Ex-DIA officer Shawnee Delaney found herself mixed up in a case involving China and cyber espionage.
Insider threats come in many disguises, including one incredible case where Shawnee Delaney’s US company discovered a suspected Chinese spy curled up asleep under his desk early in the morning. The employee hadn’t been himself lately.
“His demeanor changed. He seemed kind of squirrely,” Shawnee told SPYSCAPE. “People described him as distracted.”
While Shawnee can’t reveal the name or location of the company for security reasons - nor the sensitive trade secrets the employee may have stolen - the circumstantial evidence was significant enough that Shawnee decided to do a digital forensic ‘deep dive’.
Before getting too far into the details of the Spy vs Spy showdown, however, it may be helpful to know a bit more about Shawnee, the laser-focused US Defence Intelligence Agency (DIA) officer who honed her tradecraft during tours of Iraq, Afghanistan, and Europe. She was also part of the team hunting 9/11 mastermind Osama bin Laden.
The making of a US spy
Back in the early 1980s, when young American girls were crushing on John Travolta and Michael Jackson, Shawnee held a torch for CBS News anchor Dan Rather. When Rather announced that the US Marine barracks had been blown up in Beirut, Shawnee wanted to find out more about what motivated the terrorists.
Shawnee decided to become a superspy while learning how to raise livestock with the 4-H Club near her family home in California’s Santa Cruz mountains. Getting a tap on the shoulder from a CIA recruiter would be a challenge, however: “How do you get into espionage as a kid from the mountains in California?”
Shawnee studied Arabic and took a Master’s degree in international policy. Her thesis was on Hezbollah, the Lebanese group designated as a terrorist organization by the US. If that wasn’t enough to catch the attention of US intelligence recruiters, she burnished her credentials with three months of travel around Egypt, Syria, Jordan, and Lebanon where the US military barracks had been bombed in 1983, killing more than 240 US Marines, Navy sailors, and Army soldiers.
The CIA did offer Shawnee a job but the training program was suspended that year. Instead, she pinned her hopes on the DIA which gathers intel for the US Department of Defense. She convinced a DIA recruiter that the Agency needed her. After a chat over beer, quite a few more interviews, and a long vetting process, Shawnee was cleared.
The training involved six months at ‘the Farm’, the boot camp for budding US spies, where she learned how to conduct high-threat tactical meetings and recruit ‘assets’ at faux embassy parties. On weekends off, Shawnee practiced her surveillance techniques.
By the time US SEAL Team Six descended on Osama bin Laden’s compound in Abbottabad, Pakistan in 2011, Shawnee had spent almost six years at the DIA recruiting and running foreign assets, tracking down crucial al-Qaeda intelligence, and staring down death.
“I served four war zone tours in Iraq and Afghanistan, and on each tour I had one, or two - or even three - near-death experiences. And I decided: ‘You know what? I don’t get paid enough for this.’”
If Shawnee wanted to be successful at her next goal - motherhood - she’d need to spend more than one or two days a month at home. So Shawnee quit and had twin girls and a son. Then she decided the future of terrorism was in cyberspace, so she reinvented herself.
By the time Shawnee graduated with her second Master’s degree - with straight ‘A’s’, of course - she was an expert on cyber espionage, insider threats, and corporate security.
The ex-DIA officer was working for a US company when she came face-to-face with a man she suspected of being a Chinese military spy.
To catch a spy
Remember the employee asleep under his desk? Another co-worker saw him having a sponge bath in the office washroom after an apparent sleepover and reported his behavior. Other colleagues noticed he wasn’t as focused as usual.
That’s when Shawnee began her ‘deep dive’ forensic investigation. She checked security badge logs to find out when the employee was swiping in and out of the building, imaged his hard drive, checked to see if he’d used USB drives to exfiltrate data, and examined email and internet traffic among other techniques. She spoke to colleagues who’d reported suspicious behavior to get more details.
Shawnee put the whole picture together and arranged to interview the suspect before he was even aware an investigation was underway.
“I always keep my evidence close-hold and offer that person sitting across from me the opportunity to admit it, or deny it, or tell me what their reasoning was,” she said. “There is certain evidence I have prepared that I can slide across the table and say: ‘Okay, can you explain this?’”
In this case, Shawnee wasn’t convinced by the employee’s explanations and there were red flags in his email correspondence, such as suspicious IP addresses. She was also concerned about his previous military service in the People’s Liberation Army, China’s armed forces.
“It could have been corporate espionage or industrial espionage, and in big cases like this it really is the best idea to get law enforcement involved,” Shawnee added.
The FBI had already been alerted to possible espionage by a state actor and took over the file so Shawnee wasn’t part of the follow-up investigation.
Shawnee didn’t have time, really. She was too busy dealing with other insider threats, including an employee at an unrelated company who leaked sensitive corporate information to the media after being turned down for a small bonus. In that case, the man began arriving at work unshaven, with stains on his clothes, and appeared to be mentally unraveling.
“He morphed into a different person,” Shawnee said. She feared the problem might escalate into an active shooter case if she wasn’t on top of the situation.
It was just another one of the thousands of cases Shawnee’s handled in the corporate world. She still works for a large US tech company overseeing their insider threat program, but she’s also a SPYEX corporate consultant and, in 2019, started her own company, Washington, D.C.-based Vaillance Group, to advise Fortune 500 companies on insider threats.
“Every company, every person, everyone thinks it can’t happen to them - until it does.”
Insider Threats: Four Tips to Help Companies Fight Back
Shawnee Delaney is an insider threat subject matter expert who advises companies on issues ranging from ransomware threats to corporate espionage. Here are four of her top tips for organizations.
1. Have a training and awareness program so everyone understands what ‘insider threat’ means.
2. Ensure the program is transparent so staff know it is there to protect people, assets, data, and facilities - and explain why it is in place. “You can’t tell people to do something but not tell them why.”
3. Teach employees the best practices for ‘cyber hygiene’, so they are less likely to click on a malicious link that makes a company susceptible to ransomware, or open an email from a suspicious sender.
4. Encourage staff to report changes in the patterns or behavior of coworkers, and ensure they have the option of making their reports within a confidential system.