The Spy Who Hacked Me(tLife): An Interview with Jack Barsky
WDG Talks Cyber Warfare and Cyber Intelligence with Former KGB Agent Jack Barsky
In the past month, we’ve talked about data security and privacy. What we haven’t talked about is the other side of cybersecurity—the reason for its existence. Cyber warfare. Our latest guest discusses the very things that are keeping cybersecurity wonks up at night. Jack Barsky is a cybersecurity expert and was a KGB sleeper agent for ten years at the height of the Cold War.
Episode Transcript
Lisette Alvarez: 00:01 In the past month we talked about data security and privacy. What we haven’t talked about is the other side of cybersecurity, the reason for its existence: cyber warfare. This is WDG’s ‘The Feedback’. I’m your host, Lisette Alvarez. Today, we are going to discuss the very things that are keeping cybersecurity wonks up at night. Jack Barsky is a cybersecurity expert and was a KGB sleeper agent for 10 years at the height of the Cold War. He wasn’t digging into government files though. No. What Jack Barsky represents is the vulnerability of private industry to cyber crimes. Back in the 80s, he had access to sensitive materials at insurance giant MetLife, which could have been catastrophic to U.S. national security if he wasn’t caught in time. In this episode, we are going to delve into the modern cyber warfare and cyber intelligence. What motivates hackers and who is at risk? Spoiler alert: we all are.
Jack Barsky: 01:04 All right. I’m going to have to give you the short version or else we’re gonna use up the whole hour with my introduction. My claim to fame, so to speak, is that I was recruited and trained by the KGB and I am originally from Germany and I was sent over here in 1978 to spy on the United States and do some damage. I did for a while and then I quit and I just stayed back here. Around seven years later. I was eventually discovered by the FBI, cooperated fully, and became a citizen four years ago. And I spent 35 years of my career in the United States, my official career in information technology, initially hands-on and then in management all the way up to CIO. So in the latter part of my career as a CIO, I clearly had an overall responsibility for how to use the web, cyber security, and so forth. I left my very last job — I started yet another career and became an author. I wrote a book, ‘Deep Undercover’ and I’m now engaged in public speaking, primarily speaking to audiences with a bent towards cyber and cybersecurity. I’m pretty well networked there. And, you know, I talk a little bit about a lot of things that — the technical approach cannot prevent everything, particularly the insider threat — about which I have some experience. And overall, because I’ve been in the public, so to speak — I’ve been interviewed multiple times by cable TV. So I also make it a point to tell the American public to take this cyber stuff very seriously. I call it a Cold War 2.0. — we are overall — the public that is, not really not well aware and not clued into the dangers of cyber war.
Lisette Alvarez: 03:41 Yeah. And that’s something I know we talked about before, specifically the state of cybersecurity. Could you kind of explain the history of it? You know, how, how you seen it from, your beginnings in intelligence, how it’s changed and how you see it going.
Jack Barsky: 03:58 Well, and I really, I don’t want to, give you back book knowledge how this cyber stuff all started, you know, that people can read up on it. So I’m going to give you my, my personal view. When I was trained, that was in, in the late seventies in, in Moscow, cyber played absolutely no role at all. As a matter of fact, the Soviets were pretty late to this game with regard to using the internet for espionage. It was not until sort of the late eighties that somebody approached me and says, well, you know, you maybe take a look at the internet and see what you can do with that. And not really well directed. There wasn’t a, I don’t even know if the KGB had, at least the folks that I worked with had an idea what hacking can yield. Personally, when I, when I first started in information technology was all mainframe. So the, the only security that was important. There was fundamentally physical security and, and preventing people from accessing certain, you know, what we know is called directories, you know, making them inaccessible. I was at the time the absolute 100% insider threat. You know, I, I was an employee of MetLife and I had access to a lot of stuff that could have been really interesting to the Soviet Union, but they didn’t have a clue. They didn’t have a clue as, as to the value of data. To give you, I give you one example. I worked in a group medical insurance. We insured about 15 million families across the United States and this was all based on group by companies. And there were a lot of companies of interest within entire population base that I told my handler in Moscow. It says, this is what I have access to. And they didn’t bite. My goodness. I could have a, I mean there were, there were, you know, like companies like Boeing, companies like that, that made weapons and, out of the military industrial complex. And so forth. So no, they didn’t bite. But, but that wasn’t really, you know, you can call it cyber too. 
