Zeeshan Shahid Khan
Insider threat has been one of the most dangerous security concerns for all organizations whether in the commercial world or dealing with national & international security. However, the severity of concern magnifies when the organizations are dealing directly with radiological materials due to the extent of damage they can cause if misused and their ease of transportation. Therefore, organizations working with these materials have become the focus of global security concerns especially post 9/11 due to threats posed by non-state actors.
According to the IAEA INFCIRC/225/Rev.5, ‘an Insider is defined as one or more individuals with authorized access to nuclear facilities or nuclear material in transport who could attempt unauthorized removal or sabotage, or who could aid an external adversary to do so.’ The ambit of insider threat includes sharing information and espionage, theft or sabotage to the facility or to the material during transport. An insider may act independently as a lone wolf, or collaborate with another insider to achieve his aim. Moreover, an insider may also collaborate with an outsider willingly or unwillingly as the case maybe. The list of possible targets for insiders is lengthy depending on their authority, access, knowledge, motivation and opportunity. However, they may target the reactor itself, its power supply, storage areas, or security systems. Transportation is likely to remain a risky affair as the material is not on its home turf and it is therefore difficult to mitigate the threat if an issue were to occur. Moreover, Cyber attacks to the facilities remain a dangerous threat internationally. The motivations due to which a person may become an insider threat may relate to financial gains, anti-nuclear protest, personal work or family issues, radicalization and coercion. Insider threat to any organization directly relates to its employees or people linked to the system, it is therefore imperative to understand the sociological dimensions of this phenomenon to be able to perhaps pre-empt an insider threat to an organization before it occurs.
Understanding Culture vis-à-vis Insider Threat
Culture is defined as “The totality of socially transmitted behavior patterns, arts, beliefs, institutions and all other products of human work and thought.” It is a learned way of thinking and acting developed over time by a group or society due to numerous factors ranging from geography, environment, history, experiences, traditions, and religious beliefs. A society’s culture is deeply ingrained and directs all thinking and actions of the society as a whole. Moreover, cultural variables are interconnected as subsystems of the whole (System Theory), and affect and change each other with new experiences, hence making Social Culture more dynamic and not static. The social culture thus forms the basis of all other sub cultures that flow from it i.e. national culture, strategic culture, national security culture and nuclear security culture.
To further understand how the social culture interacts with probability of creating Insider threat, we must analyze the social environment in Pakistan through multiple lenses including those of historical experiences, religious beliefs, and security challenges. Pakistan is a mix of numerous sub cultures based on its provinces and tribes, which differ from each other in many aspects. However, the common elements are tribal & family loyalties and strong religious beliefs. The social culture has developed over time partly due to the changing security situation over the years. From the time of creation of Pakistan leading up to 9/11, Pakistan faced the usual conventional and later nuclear threats. However, after 9/11 numerous non-state religiously oriented organizations now saw Pakistan as a legitimate target due to being a US ally on the war in Afghanistan. This suddenly created a real possibility of enhanced insider threat within all government linked organizations due to religious affiliations developed with Afghanistan during the Russian Invasion. These events not only changed the security environment but also shaped the social and cultural dynamics of the country.
To grasp the effect of this dynamic cultural evolutionary process vis-à-vis insider threat, Geert Hofstede’s cultural dimension theory has been used to understand the cultural fundamentals affecting it. The theory emphasizes six fundamentals namely: Power Distance, Individualism vs. Collectivism, Masculinity vs. Femininity, Uncertainty Avoidance, Long or Short Term Orientation and Indulgence. Out of the aforementioned, three indexes i.e. Power Distance, Individualism vs. Collectivism and Indulgence seem to have the most correlating effect on insider threat.
