Dec 5, 2025

The L3Harris Insider Threat Case – What the Peter Williams Guilty Plea Reveals About Protecting Trade Secrets

AUTHOR

James A. Wondrasek

Peter Williams, a 39-year-old general manager at L3Harris Trenchant, spent three years stealing eight zero-day exploits worth $35 million. He had security clearance. He oversaw the compartmentalised systems designed specifically to prevent this kind of theft. And he sold those exploits to Russian brokers.

It turns out clearances, compartmentalisation, and periodic audits weren’t enough. Williams walked off with proprietary cyber-weapons developed exclusively for the U.S. government and Five Eyes allies, pocketed $1.3 million in cryptocurrency, and nobody noticed until an internal investigation finally caught him three years later.

If you’re handling sensitive data or intellectual property, you’re facing similar risks. Your developers, engineers, and senior staff all have access to trade secrets, customer data, and the systems that run your business. The Williams case is a reminder that trusted personnel with legitimate access need monitoring just as much as your perimeter defences need hardening.

This article is part of our comprehensive guide on deep tech and defense innovation, where we explore the opportunities, risks, and strategic lessons from 2025’s defense sector developments. While defense technology creates enormous commercial opportunities, the Williams case illustrates the security imperative that comes with handling sensitive innovations.

So let’s examine what happened, how it happened, and what you can implement to detect threats before they cause damage.

What Happened in the Peter Williams L3Harris Case?

Peter Williams pleaded guilty in October 2025 to two counts of theft of trade secrets. Over three years, he stole at least eight sensitive cyber-exploit components from L3Harris Trenchant, the defence contractor subsidiary where he worked as general manager.

He sold these exploits to Operation Zero, a Russian brokerage that calls itself “the only official Russian zero-day purchase platform.” Williams received about $1.3 million in cryptocurrency for materials whose theft caused L3Harris $35 million in losses.

Williams wasn’t some junior developer who got greedy. He was an Australian national who previously worked at the Australian Signals Directorate before joining L3Harris. He had the credentials and the position to access highly sensitive materials.

From 2022 through 2025, Williams conducted his transactions via encrypted communications and bought luxury items with the proceeds. He’s looking at up to 20 years, with sentencing guidelines suggesting 87 to 108 months.

Prosecutors are seeking forfeiture of his residence, luxury watches, jewellery, and the funds sitting in seven bank and cryptocurrency accounts.

How Did Peter Williams Steal Trade Secrets from L3Harris?

Williams exploited his general manager position to access cyber-exploit components across compartmentalised systems. His role granted privileged access to sensitive systems that would normally stay isolated from each other.

He extracted materials over three years using encrypted communication channels that bypassed standard data loss prevention systems. It took three years to detect him, which tells you L3Harris didn’t have continuous behavioural monitoring running during the exfiltration period.

Here’s the problem with compartmentalisation: it assumes people stay within their assigned boundaries. When the insider manages those compartments, your strategy collapses. And without behavioural monitoring to flag unusual access patterns, periodic audits won’t catch ongoing theft before serious damage is done.

There’s another detail that makes this worse. Williams oversaw an internal investigation into suspected leaks while conducting his own theft. His supervisory position let him avoid scrutiny—a scenario that proper separation of duties and independent oversight would prevent.

What Are Zero-Day Exploits and Why Are They Valuable?

Zero-day exploits target software vulnerabilities that vendors don’t know about, making them undetectable by standard defences. Williams wasn’t taking theoretical research—he extracted working attack tools ready for operational deployment.

L3Harris Trenchant developed zero-days exclusively for U.S. government and Five Eyes allies—Australia, Canada, New Zealand, the United Kingdom, and the United States. These exploits provide offensive cyber capabilities for intelligence gathering and targeted attacks.

The Department of Justice valued the eight stolen exploits at $35 million. Williams sold the first for $240,000 and agreed to sell seven more for $4 million total, though he only received $1.3 million before getting caught.

The value comes from exclusivity. Once you use a zero-day, security researchers can identify it, vendors can patch it, and effectiveness drops to zero. Operation Zero offers $200,000 to $20 million for high-value exploits, which gives you an idea of the demand from nation-states.

What Is Operation Zero and Why Did They Buy Stolen Exploits?

Operation Zero markets itself as “the only official Russian zero-day purchase platform”. The organisation acquires exploits from security researchers and insiders, then resells them to non-NATO buyers including Russian government entities.

Williams signed multiple contracts outlining payments and support fees totalling millions in cryptocurrency. The brokerage provides plausible deniability for Russian intelligence while acquiring restricted Western capabilities.

This is state-sponsored economic espionage with a commercial façade.

What Are the Warning Signs of Insider Threats?

Williams extracted materials over three years without triggering detection systems. That timeline reveals multiple missed opportunities to identify and investigate suspicious behaviour before he caused significant damage.

He used encrypted communications to conduct transactions with Operation Zero. When privileged users access encrypted channels that aren’t approved for work, that should trigger an investigation. Particularly when those channels enable data exfiltration that bypasses standard monitoring.

Williams oversaw an internal investigation into suspected leaks while conducting his own theft—a conflict of interest that proper separation of duties would have prevented. When the people who investigate threats are themselves the threats, your governance structure has failed.

Here’s what effective monitoring would flag:

Traditional security clearance processes assume vetted individuals remain trustworthy indefinitely. The Williams case proves that assumption wrong.

How Do Insider Threat Programs Detect Suspicious Behaviour?

User and Entity Behavior Analytics (UEBA) platforms use AI to detect anomalous patterns without needing predetermined indicators. UEBA establishes what normal looks like for each employee during a 30-90 day learning period, then flags deviations from that baseline rather than matching predefined rules.

Data Loss Prevention (DLP) monitors data movement across email, USB, cloud, and network channels. While UEBA focuses on user behaviour, DLP focuses on data behaviour—where sensitive information goes and whether movement complies with your policies.

Effective programs integrate both approaches. UEBA establishes baselines and reduces false positives through continuous learning. DLP prevents actual exfiltration when suspicious activity begins. Human analysis provides context to distinguish legitimate business activities from actual threats.

Continuous monitoring observes user actions in real-time rather than through periodic audits. Periodic audits only catch threats after the damage is done. Continuous monitoring lets you intervene before theft is complete.

The Williams case would have triggered multiple UEBA alerts: cross-compartment access, after-hours usage, encrypted communications, and data anomalies. Any one of those might have a legitimate explanation. All of them together demand investigation.
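To make that layered detection concrete, here is an added example (not L3Harris’s, the article’s, or any vendor’s code) of UEBA-style baselining and multi-signal scoring over constructed access records. The users “gm” and “dev1”, the compartments, the volumes, and the thresholds (three standard deviations, 08:00-18:00 working hours, two coinciding signals before escalation) are all assumptions; users are keyed by a pseudonym so an alert can be reviewed before anyone is identified, as the article recommends further on.

```python
"""UEBA-style baselining and multi-signal scoring over constructed access logs.

Baseline each user's normal compartments, hours and daily volume, then escalate
only when several weak signals coincide. Keys are pseudonyms so alerts can be
reviewed before anyone is named."""
from collections import Counter, defaultdict
from datetime import datetime
from hashlib import sha256
from statistics import mean, pstdev

# Constructed records: (timestamp, user, compartment, bytes_read).
# "gm" is an over-privileged manager, "dev1" a developer with a stable routine.
LEARNING_LOG = [
    ("2025-01-06 09:15", "dev1", "project-a", 120_000),
    ("2025-01-07 10:40", "dev1", "project-a", 98_000),
    ("2025-01-08 14:05", "dev1", "project-a", 110_000),
    ("2025-01-06 11:00", "gm", "project-a", 20_000),
    ("2025-01-07 15:30", "gm", "project-a", 25_000),
    ("2025-01-08 10:10", "gm", "project-a", 22_000),
]
DETECTION_LOG = [
    ("2025-02-03 09:50", "dev1", "project-a", 105_000),
    ("2025-02-03 23:10", "gm", "project-b", 900_000),  # new compartment, late, bulk
    ("2025-02-04 22:45", "gm", "project-c", 1_200_000),
]

def pseudonym(user, salt="rotate-this-salt"):
    """Salted hash used as the analytics key; the salt-to-identity mapping stays with reviewers."""
    return sha256(f"{salt}:{user}".encode()).hexdigest()[:12]

def build_baselines(log):
    """Per-pseudonym normal compartments, active hours, and mean/std of daily bytes."""
    comps, hours, daily = defaultdict(set), defaultdict(set), defaultdict(Counter)
    for ts, user, comp, nbytes in log:
        t, pid = datetime.strptime(ts, "%Y-%m-%d %H:%M"), pseudonym(user)
        comps[pid].add(comp)
        hours[pid].add(t.hour)
        daily[pid][t.date()] += nbytes
    return {pid: {"compartments": comps[pid], "hours": hours[pid],
                  "mean": mean(daily[pid].values()), "std": pstdev(daily[pid].values())}
            for pid in comps}

def score(log, baselines):
    """Return {pseudonym: set of signals}. Each signal alone is weak evidence."""
    signals, daily = defaultdict(set), defaultdict(Counter)
    for ts, user, comp, nbytes in log:
        t, pid = datetime.strptime(ts, "%Y-%m-%d %H:%M"), pseudonym(user)
        base = baselines.get(pid)
        if base is None:                      # never seen in the learning period
            signals[pid].add("no-baseline")
            continue
        if comp not in base["compartments"]:  # cross-compartment access
            signals[pid].add("cross-compartment")
        if t.hour not in base["hours"] and not 8 <= t.hour < 18:
            signals[pid].add("after-hours")
        daily[pid][t.date()] += nbytes        # running daily volume per user
        limit = base["mean"] + 3 * max(base["std"], 0.1 * base["mean"])
        if daily[pid][t.date()] > limit:
            signals[pid].add("volume-anomaly")
    return signals

def triage(signals, min_signals=2):
    """Escalate only pseudonyms with several coinciding signals; a reviewer resolves identity afterwards."""
    return {pid: sorted(s) for pid, s in signals.items() if len(s) >= min_signals}
```

Run against the constructed logs, the developer produces no signals while the manager trips all three, which is the “all of them together” condition the paragraph above describes.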

What Should CTOs Include in an Insider Threat Program?

The defense sector risks illustrated by the Williams case apply equally to commercial technology companies handling valuable intellectual property. Effective programs require formalised structure with executive sponsorship, dedicated resources, and integration across departments. Carnegie Mellon’s framework addresses 13 key elements including organisation-wide participation, oversight, confidential reporting, and incident response plans.

Start by identifying your sensitive data, establishing your risk tolerance, and documenting policies. You can’t protect what you don’t know exists.

Access controls form the foundation. Implement least privilege, role-based access, and privileged access management (PAM). Every user gets the minimum access required. When roles change, access changes. Privileged accounts require session recording and approval workflows.
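As an added example of the role-based access and separation-of-duties points (not the article’s or any vendor’s code), the following derives entitlements from roles, produces an explicit revoke/grant list when roles change, and refuses to let anyone who held access to the compartments under investigation oversee that investigation, the conflict the article describes in Williams’s case. The role names, compartments, users and dates are constructed.

```python
"""Role-derived access with reconciliation on role change, plus a
separation-of-duties check for who may oversee a leak investigation.

Roles, compartments, users and dates are constructed for this example."""
from datetime import date

# Which compartments each role legitimately needs (constructed).
ROLE_ENTITLEMENTS = {
    "developer-a": {"project-a"},
    "developer-b": {"project-b"},
    "general-manager": {"hr-records", "finance"},  # manages people, not exploit code
    "auditor": {"audit-logs"},
}

# Every grant a user ever held: (compartment, start, end or None if still active).
ACCESS_HISTORY = {
    "gm": [("project-a", "2020-03-01", None), ("project-b", "2021-06-01", None),
           ("hr-records", "2020-03-01", None)],
    "auditor": [("audit-logs", "2019-01-01", None)],
}

def expected_access(roles):
    """Least privilege: exactly the union of what the current roles require."""
    return set().union(*(ROLE_ENTITLEMENTS[r] for r in roles))

def reconcile(current, roles):
    """Concrete revoke/grant lists for a role change; nothing is carried over implicitly."""
    wanted = expected_access(roles)
    return {"revoke": sorted(current - wanted), "grant": sorted(wanted - current)}

def active_grants(history, compartments, window):
    """Grants to the given compartments that overlapped the window (ISO date strings)."""
    start, end = (date.fromisoformat(d) for d in window)
    hits = []
    for comp, s, e in history:
        s = date.fromisoformat(s)
        e = date.fromisoformat(e) if e else date.max  # still active
        if comp in compartments and s <= end and e >= start:
            hits.append(comp)
    return sorted(hits)

def assign_investigator(candidates, history, scope, window):
    """Separation of duties: nobody who held access to in-scope compartments during
    the incident window may oversee the case, however senior."""
    eligible = [c for c in candidates
                if not active_grants(history.get(c, []), scope, window)]
    if not eligible:
        raise ValueError("no independent investigator; escalate outside the business unit")
    return eligible
```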

Detection technologies include UEBA for behavioural analytics and DLP for data movement. Commercial UEBA costs $5-15 per user per month, and enterprise DLP runs $20-40 per user per month for companies with 50-500 employees.

Your policy frameworks need to cover acceptable use, monitoring transparency, incident response, and employee consent. Monitoring without transparency destroys trust. State clearly what gets monitored, why, and how investigations work.

Audit logging captures privileged activities, data access, and system modifications. Make sure logs are retained long enough to detect long-running threats; Williams’s theft spanned three years.

Frame programs as protective rather than punitive. If employees perceive monitoring as surveillance, they’ll resist it.

For SMBs, start with logging and basic DLP using tools you already have. Move to UEBA and PAM as your budget matures. Advanced zero trust implementations require significant investment but defend against sophisticated threats.

The Williams case teaches you this: even with compartmentalisation and security clearances, a single insider can inflict massive damage. Continuous behavioural monitoring, strict privileged access governance, and evidence-based investigations aren’t optional.

How Can CTOs Balance Security Monitoring with Employee Trust?

Transparency about monitoring builds trust while enabling security. State clearly what gets monitored, why, and how the organisation uses monitoring data. When there’s clear communication and demonstrated responsibility, 71% of employees trust their employers to deploy AI ethically.

Focus monitoring on high-risk activities rather than invasive surveillance. Privileged access to sensitive systems warrants monitoring. Normal business communications do not.

Use privacy-preserving techniques: anonymised baselines, threshold-based alerting, and human review before identification. UEBA systems flag anomalous behaviour without immediately identifying users. Individual identification only happens when behaviour crosses investigation thresholds.

Over 140 countries have comprehensive privacy legislation. Your implementation needs to comply with GDPR, CCPA, and other frameworks.

Investigation protocols should establish reasonable suspicion requirements, legal review, HR collaboration, and evidence preservation. Clear protocols protect both your organisation and your employees.

The Williams case shows security clearances alone create false trust. Monitoring becomes necessary even for vetted personnel. But that monitoring needs to be transparent, proportionate, and focused on legitimate security concerns.

Communicate the “why” behind monitoring. You’re protecting company assets, customer data, and employee jobs. When competitors steal trade secrets or ransomware groups exfiltrate data, everyone loses.

Only 21% of consumers trust tech companies to protect their data. Your employees understand breaches happen and know monitoring serves protective purposes. What they won’t accept is surveillance extending into productivity tracking or personal communications.

The balance isn’t between security and trust—it’s between transparent, proportionate security that builds trust and opaque surveillance that destroys it.

The Williams case demonstrates that innovation security is just as critical as technological innovation itself. For a complete overview of how security considerations fit within the broader landscape of deep tech opportunities and strategic lessons from 2025’s defense sector, see our comprehensive deep tech and defense innovation guide.

FAQ

What is an insider threat and how does it differ from external attacks?

An insider threat is when someone with authorised access uses it maliciously or negligently to cause harm. Unlike external attackers who need to breach perimeter defences, insiders already have legitimate credentials, making detection more challenging. The Williams case shows this perfectly—a trusted employee who exploited privileged access for financial gain. Most insider incidents are unintentional, but malicious cases cause disproportionate damage because insiders know where valuable assets live and understand the security controls they need to circumvent.

What legal consequences did Peter Williams face for stealing trade secrets?

Williams was charged with two counts of theft of trade secrets under 18 U.S.C. § 1832, each carrying a maximum 10-year prison sentence. Federal sentencing guidelines suggest 87 to 108 months, meaning roughly 7-9 years’ imprisonment. He faces restitution of $1.3 million plus asset forfeiture including his residence, luxury watches, jewellery, and cryptocurrency accounts.

How expensive is it to build an insider threat program for SMB tech companies?

Start with tools you already have. Native cloud audit logging comes included with platforms you’re already paying for. Open-source DLP and basic access controls cost minimal additional investment. Intermediate implementations adding commercial UEBA ($5-15 per user monthly) and enterprise DLP ($20-40 per user monthly) will run you $15,000-50,000 annually for companies with 50-500 employees. Advanced programs with zero trust and PAM reach $75,000-150,000 annually. The Williams case’s $35 million loss shows even modest programs deliver strong ROI.

Can employee monitoring be implemented legally without violating privacy?

Yes, through transparency, consent, and compliance. Employers can monitor work systems if employees are informed through clear policies and provide consent. GDPR Article 25 requires appropriate technical and organisational measures during system design. The key requirements: disclose what gets monitored, focus on work-related activities rather than personal communications, and comply with regional privacy laws. You’ll need legal review because requirements vary by location and industry.

What mistakes did L3Harris make that allowed the Williams theft?

L3Harris relied on clearances and compartmentalisation without implementing continuous behavioural monitoring. The key failures: no UEBA system to flag unusual access patterns, insufficient audit logging of privileged activities, periodic rather than continuous monitoring (which allowed three years of undetected theft), and over-reliance on security clearances creating false trust. Williams’s supervisory position during an internal investigation he oversaw was a conflict of interest that proper separation of duties would have prevented.

How do UEBA and DLP technologies differ in detecting insider threats?

UEBA focuses on behavioural anomalies, using machine learning to establish baselines and flag suspicious actions. UEBA platforms detect patterns without predetermined indicators. DLP monitors data movement—emails, uploads, USB transfers—blocking or alerting on policy violations based on content inspection. UEBA provides early warning by detecting behavioural changes before data loss happens. DLP prevents the actual theft during exfiltration. You need both working together.

What should I do if I suspect an employee is stealing trade secrets?

Consult legal counsel immediately to ensure you comply with employment law and preserve evidence properly. Document specific suspicious behaviours without confronting the employee prematurely. Engage HR to review personnel records and behavioural changes. Preserve digital evidence through forensic copies of systems and audit logs. Legal counsel must review decisions to ensure privacy compliance. Consider temporary access restrictions if theft is ongoing, balancing security with legal risks. Only after legal and HR review should you move to confrontation or termination.

How long does it take to implement a basic insider threat program?

A starter program—audit logging, basic DLP, access control review—launches in 4-8 weeks: 1-2 weeks for policy and legal review, 2-3 weeks for deployment, 1-2 weeks for training. Intermediate programs adding UEBA and PAM need 3-6 months. UEBA requires 30-90 days to establish baselines, while access restructuring introduces complexity. Advanced programs with zero trust span 6-12 months and involve architectural changes. Start with quick wins while you plan longer-term capabilities.

Are insider threats more dangerous than external hackers?

Statistically, insider threats cause greater average damage. Verizon’s Data Breach Investigations Report shows insiders are involved in 20-30% of breaches but cause disproportionate impact. Insiders have legitimate access, know where assets live, understand the controls they need to circumvent, and stay undetected longer. Williams operated for three years before detection. External attacks happen more frequently overall. Your optimal security strategy addresses both: perimeter defences for external threats, behavioural monitoring for insiders.

What is zero trust architecture and how does it prevent insider threats?

Zero trust assumes no user is inherently trusted. Every access request gets verified based on identity, device health, context, and least privilege. Unlike perimeter security, zero trust continuously validates through multi-factor authentication, micro-segmentation limiting lateral movement, real-time risk assessment, and comprehensive logging. This restricts access even for authenticated users. Williams couldn’t have accessed all those compartments under a zero trust model. However, implementation requires significant architectural changes, making it a longer-term goal for most SMBs.

How can small companies protect against insider threats without large security teams?

Leverage cloud-native tools. Microsoft 365 and Google Workspace offer native DLP and audit logging. Cloud access security brokers monitor SaaS usage. Endpoint detection tracks device activities. Managed security providers offer outsourced monitoring at $2,000-5,000 monthly, which is cheaper than hiring full-time staff. Effective SOCs can be built using automation to reduce workload. Prioritise high-impact controls: strict access management, mandatory multi-factor authentication, automated audit logging, and basic DLP. The goal is risk reduction, not perfection.

What technologies can detect employees stealing company secrets?

Core technologies include UEBA platforms (Exabeam, Securonix, Microsoft Sentinel) for detecting behavioural anomalies. DLP systems (Forcepoint, Symantec, Microsoft Purview) monitor data movement. Privileged access management tools (CyberArk, BeyondTrust) record admin activities. Endpoint detection tools (CrowdStrike, SentinelOne) track file access. SIEM platforms (Splunk, Elastic) aggregate logs for investigation. Next-generation data detection leverages data lineage to understand how user actions impact sensitive information. These technologies work together: UEBA flags unusual patterns, DLP blocks unauthorised transfers, and PAM records privileged activities for forensics.