But the way we look at cyber and I was really everything that’s connected to the internet. My first non mainframe adventure was in a late, very late eighties, where we built a sort of a, an application that ran on a local area network was not connected to the, to, to the internet. I got exposure to the internet when we were acquired by a company that was a little more forward looking. And this was the first time that I heard the word firewall. You know, I had no idea what that was, but in those days and early nineties, almost all the security that was put up was to just prevent people from coming in uninvited, from the outside. Now, as time went on, and, in information technology was going more and more towards the internet, the security aspect of the internet became a focal point. It was maybe 15 years ago when I first heard the title chief information security officer. Now that no one was, everybody has one. And this was a, this wasn’t a company that had a lot of Unix based computing and, and it was also a healthcare company that the protected itself a whole lot better than the traditional ones when it, when I was really, really, when I got in, intimately involved in cyber securities when I joined the energy industry, because, you know, energy is of strategic importance and, the, you know, protecting the grid, the grid, protecting the, the, the, the infrastructure as well as the, the control centers that control the grid, you know, if you, if they are physical are eh, one physical location and there are highly secure. So we had doubled triple security. But ultimately, and I don’t know if I’m going to get there, nowadays, there is fundamentally very few companies that pay that don’t pay attention to cyber security. And they’re usually in, if they’re still there, they’re usually in a, what I would call, soft industry, like entertainment and, and, you know, who knows.
But, but anything that could be severely damaged is well protected with some exceptions, see experience.
Lisette Alvarez: 09:07 Yeah, no, that’s actually really helpful to kind of understand the history, where the trajectory has been. And similarly, I’m interested in your take in, I know this is a, you know, as, as I’ve kind of foreign policy junkie myself, I’m interested in the concept of who is it that really is a threat. You know, we, we, you know, we, we talk a little bit about this stages of like in the Soviet Union, it was this, you know, a large state in PR enterprise. And in the past 10 years or so, people talked about rogue agents or rogue actors. What are we looking at now when it comes to insider threats?
Jack Barsky: 09:53 That’s a really good question and I’m going to give you a short answer. When you ask who is a threat, I say everybody, everybody who does not wish us well, now there are some, and that includes countries, not that you wouldn’t come up with right away at like Iran, even our named partners like Turkey. But primarily it’s the Russians and the Chinese, you have to worry about, and, and the Russians you know, when they discovered what can be done in cyberspace at a significantly lower cost than what they used to be doing in the, in the human intelligence world. They jumped into this with both feet. And then they, there are layers of, of participation in this cyber war. In other words, not everybody who, who hacks into our systems or who spreads this information is employed by, by a secret service. These are, these will loosely associated groups. So, you know, you can give them orders and they may, they probably just verbal. And so you have plausible deniability, there. And you know, the, the sad thing is, no matter where you are, what society you live in, there’s always a certain percentage of information technology, people who love hacking, whether they be ethical hackers or the ones that cause damage, or the ones that want to enrich themselves. Because we, and I, I count myself sort of as part of, part of that group. We in information technology are primarily introverted. The ability to get into somebody else’s system take over machines gives you a sense of power. And this is what, this is what the, you know, the Russian intelligence services, Chinese, exploit. They, they hire these people and they, they pretty much work for free because it’s so much fun. You know, maybe they get a little incentive here and there, but I remember when I, when, when PCs first came out, I got a great kick out of the ability to simulate, keyboard strokes without, without touching the keyboard. You know, this is like great stuff. 
I mean, you know, you control the whole machine and you can control the whole network or you can bring a whole network down. My goodness, isn’t that great?
