HOUSTON—John Bass, who spent 27 years at the CIA’s National Clandestine Service studying the methods and motives of people who would do harm to the U.S., told a tale of how spies work.
You “bump into” a KGB agent, he said at the recent Duff & Phelps/Amegy Bank of Texas Private Capital conference. You find that you have things in common, invite him out for a cup of coffee on the outskirts of Moscow. You tell him how much you admire the contributions of Russian culture to the western world. You mention how our president is interested in making contact with Russian patriots like him so there can be an understanding and the two countries can avoid a future conflict.
A year goes by. Trust is gained. You mention that you just returned to Washington where you spoke to people very close to the president. They were interested in his insight and guidance. So many in Washington and Moscow are looking for conflict, but the president believed that engaging with patriots like him could forge a new kind of relationship between the countries.
But you told those Washington contacts that agreement was not enough. You had to be able to offer this KGB friend something. They agreed. Perhaps a stipend? Or a nice cottage in the woods outside Stockholm? You let him know that you went out on a limb for him. Were we set?
And thus began a relationship with a source inside the KGB that could last three or four decades. The oil and gas executives in the room were enthralled, at least until Bass, now a director in Duff & Phelps’ global data risk practice, ended with the moral of the story.
“That’s not entirely different than how competitors, terrorists and activists might choose to target your personnel in Equatorial Guinea, in Mauritania, in Saudi Arabia,” he said.
Among the adjustments Bass has made in discussions with clients in the private sector is understanding the trend toward specialization in American business. He found that senior corporate executives with broad global roles were largely unaware of the systems in place to protect their companies.
For example, cyber threats were restricted to the IT staff. Physical threats to assets were handled by other personnel. In almost all instances, those responsible for security focused on investigating things that had already occurred.
“There’s not much perspective about the strategic risk to the corporation,” Bass said.
Government intelligence organizations like the CIA take cybersecurity seriously but they view risk holistically—who has a connection to the asset?—and not as a purely technological issue. Bass found that his discussions with IT people always veered back to technology.
“Time and time again, I found that discussions about people made them uncomfortable,” he said. “They sought to return the conversations to discussions of technology and historical issues only.”
And that can be a risk unto itself.
“We court disaster as so much cyber risk exists outside the IT department and with the people of the organization,” Bass said.
At the CIA, a critical component of cybersecurity is the human resources department. Psychological testing and evaluating for maturity and stability is critical to understanding troubles in an employee’s life and ensuring that life crises are handled properly.
“When I tried to engage with corporate HR on issues of cybersecurity, they were surprised that they were involved in the discussion,” he said. “They didn’t see themselves as part of this conversation on cyber.”
What stunned him were cases where a malicious actor caused a breach and HR knew that the employee was a problem beforehand. The department, however, didn’t feel empowered either through policy or legal issues to raise the issue of security to senior management.
Specialization can have repercussions. When Bass was assigned to tackle a threat, he attacked information systems first. If the enemy’s technological defenses were effective then he went after people. He found out who was connected to the network assets, recruited those people and soon had folks with access to an enemy’s information systems on his payroll.
“No company,” he said, “is 100% immune from this sort of cyberattack.”
Joseph Markman can be reached at jmarkman@hartenergy.com and @JHMarkman.