Security Solutions Magazine Issue 76

AUSTRALASIA’S LEADING SECURITY RESOURCE FOR BUSINESS AND GOVERNMENT
ISSN 1833-0215 | #76 FEB/MAR 2012 | $8.95 inc GST / $9.95 NZ
Who Are You Really Hiring? Identifying The Threats Within

Uploaded by glenn-o, 26 March 2016.

Description: Sneak peek of the Issue 76 cover story.

Transcript

Page 1: Security Solutions Magazine Issue 76

www.securitysolutionsmagazine.com
SECURITY SOLUTIONS MAGAZINE ISSUE 76 FEB/MAR 2012 - Who Are You Really Hiring
AUSTRALASIA’S LEADING SECURITY RESOURCE FOR BUSINESS AND GOVERNMENT
ISSN 1833-0215
#76 FEB/MAR 2012
$8.95 inc GST / $9.95 NZ
Who Are You Really Hiring? Identifying The Threats Within

COVER STORY

060 SECURITY SOLUTIONS

Who are you hiring? When The Threat Lies Within...

By Fiona Peacock

This article looks at the threat from insiders deliberately or recklessly causing harm to an organisation. Accidental security breaches – losing a thumb drive containing corporate files, or mistakenly including sensitive information in a company newsletter – are not considered.

Security-in-depth is a familiar concept. We think of a system of layers of security measures, designed to prevent unauthorised access. The Deter, Detect, Delay and Respond model brings to mind the fences and signage; the alarms and CCTV systems, barriers and secure containers; and the security response services.

These security measures are obviously important, but they are to no avail if the person harming your organisation is wearing your company identification card and carrying the keys.

Protecting your organisation from the insider threat begins when you advertise for new staff. A key phase is clearly the recruitment process, but personnel security doesn’t stop there. It continues for the duration of an employee’s engagement and maybe even beyond. It can be conceived as the life cycle of the employer-employee relationship: advertising, selection process, induction, ongoing staff development, training and supervision, the exit phase and, potentially, a post-employment phase.

Employers have to trust their staff but should have in place a range of strategies to help detect the warning signs in those few cases where the trust is going to be breached.

Case Studies – What Can Happen When Something Goes Horribly Wrong…

The media has revealed a plethora of cases of trusted employees across Australia and internationally causing devastating harm to their own organisations – whether through violence, security breaches or property damage.

2002: NSW – Volunteer Firefighter Arsonist – Peter Cameron Burgess

Cameron Burgess was a young, unemployed man who lit his first fire in January 2001 near his home town of Albury. After watching the admiration and respect for the firefighters of New York after the September 2001 attacks, and for the NSW Rural Fire Service after fighting fires in the Blue Mountains in 2001, 20-year-old Burgess began a spree of another 15 fires across NSW, ending only when he was arrested in April 2002.

Burgess had applied to enter the NSW Fire Service but had been rejected due to lack of academic ability. He served as a volunteer bush firefighter with a number of brigades across NSW. He thought that serving as a volunteer firefighter might help a future attempt at joining the NSW Fire Service, but he was often the person calling in the fires, and first on the scene.

After his arrest by NSW Police Strike Force Tronto, Burgess pleaded guilty to 16 charges of arson and was sentenced to two years in jail. In 2002, Burgess was just one of at least 17 volunteer bush firefighters charged with arson nationally between 1998 and 2003.

2006: NSW – Stolen Army Rocket Launchers – Captain Shane Della-Vedova

In December 2006, media reports began emerging that “rogue elements in the Australian military” had stolen nine armour-piercing anti-tank weapons, and that the weapons had fallen into the hands of Sydney’s underworld with terrorist links.

In January 2007, the media reported that Abdul Rahman had apparently sold seven of the rocket launchers (for $5,000 each) to Adnan Darwiche, a Sydney drug dealer who wanted the weapons for his drug gang war. Police investigating those drug wars bought one of the rocket launchers from Darwiche for $50,000 in September 2006, uncovering the possible theft of military weapons.

