Sleeping with the enemy: The rise of the insider threat in cybercrime

It is not well-known that South Africa as a whole is very vulnerable when it comes to cybercrime attacks and with a cyber-safety score (CSS) of 57.71 for 2023, this country ranks 59 (on a par with Costa Rica and Bangladesh) on the pecking order from most secure to insecure. By comparison, Singapore sits at 24 [CSS of 82.28], Thailand at 39 while Namibia features at an extremely unsafe 91 [CSS of 19.72].

According to the Interpol report identifying top cyberthreats in Africa in 2016, cybercrime cost the South African economy $573 million — more than the $500 million it cost the Nigerian economy.

Perhaps even more shocking is that the so-called insider threat is gaining ascendancy and momentum over external threats, a fact bound to come as a shock to most people in this country.

Accordingly, when a valued friend in the cyber security community sent me the link to a recent successful cyberattack at Coca-Cola in the US, one of the biggest and wealthiest transnational companies (TNCs) in the world, I immediately thought it worth scrutinising the matter for possible lessons to learn.

After all, comparative criminology is nothing if not an exercise in the management of cross-cultural learning. Said in another way, it would almost certainly be to our benefit as a developing country on the periphery of cybersecurity knowledge and skills development to draw on the failures and flaws of companies of the likes of Coke in the US.

Hence, the facts of the case are instructive. Although Shannon Yu, principal chemical engineer at Coke, was only arrested by the FBI in February 2019, by August 2017 she was already engaged in stealing secrets from her employer at Coca-Cola Headquarters in Atlanta, US. Yu was sentenced to 14 years imprisonment in a federal facility after being convicted of intellectual property theft (essentially industrial espionage) in May 2022.

Ostensibly, what led to this scenario, was that Coke began downsizing and laying off its staff component in the second half of 2017 and Yu, a Chinese-born woman, was earmarked as one of those affected.

The Cybersecurity and Infrastructure Security Agency (CISA) defines insider threat as: "The threat that an insider will use their authorised access, intentionally or unintentionally, to do harm to the department's mission, resources, personnel, facilities, information, equipment, networks or systems. Insider threats manifest in various ways — violence, espionage, sabotage, theft and cyber acts."

Clearly the rise in insider threats is seen as a national security risk. Why is this not the case in South Africa?

The same source defines an insider as "any person who has or had authorised access to or knowledge of an organisation's resources, including personnel, facilities, information, equipment, networks and systems".

In the context of the ongoing trade war between China and the US, that Yu is Chinese born is clearly not irrelevant. With the profiling of Chinese scientists in the US suspected of industrial espionage or collusion with China's Communist Party and the general atmosphere of distrust between the two countries, the times are ripe for the theft of trade secrets, such as the coveted liners inside Coke's beverage cans.

The distrust between China and the US is driven in part by the war in the Ukraine and the alleged Chinese spy balloon shot down over US soil. But even more relevant than her country of birth was Coke's negligence, namely failure to immediately revoke Yu's access to sensitive and classified information to reduce the threat of data theft by departing employees.

According to the US Cyber Defense Agency: "Insider threats present a complex and dynamic risk affecting the public and private domains of all critical infrastructure sectors. Defining these threats is a critical step in understanding and establishing an insider threat mitigation programme."

A case could be made for terminating Yu's network access, and employees like her, even before knowledge of her termination is communicated to her. The Cyber Defense Agency defines "intentional threats", such as the one posed and executed by Yu, a malicious insider, as:

actions taken to harm an organisation for personal benefit or to act on a personal grievance. For example, many insiders are motivated to "get even" due to a perceived lack of recognition (e.g., promotion, bonuses, desirable travel) or termination. Their actions can include leaking sensitive information, harassing associates, sabotaging equipment, perpetrating violence, or stealing proprietary data or intellectual property in the false hope of advancing their careers.

Clearly, Yu fell squarely within this category. She began downloading files and photographing material relating to Coke's most closely held secret: "a set of detailed chemical recipes for the 2-micron-thick plastic liners inside the beverage cans Coke filled and sold".

Without the benefit of this liner, the beverage in the container would interact with the material embedded in the actual can and destabilise and change the contents of the drink. Said in another way, the plastic liner was essential to maintain the integrity of the Coca-Cola beverage.

Against this brief background of the case, what lessons can we gain from Yu's case study? These are that even organisations with heavily fortified security stacks, such as Coke, are vulnerable to data theft by hostile insiders and there is a need for more robust internal security controls, including employee awareness training and embedding a strong security culture.

Coke was vulnerable to this vexing problem that is growing in frequency, globally. How much more would this be the case for companies in South Africa who are not even taking the insider threat seriously because of a lack of awareness on this angle to the problem?

Another important lesson which could be derived from a case study of Yu's engagement with Coke, is the seminal observation that she was not an entry-level clerk but part of top management. As principal chemical engineer, her position was essentially akin to that of chief technology officer in the company. As such, her termination by Coke would have entailed a substantial retrenchment package.

Yet this did not stop her from swooping down on Coke and stealing all she could for her future career advancement as Coke's competitor in China, a country for all intents and purposes at war with the US. Imagine an employee stealing proprietary secrets from a public entity such as the Reserve Bank or Eskom (like this company does not have enough to deal with as it is in terms of criminality).

Even though disgruntled employees hardly ever infect networks with this type of malware, it is also worthwhile making reference to the act of terrorism known as "ransomware" in the literature, where "cybercriminals block the computer systems of hospitals and public institutions, then demand money to restore functionality".

Think Eskom. These fellows may also sell their loot on the Dark Web.

Another excellent suggestion is to create a ministry of cyber security — as is the case in Australia, Canada, India and the UK — to protect the integrity of the economy and strengthen the country's critical infrastructure against cyberattacks.

The nub of my argument is that the insider threat is rising and often underappreciated. This is especially the case in countries such as South Africa which is a failed state in many respects, albeit perhaps not in the classical sense of the word. This is the reason for prefacing this piece with the title "sleeping with the enemy".

It is an illusion to imagine cybercriminals as situated in China and Russia only. Cybercriminals are embedded in top management as well.

According to Interpol's Cybercrime Directorate's African Cyberthreat Assessment Report 2021: "More than 90% of African businesses are operating without the necessary cyber security protocols in place."

This needs to change. To this end, the Insider Threat Mitigation Guide is a valuable resource to start addressing the problem.

South Africa, a country racked by corruption and conflict, is prone to cyberattacks and is ripe for exploitation on this most sensitive of accounts. The internet has abolished boundaries and borders.

Let us then not underestimate the enemy we sleep with, however cosy that relationship might be for the moment.

Dr Casper Lӧtter is a conflict criminologist affiliated with North West University's School of Philosophy (Potchefstroom). He has a special interest in cybercrime.

The views expressed are those of the author and do not necessarily reflect the official policy or position of the Mail & Guardian.