Insider Threats

Name:

Institutional Affiliation:

Table of Contents

Abstract 3

Introduction 3

2001 Anthrax Attacks 4

History of the 2001 Anthrax Attacks 4

Warning Signs of the 2001 Anthrax Attacks 6

Measures That Could Have Been Taken to Detect and Prevent the 2001 Anthrax Attacks 8

Barakah Nuclear Power Plant 9

Barakah Nuclear Power Plant Environment 9

Appropriate Measures to Prevent, Detect, and Respond to Insider Threats 12

Conclusion 13

References 14

Table of Figures 15

Appendix 16

Target Sets 16

 

Insider Threats

Abstract

This paper will discuss the 2011 anthrax attacks. It will further explain the failures to identify the warning signs and take action and the measures that could have been taken to detect and prevent the attacks. This paper will also discuss the environment of the Barakah Nuclear Power Plant and measures that should be taken to prevent, detect, and respond to insider threats.

Introduction

An insider can be defined as someone who uses their knowledge or access to an organization to cause harm. It can be anyone ranging from employees to contractors. The biggest asset of an insider is the proper knowledge of the target location. They usually have a very good idea of how everything inside operates. They have knowledge of all sensitive parts, blind spots, and weaknesses of the system. Insiders work to fully exploit such vulnerable places to their advantage. They are motivated by many things, including money and terrorism. Some are just angry at how they are treated at work and view it as a way of getting back at the organization. Insiders use various methods to conduct their attacks. They include the destruction of infrastructure or assets, allowing access of systems to unauthorized third parties, stealing of assets, disclosure of sensitive information to unauthorized third-parties, and smuggling of drugs and other contraband items. Not all insiders intend to cause harm. Some do so by not following set procedures. Such an omission can lead to the same level of harm that would have been caused by an insider who intends to cause harm. Consequences can be catastrophic, including massive loss of life and destruction of property. It is usually difficult to fully recover from the effects of such events. As such, it is important to ensure that there are measures in place to prevent, detect, and respond to insider threats. 

2001 Anthrax Attacks

History of the 2001 Anthrax Attacks

A week after the terrorist attacks at the World Trade Center, the Pentagon, and in Somerset County, PA, on September 11, 2001, media houses and congressional offices started receiving anonymous letters laced with spores of anthrax. The first batch of letters containing anthrax was mailed on September 18, 2001. Bob Stevens, who worked with American Media, was the first victim of the anthrax attacks. On October 24, 2001, Bob was admitted to the hospital with inhalation anthrax. The following day, he died. On October 8, 2001, anthrax was found in the offices of the National Inquirer in Boca Raton, Florida. The building had to be closed for some time. More letters laced with anthrax were posted on October 9, 2001 to Capitol Hill. They included a letter addressed to the Senator of Vermont, Patrick Joseph Leahy Figure 1. Luckily enough, he did not open the letter. At this point, the Federal Bureau of Investigation (FBI) started investigating the attacks. On October 12, 2001, a female employee at NBS offices in New York tested positive for anthrax. Three days later, on October 15, 2001, former South Dakota senator and Senate Majority Leader Thomas Andrew Daschle made a statement that traces of anthrax had been found in his office. On October 16, 2001, a son of a producer at ABC News based in Manhattan, New York, tested positive for anthrax. The child was only seven months old. The child had been brought to the offices before. On October 18, 2001, an employee of CBS and a postal worker in New Jersey were confirmed positive for anthrax poisoning. In Washington, D.C., two other postal workers were reported dead of inhalation anthrax on October 23, 2001. On October 26, 2001, a mailroom employee at the U.S. State Department was admitted to hospital with anthrax poisoning. Two other postal employees tested positive for anthrax poisoning between October 28th and October 30th 2001. On October 31, 2001, Kathy Nguyen, a 61-year-old woman who worked at the Manhattan Eye, Ear and Throat Hospital, succumbed to anthrax poisoning. On November 21, 2001, Ottilie Lundgren, a 94-year-old woman in Connecticut, also succumbed to anthrax poisoning. She was the fifth person to die of anthrax poisoning. 

