The Whistleblower Threat

The Whistleblower Threat



This paper will examine the threat profile of a whistleblower by defining it as a distinct threat and examining the motivations and risks behind this threat. The whistleblower poses an internal threat to the information infrastructure of a given entity. This threat shares similarities with other types of internal threats (i.e. consultants, insiders, etc.) due to the level of access the whistleblower possesses. Whistleblowers differ from other internal threats because of the type of information they are interested in and their motivations in compromising it. Understanding the specific threat the whistleblower presents can assist in protecting information infrastructure by allowing entities to prepare policy that focuses on limiting the risk from this profile. It is important to note that the legitimacy of a whistleblower's intentions or claims is not pertinent for the purposes of this paper. This paper seeks only to examine the threat that the whistleblower presents to information infrastructure.

Definition of a Whistleblower

The American Heritage Dictionary defines whistleblower (also whistle blower; whistle-blower) as: "One who reveals wrongdoing within an organization to the public or to those in positions of authority."[1] There is much disagreement surrounding the etymology of the term whistleblower. Some have attributed the term to early police use of whistles as warning signals. Others have theorized the term comes from locomotive trains sounding a warning of their impending arrival.[2] What is certain is that the term hearkens back to a time before digital communication systems were pervasive, when whistles were a more commonly used technique to communicate to others across short distances. In contrast, today's advances in digital communication have changed the way we communicate by giving us unprecedented, instant access to data.

To identify the term whistleblower as a threat to modern information systems we must first understand the term as it relates to those information systems. Dr. Fred Cohen, Principal Member of Technical Staff for Scandia National Laboratories, has defined a whistleblower as "People who believe that crimes are being committed and that they have a duty to report them to the proper authorities." He further adds that "Whistle blowers are often sincere in their beliefs, have insider access, and sometimes have legitimate cases."[3]

Whistleblowers share similarities with many other threat profiles. Many threats to information infrastructure involve gaining access to proprietary information for the purposes of sharing that information with others. For example, an activist can also be a whistleblower, such as when biologist, Samuel LaBudde, filmed dolphins that were dying in fishing nets while he was working undercover aboard a tuna boat.[4] Reporters are also well known for whistleblowing. In 1999, an undercover reporter went public after he obtained a job at London's Heathrow airport by falsifying his name and background. He reportedly gained access to many restricted areas.[5] For the purposes of this paper, what differentiates the whistleblower from the activist or the reporter (et. al.) is the idea that a whistleblower has a legitimate level of access (i.e. via a job or position), which they may later choose to exceed or violate, before they decide to become a threat.

However, insiders and consultants also have a certain legitimate level of access to information. What differentiates a whistleblower from these internal threat profiles is their motivation and, therefore, the type of information compromised. The whistleblower seeks to expose what they perceive is illegal activity on the part of the entity in possession of the information. Therefore, the whistleblower will be primarily concerned with gathering evidence to support their allegations rather than other kinds information.

An Example from the Tobacco Industry

In 1995, Dr. Jeffery Wigand, former Vice President of Research and Development for Brown & Williamson Tobacco Corporation, went public with information alleging that the company knew for decades that smoking caused health problems and that nicotine was addictive. Brown & Williamson had officially denied for years that tobacco use was unhealthy or addictive.

Wigand was hired in January of 1989 by B&W. According to Wigand he was hired to conduct research to develop a safer cigarette.[6] Wigand began to become disillusioned when, he claims, B&W attorneys began censoring meeting minutes and other company documents to excise any company acknowledgments that tobacco use caused health problems. Wigand testified that company attorneys claimed such acknowledgments could be damaging in product liability litigation involving B&W.[7]

Wigand also claims that he became concerned about the company's use of a tobacco additive called coumarin. Coumarin was a flavoring added to enhance the taste of tobacco. Dr. Wigand claimed he was concerned over studies linking coumarin to liver tumors in mice and a variety of other cancers. According to Wigand he expressed his concerns to senior management stating, "I could not in conscience continue with coumarin in a product that we now know, have documentation that is lung-specific carcinogen."(sic)[8] Wigand claims that Thomas Sandefur, then President/CEO for B&W, told him, "...that we would continue working on a substitute and we weren't going to remove it because it would impact sales and that, that was his decision."[9] Wigand objected the decision and claims that he was eventually terminated because of his opposition to the company's continued use of coumarin.[10]

Missed Opportunities for Brown & Williamson

Prior to his termination, Wigand decided to collect B&W internal memoranda and other information. Although he had signed confidentiality agreements, he used the company's information system to collect data to be used against the company. He also began keeping written records chronicling his dealings with B&W. After his termination, Wigand leaked some of this information to the press demonstrating B&W had knowledge of the ill effects of smoking on health, that they manipulated nicotine levels to increase its delivery to the brain, and that they knowingly added unsafe chemicals to tobacco.[11] On October 9, 1995, stories based on this information ran in the Wall Street Journal and The Washington Post. Both publications ran articles quoting B&W internal documents.[12]

The implications of this information leak have had far reaching implications for the entire tobacco industry. Dr. Wigand has since testified against tobacco interests in class action lawsuits. Many B&W trade secrets and technologies have been made public via court documents, providing competitive intelligence to its competitors. The tobacco industry has lost a stunning series of court decisions. Some tobacco companies have acknowledged their products cause health problems. The industry has been forced to make many concessions regarding regulation of their products.[13] While all of these changes in the industry cannot be attributed solely to the whistleblowing activity of Dr. Wigand, he certainly made an important contribution to the political milieu that lead to these changes in the tobacco industry.

