Contextualizing the Extremist Insider Threat
By TorchStone VP, Scott Stewart
I recently had the opportunity to participate in a webinar on the threat posed by political extremists inside an organization—the extremist insider threat.
Extremism is a growing problem that is of interest to many of TorchStone’s clients and contacts. Since September also happens to be “Insider Threat Awareness Month,” it is a good idea to discuss what it is, the threat it poses, and how to reduce that threat.
In J.M. Berger’s foundational book Extremism, Berger defines extremism as follows:
“Extremism refers to the belief that an in-group’s success of survival can never be separated from the need for hostile action against an out-group. The hostile action must be part of the in-group’s definition of success. Hostile acts can range from verbal attacks and diminishment to discriminatory behavior, violence and even genocide…Violent extremism is the belief that an in-group’s success or survival can never be separated from the need for violent action against an out-group.”
When we are examining the insider extremist threat, we must be careful to recognize that jihadists and white supremacists are not the only threat actors who pose an insider threat to our organizations.
Individuals who hold any extremist ideology can be a threat.
This can include a wide array of ultra-nationalists, religious extremists, environmental extremists, and single-issue extremists such as Incels, and animal rights activists.
In today’s political climate, anti-vaccination extremists and extremists fueled by other conspiracy theorists such as QAnon, have also become increasingly common.
Not a New Problem
However, the extremist insider threat is not new; it has existed pretty much as long as there has been political extremism.
In the 1960s, two men who would become major figures in the American neo-Nazi movement worked for major aerospace companies: Richard Butler, the founder of the Aryan Nations worked for Lockheed Martin, and William Pierce, the founder of the National Alliance worked at Pratt and Whitney.
While this is not a new problem, it is a growing problem due to two main factors.
Factor 1 – The Adoption of Leaderless Resistance
Counterterrorism successes and programs have made it very difficult for hierarchical terrorist organizations to operate in the U.S., and the West in general, and have also made it increasingly difficult for external terrorist actors to send trained operatives to conduct attacks.
This has resulted in terrorist ideologues adopting and promoting the leaderless resistance model.
This move to leaderless resistance began first with the white supremacist movement in the 1980s and has also been adopted by anarchists, animal rights and environmental extremists, and later, jihadists.
As a result, terrorism conducted by what the U.S. government refers to as “homegrown violent extremists,” or what the British call “self-initiated terrorists” has become the most likely sort of attack to be conducted in the U.S. and the rest of the developed world—and it is these individuals that can pose an insider threat.
Factor 2 – The Rise of Social Media
Self-initiated terrorists can and do become radicalized through personal interactions, but in recent years, social media exposure to extremist ideologies has become increasingly common.
There have been many cases (especially in the U.S.) in which people have become radicalized and then decided to conduct an attack without ever having met another extremist face-to-face.
There are also cases in which a combination of in-person contacts and online propaganda leads to a person’s radicalization, but today it is very rare to encounter a radicalized individual who has not had exposure to propaganda via social media.
Social media has allowed extremist movements to become their own media and has thus become a very powerful tool for both recruitment and operationalization.
It is a tool that allows extremist ideologues and operational planners to interact with people all over the world regardless of their geographic location, and increasingly, it has been used to encourage people to conduct operations in the places where they live.
And this is where this problem of radicalization via social media intersects with the insider threat.
The people that have become—or are becoming—radicalized can either be people who already work for an organization, or they can seek employment or association after becoming radicalized.
Extremism Insider Threat ≠ Violence Only
It is natural to think about the threat of violence posed by insiders.
Rizwan Farook, along with his wife, conducted an armed assault against his county office’s Christmas Party in San Bernardino, CA in Dec. 2015. U.S. Coast Guard Lieutenant Christopher Hasson, a white supremacist arrested in 2019, was allegedly planning to conduct targeted assassinations.
However, physical attacks are only one of the threats posed by extremist insiders. Another type of insider threat is the “skill seeker.”
This is a person who joins an organization hoping to acquire skills that they can then use in furtherance of their extremist cause.
In the past, white supremacist leaders such as Tom Metzger encouraged followers to join the military to gain training in weapons handling, small unit tactics, and demolitions.
However, military skills are not the only ones that could be useful to extremists.
Information technology skills such as system administration, coding, OSINT research, and both offensive and defensive cyber operations, can also be useful to extremists.
The notorious Islamic State propagandist, who went by the handle @shamiwitness, was later discovered to be an executive at an IT company in Bangalore, India.
The third type of extremist insider is what I refer to as an “asset seeker,” or someone who wants to use an organization’s assets in furtherance of an extremist cause.
Of course, this could include an IT specialist like @shamiwitness who wants to use an organization’s IT infrastructure for propaganda, hacking, or other purposes, but other assets can also be helpful to extremists.
The 1993 World Trade Center bombing conspirator Nidal Ayyad, a chemical engineer at Allied Signal, used his position at the company, along with company letterhead, to order the chemicals used to construct the truck bomb used in the attack.
Investigators also determined that Ayyad used his company computer to write a letter he sent to the New York Times claiming responsibility for the bombing.
Another type of extremist insider threat is the “information seeker,” or someone who wants to obtain information from an organization for the benefit of their extremist cause.
We have seen members of animal rights extremist groups such as SHAC penetrate companies and academic laboratories that do research on animals to obtain photos and videos of that research for use in propaganda products.
While an attacker poses a one-time threat, the other categories of inside threat actors can be persistent threats who may be able to stay embedded within an organization and cause damage for months, or even years, before being detected.
Mitigating the Insider Extremist Threat
The first step in mitigating any threat is awareness, and this threat is no different.
Effective mitigation necessitates that awareness is present at every level of the organization, including leadership.
If organizational leadership does not support an insider threat prevention program, it is very difficult for lower-level personnel to be effective.
While many insider threat programs lean heavily on technical tools to spot suspicious activity, employees are a critical front-line defense against extremist insiders.
The corporate security team, HR, corporate legal, etc. commonly do not have much daily interaction with most employees in an organization—far less contact than co-workers and direct supervisors have.
Because of this, co-workers and people managers need to be educated about the threat posed by insiders and what to look for.
The pathway to violence does not only apply to physical attackers—insider extremists who are skill seekers, asset seekers, or information seekers will also progress along the same pathway to other extremist behaviors.
Educational programs also need to include to whom and how to report suspicious activity, as the way that suspicious activity is handled will make or break an insider threat program.
Trust is hard to earn and easy to lose, and if reports of suspicious activity are not handled in a confidential and competent manner, employees will quickly become reluctant to report anything.
Vetting is another critical component of an insider threat program.
This applies not only to pre-hire screening, but also periodic re-screening, or even better, ongoing monitoring.
One area of vetting that is often overlooked is contract employees.
It is important to check on the vetting programs of companies that are supplying contract employees to ensure that they meet the standards of your organization rather than just assume that contract employees have been properly vetted.
Countering the threat of violent extremist insiders is not just the responsibility of the police or corporate security.
It is a community responsibility, and every person in your organization plays a critical role in keeping your company and the larger community safe from the threats posed by extremist insiders.