The investigation took years to conclude. More than 10,000 interviews were conducted on six continents. The FBI investigated 1,024 people. They narrowed down to about 400 people who had financial motive or motive against any of the politicians to whom the anthrax-laced letters were mailed. Little did they know that the person they were looking for was an insider, a very proficient anthrax researcher. The main perpetrator of the 2011 Anthrax Attacks was a microbiologist and a vaccinologist known as Bruce Edwards Ivins. He was also a senior biodefense researcher based at the United States Army Medical Research Institute of Infectious Diseases (USAMRIID). Ivins was one of the best and most respected anthrax researchers. Before he became a suspect, he was a consultant for the FBI. The FBI discovered that the letters had been mailed by a single person. At some point, the FBI started suspecting that the perpetrator of the attacks was one of their own consultants, Ivins. The FBI realized that Ivins had a liking for driving at night for long hours. He sometimes sent letters under false names. The FBI also found out that Ivins had an obsession with sorority and images of blindfolded. Hundreds of those were found on his computer. Ivins had the technical know-how of making anthrax, lacing letters with it, and later mailing it to various addresses. Ivins started giving false leads to the FBI. For instance, in 2007, he wrote a memo to the FBI stating that two ladies whom he had an obsession over sent the letters. One of the women confronted Ivins about it, and he wrote back to her, stating that another personality within him he called ‘Crazy Bruce,’ who he described as anxious and depressed, mailed the letters. He said that he had been chosen to carry out the operation. Ivins eventually committed suicide on July 29, 2008. In 2010, the FBI concluded their investigation and revealed that Bruce Edwards Ivins was the sole perpetrator of the 2001 anthrax attacks. Ivins himself laced the letters with anthrax and mailed them to the victims. The FBI produced evidence to prove that Ivins was the terrorist who committed the attacks. Among the evidence were affidavits and confessions by Ivins. Unfortunately, Ivins was never charged (Federal Bureau of Investigation, n.d.).

Warning Signs of the 2001 Anthrax Attacks

Bruce Edwards Ivins had a history of mental illness and substance abuse. He also had a habit of going to sorority houses of the Kappa Kappa Gamma sorority and stealing items. Ivins also stalked women and plotted to murder various people. He wanted to punish those who had wronged him in the past. A year before the attacks, Ivins said that he started experiencing paranoia and delusional thoughts. He also confessed to his therapist that he wanted to kill two women who had rejected him in the past. He was put on antidepressants and other antipsychotic medications. People knew that he was receiving psychiatric treatment, but no one bothered to do anything about it. If he was working in the chemical or nuclear weapons department in the army, the authorities could have done something about his psychiatric medication, for instance, suspension or leave. Surprisingly, Ivins never came across as a security risk. This is because he was never caught in any of the crimes he committed, so he was never charged with anything, and therefore he did not have any record on him. He had also never been to any mental institution. Ivins passed his security assessment test. There was no reason to doubt that Ivins was in the correct state of mind. He craved attention and recognition for his work. He started getting this after the attacks. When the attacks happened, Ivins’ work became a priority for the government. 

As the FBI was conducting the investigation in 2002, they received a tip from a woman who had worked with Ivins. The woman said that Ivins had a history of mental illness and that he had the capacity to carry out the anthrax attacks. The FBI did not take the tip seriously. If they had, they could have known that Ivins was the culprit earlier enough. Days prior to the attacks, Ivins spent nights and weekends at the lab working on something. The FBI did not find that probable cause to investigate Ivins for the attack. Instead, they focused their attention on Steven Hatfill, a virologist who could not have had any access to anthrax. His name was dragged through the mud by the media. When he was absolved of any wrongdoing, he sued the government. He was awarded $5.8 million.

Dr. Ronald Schouten, one of the panelists appointed by Chief Judge Royce C. Lamberth of the United States District Court for the District of Columbia, placed blame on the army. Anyone who works with nuclear and chemical weapons departments in the army is thoroughly screened and monitored. Dr. Ronald stated that it was not the case for those who handled biological weapons. He said that it was the army’s fault that they did not detect Ivins’ mental illness and criminal history.

Earlier on, the National Science Advisory Board for Biosecurity had rejected a recommendation to have a requirement that two researchers be present in a lab when dealing with dangerous pathogens such as anthrax. If this recommendation had been adopted, the 2001 anthrax attacks could have been thwarted. This is because Ivins’ colleague would have questioned why he spent long hours, including nights and weekends, in the lab. The colleague could have raised the alarm if Ivins did not have a convincing reason. The National Science Advisory Board for Biosecurity also dismissed a recommendation to carry out psychological evaluations for researchers at the biological weapons department. Had the recommendation be adopted, Ivins’ mental illness would have been detected, and the subsequent attacks thwarted (Cieplak, 2013). 

Figure 1Anthrax-laced letter addressed to Senator Patrick Joseph Leahy.

 

Measures That Could Have Been Taken to Detect and Prevent the 2001 Anthrax Attacks

The National Science Advisory Board for Biosecurity could have adopted recommendations to have a minimum of two researchers present in a lab when working on dangerous pathogens and to carry out psychological evaluations on lab personnel at the biological weapons unit at USAMRIID.  Ivins used to work alone. No one could have suspected that he was working on something dangerous with the aim of killing as many people as possible. A colleague would have raised the alarm about what Ivins was planning. The psychological evaluations would have flagged him as a mentally disturbed person, therefore not mentally fit to carry out biological weapons research. It was not a secret that Ivins was on psychiatric medication. The authorities should have denied him access to the research facility in light of his psychiatric condition.