Lisette Alvarez: 12:27 Yeah, no. This talk of power with, with regards to insider threats and malicious threats, things that, you know, really most industries if they want to, you know, stay in business or, protect their users’ data or protect their own data. This is something that I, I’m sure that they should be considering is, you know, the, the, the motivations behind, this type of threat because I’m sure that, because if the motivation is power, then there’s probably not going to be much disincentives that can be done from, you know, from like Target or any of these other, you know, people who are organizations that have credit card data, they’re not gonna be able to, systematically disincentivize people from hacking into their system. So, you know, what is it then that actually is successful? And I think you talked about this a little bit on our pre-interview call, which is what is the, you know, capabilities of, you know, digital giants like Facebook and Google, you know, collecting data information, how much of it is actually necessary and what is the cost and what is the benefit from, from, from gathering that data versus protecting it or PR, utilizing other types of, whether it’s, you know, implementing laws or implementing best practices across industries, for cybersecurity. So I’d love to hear your thoughts on, on, how these organizations can kind of insulate themselves from digital threats and how much, you know, data collection kind of falls into,
Jack Barsky: 14:10 Well, first of all, this was a very astute observation. If, if the incentive for hackers is that the hacking itself, there is almost no way to, you know, talk somebody out of it as long as they can. So, so, you know, this, this is going to persistence part of human nature. Some people saw that, that, that was, I never thought about this, a very astute observation. Now I heard, more than one question, in your, question there initially you, I think you were asking, so how do we protect ourselves? And this is, this is where we are going in, in cybersecurity, and various industries and various companies are at various stages of, of approaching cybersecurity comprehensively end to end, which includes the technology tech. You know, firewalls have a, there is a reason for firewalls. But, there’s, there’s a whole lot of technology out there, a lot of, you know, startups, or relatively young companies that have come up with solutions that are quite interesting and that will add to your security. For instance, I recently gave a speech at a company that embeds knowledge of data within the data. In other words, it embeds a set of metadata right next to the data and it, and it knows who has touched the data, what, when the data is gone, whether it’s always with the data and it’s relatively easy to extract and find out, you know, threats that haven’t really materialized. And there’s many other such similar solutions. The, the other thing is, that also, would help a lot. It’s a, it’s a, it’s a change in architecture and on, and, and instead of having a sort of a monolithic architecture when, when somebody comes in, they are pretty much, you know, have access to everything that you’re doing. A Confederate art architecture with subnets that are, well protected by themselves will limit damage because the bottom line is at one point there, there will be damage.
And so the other thing that I wanted to point out, there is no such thing as a hundred percent security. So part of your cyber security, efforts must be a plan how to recover from damage if and when it occurs. So, so this is a, this is a very comprehensive approach, which includes, and this is at this point, not too many companies are doing a good job with this, which includes, training of, first of all the IT folks to be a security, focused no matter what they do. And, also the entire, you know, workforce, there has to be more of a culture of, of safety and security in our companies. And this is one of those things that is very often considered overhead. And then once he, you do have the damage because it was caused by, some body, not, you know, in being engaged in what I call a cybersecurity hygiene and making a stupid errors or sometimes not so stupid errors, but you know, human errors. And in all, all of this, you know, we’ve, we have to go in that direction. This is not just for companies, but it’s also from a national security point of view, very important. I don’t see enough of that yet in the public sector. I don’t hear a lot of politicians talk about it. I don’t, you know, I know the FBI is a, as a, as a best effort in cybersecurity, but as far as, you know, bringing this out into the public, I don’t, I don’t see enough of that yet. So that was my first answer. The second answer, you know, where, where do you draw the line between collecting, data and spying on people? As a matter of fact, if, if, and so it starts out that people put a lot of, their own personal data on, on the internet. The only, by the way, the only way you can prevent somebody else getting your data is not getting on the internet. The moment you get on, you know, you, you create an account for yourself, you got to have an identifier them. So where do you draw the line? Is a, that’s a, that’s a tough one.
But, I would, I would say if you take information that I put out without my knowledge, you are stealing from me. That should not be allowed. I shouldn’t have to give you permission. Having said that, there’s a lot of people and, and you know, there is a way to give permission like by opting in and opting out, if you have to opt out already, this, this, this, this is sort of a loophole. There’s all kinds of ways to obtain that permission. But even if I, if people have to explicitly give permission for a certain type of data to be used, there’s a lot of people who give it anyway. So now what that problem will not, not ever be solved.
Lisette Alvarez: 19:52 Yes. And that’s, I’m sure that goes back to that cybersecurity hygiene that you talked about of, of teaching people how to behave and how, how to best protect themselves. Cause this is, this kind of gets into the, the conversation around, GDPR, and, and opting in. There’s a couple of, you know, questions that people have that so many of these sites are necessary for modern life. So is it really a choice to opt out of engaging with that site if or, or if the site decides, you don’t get access to this content if you don’t opt in? You know, where does, yeah, I think that’s, that’s also a, I feel a psychological marketing ploy too, is how much of this data is necessary and if it is necessary, you know, who, who decides what is or is not necessary.
