Sir David Pepper, who led Britain's electronic eavesdropping agency, says insider threats from rogue employees must be taken as seriously as cyber-attacks from the outside — part of looking at the "whole picture."
"If you're thinking about risks you've got to think holistically," Pepper said Wednesday following an address to the SecureTech conference in Ottawa, a gathering of security professionals.
"You're looking at external attacks, you also have to think about insiders."
Canadian Sub-Lt. Jeffrey Paul Delisle, who recently pleaded guilty to selling secrets to Russia, used floppy discs and USB drives to smuggle the sensitive data from an intelligence centre in Halifax.
Delisle had access to information shared by the so-called Five Eyes allies — Canada, Britain, the United States, Australia and New Zealand.
The five countries realize that swapping sensitive intelligence increases the chance it will spill into the public sphere, said Pepper.
"I'm sure each of them take measures to make sure they minimize the risks to other parts of the collaborative venture. But you can't have collaboration without introducing a level of risk that you need to think about and manage," he said.
"There are all sorts of combinations of insiders and outsiders in technology which potentially could introduce vulnerabilities."
Pepper served as director of the U.K.'s Government Communications Headquarters — the counterpart of Canada's Communications Security Establishment — from 2003 to 2008.
The sophisticated electronic surveillance agencies share secret information on everything from possible cyber-attacks to military intelligence.
Delisle was arrested in January, five years after offering his services to Moscow. He admitted his betrayal upon being confronted with evidence of his communication with the Russians and the regular payments he received for secrets.
Delisle — who claims he acted out of anguish over a broken marriage — said he handed over Canadian Security Intelligence Service reports, material on organized crime, and contact information for U.S. Defence officials and intelligence officers in Australia and Canada.
Pepper said that if an intelligence official "has gone wrong, then you've clearly got to look at your vetting processes and your security management processes, and how you manage people from day to day and year to year."
Defence Minister Peter MacKay and his department have refused to discuss what may have been done to bolster security, saying they cannot discuss the case before Delisle is sentenced early next year.
Pepper's speech to the cyber-security conference stressed the need to look at not just technology, but why people behave the way they do.
When it comes to securing highly sensitive information within an organization, time-honoured practices still apply, he suggested afterwards.
"From that point of view, an insider attack which involves cyber-issues is no different from an insider attack of somebody who puts papers in his pocket and walks out the door," he said.
"It's the same issue. But the 'system' approach, I think, is what really matters to security."