Black Market Data Services in China
In November 2024, a U.S. cybersecurity company briefed analysts on their monitoring of a clutch of ‘black market’ services in China offering inexpensive access to Chinese citizens’ data.
Reportedly, the sellers of these services gain access to citizens’ data by recruiting insiders from Chinese surveillance agencies and government contractors, then reselling this access to any online buyer. For as little as a few dollars in cryptocurrency—the preferred or sometimes only method of payment—anyone can query:
- Phone numbers
- Banking details
- Hotel bookings
- Flight records
- Location data.
The Recruitment of Insiders
Researchers have found that some services draw on breached databases and commercially collected data sources, such as those offered by Western data brokers, including location data gathered by many free smartphone apps. Other vendors appear to rely on insiders with legitimate access at:
- Technology and telecommunications firms
- Banks
- China’s state surveillance agencies.
The vendors actively advertise to recruit insiders looking for an extra source of income. One ad reads: “Sincerely looking for public security personnel to establish cooperation.” Another post invites “internal personnel from public security, civil affairs, and banks to cooperate with the service.” “We welcome elites from all industries who have internal search conditions to join us!” reads another post.
One vendor even promises more than 10,000 yuan (AUD$2,100) daily for data access, while others offer up to 70,000 yuan (AUD$15,000). For many insiders, with an average annual salary of around AUD$45,000, this is an extremely tempting offer.
Earlier in 2024, a leaked chat from a Chinese cyberespionage contractor working for the Ministry of Public Security and the Ministry of State Security revealed one employee saying to a colleague (translated and contextualised): “I am just here to sell intelligence.”
Insider Threats in Australia
We at Pentagram Advisory understand that insider threat is both ancient and contemporary. In Australia, Defence, intelligence, and federal government agencies have been managing insider threats for decades, often in collaboration with Five Eyes partners and other allies.
More recently, the need to recognise, address, and mitigate insider threats has expanded to academia and the private sector. This shift has been underscored by:
- The Australian Security Intelligence Organisation (ASIO)
- The Security of Critical Infrastructure Act 2018
- The Security of Critical Infrastructure (critical infrastructure risk management program) Rules 2023
In November 2024, the Department of Home Affairs introduced a new requirement under the Protective Security Policy Framework (PSPF):
Requirement 51: “An insider threat program is implemented by entities that manage Baseline to Positive Vetting security clearance subjects to manage the risk of insider threat in the entity.”
This new requirement applies to all entities subject to the PSPF or other arrangements involving security clearances.
Not only is insider threat ubiquitous, but its causes are clearly understood, irrespective of the culture one belongs to or the language one speaks. Insider threat is part of the human condition.
When an organisation fails to address these vulnerabilities, it risks severe damage to its operations and reputation.
How to Balance Focus Between Technology and People?
In recent years, there has been a noticeable shift in Insider Threat Program strategies from human-centric approaches to technologically enabled solutions and behavioural system monitoring. While virtual data streams from diverse sources can offer enhanced insights into risk activities and the profiles of individual employees, this is contingent on an organisation having the data analytics capability and skilled staff to interpret and analyse the information. However, systems and virtual behavioural data monitoring are only one piece of the puzzle.
Insider threat, at its core, is about people. People are complex and often unpredictable—there is no formula for understanding human behaviour. Even the most advanced information systems may struggle to identify when a disgruntled employee needs help or has become a security risk.
Our approach to an insider threat program not only focuses on technology but also prioritises the human element, equipping your organisation to:
- Bolster employee wellbeing, performance, retention, and workforce diversity
- Establish an effective organisational response to incidents, mitigating insider threats
- Enhance loyalty and foster a robust security culture across the organisation.
By balancing technological solutions with a focus on people, your organisation can create a comprehensive and resilient insider threat program that truly addresses the complexities of insider threats.
Is Your Insider Threat Program Fit for Purpose?
At Pentagram Advisory, we specialise in helping organisations to establish or evaluate their insider threat programs. We focus on advising or educating organisations on how to establish a holistic, human-centred insider threat program that strikes a balance between ever-evolving information systems and the need for a strong, healthy, and mission-focused culture.
We tailor solutions to align with the unique operating context of each entity while working within available resources. Talk to us today to ensure your insider threat program is robust, practical, and fit for purpose.