When liaising with those who are responsible for security vetting and background checking prior to the recruitment of personnel who have a special requirement to respect national security, one common thread stands out; much of it relies on subjectivity, human instinct, and, perhaps most worryingly, individual judgement based on nationality, race, or place of birth.
Simultaneously, insider attacks are steadily rising every year, and espionage is no longer the stuff of nightmares, spoof series and crime novels but exists all around us from every corner of the planet. Those that live or work in areas where the core of national intelligence or manufacturing secrets reside have even learnt to turn a blind eye. I was once approached by a Chinese journalist, apparently working in Stockholm on behalf of a Chinese newswire, to do some work for them when I was studying for my Masters in Investigative Journalism at the University of Gothenburg. The telephone number he rang from was certainly a Swedish number, but I found it rather strange that he didn’t speak a word of Swedish, seeing as his job was Swedish reporter. Now I look back, I am almost sure that his job was to scan and collect information and share it with government officials in China. He had managed to poach a few naïve journalism students over the years who were grateful for the little extra money each month.
Academics are notoriously poorly paid, and students, even those on paid doctorates, are often struggling to make ends meet, a rather unsavoury phenomenon considering their level of education and intellect. Simultaneously, academic institutions are the source of knowledge and innovation that dictates the future of engineering, economics, and science for decades to come. They house the very core of truth within their walls, often waiting for the industry to take notice and utilise this intelligence for public good. It’s not surprising that they attract people who wish to benefit from such research and intelligence, perhaps sharing that protected (or unprotected) intellectual property with their own networks, in some cases back on their own home soil, for the benefit of another nation.
It is often assumed that there is a direct link between those that attempt to discover and share trade and academic secrets with their own network and the foreign threat actor who wishes to use it for their own good or perhaps even as a weapon against the nation where the intellectual property belongs. However, the reality can be quite different. Usually there are ‘middle-men’ (or women!) whose role is to strengthen the connectivity of the network while remaining discreet for maximum effect. In this way, one mediator can liaise with several information sources, all of them oblivious to the real end destination of the information they share.
So, if those being recruited to share the information, whether in academic institutions, public or private sector organisations, are oblivious to their role in espionage, fraud, or sabotage, how can one identify those individuals and prevent the spread of confidential national secrets? Technical controls can go some way to monitoring patterns of behaviour to see if anything untoward is happening, but many organisations don’t want to wait until these security breaches develop and engage in security vetting at the recruitment stage to try to recruit only very trustworthy individuals with a squeaky-clean background history.
However, with limited tools available to assess individuals for their susceptibility towards insider threat, they resort to security vetting interviews, based on an individual subjectively interviewing the candidate to gauge integrity. I have been informed by those individuals that often the decision as to what risk category to put them in comes down to where they have lived or whether they are a national of a hostile state or one that has an interest in gaining from secretive information.
What does this mean for the future of recruitment and how is it possible to foster a fair recruitment process that is free from discrimination, while being savvy to recruit trustworthy individuals? In some instances, it is necessary to interview these individuals to get a deeper understanding of their history, current situation, and motivations, but these should not alone serve as the deciding factor when choosing to recruit an individual or apply a risk score or profile. Assessments should be free of factors that could lead to discrimination. Otherwise, what will the future hold for us all if we are constantly judged by our race or nationality? Assessment is necessary, but they must be fair.
Anyway, what good is a security vetting interview if the individual leaking information is completely unaware that they are doing wrong, or, as in most cases, they have been recruited during their engagement. It has been said that university professors recruit current students into their murky web of deceit, usually for financial gain. The same university professor will undoubtedly interview new students and may be more interested in their susceptibility towards fraud or deceit than their education or intellect.
And therein lies the problem: who would know, and if they did, who would tell?