Corporate insiders who sabotage computers so sensitive they risk endangering national security or the economy commonly are motivated by revenge against their bosses, according to a government study released Monday.
The study, paid for by the Department of Homeland Security, examined dozens of computer-sabotage cases over six years to determine what motivates trusted insiders to attack and how their actions damage the country's most sensitive networks and data.
The review described most attackers as disgruntled workers or former employees — typically working in technology departments — who were angry over disciplinary actions, missed promotions or layoffs. The attacks included deleting vital software or data, posting pornography on an employer's Web site or crippling whole networks.
The study said most saboteurs showed troubling signs before the attacks: truancy, tardiness, arguments with co-workers or shoddy performance. Nearly all the employees took some steps to conceal their identities online — sometimes even posing as co-workers — as they plotted their attacks. Attackers ranged from teens to retirees.
In one case highlighted in the study, an unidentified employer said he recognized unusual behavior by one saboteur — who shut down the company's communications for more than two days over a dispute involving a severance payment — but attributed the behavior to the worker being a "weird tech guy."
"These were not impulsive acts that couldn't be prevented," said Matt Doherty, head of the Secret Service National Threat Assessment Center.
The report recommended that managers pay attention to employees facing disciplinary action and that companies provide formal grievance procedures for workers who believe they were treated wrongly.
Most of the attacks cost employers less than $20,000 in damages, but at least two of the sabotage cases cost more than $10 million in damages, according to the report (PDF file), released by the Secret Service and the U.S.-funded CERT Coordination Center at Carnegie Mellon University. Previously known as the Computer Emergency Response Team, CERT was created to study software flaws.
The report acknowledged it is nearly impossible to estimate the frequency of insider attacks against corporate computers because victimized companies often don't report them. It said companies fear bad publicity and prosecutors sometimes fail to uncover enough evidence to file criminal charges.
Its review of 49 such attacks included only those launched against industries deemed vital to national security and the economy, such as banks, utilities and defense contractors. All the attacks studied occurred between 1996 and 2002 and were reported to authorities or otherwise covered by media organizations. The study said it did not examine insider attacks where employees sought to steal information to sell for profit or blackmail.