Dr. Wigand compromised the information infrastructure of Brown & Williamson by leakage of confidential information. Brown & Williamson alleges he violated confidentiality agreements and information protection policies in doing so.[14] It appears B&W relied too heavily on enforcing confidentiality agreements (Wigand signed several of these)[15] and not enough on limiting its exposure in other ways.

Alternative Strategies

Much of the significance of the threat Dr. Wigand posed to B&W was due to his high level of access to the company's data. Wigand was a vice president. He had access to all of the company's medical research. At that level there is not much chance to compartmentalize information thus limiting its exposure. For example, a researcher conducting a study of the effects of coumarin on mice possesses data that could be damaging to the company. If that is the limit of the researcher's perspective on the data, then the information is compartmentalized and limited in its scope. Because the researcher lacks the perspective that a broader base of information provides, the scope of the potential damage the information can cause is limited. However, if the researcher has access to a wide body of data concerning a variety of studies, the information becomes more damaging because the level of evidence increases. Moreover, if the researcher has access to senior officials in the company and has first hand knowledge about their decisions to ignore or obfuscate the body of research data, the potential level of damage the information leak presents reaches staggering proportions. This was the case with Dr. Wigand. Due to his position as Vice President of Research and Development, it would have been difficult for him to perform his duties without access to all of the available research data. Therefore, compartmentalizing the information was probably not a practical option.

Another protection option is an effective security alert system. Ira Winkler, an expert regarding corporate espionage, advises that a security alert system can facilitate identification of potential threats:

"People have to know who to tell when they discover potential security problems. The only thing most people think to do is tell their supervisor. If they have a bad relationship with the boss, they might be disinclined to bring up a problem. If they do tell their supervisor, then the supervisor must know what to do with that information."[16]

Company officials eventually identified Dr. Wigand as a threat and terminated his employment, probably falsely believing that they were adequately protected by confidentiality agreements. By the time B&W terminated Dr. Wigand, he had already collected the damaging information. If the company had an effective security alert system designed to help detect threats at the early stages, they may have been able to limit Dr. Wigand's damage.

Once a person has been identified as a potential threat it allows the opportunity to observe the subject's computer use. Digital data can be loaded onto a diskette, hidden on the hard drive of a laptop, or even emailed through the company's firewall. Most companies retain the right to examine employee usage of its computer systems. By being alerted to a potential threat a security team can observe Internet traffic, emails, faxes, and what internal files the subject is accessing. This may help to identify suspicious behavior. Audit logs are an invaluable resource to provide information about computer use and file access.[17]

Other methods of removing documentation include physically removing documents. Documents can be copied and carried out in a briefcase, but this method is a bulky alternative to removing the data in digital form. One method to help detect this threat is to monitor use of copy machines. Simply installing a counter can alert managers to Unusual levels of usage. Many copy machines today can track usage by requiring the input of a departmental number.[18] By examining these records for suspicious activity B&W may have been able to identify the threat earlier.


The Brown & Williamson Tobacco Company was not prepared for the assault on their proprietary information. They appeared to rely solely on confidentiality agreements to protect themselves and control their data. While confidentiality agreements are a good practice, no information security program should rely on only one method of protection. The confidentiality agreements did not work because the allegations of illegal activity exempted Dr. Wigand from adhering to the non-disclosure agreements. This left B&W with little protection.

A balanced and coordinated information security policy would have probably helped them to better control their data. They did not take advantage of other information controls such as security alert response plans, audit logs, and other precautions common to well-rounded information protection programs. By not actively managing their information security program, they were forced to be reactive rather than proactive.

According to Dr. Fred Cohen, "Because the value of information is pervasive in modern life, so must be its protection. Anywhere valuable information goes, protection must also go. That means that everyone who deals with valuable information must also be involved in the information protection function at some level."[19] It is clear that B&W did not maintain a pervasive information security posture in this situation.


1) Source: The American Heritage® Dictionary of the English Language, Third Edition Copyright © 1996, 1992 by Houghton Mifflin Company.


3) Cohen, Fred. Threat Profiles: Whistleblower. The All.Net Security Database. September 2000.

4) U.S. Newswire, "Conservationists Sue Federal Government Over Violations of Dolphin Law," February 8, 2000.

5) The Evening Standard (London), "Heathrow security purge by Minister," January 21, 1999, Pg. 16.

6) State of Mississippi v. Brown & Williamson Tobacco Company, November 29th, 1995. Court Transcript:

7) Ibid.

8) Transcript of 60 minutes interview with Dr. Jeffery Wigand, Part 1. CBS. Aired February 4, 1996.

9) 60 minutes, op. cit.

10) 60 minutes, op. cit.

11) Court Transcript, op. cit.

12) Ibid.

13) McCollam, Douglas "The American Lawyer," June, 1999, Pg. 86, Long Shot.

14) Court Transcript, op. cit.

15) Court Transcript, op. cit.

16) Winkler, Ira Corporate Espionage. Copyright 1997, Prima Publishing, Rocklin, CA. pp. 283.

17) Ibid. pp. 331.

18) Winkler, op. cit. pp. 316.

19) Cohen, Fred. Protection and Security on the Information Superhighway, Copyright, Fred Cohen - 1995-7, pp. 6.