If you have people, you have an Insider Risk: A David Smith case study
You probably will have heard in the media about the recent case of David Smith, a former Security Guard at the British Embassy in Berlin, sentenced to over 13 years in prison for spying on behalf of a foreign intelligence agency. In this blog we will discuss how Smith was able to conduct insider activity on behalf of Russian State Actors and outline key actions that your business can take to reduce insider risk.
The facts of Smith’s insider activity are outlined in Figure 1. However, the timeline in isolation only provides part of the story. As is often the case, there were numerous moving parts that collided to culminate in a significant, damaging insider act.
Figure 1: Timeline of Smith’s Insider Activity
Smith worked in various roles in the military and aviation sector prior to his role as a Security Guard at the British Embassy in Berlin in 2016. Smith’s move to Germany circa 2002 was reported to have been prompted by financial struggles, but finance does not appear to be the primary motivation for his act, although did later feature as a secondary motivation.
The Build Up to Becoming a Spy
Smith experienced significant stressors in his life in the period leading up to, and during, 2018. His Ukrainian wife moved back to her country of birth, which may have contributed to his self-reported depression and excessive drinking. Previous research into insider risk by NPSA (formerly CPNI) shows these to be issues of concern when they have an impact in the workplace.
The Perfect Storm
Motivations are often complex and intertwined, and indeed, this appears to be the case here. We cannot say for certain when Smith’s hostility towards the UK began but it was referenced in the Judge’s sentencing remarks as a motivating factor. His self-reported depression and excessive drinking may have been exacerbated by the COVID-19 pandemic, when Smith was not only living alone but also working at the Embassy when onsite staff numbers were greatly reduced. Smith declared interest in conspiracy theories, his sympathies towards the Russian State and his feelings of ill will towards his employers and the British Government, all of which are also concerning factors. The culmination of these factors, according to the Judge’s sentencing remarks, influenced Smith’s decision to progress down the pathway of undertaking an insider act.
Motivations are, in part, influenced by the difficulty of the task – the more difficult something is, the greater the motivation required to act. So, the responses to the pandemic meant that Smith could access sensitive materials with much greater ease, due to fewer Embassy employees being onsite and significant changes to his operating environment. If we view motivational factors alone, we fail to see the whole picture. But, by viewing motivations alongside the contextual factors, we can begin to understand how Smith’s behaviour manifested and concluded in an insider act.
Smith also appears to have been paid by Russian State Actors for his actions. In cases of espionage, financial motivation is often not an initial factor, but it can become a significant motivator to continue to act. This is because, while the individual might not initially need money, they become accustomed to the additional income and those benefits, and this can motivate them to continue to act after the initial motivational factors (such as disgruntlement or ideology) have waned. If Smith was indeed receiving enough money to sustain his daily living costs, this may have made it more difficult for Smith to stop his actions had his disgruntlement reduced.
A key element of this case study is that Smith had some legitimate access, albeit low level. Crucially, he exploited this low-level clearance to obtain sensitive information that he had no justifiable reason to access and caused significant damage by sharing this information with Russian State Actors. Smith’s actions highlight that insider risk does not only apply to vetted personnel. Individuals with low level clearance, who identify methods to exploit this access, can also cause harm. This case highlights that those with perceived low level access can also be of interest to State Actors.
Figure 2: Smith Photographing the Embassy’s CCTV System
Smith is currently serving 13 years 2 months in prison after being convicted of spying for Russian State Actors. Although we cannot go into detail about the extent of the damage caused by Smith, it was certainly significant. Though the exact financial impact cannot be determined, the British Embassy in Berlin spent in excess of £800,000 updating their security protocols. The Judge’s sentencing remarks also highlighted the impact his actions could have had on our relationships with our allies. Finally, and critically, Smith put his ex-colleagues at risk by sharing their identities, including names, dates of birth and home addresses, with Russian State Actors. His actions caused irreversible hurt and damaged trust across the Embassy community.
As well as being a fascinating example of modern-day espionage, there are some clear messages for any organisation to consider when assessing and seeking to reduce insider risk across your business.
If you have people, you have insider risk.
Insider Risk Mitigation needs to be an ongoing programme for it to be effective. Your programme must start with well understood Leadership and Governance structures which feed into your organisation’s wider protective security risk management.
Your business must have in place effective welfare mechanisms enabling staff to share and address issues before they escalate; this may include access to professional support channels for changes in life circumstances or regular communications through periods of significant disruption to help reduce the risk of potential staff disaffection.
Consider how your business prepares for insider acts. Are you prepared to deal with such an incident occurring?
NPSA provide a range of information and guidance on assessing and mitigating insider risk. See the NPSA Insider Risk Mitigation Framework for more information.
Shaw, E., & Sellers, L. (2015). Application of the critical-path method to evaluate insider risks. Studies in Intelligence, 59(2), 1-8.
Insider, C. (2014). CPNI Insider Data Collection Study Report of Main Findings Introduction.