The FBI could have acted on the anonymous tip by a woman claiming that Ivins was a mentally disturbed person who had the capacity to carry out the anthrax attacks. They could have arrested him and had him charged in a court of law. Families of casualties of the 2001 anthrax attacks would have found justice (Cieplak, 2013).

 

Barakah Nuclear Power Plant

Barakah Nuclear Power Plant Environment

Barakah Nuclear Power Plant is located in Abu Dhabi, United Arab Emirates. The 5.6GW plant is the first nuclear power plant in the Arabian Peninsula. The assessment by the Federal Authority for Nuclear Regulation (FANR) of all these documents was performed following the review instruction on the Physical Protection of Nuclear Power Plant. It could be noted that another document was provided by Emirates Nuclear Energy Corporation (ENEC), but FANR decided not to review and approve this document before the operation of Unit 1 of Barakah Nuclear Power Plant. During the construction of the units, the identification of the target sets has been started following the U.S. Nuclear Regulatory Commission Guide 5.81, Target Set Identification and Development for Nuclear Power Reactors. The first document on Target Set was submitted in April 2013 and contained a deterministic identification of target sets on the full power of the reactor. The assessment in conformance with the regulatory guide FANR-RG-010 of this document and the following other document was realized by an integrated team of FANR staff from safety and nuclear security. The next document on the identification of target sets answered to additional information by FANR (RAIs) and submitted a schedule to take into account the site-specific Probabilistic Risk Assessment (PRA) and other modes of operation as well as maintenance activities. After several discussions and reviews on the target sets, in November 2016, the licensee submitted the Target Set Analysis using the probabilistic results from the Barakah Nuclear Power Plant PRA without any comment by FANR. Also, during the construction of the units, the Cyber Security Plan has to be submitted to FANR. In June 2013, the Cyber Security Program Manual was provided to FANR. FANR has also recommended using Nuclear Energy Institute (NEI) 08-09, Cyber Security Plan for Nuclear Power Reactors, Revision 6, and ENEC stated that they would follow the 8 Milestones defined by U.S. NRC. After reviews, requests for additional information by FANR integrated team (safety and security), and answers by ENEC, the Cyber Security Program Manual was revised 6 times and accepted by FANR. The implementation of the Cyber Security Program Manual was then checked during inspections at Westinghouse headquarter in Pittsburgh (USA) as well as at Barakah Nuclear Power Plant (November 2017, March 2019, and June 2019). It appears that Milestones 1 to 6 have been implemented before the loading of the fuel of Unit 1 of the Barakah Nuclear Power Plant. For Milestones 7 and 8, the implementation will be respectively done in 2020 and 2022. The Physical Protection Plan for Operation (PPP-O) of Unit 1 of Barakah Nuclear Power Plant was submitted by ENEC in support of their application for the license for operation (26 March 2015). The schedule of the plan contained those mentioned in the regulatory guide FANR-RG-032. Especially, the following items were developed: — Security Organization, — Physical Protection System (PPS), and — Reporting and Records of Events. The description of the security organization, which includes security personnel training and qualification and trustworthiness of personnel, was reviewed by FANR. For the time being, the security organization is managed by ENEC with a service provider United Security Group for the guards and the Critical Infrastructure and Coastal Protection Authority (CICPA) as an armed response force. The training and qualification of personnel were reviewed by FANR in accordance with the U.S. NRC Regulatory Guide on Training and Qualification of Security Personnel. Article (16) of FANR-REG-08 described the requirements for Protection against the Potential for Insider Threats, and FANR assesses the detail provided by the PPP-O. This review was done in accordance with the best practice documents, including the U.S. NRC NUREG/CR-7183, Best Practices for Behavioral Observation Programs at Operating Power Reactors and Power Reactor Construction Sites, and concluded positively. The physical protection system was designed for the first time in the UAE; KEPCO (South Korea), the supplier with the four Units of Barakah Nuclear Power Plant, was not involved in its definition. The design of the PPS was defined in 2014 and has been reviewed by FANR from this date. Then, the implementation of the modified design of the PPS at the site was launched in 2015. In the last update of the PPP-O (Revision 4), a complete description of the implemented PPS, comprising detection, assessment, access to the area, physical barrier, etc., was provided. FANR reviewed the implemented PPS based on the recommendations of IAEA Nuclear Security Series No. 13 (INFCIRC/225/Rev. 5) without any final remarks. The notification of nuclear security events to FANR or their recording has been defined in a procedure and described in the PPP-O as requested by Article (25) of FANR-REG-08. FANR reviewed the events mentioned in the procedure and verified that the notification of nuclear security events was in accordance with regulatory guide FANR-RG-026. The last version of the PPP-O (Revision 4) mentioned the related procedure. When the design of the PPS is about to be completed, and the identification of target sets is more or less achieved, the licensee may develop a vulnerability assessment based on the Design Basis Threat (DBT). In May 2017, the first established vulnerability assessment proposed to FANR was rejected due to the fact that it does not contain the necessary information to allow FANR to begin its review. In August 2017, a revised vulnerability assessment was submitted by ENEC to FANR, and in December 2018, revision 1 of the vulnerability assessment was provided to FANR to take into account the fact that both Unit 1 & 2 was included in the protected area. The vulnerability assessment ensures the effectiveness of the physical protection plan against the DBT. The Contingency Plan, established to respond to nuclear security events up to the DBT, in accordance with Article (4) of regulation FANR-REG-08, was first established based on a certain concept of the security organization. While the security organization on the site has evolved and is still changing, the contingency plans were revised and finalized in December 2018. FANR reviewed these plans following the regulatory guide FANRRG-026 without any remarks. FANR requested to review the management of the interface between safety and nuclear security. It was required by Article (9) of regulation FANR-REG-08. The licensee provided a procedure for managing the interface and included this in its management system. At the end of the process, a common inspection (safety and security staff – October 2019) by FANR was performed to check if the plant is ready to operate in safety and secure manner. Following the assessment of all these documents, FANR has written a Security Evaluation Report (SER) for Chapter 20 of the FSAR in support of the license of operation of Unit 1 of Barakah Nuclear Power Plant as well as a summary of the SER for the Board of Management, which stated that there reasonable assurance that the Unit 1 of Barakah Nuclear Power Plant will be operated in accordance with the Law and regulation FANR-REG-08 (Mohamed, 2018). 