Darwiche allegedly on-sold five of the launchers to a terrorist group – some Sydney men who had since been arrested over a plot to blow up the Sydney Harbour Bridge and the Lucas Heights nuclear reactor – investigated under Operation PENDENNIS.

It was April 2007 when the police finally announced the arrest of serving Army Captain Shane Della-Vedova and former Defence member Dean Taylor.

Della-Vedova was a former Army Warrant Officer munitions expert with 28 years in the military. He was convicted of stealing ten rocket launchers between 2001 and 2003 and selling them to Sydney’s criminal underworld. Dean Taylor was Della-Vedova’s brother-in-law. Taylor, who served 15 years in the Army as a fireman, was also posted to Holsworthy before being medically discharged. Taylor had offered to supply rocket launchers and other military weapons to a man he was visiting in prison.

In April 2007, Della-Vedova gave his version of events to the court. He claimed that on a normal day on duty disposing of out-of-date munitions, he had driven a load of M-72 rocket launchers 300 km from the munitions bunker at Holsworthy Army Barracks to the School of Infantry in the Hunter Valley. On his return to Holsworthy, he found that he had mistakenly left 10 of the launchers in his Army vehicle. In his “I forgot” confession, Della-Vedova told police he panicked and hid them in his Holsworthy office, painting over the serial numbers with black paint. He then hid them in the garage of his family home in a nearby suburb. They apparently stayed there while Della-Vedova was on deployment to Iraq. Della-Vedova told police that after removing the weapons “accidentally”, he later sold them for “a pittance” to a man who wanted them as trophies.

And the stolen rocket launchers? One has been recovered and the other seven are believed to be still buried in PVC pipes somewhere in bushland, despite police attempts to locate them.

Despite Della-Vedova’s version of events, this appears to be a case of military weapons being stolen to supply to the criminal underworld. What were the systems in place to account for such weapons, and have these systems improved to prevent another such incident occurring? How can a serving Defence member be associating with criminals – visiting them in prison – and not come to notice?

2009: Victoria – Anti-Terrorism Investigation – Victoria Police Detective Charged With Media Leak

Operation NEATH was the joint agency investigation into the plot by Islamic extremists to attack Holsworthy Army Barracks near Sydney. The details of police raids in August 2009 were allegedly leaked to a journalist of The Australian and were published hours before the raids were conducted, potentially endangering the success of the raids and the safety of the officers involved. A Victoria Police officer, Simon Artz, was charged in November 2011 with a number of offences relating to unauthorised disclosures.

2009: USA – Mass Shooting At Fort Hood, Texas – US Army Psychiatrist Charged With Murder

In November 2009, a US Army psychiatrist walked into a building at Fort Hood, Texas, and committed fratricide, shooting dead thirteen and wounding thirty more. Media soon carried stories that Major Malik Nadal Hasan, a US-born Muslim, had been calling for Muslims to rise up and attack Americans, and had been in angry disputes with other officers about his views. Other articles suggest that he had been trying to resign from the Army, and was dreading being posted to serve in the Middle East. Some media articles suggest that the shootings were triggered by senior officers refusing Hasan’s requests to prosecute some of his patients for war crimes, based on statements they made during psychiatric sessions with him.

Two years on, survivors and relatives of those murdered have filed for damages against the US Army, saying that the Army knew of Hasan’s radical beliefs and should have prevented the incident. Sergeant Munley, a claimant and one of the police officers who helped bring down Hasan, stated, “I brought this claim because I strongly believe this tragedy was totally preventable and that the Army swept under the rug what they knew about Hasan.” The 83 claimants are seeking $750 million in compensation from the Army. Hasan faces the death penalty if convicted at the court martial scheduled for March 2012.

