Workplace sabotage as an insider threat
My post ‘Product Tampering: A form of Workplace Sabotage’ defines sabotage as “to damage or destroy equipment, weapons, or buildings in order to prevent the success of an enemy or competitor” (Cambridge Dictionary).
When I think about how sabotage can occur in the workplace I find it easier to decompose it into three categories (which align to targets) for the purposes of prevention, detection and response:
- Physical sabotage – intentional damage to a physical thing, such as critical, infrastructure, or device
- IT sabotage – involving international damage to IT equipment or networks, software etc
- Data sabotage – intentional destruction or compromise of valuable information or data, such as Intellectual Property or research data
Sabotage is typically discussed in a wartime context where either enemy agents or special forces, or alternately sympathetic or compromised insiders, do something to benefit a foreign power (for further discussion on threat actors see my previous post). However, we are increasingly seeing acts of sabotage being performed in the workplace.
Acts of workplace sabotage can be perpetrated in person (on-site) or virtually (online). From an insider threat context, we are likely to see cases of workplace sabotage involving disaffected employees, such as:
Does this article resonate with you? Please vote below or subscribe to get updates on my future articles
Interestingly, in its 2006 study CERT refers to workplace IT sabotage as ‘trust betrayal’ and also places espionage in this category, however the paper is silent on including fraud. Fraud is probably the most common form of breach of trust in the workplace.
Don’t forget that workplace sabotage can also be perpetrated by staff members of your suppliers (see here)
To understand sabotage in more detail, we need to examine the elements of this offence.
Sabotage offences in Australia
Sabotage is a criminal offence in Australia at both the federal and state / territory levels. Under Section 82 of the Criminal Code 1995 (Cth), the main elements (abbreviated) of sabotage offences include:
- Intentional damage, destruction or impairment of any thing, substance or material (‘article’) used in connection with Australia’s defence
- Intentional or reckless conduct which results in damage to critical infrastructure with a nexus to a foreign government or its principal
- Intentionally or recklessly introducing a vulnerability into an article, thing or piece of software that has a critical infrastructure or national security purpose which makes it (a) vulnerable to misuse or impairment or (b) capable of being accessed or modified by someone not entitled to do so
- Preparing for, or planning, a sabotage offence
- Any instances of the above with a foreign nexus, including financing, support, oversight or participation
Under Commonwealth legislation, damage to public infrastructure includes anything that: destroys, interferes, results in loss of function or becomes unsafe / unfit for purpose, becomes unserviceable, is lost, limits or prevents access, becomes defective or contaminated, results in a degradation in quality, or causes serious disruption of an electronic system. This definition is quite broad and all-encompassing.
Some offences involving specialist products, such as food, pharmaceuticals or medical devices, may be considered acts of sabotage to the layperson, however these are actually criminalised under various product tampering offences. You can read more about this in my previous post.
How to investigate alleged sabotage in the workplace?
Whilst there is increasingly more research into workplace sabotage, there is very little in the literature on how to actually investigate such offences. This is likely because the majority of similar cases have a nexus to national security and would not be publicly available. However, there is some publicly available US Government guidance which I have adapted below in the following investigative strategy:
- Preserve all evidence as quickly as possible in accordance with local laws and regulations
- Who – determine the person(s) of interest (POI), including those with means, motive and opportunity and any facilators. Was the perpetrator an individual or part of a group? Background investigations should be performed as required
- What – identify the actual target and qualify the extent of damage, noting the affected asset may not actually have been the intended target
- When – confirm the exact time and date of the incident (or as close as possible) and begin building a time-event chart to document developments
- Where – be clear on the precise location and understand any surrounding activities which may have influenced choice of target
- Why – try to understand the reasons or rationale for the incident and the intended target, including consideration of motive and opportunity
- How – understand the type of sabotage involved and methods used. This will likely involve a combination of investigation, analysis and technical examination
- Was there any communication with the media, social media or internal office communications (a) indicating the POI(s) planned or was planning the act of sabotage, or (b) claiming responsibility?
- Is there a foreign nexus such as direction, oversight, funding, communication or logistics?
The investigative steps above need to prove or disprove each element of the offence (previous section), meaning investigators need to prove the POI(s) did, tried, or intended to cause harm or damage or were reckless their actions.
Can insider threat detection systems identify workplace sabotage before or during an event?
Having an understanding of what workplace sabotage is and how it typically occurs, we can turn our minds to how to detect it. There are quite a number of insider threat detection vendors on the market who claim their systems can do this, and there has been a number of academic studies performed in this area, primarily by Carnegie Mellon University (SEI CERT). In a follow up to this post, I will explore these concepts in more detail.
- Commonwealth of Australia. Criminal Code Act 1995 (as amended), Division 82 – Sabotage, https://www.legislation.gov.au/Details/C2022C00324
- Curwell, P. (2021). Product Tampering: A form of workplace sabotage
- Curwell, P. (2021). Defining your ‘Threat Universe’ as a building block of your intelligence capability
- Curwell, P. (2021). HUMINT cycle and the recruitment of insiders
- Curwell, P. (2022). Alert management and insider risk continuous monitoring systems
- Curwell, P. (2022). How can Insider Threats manifest in the Supply Chain?
- Curwell, P. (2022). Applying the critical-path approach to insider risk management
- Miller, S. (2016). Insider Threat Deep Dive on IT Sabotage: Lessons for Organizations (Part 2 of 2), SEI Blog, https://insights.sei.cmu.edu/blog/insider-threat-deep-dive-on-it-sabotage-lessons-for-organizations-part-2-of-2/
DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.