Richard Garcia, senior consultant with Delta Risk LLC, is accustomed to skeptical if not dismissive responses to a particular piece of advice that he offers: Companies concerned about cyber-security should invite federal agents to check out their systems.

“Now, people say, ‘I don’t want the government coming in looking at my stuff,’” he told the crowd at API’s recent “Ninth Cybersecurity Conference” in Houston. “Well hell, you got the Chinese in there. Why not let the FBI?”

Garcia, former assistant director of the FBI and global security manager for Shell, was once tasked with keeping tabs on Robert Hanssen, the former agent who spied for Soviet and Russian intelligence for 22 years. He is professionally conditioned to be suspicious, but that does not equate to paranoia over the threat from criminals working on the inside.

“If somebody is someplace doing something and they shouldn’t be there, then why?” he asked. “Don’t be naïve, just don’t assume anything. You’ve got to be able to protect what’s going on in your company.”

That means that companies cannot afford to ignore the threat to their systems simply because they are not engaged in the development of technology. Strategy is a valuable target as well, and not just for domestic competitors.

“Every nation on earth has an urgent need to secure oil and gas, every nation on earth,” said John Hultquist, Washington-based senior manager for cyber espionage threat intelligence at iSight Partners. “It is a strategic problem for almost every nation on earth, including several of our major adversaries, like the Iranians. They want to know what the market is like. They want to know how to move their oil. Everybody has an interest in understanding that marketplace and the commercial sector, even more than the government sector, is where that knowledge exists.”

For example, China’s recent five-year plan lists six top priorities. Two of them are energy-related.

“The landscape is constantly shifting,” he said. “Right now, what’s going on? The price of oil is dropping. America is becoming an incredible producer of oil and gas. All those changes create questions, questions that have to be answered by policymakers who can task intelligence resources.”

Blind-sided

Companies initiating operations in a new global region need to be aware of the players and the playing field, Hultquist said. For example, one of his financial clients recently set up shop in India, a part of the world in which Indian and Pakistani teams constantly target each other. That client instantly became a target of both groups, each of which was seeking information from a third party to gain an edge.

Another third-party risk involves the area seeing the most significant increase in cyber espionage: climate change. Hultquist stressed that while it involves government-to-government negotiations, it is not an exclusively governmental problem.

“Obviously if your organization has some say in the problem, if you’ve got people in Washington, DC, on K Street and you’re talking to them, the adversary wants to know what they’re thinking,” he said.

Art of the steal

Closer to home, it has become more difficult to back up that poker face during project talks when your partner knows the cards in your hand.

“One of the big things we see for oil and gas, and we had actually seen targeted activity around them, is joint ventures,” Hultquist said. “We see parties of joint ventures constantly targeted by these guys. They want to know what the other guys are thinking. They want to know your negotiating points. We’ve heard stories of people walking into negotiations and the other side knows precisely their number, and they’re able to take them right to the edge in negotiations. That’s the efficiency of this capability.”

Fighting back

Your enemy might be sitting in Pyongyang, North Korea, or in your rival’s headquarters down the street or in a cubicle 50 feet from your office. What can you do about it?

  • Know the location of your company’s crown jewels. Find out who has access and the methods of protecting them, Garcia advises. Then question those responsible to find out how to better protect them. That’s right—trust but verify.
  • Develop a long-term plan: Jay McGowan, Washington-based cyber-security expert who served in the Department of Homeland Security and Department of Defense, supports a holistic approach to getting a handle on data across the entire enterprise. It includes knowing how to protect trade secrets and sensitive data; auditing and monitoring networks and maintaining records; and policies for mobile devices and access, as well as social media.
  • Create a contingency plan: McGowan suggested conducting penetration tests on your infrastructure and asking vendors to do the same. He said it was important to establish document creation, retention and destruction policies.