2010: USA – The Largest Leak Of US Classified Documents – Private Bradley Manning And Wikileaks

Intelligence analyst Bradley Manning is alleged to have leaked US government cables to the whistle-blowing website Wikileaks, resulting in the biggest leak of classified information in US history. The classified documents included more than 250,000 classified US diplomatic cables. A cache of nearly 400,000 documents relating to the war in Iraq, known as “war logs”, was also leaked to the anti-secrecy site, including a video of a 2007 helicopter attack in Iraq in which journalists and civilians died.

Private Bradley Manning joined the US Army in 2007, a talented ‘geek’ who had been drifting through low-paid jobs. In October 2007, he was sent to Iraq as an intelligence analyst – low ranking, but with access to phenomenal amounts of highly classified data.

In July 2010, Pte Manning was charged with several offences relating to stealing secret information. In March 2011, the US Army charged Manning with 22 additional counts relating to the unauthorised possession and distribution of more than 720,000 secret diplomatic and military documents. On 12 January 2012, an investigating officer recommended Pte Manning face a military court martial.

2011: NSW – Quakers Hill Nursing Home Fire – Nurse Charged With Murder

In November 2011, Australians shared their grief over the death of at least eleven elderly nursing home patients in a fire at a residential facility. Horror turned to disbelief when police announced they had charged a 35-year-old male nurse from the nursing home. Roger Dean allegedly started the blaze in the early hours and then presented himself for media interviews as a hero who had helped evacuate some patients from the fatal fire.

Dean had apparently been interviewed by police on another matter, at his home on Thursday evening, just hours before the fire began early on Friday morning. He had been working at the Quakers Hill Nursing Home for two months, following a dispute with a previous employer.

The Advertising And Recruitment Processes

There’s no magic solution – no questionnaire, psychometric test or interview proforma – that will enable employers to detect all potential offenders at the selection process.

Employment screening merely provides a snapshot of what the person is like at that point in time. People change across time, as a result of life experiences and sometimes as a result of their work-related experiences.

If an employer is considering imposing character or background checks on new employees (such as checks of credit references, or mandatory drug testing), these requirements should be mentioned in advertising of vacancies. To do so gives a clear forewarning to potential candidates – some of whom may opt out of the recruitment process as a result. It also enhances the professional reputation of the organisation, making a clear statement of the standards of character required of their staff.

There are guides on good practice that can assist an organisation in making their selection processes as robust as possible – such as the Australian Standards on employment screening.

The Ongoing Management And Supervision Of Staff – Aftercare

It is a good organisational security culture when supervisors actually know their staff and take an appropriate level of interest in them. This means that you can know when something’s not right – when someone is behaving out of character, when their standards are slipping, or maybe when they seem to be espousing new or radical views. It is only by knowing what is normal that you can detect what is abnormal. Similarly, it is a sign of a healthy workplace when colleagues know each other and show an appropriate level of interest.

[Many have heard the story of an American office-worker who supposedly died seated at his desk and it was several days before anyone noticed. Is that a team you would want to belong to?]

The language used in government personnel security policy refers to “any changes in circumstances” or “concerns about the continued suitability” of a worker to access classified or sensitive information.

There is obviously a balance between caring about a colleague’s welfare and invading their privacy, but it is a balance that most mature adults can find when the culture supports it. That culture should seek not only to promote good security awareness, but also workplace health and safety. Security concerns and duty-of-care often share common ground, such as if there are signs of mental illness, drug or alcohol issues, or a gambling addiction.

In the same way that reporting of not just incidents but also near misses can identify a safety hazard in the workplace, so can potential personnel security vulnerabilities be identified. Apart from a healthy range of social behaviours and security awareness, an organisation needs sound policies and procedures for the reporting and analysis of any issues of potential security concern.

Once your staff are aware of something being not quite right with a colleague, the systems must be in place so that they can report their concerns with confidence that the privacy of the individual will be balanced with the security requirements of the organisation, and that concerns are handled with suitable confidentiality so as to protect the source, if necessary.

However, it does not stop there. A filing cabinet full of reported security concerns is of no value unless someone suitably qualified is analysing those reports for specific security threats and for systemic vulnerabilities – and then acting upon those issues.

