It was crap, obviously. All but that last bit … I really do believe that more action must be taken to purge LinkedIn of sleazy users who sexually harass other users. Creeping on people is vile behaviour that LinkedIn’s own professional community policies expressly forbid:
“Do not engage in unwanted advances: We don’t allow unwanted expressions of attraction, desire, requests for a romantic relationship, marriage proposals, sexual advances or innuendo, or lewd remarks. Do not use LinkedIn to pursue romantic connections, ask for romantic dates, or provide sexual commentary on someone’s appearance.”
Irritatingly, this “forbidden” conduct happens to our colleagues every single day. It’s shameful. More importantly, this sort of harassment drives folks off the platform, depriving everyone else of their talent, insight, and participation. You’d think that this wasn’t a controversial position. Except … it is. I’ve heard several friends describe how they’ve been pressured to shrug off such harassment and not make a fuss. It’s the “price of doing business” on social media.
That sort of “turn the other cheek” policy is doubly dangerous for organizations. I’ve argued in InfoSec forums that this sort of creeper behaviour is a legitimate warning sign of anti-social beliefs and, therefore, is an accurate predictor of future Insider Threat behaviour. Bluntly, an employee who wilfully engages in targeted offensive conduct on a buttoned-down social media platform has violated both the site’s terms of service and many social taboos. They’ve demonstrated they don’t believe in reining in their offensive behaviour … and they’ll likely escalate over time.
This isn’t just me opining – this isn’t a fake debate for charity, after all – this position comes right out of the textbook. Literally, from Eoghan Casey’s Digital Evidence and Computer Crime, 2nd Edition, page 160, section 6.4.2, Power Assertive (Entitlement):
“Offenders evidencing this type of behaviour exhibit little doubt about their own adequacy and masculinity. In fact, they may be using their attacks as an expression of their own virility. In their perception, they are entitled to the fruits of their attack by virtue of being a male … Offenders evidencing this type of behaviour may grow more confident over time, as their egocentricity may be very high. …”
This isn’t just some rando’s opinion; it’s the sober findings of decades of criminology research. More importantly to us in the cybersecurity community, it’s the sort of reliable threat analysis data that cybersecurity and physical security professionals should be using to plan our Insider Threat detection, interdiction, and recovery operations. If we can detect who’s about to escalate their already unacceptable behaviour, we pre-empt their next transgressive act and – maybe, hopefully – walk them back from the point-of-no-return. At the very least, we can stop an offensive, morale-corroding, loyalty-draining personal attack against one of our people.
Strangely, nearly every time I propose scanning social media and other online activity for evidence of prohibited sexual harassment behaviour, the reaction I get is a shocked gasp and immediate condemnation. “We mustn’t do that!” … “Monitoring personal activities is going too far!” and “Don’t even suggest such things!” I understand the trepidation; now that we’re all connected 24/7, the lines between “personal activity” and “work activity” are too blurry for lawyers’ tastes. “We might get sued” is the chilling counterargument to every darned tactic that security experts propose to find and neutralize potential Insider Threats. I understand.
Unfortunately, this pragmatic trepidation means that organisations could take steps to prevent the harassment of their people but choose not to out of fear. That’s understandable. Unfortunately, by the time such a miscreant finally goes “too far” on the lawyers’ rubric, it’s already too late to salvage the loyalty and continued service of the miscreant’s victim(s). Had we acted before things went “too far,” we could have shown our commitment to protecting our staff. Waiting until after sends a clear declaration that our financial position is more important to upper management than any given employee’s well-being.
Therefore, as unpopular as it may be, I’m going to keep advancing this argument in whatever forum I’m given. It just … I have to eat too. As much as I might enjoy it, I can’t mount a solitary charge against entrenched company interests and expect to be heard. Instead, I have to find more subtle, stealthier ways to bring the conversation around to the important topics.
Sometimes, the best way to reach an audience is to make them comfortable through laughter first, and then gently transition into more serious topics. Like … sharing a funny story about a whimsical convention appearance to “hook” a reader’s interest so they’ll keep reading and hopefully consider a new argument at the end of the column about why it’s important to search for and act on evidence of improper conduct in employees’ social media activities. Actively prevent harm by identifying burgeoning Insider Threats early. Listen to people when they tell you who they really are … then act swiftly to excise them from the ranks.
There’s usually a method to the madness.
Thanks for coming, everyone! Be a good sysadmin and remember to tip your server.
You can judge our performance for yourself. A recording of the live stream is up on Twitch now. The “debate” starts at the 1h 46m mark on the Blue Stream channel.
I told you we’d be looping back to the initial premise.
Isolation Con 2 – The Second Wave, 24 April 2021