Jack Barsky: 20:45 This is so tricky. And for the longest time, I did not allow my cell phone to disclose where I was and then I moved to another city and now I’m using Google maps and it needs to know where I’m at. There are many such examples. And, I, as I said, I don’t know if there’s any way to, to perfectly secure, one state one’s information and prevent, abuse other than, you know, do your best and hope that, you know, maybe 90, that you can handle 90% with the criminal, procedures, catching people, teaching cyber hygiene, being a little bit alert and aware, teaching our children. We’re not educating them, we’re not teaching our children. And you know what right now with what’s coming out more and more in the, in the, in the public discourse, in politics, you know, people that put something on the internet 20 years ago when when they first started and said something really stupid, they’re digging out, digging it up now. So, so what I would tell my daughter as she gets on the internet right now, it’s highly supervised. I would tell her, don’t put something stupid on the internet. Don’t even put something that you think is clever on the internet because maybe 20 years from now you think it was stupid.
Lisette Alvarez: 22:18 Yeah, no, that is, that’s a, that’s a really good point. And this kind of goes into, I think your story bit cause your, your time as a, as an agent for the Soviet Union is well documented and you’ve, you’ve been very open about it as well. Do you see any correlations between this idea of restricting information or giving information as a part of espionage versus kind of the world of digital and marketing?
Jack Barsky: 22:50 Obviously, the target data for espionage, maybe a little bit different. There’s, there’s industrial espionage and the Russians are really very good at it, and some of the Chinese, and then there’s, then there’s the the espionage that is going after military secrets. Your average Joe Schmoe, your average hacker doesn’t really care about that stuff. And then there’s, then there’s the, the disinformation, which is really in the intelligence world. We used to call this active measures. Now they call it fake news. Ah, that’s the, just create trouble in, in other countries that is, has been practiced, since I was 19, 20, in, in those days, disinformation was primarily done through newspapers and magazines. And nowadays it’s so much easier on you. You know, you see what’s happening on the internet and it’s just amazing. And the problem is that, we as a country are not very well educated. We’re not very well trained to, to spot the worst fakes. You know, if it’s on the internet, it has to be true. No, no. Now that doesn’t mean, you know, I get hold to everybody will get folded. That depends on the sophistication of, of the one who’s doing the fooling. It’s a, it’s a, it’s a really, really scary world. And, we as a, as a nation overall are not, not aware of how scary it actually is. And there are, there are scenarios and, and you this very well, it is quite possible to bring down an entire country with a well coordinated attack on the internet. And believe you, me, we do the same thing. It is, it is a war behind the scenes. You, you have to be prepared. If you are attacked, you, you come up with, with a swift counterattack to disable the other side. I hope it’s not gonna come to this, but I’m having nightmares of a scenario that, we’ll come close close enough to the way we came pretty close in the sixties and seventies and early eighties, too close to a nuclear, world war.
Lisette Alvarez: 25:36 Yeah. I’ve been told by many people when thinking about these very serious problems is it’s not paranoia if they’re really after you. And, you know, even though we have a sense of kind of general security as a general public, we hope that our military and intelligence agencies are going to protect us, are going to from outside threats. There’s also a question of insider threats. Like you mentioned, some of these hackers, they might not have any particular strong tie to one type of a country or, or belief or another. They just enjoy it based off of the power.
Jack Barsky: 26:15 Let me, let me tell you, let me tell you something about the insider threat. You know, in, in, in my times the, the typical insider would, would have been somebody like me. There weren’t too many candidates nowadays. There is a massive potential for insiders to be smuggled into organizations, possibly even government, from the outside, you know, because there are so much more, movement amongst countries. There’s, there’s, you know, people from Russia and China studying over here. There, there’s a lot of IT workers that are not US citizens and I don’t even know how and, and, and all this outsourcing, I have no idea, how is whether it’s possible to, to actually do a good background check on everybody. You don’t have any data on, you know, whether somebody, who, who works at say an India, worked for a reputable Indian company and this fellow was recruited by a Russian and paid by a Russian and he’s working on rather sensitive stuff. We, we, the company that outsourced to India is checking on the Indian company, but the Indian company doesn’t have a clue how to check on the, their own employees. This is, this is a massive, massive threat and I guarantee you there’s a lot of damage being done by insiders, period.
Lisette Alvarez: 27:41 No, that’s something that, I know I’ve picked up through my studies and I think it’s interesting too the kind of correlation between how we understand digital through a communications as you know, as the fact that it’s open being a positive aspect of the internet. Whereas there really is kind of a false sense of security about how open and how secure that actually is and how beneficial it is.