Underpinning such policies and processes must be a combination of security induction training and then ongoing security awareness programmes. It is important that all staff receive security training during their induction phase so that they immediately know what is required of them. Annual refresher training is then generally considered to be a suitable interval to retain a level of awareness.

This may take a variety of forms, depending on the nature of the organisation. At its most formal, it may be a mandatory requirement to attend a formal briefing or complete an online training package. Or it may involve more creative security awareness activities tailored to the nature of the organisation. Discussing case studies of other organisations’ security incidents can be a useful way of reviewing whether the same could occur in your own workplace.

If a public servant is required to have ongoing access to resources classified at PROTECTED or above, then the department will need to seek a formal security clearance for that individual. Similarly, if someone employed in the private sector is contracted for government work involving such classified information, they will also require a security clearance. The majority of Australian Government clearances are now processed through the Australian Government Security Vetting Agency (AGSVA), currently administered through the Department of Defence.

Security issues should also feature in staff exit processes. If an employee has held a security clearance, there are specific requirements, including notifying the Australian Government Security Vetting Agency of the change in employment status. Exit interviews also present an excellent opportunity for an organisation to gain some candid feedback on a variety of issues, including any weaknesses in security practices. Any specific issues raised, or insights from departing staff, should be evaluated.

The Final Phase Of The Employer – Employee Relationship – Beyond Aftercare

Some American government agencies are particularly adept at keeping former employees within their networks. This form of extended aftercare is not just for the social pleasures. Whether staff have retired or simply moved on, maintaining those social networks serves to keep those staff within the watchful gaze of the organisation’s network. This occasional contact with the organisation and other former colleagues can have numerous benefits to an organisation.

That invitation to a Christmas barbeque may help prevent a former employee from turning bad and divulging sensitive corporate information (especially if they left as a result of a grievance). It may provide an opportunity to detect and intervene when someone is showing signs of stress – raising those interrelated issues of security and duty-of-care (particularly if they resigned due to work-related stress). Former staff can also be a valuable talent pool when an organisation is recruiting. Recycling a good former employee saves on training and induction, and can deliver someone with years of corporate knowledge, improved upon by their intervening experience elsewhere.

A Risk Management Approach

Good personnel security involves applied risk management. There are some basic principles of risk management to consider:

The likelihood of a threat being realised is a function of the threat source’s intent and capability, combined with the vulnerability of the assets.

How does this apply to personnel security and the trusted insider? It means that the risk of deliberate harm from a trusted insider results from a combination of the individual having both the intent (the desire) to do harm and the capability (the skills, knowledge, tools). They can only act on their intent if there is a vulnerability – an opportunity arising from flawed security practices.

Risk management is not a perfect process. When it comes to interpreting or predicting human behaviour, the best we can hope for is an educated guess. Suffice to say, the more educated you are (the more information you have), the better your guess.

Faced with a potential insider threat, the security manager faces a number of options – which each carry their own risks:

One possibility is that your information might lead to a false positive (reacting to a perceived security threat, but it turns out that the concern is unfounded). Alternatively, you might run the risk of a false negative (you don’t act on the information available, and a serious incident occurs as a result). There is even the chance that you might get it right – correctly identifying and acting on the concern, or correctly assessing and dismissing the concern.

In examining the available information, factors to consider include the impact on the subject of the allegation, the potential security harm to the organisation and its stakeholders, legal implications and the potential impact on reputation, either way.

The level of risk is determined as a function of the assessed likelihood of the event occurring, and the anticipated consequence if it does occur.

Fiona Peacock has a Masters degree in Investigative Psychology from the University of Surrey UK, a B.Sc Honours degree in Psychology and a B.A in Criminology from the University of Melbourne. She has worked in law enforcement, intelligence and security roles in Australia and the UK for more than 20 years. She holds a CPP (Board Certified in Security Management) from ASIS International and a Diploma in Security & Risk Management. Fiona’s interest is intelligence-led security, applying risk management principles.