I'm catching up on the news from this past week, and I ran across a story from March 1 on the Department of Justice site of a systems auditor who was given access to place software on the computer he was auditing, and he "used that access on numerous occasions to view his supervisor’s email and Internet activity as well as other communications, and to share those communications with others in his office. Kwak carried out his crime and invaded his supervisor’s privacy for personal entertainment; there is no indication he profited financially from his actions." 

The auditor pleaded guilty and "faces a maximum penalty of five years in prison and a fine of $250,000 for the crimes to which he pled guilty."  The crimes included "unauthorized access to a protected computer in furtherance of a criminal or tortious act."

"The prosecution was part of the “zero-tolerance policy” recently adopted by the U.S. Attorney’s Office regarding intrusions into U.S. government computer systems."

I think this type of activity probably occurs quite often.  As just one example, I know of a situation in one company where the documents within the print queue were viewable, and one middle-manager who discovered this made it a daily practice of constantly monitoring the documents printed...and he was quite proud of always having the inside scoop after reading all the emails and confidential memos.  He was very disappointed when the print queue documents became unviewable, along with the document names and those printing them.  He had been using the information he got on the sly to make proposals using others' ideas, joke about others in the organization, and worse.  Too bad the company did not have a policy at the time covering this and his activity.

Many people often only think of criminal activity or fraud when considering the insider threat.  An additional insider threat is clear violation of confidentiality and privacy of others in the workplace.

Notice the actions and the resulting crime to which he pleaded guilty.  Let's see...what types of activities are defined as "unauthorized access to a protected computer in furtherance of a criminal or tortious act"?  Let's look at US Code Title 18, 1030, Fraud and related activity in connection with computers.   Likely this clause:

 
"(3) intentionally, without authorization to access any nonpublic computer of a department or agency of the United States, accesses such a computer of that department or agency that is exclusively for the use of the Government of the United States or, in the case of a computer not exclusively for such use, is used by or for the Government of the United States and such conduct affects that use by or for the Government of the United States;"

But, wait...he had authorization...to the computer system...but was he also given authorization to the email and Internet logs to perform that work?

I wonder how the situation impacted that office? 

Yes, this news story is a few weeks old...but it is still a good example of one of the many types of insider threats that exist, and the consequences.

It is also an example of computer ethics...or the lack thereof.  Just because you have the ability to exploit the information to which you have access does not mean you should...ethics must be promoted and enforced in the workplace. 

Also something good for your awareness files, perhaps.

Technorati Tags
information security
insider threat
government
computer ethics
privacy