Jack Barsky: 28:13 Let me strongly agree with you. If you put something out on the internet, that’s the equivalent of in the, in the old days, putting it on, on page one of the New York Times, it’s out in the open and, and I, and then you lose control over it. It may get copied and stored away and you think you can kill it. You can’t, it has a life of its own.
Lisette Alvarez: 28:37 Right. And, I mean, we’ve seen through a lot of the public discourse about Facebook and about, you know, Google and other places that even if you try to, you know, take back or delete your information, it is stored somewhere. Based off of, you know, whatever proprietary technology that those companies and, you know, desire. If you have some time, some more time to talk a little bit about how you, as you know, through your training as, an, you know, intelligence, actor, what are some of the things that you’ve seen in how current, I guess, current, bad actors interact with digital that you would want to tell other organizations to kind of warn them or to essentially teach them on how they think and how to counteract them?
Jack Barsky: 29:36 It depends upon, you know, are we talking about highly trained professionals? Are we talking about people that are recruited because they’re, you know, they’re technically very good and they like hacking. The, the, the, the profile of, of a hacker is pretty well known. So I don’t, I don’t think I can, I can add a whole lot of, information to that. And as I said, you know, they, they are relatively easy to recruit. The, the professionals, the ones that are actually, you know, are operating from the inside of, of an, of an intelligence, hostile intelligence organization, you probably wouldn’t even know that they exist. So that is a real problem. You know, they’re not coming to knock on your door. They’re doing and, they are sneaking around in such a way they will, they will cover up the trace. They have never been there. If they have successfully penetrated to someplace they get out and, and wipe out all kinds of traces. This is, these people are super dangerous and you would to get a really good answer and you might not get it. You would have to talk to the special, forces in the, in the FBI NSA that does counter intelligence and it’s in cybersecurity. They are very intimately aware of what’s going on. I don’t know if they will give you the answers. No.
Lisette Alvarez: 31:23 Yeah. Have you seen, or do you know of any programs that, you know, the FBI or any of the internal, you know, intelligence organizations within the U S are doing to convince or work with, the, you know, the U S government and other agencies and the private sector as well on, you know, setting standards because you know, obviously the FBI is probably a bit, a little bit better positioned to understand what the current threats are, you know, what are, what are some of the ways in which you’ve seen in general, any concerted effort to try to establish a, you know, a set standard of cybersecurity?
Jack Barsky: 32:02 I am not aware of, of of a, of a national standard. The standards very often for the security, are set by industry. For instance, you know, not the energy industry is subject to quite a few standards. Here’s an observation that may strike some people, is a bit odd, but I am reasonably certain that I’m right about this. So a lot of those standards, we call it, you know, there, there, there are, there are frameworks compliance, you gotta behave in a certain way. You do this, this, this and this and you get audited against those compliance standards every year are, they’re actually very often counterproductive because what happens is that, such as in Sarbanes Oxley, the auditors are the ones that that originally came up with the rules and then the audit against the rules. And I have seen personally seen, and I’m not going to talk about in what company that happened that, you know, the auditor and the, the, the executive management had a very chummy relationship. And so they, they became friends and, and the auditors would just like give you a pass and with a wink and a nod his head. And that’s not quite right. He has a check and, and, and so the focus, and I’ve seen massive efforts to make sure that you come out clean out of that audit. And it taught to a point where people falsify records or, tons and tons of documentation that the auditor that they possibly can even all absorb. And the, and here’s the, the motivation behind this is if you fail an audit, you might get fired. If, if you, if you pass the audit, you get to, you know, be an executive for another year. So that there’s a, almost a cottage industry that it is a cottage industry that has a, sprung up out of compliance. And, and I’m not the only one, who, who, who says that, but not too many people in the industry. I have the courage to open up their mouth. It’s the, the folks that I’ve heard say the same thing are I have stepped out of corporate but are still involved.
So, that really, you know, if I leave it up to Congress to come up with a national standard for stuff that doesn’t work, because, and, that’s, that’s really a concern because we were the diverting resources, limited resources for making us more secure by trying to make us more compliant.
Lisette Alvarez: 34:58 And I feel like this is kind of speaks to the fact that if, you know, these hostile, you know, actors understand that there’s this cottage industry, would it then make more sense for them to enter those industries because they know the businesses are motivated not to look for them?
