HOUSTON—John Bass, who spent 27 years at the CIA’s National Clandestine Service studying the methods and motives of people who would do harm to the U.S., told a tale of how spies work.
You “bump into” a KGB agent, he said at the recent Duff & Phelps/Amegy Bank of Texas Private Capital conference. You find that you have things in common, invite him out for a cup of coffee on the outskirts of Moscow. You tell him how much you admire the contributions of Russian culture to the western world. You mention how our president is interested in making contact with Russian patriots like him so there can be an understanding and the two countries can avoid a future conflict.
A year goes by. Trust is gained. You mention that you just returned to Washington where you spoke to people very close to the president. They were interested in his insight and guidance. So many in Washington and Moscow are looking for conflict, but the president believed that engaging with patriots like him could forge a new kind of relationship between the countries.
But you told those Washington contacts that agreement was not enough. You had to be able to offer this KGB friend something. They agreed. Perhaps a stipend? Or a nice cottage in the woods outside Stockholm? You let him know that you went out on a limb for him. Were we set?
And thus began a relationship with a source inside the KGB that could last three or four decades. The oil and gas executives in the room were enthralled, at least until Bass, now a director in Duff & Phelps’ global data risk practice, ended with the moral of the story.
“That’s not entirely different than how competitors, terrorists and activists might choose to target your personnel in Equitorial Guinea, in Mauritania, in Saudi Arabia,” he said.
Among the adjustments Bass has made in discussions with clients in the private sector is understanding the trend toward specialization in American business. He found that senior corporate executives with broad global roles were largely unaware of the systems in place to protect their companies.
For example, cyber threats were restricted to the IT staff. Physical threats to assets were handled by other personnel. In almost all instances, those responsible for security focused on investigating things that had already occurred.
“There’s not much perspective about the strategic risk to the corporation,” Bass said.
Government intelligence organizations like the CIA take cybersecurity seriously but they view risk holistically—who has a connection to the asset?—and not as a purely technological issue. Bass found that his discussions with IT people always veered back to technology.
“Time and time again, I found that discussions about people made them uncomfortable,” he said. “They sought to return the conversations to discussions of technology and historical issues only.”
And that can be a risk unto itself.
“We court disaster as so much cyber risk exists outside the IT department and with the people of the organization,” Bass said.
At the CIA, a critical component of cybersecurity is the human resources department. Psychological testing and evaluating for maturity and stability is critical to understanding troubles in an employee’s life and ensuring that life crises are handled properly.
“When I tried to engage with corporate HR on issues of cybersecurity, they were surprised that they were involved in the discussion,” he said. “They didn’t see themselves as part of this conversation on cyber.”
What stunned him were cases where a malicious actor caused a breach and HR knew that the employee was a problem beforehand. The department, however, didn’t feel empowered either through policy or legal issues to raise the issue of security to senior management.
Specialization can have repercussions. When Bass was assigned to tackle a threat, he attacked information systems first. If the enemy’s technological defenses were effective then he went after people. He found out who was connected to the network assets, recruited those people and soon had folks with access to an enemy’s information systems on his payroll.
“No company,” he said, “is 100% immune from this sort of cyberattack.”