2020-08-31 - Paying insiders to expose the bad guys

A recent news story about a Russian gang trying to pay a Tesla employee to install malware raises an interesting question about financial incentives.

Bad actors try to identify and target insiders who (1) have sensitive access to systems, documents or other material and (2) are vulnerable to financial persuasion. While the former is mundane -- lots of insiders have such access -- the latter is interesting: who would risk jail time to assist an obviously bad actor? In most cases, only someone whose personal circumstances are dire -- perhaps due to a costly divorce settlement, high healthcare expenses (in the US anyway), gambling debt, or some other financial calamity.

Most people approached with a request like this would simply report it to the police, but some may be desperate enough to entertain going through with the requested activity, be it theft of sensitive documents or insertion of malware, as was the case at Tesla.

What if employers had a standing policy of not only protecting whistleblowers, but also paying them? Someone in financial distress, approached by a malicious actor, could not only feel secure in exposing them and assisting in an investigation, but could also have relieved some of the financial pressures that presumably made them vulnerable in the first place.

Employers could institute a policy of paying a (possibly substantial) reward to employees or contractors who help catch would-be attackers. This is relatively inexpensive when compared to the cost of a successful compromise of their security. I've never heard of an insider being offered more than a million dollars to do something illicit. Presumably, such a policy would significantly reduce the risk to employers.

There is an obvious question of abuse, but it can be easily resolved. Rewards should only be payable when some legal milestone is reached, such as the bad guys being indicted, arrested or convicted. There could even be different payouts at each of these stages of the legal process.

This, of course, is in addition to the risk of jail time an insider already faces if they cooperate with a bad actor and are caught.

Such a policy could close a major avenue (payouts) by which bad actors manipulate insiders into collaboration. It does leave other avenues open, such as blackmail, patriotism or bad feelings about the organization or key figures within it.

UPDATE: Adam Shostack writes an interesting piece about threat modeling, including threats posed by insiders, here.