Jack Barsky: 35:16 Well, yeah. The thing about, think about a, a secret meeting, we have lot of me, a potent, meets with, the head of the FSB, Washington intelligence and says, you’ve got to find a way to make these companies less compliant. That would really help us. [inaudible] it is, I don’t know to what extent they are aware of it to what extent, they could actually even, you know, leverage that knowledge. We’re shooting ourselves in the foot and you know, this is go, this comes down to human nature. You know, ultimately, no matter what you work in technology, we are working with the weaknesses, within the technology sector are caused by weaknesses, with, within the human race period.
Lisette Alvarez: 36:08 Yeah. The problem with, you know, trying to crack down on, on, especially theft over, over, over cyber, you know, you know, phishing emails, anything like types of, extortions that are coming out. It’s motivated by power and money, which is a very, very deep, you know, problem. So how do we, you know, how do we, how do we address that? So, you know, considering all this, I don’t want to ask whether or not you’re specifically hopeful about the future in general, but whether or not you have some form of hope or that you, you have seen some positive progress in some areas, even if it is, you know, people like yourself who are trying to step up and educate people.
Jack Barsky: 36:55 Well, it’s, it’s tempting to be very, very pessimistic. But, you know, as, as I told you, I have been staying in touch with particularly the cybersecurity community. And I see, I see a lot of good things happening. I see a lot of, from a technology perspective, there’s a lot of things done that will fight the, you know, the tendency of humans to be naive and make mistakes. For instance, it is very likely that within, you know, the name of few years, four or five years, we won’t need, need to use passport passwords anymore. So this, this mistake to, you know, use the same passwords for every one of the, apps, a mistake to have, write them down and leave them in your desk drawer. There’s a lot of things that are happening that, that will help us not to be stupid and, and, and the, that’s correct. And the, like, like when you have a, a dog that attacks people, it’s a good idea to put ’em on a leash. So the, that’s a silly example, but you gotta work around, the dangers that, you know, are there. And I, and I see the, the folks that operate in cybersecurity are, there’s a lot, a lot of smart people, a lot of very dedicated people, and, and, and great companies with great cultures. So that makes me optimistic. We need to make more progress in the, in the human aspect of it. We need to find a way to get human resources, the human resource department more aware, more involved in this, because, because cyber is part of what everybody’s doing. So, and if, if HR ones wants to still be significant, they need to understand what’s going on there and need to have a closer relationship with information technology that is just maybe at the beginning stages.
Lisette Alvarez: 39:03 And that’s a, that that is a really interesting point. I know we also talked about this initially in our last call, which was, you know, how human resources can vet candidates in a more significant way. Not just, you know, checking to see if, whether or not they are hostile agents of a foreign country, but also if they have themselves a proven track record of cybersecurity hygiene that they, that you know, that they are not going to open a phishing email.
Jack Barsky: 39:32 It’s this thinking that, if you just run a background check and it comes out a, negative, that it’s okay. Without becoming sort of a police state or a, a police company. We need to pay a little attention to patterns that of individual behavior. Now I’ll tell you where they do this, where this is absolute policy is in nuclear plants. The, the, the supervision of personnel and personnel, behavior in a nuclear plants is phenomenal. When they check a references, they don’t check the references, the first tier of references, then they, then they ask those people to give references and they, they check a second tier and, and, and, and, and the entire workforce is reviewed once a year. Now, you know, not, this is because of the, sensitivity of what’s going on in a nuclear plant. Not everybody can afford this, but you know, there are ways to, to ethically watch how your people behave. Right? Right. And, you know, and, and you know, this, this has been bandied about a lot. The see something, say something. I think that’s a valid, a valid approach to, you know, helping us all to, to be a little more secure. As I said before, 100% not gonna. It’s not a valid goal, but, but we can make a lot of improvements and, and I, I am more hopeful than I’m pessimistic.
Lisette Alvarez: 41:17 Those were some really good points. I appreciate it. A note for this section, this interview was conducted remotely. You’re about to hear our content writer and fellow strategy bytes host Andrew Amundson ask an interesting question via phone.
Andrew Amundson: 41:30 Hello Jack. Hey, it’s just been fascinating listening to you guys the past 45 minutes. I really just have one question that I wanted to ask you was really just in your time as a…intelligence agent?
Jack Barsky: 41:48 No, no, no… A nasty, nasty communist spy!
