was written by Caroline Gustavson,
an intern with NTI’s Science and Technical Affairs Program. Gustavson graduated
from the University of Georgia and will join Deloitte’s Government Consulting branch
On September 18th, 2001, just seven days after
the attacks on 9/11, anonymous letters covered in anthrax spores were sent to news
media companies and congressional offices. Five people were killed and 17
others infected in what was commonly referred to as the Amerithrax attack. The
attacks would lead to an investigation lasting more than 10 years that focused
on a central question: Who would do such a thing? On June 25th, Dr. Ronald
Schouten came to NTI to answer this very question.
Schouten, director of the Law & Psychiatry Service of
Massachusetts General Hospital and Associate Professor of Psychiatry at Harvard
Medical School, began his NTI Seminar lecture explaining that insider
threats come from individuals with “authorized access to an organization’s
resources” who will use this access to “wittingly or unwittingly” harm their
Of course, NTI’s audience was interested in how insider
threats could apply to the weapons of mass destruction (WMD) realm. Schouten
explained that there’s a lack of literature examining WMDs and insider threats.
In two relevant reports—a 1990 report by terrorism expert Bruce Hoffman and a 2008
report from the International Atomic Energy Agency—no specific examples
of insider threats in the nuclear world were cited.
At the same time, there are relevant examples—and Amerithrax
is one—that illustrate the vulnerabilities and make clear how industries might
better protect themselves.
Schouten noted that insiders typically commit various
forms of financial, cyber, and scientific fraud. A report from Carnegie Melon
found that approximately 43 percent of data breaches were carried out by
insiders. Why would they do that? Schouten described these insiders as
“grievance collectors” who pose an even greater threat to industries and
organizations than outsiders. Circling back to the Amerithrax attack, it seemed
at first impossible that it was the work of an insider. Wouldn’t a high-level
government security clearance review have uncovered the threat?
Dr. Bruce Ivins, the leading suspect who killed himself in
2008 as the FBI was closing in, was not only a respected scientist and Department
of Defense (DOD) employee, but a beloved friend, husband, and father who would
write witty poems for his colleagues upon their retirement. On the surface, Ivins
was a bright, ordinary guy doing his job as a senior biodefense researcher. It
wasn’t until years into the FBI investigation of the Anthrax attacks that the
FBI began to home in on Ivins. A DOD co-worker of Ivins told an investigator
that “there’s no way Bruce Ivins did it.” The therapists Bruce Ivins had seen
in the past would argue otherwise.
According to these therapists, Schouten said, Bruce Ivins
was one of the “creepiest” patients they’d seen, and they believed him to be capable
of committing the anthrax attacks, noting that he even had a hit list. He also
had a long-simmering grievance against the Kappa Kappa Gamma sorority after
being rejected by a woman at his college chapter. On multiple occasions, Schouten
said, Ivins would drive over 500 miles round trip to KKG sorority houses and confiscate
insignia. How did the government miss such disturbing information? As the
investigation continued, it was clear Ivins had been struggling with mental illness
and that he did pose a clear insider threat.
On clearance forms, Ivins had written question marks next to
inquiries about multiple personality disorders and depression. No one ever
followed up on this. His therapists had submitted by letters that should have
raised flags, but they were never read because of their “length and
What does all of this mean for the nuclear security community?
Schouten outlined existing and emerging vulnerabilities that should be taken
into consideration. As a result of a shrinking skilled-labor pool, insider
threats are exacerbated by an increase in uncertified and inadequate staff,
declining morale, and a rise in domestic and international extremism that may
increase motivations for insider threats. Schouten suggested organizations focus on vulnerabilities, increase awareness of blind spots, ensure
adequate pre-screening mechanisms, and enforce monitoring to mitigate insider
threats and prevent deadly attacks like Amerithrax.