Pakistan, like the rest of South Asia has a high Power Distance, which may be due to the colonial past of the region. High power distance suggests that people with authority are culturally accepted to have higher privileges and rights. This points to probable deference to authority in the culture and therefore security systems in the region. Considering this factor in an insider threat scenario, a subordinate may feel hesitant to question the actions or instructions from his superior even if they are out of the superiors’ authorized clearance. Moreover, employees may also avoid reporting a questionable action by a superior in the reporting chain. Special attention needs to be paid to the cultural aspect of High Power Distance while making a practical security solution for any high risk facility. This may be done by providing education, training and casual interactions between superiors and subordinates at the organization level.
Low Individualism index in Pakistan shows that there is also a strong sense of collectivism in the society, which is based on strong family ties or tribal and religious affiliations. These strong associations therefore give root to nepotism, since trust and loyalty are highly valued commodities, and whom would you trust more than your tribe or family. However, high collectivism indicates that individuals may feel more loyal to their tribe or family, rather than their parent organization, creating a probable red flag in case members of an affiliation, decide to collaborate in a dangerous activity. The positive aspect maybe that since organizational structure may be fused with high concentration of people from one specific strong affiliation or background, it may reduce the probability of an individual insider activity. Moreover, in an environment of high collectivism, individuals may also feel reluctant to report cases for the fear of being deemed as traitors to the tribe, family or religiously affiliated group. One of the ways the effect of this index can be minimized is by subordinating employees of a nuclear facility to superiors from other provinces or tribes. This will minimize nepotism thereby reducing the grouping effect. Moreover, security individuals at nuclear facilities should always be grouped in pairs from different tribal affiliations for the same reason.
Another cultural aspect of Pakistan is the absolute Low Indulgence index lying at a mere zero with no emphasis on gratification or “having a good time”. This shows that the society is controlled not only due to the obvious religious norms but also due to having lesser means to indulge. Low wages, expensive education, or expensive housing leave little means for gratification. A regular person barely makes ends meet. This social marker leaves a huge gap, which can be used by an outsider individual or organization for exploiting an employee of a nuclear facility for its own end by using financial enticement. The effect of this index can be minimized by paying higher salaries to the employees of nuclear facilities compared to other government organizations of the same grade considering the job sensitivity. Moreover, special subsidies may be provided in utility bills and at grocery stores. In addition, special funds for education of their children may be made available from government exchequer.
Some additional recommendations to thwart insider threat are:
- Personnel Reliability Programs must cater for the aforementioned social/cultural aspects of employees during enrolment and also ensure that ‘trust worthiness’ monitoring is carried out at shorter intervals within the organizations.
- PRP must prioritize insider threat analysis and possible contingencies in security framework of nuclear installations.
- Employees should be educated regarding cultural issues and resulting breaches in security. Media can also be used for increasing the social indexes favorable to security and inculcating national pride to elevate loyalty to the country and organization above that of tribe or family.
- All employees must be educated in the visible indicators that may lead to an employee becoming an insider threat and must be comfortable with the reporting mechanism.
- More collaboration with international organizations with reference to trainings and information sharing must be carried out.
- Knowledge sharing must be done internationally regarding security breaches by insiders and the mitigation strategies & techniques implemented afterwards.
- At the organizational level, psychological evaluation of select individuals on monthly basis as well randomly to judge the present psychological condition of the individuals must be done. This can be done by employing a psychologist at every facility.
- Regular ground test exercises must be carried out in which different insider threat scenarios can be played centered on design based threat compatible to our social and cultural environment.
At national level, a long term Social Engineering Project must be initiated by the Federal Government for cultural evolution from grass root level in the needed direction for increasing unity & national pride. This medium to long term project may encompass the following:
- Workshops – social values, security culture – Ministries of Culture & Education.
- Interaction & workshops of nuclear organization staff with academia – PAEC & Ministry of Education.
- Re-vamping of the education system to instill a sense of patriotism higher than tribal ties – Ministry of Education.
- Instilling religious schools with understanding of national security vis-à-vis survival – Ministry of Religious Education.
- International training study tours from universities to be increased –Higher Education Commission.
Zeeshan Shahid Khan was United Nations Military Observer in Sierra Leone from 2003 to 2004.