Anyone who has ever had to endure that obligatory welcome speech given to incoming engineering students each September will recognize the following joke: “Look to your left,” the Dean will suggest from behind the school podium, “and now look to your right.” Which leads to the punch line: “One of these students will be gone by next semester.” So much for supportive education.
I had these Deans in the back of my mind last week while interviewing Mr. Jack Barsky on-stage at the Second Annual TAG Cyber Security Conference, held in New York City at Caroline’s on Broadway. But I shifted the podium story a bit: In my mind, I had each of the participants in my conference looking left and then looking right – only to conclude that one of them might be a foreign spy! (So much for being a gracious host.)
In case you are not familiar with Mr. Barsky, his unique journey involves being recruited as an East German graduate student to become a KGB spy in the 1970s. After a period of language and cultural training, he was sent to the United States, where he blended into society, eventually becoming a trusted programmer for a financial services firm in New York. He later became CIO for an energy company. Today, he is a US citizen.
I first met Mr. Barsky last year after giving a speech. We had the opportunity to chat briefly near the stage about his growing interests in cyber security. His calling card at the time was his recent segment appearance on CBS Sixty Minutes. You can, and should, read the full transcript of his fascinating interview with Steve Kroft at https://www.cbsnews.com/news/former-kgb-spy-jack-barsky-steve-kroft-60-minutes/.
Now, I suspect you may be wondering how a former KGB spy can enjoy a lovely chat over coffee on a night club stage with someone like me, without dozens of fully-armed FBI or KGB agents storming Caroline’s. Rather than answer that obvious question, I suggest that you grab a copy of Mr. Barsky’s recent book, Deep Undercover (Tyndale House Publishers, 2017), to learn the answer. It is a captivating read, especially if you chase hackers for a living.
So, what was my own takeaway from this KGB spy who infiltrated US companies without a hint of detection from management? It is simply that we make things too easy. Take Mr. Barsky’s method of establishing an identity: Beginning with a forged birth certificate, he easily cascaded the implicit trust upward in a stepwise manner, exploiting a weak library card process to obtain a driver’s license, on his way to the Holy Grail for spies: a US passport (which he failed to obtain, by the way).
Mr. Barsky explained to me exactly how he managed to communicate with Moscow during his time in New York City. “We used a simple one-time pad,” he said, “which we knew was an unbreakable code, so long as both sides protect the key information.” He went on to explain how he would spend hours collecting and decoding the shortwave communications sent from “The Center” to obtain his instructions and other information.
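The one-time pad property Mr. Barsky describes, that the cipher is unbreakable exactly as long as the key material stays secret and is never reused, is easy to see in a few lines of code. The following is an added example, not code from the original post or from Mr. Barsky; it assumes messages are byte strings, that the pad comes from a cryptographically secure random source, and that every pad byte is consumed exactly once. The sample messages are constructed for illustration.

```python
"""One-time pad walkthrough (added example; not from the original post).

Assumptions: messages are byte strings, the pad is drawn from a
cryptographically secure random source, and each pad byte is used once.
"""
import secrets


def generate_pad(length: int) -> bytes:
    """Fresh random pad, one byte per message byte."""
    return secrets.token_bytes(length)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must be the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(plaintext: bytes, pad: bytes) -> bytes:
    """C = P xor K, consuming exactly len(plaintext) bytes of pad."""
    if len(pad) < len(plaintext):
        raise ValueError("pad is shorter than the message; never stretch or repeat it")
    return xor_bytes(plaintext, pad[: len(plaintext)])


def decrypt(ciphertext: bytes, pad: bytes) -> bytes:
    """P = C xor K; XOR is its own inverse, so decryption is the same operation."""
    return encrypt(ciphertext, pad)


def roundtrip_ok(message: bytes) -> bool:
    """Sanity check: encrypt then decrypt with the same pad returns the message."""
    pad = generate_pad(len(message))
    return decrypt(encrypt(message, pad), pad) == message


def rejects_short_pad() -> bool:
    """The pad must cover the whole message; a short pad is an error, not a wrap-around."""
    try:
        encrypt(b"two bytes", b"x")
    except ValueError:
        return True
    return False


def consistent_pad_for(ciphertext: bytes, guessed_plaintext: bytes) -> bytes:
    """Why the pad is 'unbreakable': for ANY guessed plaintext of the right
    length there exists a pad that maps it to the observed ciphertext, so the
    ciphertext alone gives no way to prefer one guess over another."""
    return xor_bytes(ciphertext, guessed_plaintext)


def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """The failure mode behind 'protect the key information': two messages
    under the same pad satisfy C1 xor C2 = P1 xor P2. The pad cancels out and
    the relationship between the plaintexts is exposed without the key."""
    return xor_bytes(c1, c2)


def reuse_demo():
    """Constructed sample: two equal-length messages encrypted with one pad."""
    p1 = b"MEET AT NOON"
    p2 = b"WAIT FOR NOW"
    pad = generate_pad(len(p1))
    c1, c2 = encrypt(p1, pad), encrypt(p2, pad)
    return p1, p2, pad_reuse_leak(c1, c2)


if __name__ == "__main__":
    print("round trip:", roundtrip_ok(b"CENTER TO AGENT: PROCEED"))
    p1, p2, leak = reuse_demo()
    print("reused pad leaks P1 xor P2:", leak == xor_bytes(p1, p2))
```

The two helper functions at the end carry the lesson: `consistent_pad_for` shows that a ciphertext is equally consistent with every plaintext of the same length, which is the formal sense in which the scheme is unbreakable, and `pad_reuse_leak` shows that the guarantee evaporates the moment a pad is used twice, because the key cancels out of the XOR of the two ciphertexts. Key secrecy and single use are the whole security argument; the cipher itself is trivial.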
Mr. Barsky drew clear parallels between the ease with which he could game our conventional systems three decades ago and how easy it is to game our online systems today. “Hackers have such an easy time breaking into targets,” he explained, “because so many mistakes are made in selecting bad passwords, clicking on infected emails, and so on.” Such parallels are chilling to hear from a former spy, because they validate what we already know.
Look, I am not recommending that you degrade the local workplace by having everyone start looking over their shoulders for foreign spies. But I would say that when an employee’s story doesn’t quite add up – perhaps with unexplained time gaps in their resume, or when someone seems to exhibit certain other unusual attributes in their personal stories – well, then perhaps, just perhaps, we should be taking a much closer look.
I recommend that you read the Sixty Minutes transcript and then read Mr. Barsky’s book. Once you are done, please take a moment to share your views here. This is a serious and important topic, one that we should be discussing openly across the entire cyber security community.