NOIR The NOIR White Paper Series on Insider Threat, Counterintelligence, and Counterespionage (CE) 3

  • View

  • Download

Embed Size (px)

Text of NOIR The NOIR White Paper Series on Insider Threat, Counterintelligence, and Counterespionage (CE) 3


    Counterintelligence is the Stepchild of the Intelligence Community

    Prevention is the Stepchild of Counterintelligence

    Detection Gets All the Love

    Dr. David L. Charney Psychiatrist


    THE MISSING LINK For Managing Insider Threat in the Intelligence Community

    proposing a National Office for Intelligence Reconciliation

    for more information, go to:

    NOIR WHITE PAPER PART THREE series on insider threat/counterintelligence/counterespionage

  • Dr. Charney is the Founder and Medical Director of Roundhouse Square Counseling Center, in Alexandria, Virginia. He specializes in Anxiety and Mood Disorders, Couples and Family Therapy, as well as Attention Deficit Disorder in adults. In addition to his usual practice, he has also treated personnel from within the Intelligence Community. As a result of unusual circumstances, he had the opportunity to join the defense team of his first spy case, Earl Pitts. Subsequently, Plato Cacheris, the attorney of Robert Hanssen, invited Dr. Charney to join his defense team, which added a further dimension to his experience. With the addition of his third spy case, Brian Regan, Dr. Charney further deepened his knowledge of the psychological nuances of captured spies. As a member of their defense teams, Dr. Charney was perceived by these insider spies as an understanding and supportive figure, which lowered their defensive mindsets, and provided a truer picture of their inner lives. Many common assumptions of spy motivation were brought into question by Dr. Charney’s work. Dr. Charney elaborated his findings in Part One of his White Paper, entitled True Psychology of the Insider Spy. Part Two of his White Paper, entitled NOIR, lays out Dr. Charney’s innovative and perhaps controversial recommen- dations for making use of what he learned to better manage the problem of insider spies. To educate and promote these concepts and ideas, he founded NOIR for USA, a non-profit organization. Its website is:

    ABOUT THE AUTHOR David L. Charney, MD

  • PREVENTION: THE MISSING LINK For Managing Insider Threat in the Intelligence Community

    Counterintelligence Is the Stepchild of The Intelligence Community

    Prevention Is the Stepchild of Counterintelligence

    Detection Gets All the Love

    Dr. David L. Charney Psychiatrist

    ©2018 David L. Charney. Permission is granted to make copies and distribute this White Paper provided acknowledgement is given to the author.



    The Problem: The Insider Threat 1

    Analyzing Failed Links in Security Chains 1

    Missing Links in IC Security Chains: Off-Ramp Exits 1

    Disclaimer 1


    Scope of the Problem 2

    Importance of Prevention Despite Its Neglect 2

    Overly Focusing on Detection at the Expense of Prevention 2

    Great Hopes of the Moment 2

    Dirty Little Secret of Counterintelligence (CI) 2


    The NOIR White Paper Series on Insider Threat, Counterintelligence, and Counterespionage (CE) 3

    CHART: Ten Life Stages of the Insider Spy 3

    NOIR White Paper Part One 3

    NOIR White Paper Part Two 3

    NOIR White Paper Part Three 3

    The Vision: A Full Spectrum Solution for Managing Insider Threat 4


    Rethinking Insider Threat 4

    External Management of Insider Threat (EMIT) vs. Internal Management of Insider Threat (IMIT) 4

    External Management of Insider Threat (EMIT) 4

    Internal Management of Insider Threat (IMIT) 4

    Human Psychology is Central to IMIT-Based Prevention 5

    Situations of Concern 5

    Modern Sales Practices Are Key for Achieving “Left of Boom” Interventions 5


    Not New! IMIT-Based Approaches Already Practiced in Specialized IC Units 6

    Behavioral Change Stairway Model 6

    Full Spectrum Solution for Managing IC Insider Threat Requires EMIT and IMIT 7


    Detection: Strengths and Weaknesses 7

    Detection: Core Mission of Traditional Law Enforcement 7

    Strengths of Detection 7

    Weaknesses of Detection 8

    Factors Contributing to Detection Weakness 8

    Intrinsic Weaknesses 8

    Workplace Barriers That Thwart Detection 8

    Workforce Hiring Paradoxes Within the IC 9

    Net Result of Detection Weaknesses 9

    Detection is Nearly Useless With “Whistleblowers” 9

    Problems in Execution 9

    False Negatives, False Positives, and Other Confusing or Bad Results 9

    Consequences 9

    Proposing a New, Comprehensive Strategy to Prevent, Not Detect, Insider Threat in the US Intelligence Community (IC)

