HOUSTON—John Bass, who spent 27 years at the CIA’s National Clandestine Service studying the methods and motives of people who would do harm to the U.S., told a tale of how spies work.
You “bump into” a KGB agent, he said at the recent Duff & Phelps/Amegy Bank of Texas Private Capital conference. You find that you have things in common, invite him out for a cup of coffee on the outskirts of Moscow. You tell him how much you admire the contributions of Russian culture to the western world. You mention how our president is interested in making contact with Russian patriots like him so there can be an understanding and the two countries can avoid a future conflict.
A year goes by. Trust is gained. You mention that you just returned to Washington where you spoke to people very close to the president. They were interested in his insight and guidance. So many in Washington and Moscow are looking for conflict, but the president believed that engaging with patriots like him could forge a new kind of relationship between the countries.
But you told those Washington contacts that agreement was not enough. You had to be able to offer this KGB friend something. They agreed. Perhaps a stipend? Or a nice cottage in the woods outside Stockholm? You let him know that you went out on a limb for him. Were we set?
And thus began a relationship with a source inside the KGB that could last three or four decades. The oil and gas executives in the room were enthralled, at least until Bass, now a director in Duff & Phelps’ global data risk practice, ended with the moral of the story.
“That’s not entirely different than how competitors, terrorists and activists might choose to target your personnel in Equatorial Guinea, in Mauritania, in Saudi Arabia,” he said.
Among the adjustments Bass has made in discussions with clients in the private sector is understanding the trend toward specialization in American business. He found that senior corporate executives with broad global roles were largely unaware of the systems in place to protect their companies.
For example, handling cyber threats was left to the IT staff. Physical threats to assets were handled by other personnel. In almost all instances, those responsible for security focused on investigating things that had already occurred.
“There’s not much perspective about the strategic risk to the corporation,” Bass said.
Government intelligence organizations like the CIA take cybersecurity seriously but they view risk holistically—who has a connection to the asset?—and not as a purely technological issue. Bass found that his discussions with IT people always veered back to technology.
“Time and time again, I found that discussions about people made them uncomfortable,” he said. “They sought to return the conversations to discussions of technology and historical issues only.”
And that can be a risk unto itself.
“We court disaster as so much cyber risk exists outside the IT department and with the people of the organization,” Bass said.
At the CIA, a critical component of cybersecurity is the human resources department. Psychological testing and evaluation for maturity and stability are critical to understanding troubles in an employee’s life and ensuring that life crises are handled properly.
“When I tried to engage with corporate HR on issues of cybersecurity, they were surprised that they were involved in the discussion,” he said. “They didn’t see themselves as part of this conversation on cyber.”
What stunned him were cases where a malicious actor caused a breach and HR knew that the employee was a problem beforehand. The department, however, didn’t feel empowered, whether because of policy or legal issues, to raise the issue of security with senior management.
Specialization can have repercussions. When Bass was assigned to tackle a threat, he attacked information systems first. If the enemy’s technological defenses were effective, then he went after people. He found out who was connected to the network assets, recruited those people and soon had folks with access to an enemy’s information systems on his payroll.
“No company,” he said, “is 100% immune from this sort of cyberattack.”
Joseph Markman can be reached at jmarkman@hartenergy.com and @JHMarkman.