Andrew Amundson: 41:54 (laughs) Yeah. Wanting to be, but I’ll do accurate, as intelligence, agent history in and now you’ve been around for a while as well. I was really just wondering. I’m sort of new to the digital world. If you saw or see any kind of psychological correlation between how marketers operate and how actors operate in the context of espionage?
Jack Barsky: 42:23 That’s a really good question. They both have pretty much similar, similar needs requirements. So the marketer wants to influence people to do something to buy something, right? They, the intelligence world, they’re the ones that, that is involved in fake news and active measures, one to influence, you know, one in one group or another or one entire country. So that is very similar. Then the, the marketers want to find out what’s appealing to you. They want to know about you. This is where Facebook is so, so helpful to the marketers. And, and you know what the most important thing for me was to get to know people and figure out who they are, and what might be leveraged to actually possibly recruit them. So, so the, the targets are the same. One would hope that the marketers are a little more benign. They, they just want to make money out of this. The, the, the enemy wants to destroy us but, but, but, but you know, if you’d say could move from the marketing industry to the espionage industry, call it an industry, I think that lateral would, would be quite easy. Techniques are the same, then we have a future that essentially doesn’t go well.
Andrew Amundson: 43:58 Thank you so much. That goes like my only question.
Jack Barsky: 44:00 That was an excellent question and I think you’ve probably guessed the answer anyway.
Andrew Amundson: 44:09 I was wanting to hear you talk about it. [Thank you]
Jack Barsky: 44:11 You’re welcome.
Lisette Alvarez: 44:12 Thank you so much, Jack for, for speaking with us. If you could give us as a small digital agency, any advice? You know, what we, we work with building websites for other companies and organizations and some government organizations as well. Know what, what would be something that you would recommend?
Jack Barsky: 44:41 Well, you know, the one thing that works really well is scare the heck out of your customers. Honestly, you know, come up with, when you, when you go and you know, give your presentation to a potential customer, you ought to show him something that, where things break, what can and, and how you would prevent this kind of thing. I can’t get into technical details here, but, but this, this is, you know, the, ultimately the, the, the ultimate decision maker very often in, in, in larger companies is the office of the CFO and the CFO will actually spend money if they know this really needs to be done. I was in a situation once, I, I was hired as a CIO into a company, where, when I got in there, there was a large company, they had servers in a closet, corporate servers. They were not secure. And, and that didn’t, I didn’t need a lot of convincing to tell them that if, you know, if, if we don’t spend X dollars on this one, your whole company could blow up. So you don’t, you don’t have to invent the threats, you know, that they’re there. You know, that the damage has been done. It needs to just be pointed out because people like to forget this. You know, how many people will remember that, you know, the, the Experian hack, the, which was the entertainment, it was, the, the big entertainment company. It wasn’t Disney, Sony, you know, and you know, this needs to be part of, of your, your sales pitch because, you know, based on what I’ve gotten from your website, you are building your security conscious and you’re trying, you’re trying to build really secure websites. For your customers, I would scare him.
Lisette Alvarez: 46:53 Yeah. Well great. ’Cause that’s actually something I know we’ve, we’ve talked internally about too is, is security. And I know all of our developers in particular are all security minded. ’Cause we have had unfortunately a, we won’t say specifics, but we’ve had bad experiences in the past. And past relations of our organization where, you know, either vendors that we’ve hired to secure a website, you know, failed spectacularly. And that’s something that is on the forefront of our mind constantly. But I hear you in terms of, you know, making sure that, that we, we bring it up to the potential client if even if the client doesn’t, really most clients don’t even mention security in their requests for proposals for their website. So that’s something that we can bring up as, as security minded companies.
Jack Barsky: 47:50 There’s one caveat with us, a scare tactic is that it has to be authentic. It can’t be, you can’t be perceived as part of a sales pitch by a slick sales person. It has to be absolutely authentic and that that has to be built, delivered by somebody who possibly has experienced bad things or, or at least somebody who really, really believes in this, you know, in, in cybersecurity and what’s being done to secure companies in the country.
Lisette Alvarez: 48:24 If you want to learn more about Jack and his story, you can pick up his book “Deep Undercover” and you can find him at his website, jack barsky dot com. Additional information can be found in the show notes. If you want to learn more about how to keep yourself and your company safe, consider listening to our previous episodes on digital hygiene and data privacy. This is Lisette Alvarez signing off for now. Thank you for listening.