Appropriate Measures to Prevent, Detect, and Respond to Insider Threats

Authorities at the Barakah Nuclear Plant should never assume that there are no insider threats. They should always be on the lookout. Employees change ideologies, shifting allegiances, and get coerced. Assuming that there is no risk of insider threats is a recipe for disaster. This is despite background checks that may be carried out on Barakah employees. Background checks do not show the potential of an employee being an insider. Authorities at Barakah should not rely on their security system alone. That system is operated by employees who may also be insiders. It is a huge risk to entirely place trust in them. The system should be designed in a way that offers in-depth security such that an employee will not be able to tamper with the whole system. Authorities at Barakah should frequently conduct psychological examinations on employees. This will help them identify employees with psychiatric issues. Such employees are a risk. As much as preventing the threat is important, it is important to put in place measures in place to mitigate insider threats when they happen. Insider threats still happen even after the strictest security measures are put in place. Mitigation measures will help to contain insider threats if they happen (Zou, et al., 2018).

 

Conclusion

Insider threats are usually costly to an organization in terms of resources. The effects are dangerous and can affect the general population. It is important to prevent them. Organizations should put in place measures to prevent and detect insider threats. More importantly, they should put in place mitigation measures to deal with insider threats in case they occur.

References

Cieplak, M. V. (2013). Bioterrorism Policy Reform and Implementation in the United States: The Impact of the 2001 Anthrax Attacks. Birmingham: University of Birmingham.

Federal Bureau of Investigation. (n.d.). Amerithrax or Anthrax Investigation. Retrieved from FBI: https://www.fbi.gov/history/famous-cases/amerithrax-or-anthrax-investigation

Mohamed, M. R. (2018). Geochemical and Radiological Baseline Studies and Environmental Impact of the Area Surrounding Barakah Nuclear Power Plant, UAE. Al Ain: United Arab Emirates University.

Zou, B., Yang, M., Guo, J., Wang, J., Benjamin, E.-R., Liu, H., & Li, W. (2018). Insider Threats of Physical Protection Systems in Nuclear Power Plants: Prevention and Evaluation. Progress in Nuclear Energy, 8-15.

 

Table of Figures

Figure 1Anthrax-laced letter addressed to Senator Patrick Joseph Leahy 7

 

Appendix

Target Sets

This is the minimum combination of target elements, which, if all are prevented from performing their intended function or prevented from being accomplished, would likely result in core damage and Spent Nuclear Fuel damage.

 

At Legal writing experts, we would be happy to assist in preparing any legal document you need. We are international lawyers and attorneys with significant experience in legal drafting, Commercial-Corporate practice and consulting. In the last few years, we have successfully undertaken similar assignments for clients from different jurisdictions. If given this opportunity, we will be able to prepare the legal document within the shortest time possible.