This post was written by Caroline Gustavson, an intern with NTI’s Science and Technical Affairs Program. Gustavson graduated from the University of Georgia and will join Deloitte’s Government Consulting branch in July.
On September 18th, 2001, just seven days after the attacks on 9/11, anonymous letters covered in anthrax spores were sent to news media companies and congressional offices. Five people were killed and 17 others infected in what was commonly referred to as the Amerithrax attack. The attacks would lead to an investigation lasting more than 10 years that focused on a central question: Who would do such a thing? On June 25th, Dr. Ronald Schouten came to NTI to answer this very question.
Schouten, director of the Law & Psychiatry Service of Massachusetts General Hospital and Associate Professor of Psychiatry at Harvard Medical School, began his NTI Seminar lecture explaining that insider threats come from individuals with “authorized access to an organization’s resources” who will use this access to “wittingly or unwittingly” harm their own organization.
Of course, NTI’s audience was interested in how insider threats could apply to the weapons of mass destruction (WMD) realm. Schouten explained that there’s a lack of literature examining WMDs and insider threats. In two relevant reports—a 1990 report by terrorism expert Bruce Hoffman and one from the International Atomic Energy Agency—no specific examples of insider threats in the nuclear world were cited.
At the same time, there are relevant examples—and Amerithrax is one—that illustrate the vulnerabilities and make clear how industries might better protect themselves.
Schouten noted that insiders typically commit various forms of financial, cyber, and scientific fraud. A report from Carnegie Mellon found that approximately 43 percent of data breaches were carried out by insiders. Why would they do that? Schouten described these insiders as “grievance collectors” who pose an even greater threat to industries and organizations than outsiders. Circling back to the Amerithrax attack, it seemed at first impossible that it was the work of an insider. Wouldn’t a high-level government security clearance review have uncovered the threat?
Dr. Bruce Ivins, the leading suspect who killed himself in 2008 as the FBI was closing in, was not only a respected scientist and Department of Defense (DOD) employee, but a beloved friend, husband, and father who would write witty poems for his colleagues upon their retirement. On the surface, Ivins was a bright, ordinary guy doing his job as a senior biodefense researcher. It wasn’t until years into the FBI investigation of the anthrax attacks that the FBI began to home in on Ivins. A DOD co-worker of Ivins told an investigator that “there’s no way Bruce Ivins did it.” The therapists Bruce Ivins had seen in the past would argue otherwise.
According to these therapists, Schouten said, Bruce Ivins was one of the “creepiest” patients they’d seen, and they believed him to be capable of committing the anthrax attacks, noting that he even had a hit list. He also had a long-simmering grievance against the Kappa Kappa Gamma sorority after being rejected by a woman at his college chapter. On multiple occasions, Schouten said, Ivins would drive over 500 miles round trip to KKG sorority houses and confiscate insignia. How did the government miss such disturbing information? As the investigation continued, it was clear Ivins had been struggling with mental illness and that he did pose a clear insider threat.
On clearance forms, Ivins had written question marks next to inquiries about multiple personality disorders and depression. No one ever followed up on this. His therapists had submitted letters that should have raised flags, but they were never read because of their “length and illegibility.”
What does all of this mean for the nuclear security community? Schouten outlined existing and emerging vulnerabilities that should be taken into consideration. As a result of a shrinking skilled-labor pool, insider threats are exacerbated by an increase in uncertified and inadequate staff, declining morale, and a rise in domestic and international extremism that may increase motivations for insider threats. Schouten suggested organizations focus on vulnerabilities, increase awareness of blind spots, ensure adequate pre-screening mechanisms, and enforce monitoring to mitigate insider threats and prevent deadly attacks like Amerithrax.