  • Looking Ahead: Excessively Optimistic Claims for New High-Tech Advances 10

    Artificial Intelligence (AI), Big Data, Algorithms, and Machine Learning (ML) 10

    Algorithm Bias: A Newly Named Concept 11

    Paradigm of Home Security Systems 11

    Thresholds in the Context of the IC 11

    Defining Suspects Based on an Algorithm 11

    An Insider Threat Score? 11

    Arbitrary Thresholds Tend to Get Turned into Concrete Categories 11

    Congratulations! You Identified a Suspect. Now What? 11

    High-Tech Indicators: Helpful or Problematic? 11

    Parallels the Problem of What to Do with Weather Forecasts 11

    Bring in the Big Guns: The FBI Will Solve It! 11

    Hassles Managing Suspects 12

    Despite the Hype, High Tech Offers Little Relief for Decision Makers 13

    Defeating the Newest Detection Technology? “Zero Days” Are Every Day 13

    Big Picture Considerations: IMIT Advantages Over EMIT 14

    Easier Decisions 14

    Cheaper 14

    Faster 15

    Easier to Manage 15

    Rescue vs. Catch 15

    SECTION F 15

    Prevention: Strengths and Weaknesses 15

    Strengths of Current Practices 15

    Weaknesses of Current Practices 15

    Cultural: Prevention is the Stepchild of Counterintelligence 15

    Measuring Success: Prevention’s Biggest Problem 16

    Prevention Resources Today Need Strengthening 16

    SECTION G 17

    Building a New Comprehensive Prevention Program 17

    General Considerations 17

    IMIT Concepts Will Be Its Guiding Principles 17

    Useful Starting Fact: About 90% of Insider Threat Actors Are Male 18

    Intervention Windows: When Open and When Closed? 18

    Introduction 18

    First Open Window: Stage 2 (Stress/Spiral Stage): Before Someone Crosses the Line 19

    Intervening During Early and Mid-Stage 2 19

    Closed Windows: Stages 3 and 4: The Blackout Periods 19

    Open Windows: Stage 5 (Remorse, Morning After Stage); Stage 6 (Active Spy Career Stage); and Stage 7 (Dormancy Stage): The Stages After Someone Crosses the Line 19

    Two-Tier Structure Advocated for EAPs 19

    First Tier: Existing EAPs Internal to Each IC Agency 19

    Second Tier: A Second Level EAP — External to the Home Agency 20

  • Resources Must Be Real 20

    An External EAP Has the Advantages of a Third Party 20

    Resources 20

    Making the New Prevention Program Work 21

    Targeting the Correct Audience 21

    Communicating the Right Way with the Target Audience 22

    Packaging Offers 22

    New Prevention Program Should Be Rolled Out in Phases 22

    Phase One: Redefining the Meaning of Spying 22

    Phase Two: Proving the Redefined Meaning of Spying 24

    Phase Three: Getting the Messages Out 24

    Locate Second-Tier Prevention Resources Under the ODNI 26

    Best Practices 26

    Employees Temporarily Immune to Prevention Messages 27

    No Claim This New Prevention Program is a Perfect Solution 28

    Legal Hurdles to Be Overcome 28

    SECTION H 29

    Conclusions 29

    Detection is Necessary But Not Sufficient 29

    Missing Links: Two Off-Ramp Exits 29

    To Move “Left of Boom,” a Full Spectrum Solution is Needed 29

    Final Message 29


  • PAGE 1NOIR White Paper#3: Prevention: The Missing Link

    S E C T I O N A :


    Recent dramatic security breaches have drawn in- creasing attention to the insider threat problem. These breaches have captured headlines and have featured perpetrators such as classic state-sponsored insider spies like the recent Chinese moles as well as so-called whis- tleblowers like Chelsea Manning and Edward Snowden. My previous white paper, NOIR, proposed an off- ramp exit solution, which does not yet exist, for those who have crossed the line. Quoting Sun Tzu: “Always leave your enemy an exit.”1 Extending the logic, why not off-ramp exits, meaning robust prevention mechanisms, for before they cross the line?