Insider Threat: Case Study – Jareh Sebastian Dalke

The ‘insider threat’ is posed by a person – a ‘trusted insider’ – who uses the position of trust they have been granted by an organisation to cause harm to that organisation.

What is an insider threat?

The harm can manifest in many ways, including theft of assets such as data, materiel, intellectual property or sensitive information.

There are many reasons or drivers for insider threat behaviour.

The person may not intend to cause harm: these are ‘unintentional insiders’. For example, they might share a password, develop a ‘work-around’ for a cumbersome business process that in turn creates a vulnerability, make an error because they are overworked, or click on a phishing email.

Or the person may intend to cause harm: these are ‘intentional insiders’. They might do this because they are disgruntled with their employer, under financial stress, coerced by organised crime or recruited by a hostile intelligence service, or because they are exacting revenge on their employer or colleagues for some slight or missed promotion.

Insider threat case study – Jareh Sebastian Dalke

Jareh Sebastian Dalke is a former U.S. Army enlisted soldier who worked as a civilian Information Systems Security Designer at the United States’ National Security Agency (NSA).

Dalke held a Top Secret clearance and maintained access to Sensitive Compartmented Information.

Dalke began working at the NSA in June 2022 and soon after requested a nine-month leave of absence to help a family member with a medical condition. In June 2022, after his extended leave request was denied, Dalke submitted his resignation and finished with the NSA in July 2022.

During his stint with the NSA, Dalke printed and improperly retained three classified documents. In August 2022, Dalke began using an encrypted email account to communicate with an individual he believed to be a “Russian agent”. The “Russian agent” was in fact a Federal Bureau of Investigation (FBI) covert employee.

Dalke told the “Russian agent” that he was in financial need and had a desire to cause change.  Dalke transmitted excerpts of three classified documents, all of which contained Top Secret / Sensitive Compartmented NSA information.  Dalke noted these were just a “small sample of what is possible.”

After receiving cryptocurrency worth approximately US$16,500, Dalke requested US$85,000 in return for all the information in his possession.

Preparations were made for Dalke to transmit the complete classified documents via a secure digital connection.

On 28 September, the same day he had accepted an offer of re-employment with the NSA, Dalke travelled to the predetermined site to transmit the classified documents. Moments after the files were transmitted, he was arrested by the FBI.

Dalke pleaded guilty on 3 October 2023 to six counts of attempting to transmit classified information to an agent of the Russian Federation. He was sentenced to 262 months in U.S. federal prison.

The FBI investigation identified the following:

  • Financial considerations – Dalke was experiencing significant financial difficulties, including debts exceeding US$237,000. Approximately US$93,000 of this debt was “coming due very soon.” He had previously filed for bankruptcy in 2018.
  • Health/medical stressors – Dalke’s request for extended leave due to “family illness,” if legitimate, would indicate significant personal stress.
  • Information handling – Dalke was employed for only 11 days before he began to print classified material.
  • The documents Dalke improperly retained and transmitted to the “Russian agent” related to foreign military capabilities, updates to a U.S. cryptographic program, and threat assessments related to sensitive U.S. defence capabilities. According to the FBI, “If Dalke had been successful, the repercussions would have been severe.”
  • Dalke had sworn an oath to defend the United States.
  • Dalke told the “Russian agent”, “I recently learned that my heritage ties back to your country, which is part of why I have come to you as opposed to others.”
  • Dalke also stated he originally applied to the NSA because he “questioned our [America’s] role in damage to the world in the past and by mixture of curiosity for secrets and a desire to cause change (sic).”
  • Dalke noted he had access beyond what he should “due to a misconfiguration in the system.” He described the information as relating to foreign targeting of U.S. systems and information on cyber operations, as well as other topics.
  • Not long after his resignation, Dalke re-applied to the NSA. On 28 September 2022, less than three months after his original termination, Dalke was offered and accepted a new position at the same NSA facility.

Lessons for Australian critical infrastructure entities

To join the NSA, Dalke was subject to the most intrusive and mature vetting and security assessment process in the United States, and certainly one of the most rigorous vetting processes in Western democracies. Yet the indicators that should have been visible through that vetting process, and which might have placed him in the category of prospective insider threat, were not identified. In Australia, private sector entities do not have access to the vetting information sources available to government or the intelligence agencies, so it is easy to see how an insider threat might be recruited in the private sector.

The case highlights why critical infrastructure entities must carefully identify critical workers — individuals whose access, authority, or influence could materially impact the functioning, security, or resilience of essential assets and services.

In critical infrastructure environments, the consequences of insider threat can extend beyond the organisation itself, potentially impacting essential services, public confidence, economic stability, and national resilience.

NSA decided to invest Dalke with the highest level of trust – a TOP SECRET clearance – that can be bestowed.

Dalke had significant financial stress.  This should have been identified in the pre-employment screening process.

Dalke’s stated reasons for applying to the NSA would, had he given them during the pre-employment vetting process, almost certainly have disqualified him from employment. His comments are completely at odds with the ethos and function of the NSA. Translated to an Australian critical infrastructure example: a water entity would be ill-advised to recruit a candidate who, during pre-employment screening, was found to have protested and published articles opposing fluoridisation of community water supplies, or who told the recruiters as much.

Dalke’s removal of classified material within 11 days of commencing employment at NSA strongly suggests premeditation and intent to misuse trusted access.

Foreign influence, undeclared associations, coercion vulnerabilities, or conflicting allegiances may, in certain high-risk environments, contribute to insider threat risk. These factors should never be assessed on the basis of ethnicity, religion, or ancestry alone, but can be relevant and so should be considered where applicable.  Assessment should always be exercised through lawful, proportionate, role-based, and behaviour-focused personnel security processes.

Personnel security measures should be lawful, proportionate, risk-based, and aligned to the sensitivity of the role, the level of access granted, and the criticality of the asset or function.

Dalke had access to systems and information for which he had no need.  Organisations need to ensure they adopt a policy of ‘least privilege’ in terms of physical and data access and enforce it through monitoring as part of an insider threat program.
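As an added illustration of what enforcing ‘least privilege’ through monitoring can look like in practice (this is not code from the original article), the following Python script audits constructed sample access events against role entitlements and also flags printing of highly classified material early in a person’s tenure, the two indicators the Dalke case surfaces. All user ids, compartment names and dates are constructed.

```python
# Added example: audit constructed access events for two insider-threat indicators:
#  1. access outside the user's role entitlement (least-privilege drift / misconfiguration)
#  2. printing of highly classified material within the first weeks of employment
from datetime import date

# Constructed role entitlements: compartments each role legitimately needs.
ENTITLEMENTS = {
    "sys-security-designer": {"SYSTEM-DESIGN", "ACCESS-POLICY"},
    "analyst": {"THREAT-ASSESS", "TARGETING"},
}

# Constructed staff directory: role and start date per user id.
STAFF = {
    "u1001": {"role": "sys-security-designer", "start": date(2022, 6, 6)},
    "u1002": {"role": "analyst", "start": date(2019, 3, 1)},
}

# Constructed audit events: (user, day, action, compartment, classification).
EVENTS = [
    ("u1001", date(2022, 6, 10), "read", "SYSTEM-DESIGN", "S"),
    ("u1001", date(2022, 6, 14), "read", "TARGETING", "TS"),   # outside role
    ("u1001", date(2022, 6, 17), "print", "TARGETING", "TS"),  # day 11, TS print
    ("u1002", date(2022, 6, 17), "print", "THREAT-ASSESS", "TS"),
]

def beyond_entitlement(events, staff, entitlements):
    """Return (user, day, compartment) for events the user's role never needed."""
    hits = []
    for user, day, _action, comp, _cls in events:
        allowed = entitlements.get(staff[user]["role"], set())
        if comp not in allowed:
            hits.append((user, day, comp))
    return hits

def early_tenure_prints(events, staff, window_days=30, levels=("TS",)):
    """Return (user, days_since_start, compartment) for prints of material at the
    given classification levels within window_days of the user's start date."""
    hits = []
    for user, day, action, comp, cls in events:
        tenure = (day - staff[user]["start"]).days
        if action == "print" and cls in levels and tenure <= window_days:
            hits.append((user, tenure, comp))
    return hits

if __name__ == "__main__":
    for h in beyond_entitlement(EVENTS, STAFF, ENTITLEMENTS):
        print("ACCESS OUTSIDE ROLE:", h)
    for h in early_tenure_prints(EVENTS, STAFF):
        print("EARLY-TENURE PRINT:", h)
```

In a real program the entitlement table comes from the HR/IAM system of record and the events from print and file-access audit logs; the point is that a hit on either check is a personnel-security review trigger, not a verdict.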

Effective insider threat mitigation depends not only on screening and monitoring, but also on a strong security culture where personnel understand their responsibilities, report concerns early, and recognise that trusted access carries ongoing obligations.

Insider threat incidents rarely result from a single failure.  They often emerge from a combination of personnel vulnerabilities, access control weaknesses, governance gaps, cultural issues, and inadequate monitoring.

Key message?

The pre-employment screening process is the best opportunity an entity has to detect, explore, and decide to accept or decline a candidate who shows signs of any of the known drivers of insider threat behaviour. 

Pre-employment screening is only the beginning of personnel security.  Trusted worker programs and insider threat frameworks require ongoing suitability assessment throughout the employment lifecycle, particularly where individuals hold privileged access, experience major life stressors, or operate in sensitive environments.

Prevention is better than cure.  Had Dalke not been identified and arrested before rejoining NSA, then how much more harm could he have caused over perhaps many years?
