Mitigating Insider Threat Within Correctional Facilities

Care and custody, public safety and security are the hallmarks of correctional facilities. The primary asset associated with a correctional facility is its personnel. An unfortunate aspect of reality is that human behavior is subject to individual failings that have the ability to Inflict adverse

consequences on any enterprise. In any organization, one common security mishap that may be attributed to personnel is insider threat. Recent history clearly establishes that no organization is immune to this threat. Administrators and managers of a correctional facility must always be aware and concerned with insider threat during their normal operational activities.

Correctional institutions are essentially enterprises that revolve around the day-to-day interaction of those charged with the care and custody of the incarcerated population. Human behavior, with its associated strengths and weaknesses, assures that a small percentage of individuals within organizations will abrogate their responsibilities and violate the provisions of trust they have sworn to uphold. Some correctional facilities will inevitably face the trauma of an insider gone bad; this article presents information that may prove useful in mitigating insider threat.

Three ingredients are typically present when insider abuse occurs - motive, opportunity and a specific triggering event(s). Motives vary but typically Involve a sense of bitterness or dissatisfaction, or a desire for revenge, financial gain or increased recognition. The opportunity for insider abuse is obvious; an insider must have access to sensitive information or the power to influence the environment in a positive manner for those incarcerated. In a correctional environment, the susceptibility of employees to receive bribes by or on behalf of inmates has historical precedent and requires constant vigilance and training as a deterrent. The coalescing of motive and opportunity must be triggered, and this occurs when an event ignites the underlying tensions that push an employee beyond the threshold of acceptable behavior. In situations where motive, opportunity and triggering events converge, insider betrayal occurs.

A 2005 insider threat study sponsored by the United States Secret Service developed data pertaining to the specific event or series of events that triggered the insiders' actions.1 In 9 percent of the cases, work related events such as termination, disputes with a current employer, and employment related demotion or transfer were the specific triggering event resulting in the insiders' behavior.2 Other common triggering events include: financial difficulties, romantic discord, substance abuse problems, and absence of moral values and loyalty to the employer or co-workers. The absence of effective deterrence policies and procedures often make the difference as to whether an actual betrayal may or may not occur. Damage assessments subsequent to publicized espionage incidents, such as those of Aldrich Ames3 and Robert Hanssen,4 indicate that the absence of an adequate deterrence policy contributed to the decision to cross the line and commit espionage.

Insider opportunities within a correctional facility are present in many guises, the most common of which involves the relationship between correctional officers and inmates. Inmates, despite being incarcerated, assume a role similar to a professional intelligence officer in their efforts to "recruit" a corrections employee willing to cooperate. The process, although informal and intuitive, follows the same process that a case officer uses to recruit spies. The process involves spotting, assessing, approaching, recruiting and running the "prospective agent." Spotting involves identifying an insider with the access or power to achieve the end desired by the inmate. The assessment phase requires identification of perspective candidates' weaknesses or personality traits that would make the potential insider susceptible to a recruitment offer. The approach typically is the most precarious step in the process because if the inmate has miscalculated during the spotting or assessment, his plans will be brought to the attention of authorities and result in severe consequences. If the approach is successful, the next step is to draw the insider in by obtaining his or her cooperation and furnishing the agreed upon reward. Once the initial act of cooperation is accomplished, the insider has lost control of the situation and the risk of exposure is so great that future cooperation is virtually assured.

At first glance, a correctional facility housing an inmate population might seem like an unusual place for insider opportunities. However, upon reflection there are significant information assets within a correctional facility that have potential value for abuse by an insider. Prisoner records typically contain a wealth of information that is susceptible to manipulation and abuse. Records containing personal identifying information, such as date/place of birth, social security number, medical information, criminal history, family contacts, gang history, criminal associates, past addresses, cell/work detail assignments, visitor/ telephone logs, aliases and more, have the potential to be used for nefarious purposes. This data can be useful to an insider intending to barter or profit financially by selling information to a rival criminal faction or a revenge motivated victim or as a means to perpetrate identity theft. An insider at a correctional facility, either an inmate or an employee, may have access to the IT infrastructure, and with access comes the potential for a plethora of abuse.

Stealing the identity of an inmate may seem to be an unattractive proposition; however, for an illegal immigrant, a terrorist or someone concealing his or her identity, it is an option that is better than the alternatives and has the additional advantage of reduced risk of detection. It is reasonable to presume that a corrupt corrections employee could easily engage in marketing prisoner identification to willing buyers. While incarcerated, a prisoner would have no need to monitor their credit report for fraudulent cards, charges or accounts, increasing the appeal of inmates as victims to entrepreneurial-minded staffers.

Beyond the traditional uses for data appealing to insiders, there are some types of information that are unique to a correctional facility. Would an inmate be interested in knowing or even altering his or her own, or someone else's work assignments? Is there value in knowing, or being able to alter the shift schedules of corrections officers? Could a map detailing patrols, surveillance or other security measures be useful to anyone? In each of these instances, inmates or disgruntled correctional officers could utilize this data for their own self-serving purposes. It is not too far-fetched to envision a scenario whereby correctional institution employees collaborate with inmates to furnish this type of data in return for an agreed upon medium of exchange.

Potential insider abuse is not limited to unauthorized acquisition of data; sometimes it may involve altering or even adding data to existing records. What damage could an insider do with the ability to alter the medical, allergy or prescription data of an inmate? Might a disgruntled corrections employee be interested in influencing the duty schedule or patrol assignments of a rival or other person that they have targeted for revenge? In many instances, employees receiving poor performance reviews believe they have been slighted or overlooked and strike out by altering or damaging systems, data or the reputations of others, and a correctional facility employee subject to stress may be no different.

The miniaturization of recording and data storage devices does not just increase the chances that an employee or trusted agent of a facility may bring valuable data out of the facility, it also allows someone with vindictive intent to transport harmful data, such as viruses, malicious software, keystroke loggers or hacking programs, into a secure facility. Keystroke loggers and other similar malicious software can be configured for the surreptitious recording of every keystroke typed into a computer, storing them as plain text in encrypted files or even transmitting them across the network to other storage devices. Even the low end of the most common electronic devices found today such as digital cameras, cellular phones, personal digital assistants (PDAs) and MP3 players are all capable of storing at least one copy of War and Peace as plain text, approximately 1,500 pages or about 5.8 megabytes (MB). Many newer models have storage capacities from as small as 16 MB to as large as 60 gigabytes (GB) or more. These devices are capable of containing between 4,000 and more than 30 million pages of clear text, non-encrypted data.

Enterprise protection planning must address standard issues facing all enterprises; however, in the corrections profession, special consideration should be devoted to assessing the unique circumstances present. Many organizations worry about industrial espionage and disgruntled employees, but the volatile correctional facility environment increases the danger and challenges for a facility to implement policy and procedures that reduce the circumstances conducive to insider exploitation.

Every facility should examine its enterprise protection and disaster recovery plans, to ensure that they are living documents, capable of covering emerging technological and societal challenges. An organization that does not continually evaluate the changing nature of evolving technology in the modern world will ultimately pay a price in the occurrence of adverse incidents. Security violations and the accompanying negative publicity may be mitigated or avoided with forethought, planning and awareness of nontraditional threats.