search menu icon-carat-right cmu-wordmark

Insider Threats in State and Local Government (Part 5 of 9: Insider Threats Across Industry Sectors)

Carrie Gardner
• Insider Threat Blog
Carrie Gardner

This post was co-authored by Drew Walsh.

Continuing our industry sector series, this blog post highlights insider threat trends in the State and Local Government subsector and explores distinct characteristics of fraud, the most common insider case type in the CERT Insider Threat Corpus for this subsector.

State and local governments, including emergency services, make up nearly half of the collected public administration insider incidents. Unlike the Federal Government subsector, there is no national requirement for state and local government organizations to have an insider threat mitigation capability.

Only 19 states require by statute that their state-run institutions maintain some level of cybersecurity readiness to protect their sensitive data. These statutes generally prescribe that state institutions implement and maintain security practices and procedures for data protection. Some of these state measures additionally mandate periodic security audits or employee awareness training. While these measures seem to be a good-faith effort to support information assurance, none of the statutes specifically acknowledge or address threats from authorized users--insider threats.

Some of the state and local government organizations that are victims of insider incidents include state departments of motor vehicles, courts, police departments, and health care programs. The graph below lists the breakdown of the 87 cases in the State and Local Government subsector in which organizations were direct victims of an insider threat attack.

Bar graph of the number of insider incidents impacting state and local departments and agencies of different types from 1996-present. State: 46. Local: 22. Emergency Services: 19.

In addition to the 87 incidents where the organizations involved directly employed the insider, we identified 16 cases where there was an incident in the State and Local Government subsector involving a Trusted Business Parter (e.g., contractors or temporary employees).

State and Local Government Victim Organization Relationship to Insiders. The pie chart shows 87 cases, or 84%, where the victim organization employed the insider and 16 cases, or 16% where the victim organization did not directly employ the insider.

Sector Overview

The most frequent insider incident case type in the State and Local Government subsector is fraud, occurring in 77% of incidents. These findings are consistent with findings in the Federal Government subsector of public administration. In these fraud incidents, we see insiders with access to sensitive data, such as personally identifiable information (PII), attempting to illegally profit by selling the data or their authorization to handle sensitive data or systems.

For example, a Department of Motor Vehicles (DMV) clerk misused their access to create a fraudulent ID card and sell their access to sensitive systems. Similiarly, we have instances in the corpus where DMV clerks have misused their access to scrape PII data about individuals without the need to know, and then turn around and sell that information for profit.

In both scenarios, the insider abused their authorization to impact the confidentiality or integrity of sensitive data or systems.

State and Local Insider Incidents by Case Type (2003-present). The bar chart shows the number of insider incidents by case type. Fraud: 67. Sabotage: 9. Miscellaneous: 8. Theft of IP: 2. Sabotage and Fraud: 1.

Sector Characteristics

We summarize the findings from these fraud incidents below. These statistics consider only incidents where the case type is exclusively fraud and the industry subsector is either State Government, Local Government, or Emergency Services.

Insider Fraud Incidents in State and Local Government. Who? More than half (63.4%) of insiders were with the victim organization for five years or more. A majority (86.79%) of insiders misused their account or data access. A small fraction (13.21%) did not use their authorized privileges but compromised or created another account. Insiders were evenly distributed in age: twenties (25.0%), thirties (16.1%), forties (26.7%), and fifties (32.2%). An overwhelming majority (92.7%) of the insiders were full-time employees. All (100.0%) were current employees. Several insiders occupied law enforcement (22.4%), management (16.4%), or other non-technical (44.8%) positions. Some insiders occupied more than one of the aforementioned roles. What? Over half (53.5%) of the targets in fraud incidents were related to personally identifiable information (PII), including the theft of non-employee data (32 targets), employee data (4 targets), or law enforcement sensitive databases (2 targets). Other common targets were related to financial assets (17 targets) or physical property (2 targets). When? For the incidents where the attack time was known (50 total), nearly all (98.0%) involved insider activity during work hours. Almost a quarter of the incidents (24.0%) also involved activity outside of work hours. Only one fraud incident took place solely outside of work hours. Where? In fraud incidents where attack location was known (57 total), most (98.2%) involved activity on-site. However, some (19.3%) of the incidents also involved remote access. Only one incident appeared to involve remote access only. How? Some technical methods used include sabotaging backup tapes (1 incident), planting a logic bomb (1 incident), or installing a keylogger (1 incident). Most technical methods were rudimentary. Almost half of insiders abused their privileged access (46.2%) and/or received or transferred fraudulent funds (28.2%). Why? As with the Federal Government subsector, the primary motive for the fraud cases was financial gain (89.6%). Other motives included recognition (1 incident) or benefiting a foreign entity (1 incident).


Incidents in the State and Local Government subsector appear to share many similarities with Federal Government incidents, such as attack patterns and insider objectives (i.e., fraud). When we look at the overall impact and the targeted assets, we notice some differences. Federal Government insiders target non-employee data (31.6%), passports and immigration databases (21.3%), or financial assets (9.6%). State and local government insiders target non-employee data (49.6%) and financial assets (15.0%) at much higher rates, with an additional focus on employee data (7.1%).

Final Thoughts

The majority of insider incidents in the State and Local Government subsector of public administration occur due to the insider's authorized access to sensitive data. The unauthorized use of access can make it difficult for employers to differentiate activity that is potentially malicious from activity that is characteristic of typical job functions. Some specific best practices that organizations can use to mitigate insider threats include auditing employee activity such as database searches, monitoring the movement of monetary funds, and auditing the creation and modification of user accounts.

Stay tuned for the next post, in which we spotlight the Information Technology sector. Or subscribe to a feed of the Insider Threat blog to be alerted when any new post is available. For more information about the CERT National Insider Threat Center, or to provide feedback, please contact

Entries in the "Insider Threats Across Industry Sectors" series:

About the Author