March 4, 2025 • 44 mins
Scott Baucum’s official title at Bayer U.S. is Vice President of Special Compliance and Asset Protection. But his day-to-day focus is stopping those bad actors attempting to infiltrate American technology companies to steal their proprietary data. Sometimes those scheming to steal exist within the ranks of the companies targeted. And as Scott Baucum knows firsthand, these “insider threats” often pose the most risk. Designated’s host, Yaya Jata Fanusie, spoke with Scott about what it's like being a target for economic espionage and to find out how a kid who grew up on a farm in Texas applies his vast agricultural knowledge toward dismantling Chinese spies plotting to steal biotech secrets from American companies.
----------------------------------------------------------------------------------------------------------------
Designated’s Proud Sponsors: TRM offers leading blockchain intelligence for AML compliance at financial institutions, crypto businesses, and regulatory organizations alike - with sanctions support on 65 blockchains and coverage of more than 70 million digital assets. In a recent customer survey, 85% of users agree that TRM accelerates their work. 92% of users agree that TRM provides actionable intelligence. And 83% of users agree that TRM has provided intelligence they would not otherwise have. See for yourself why our customers rave about TRM by requesting a free trial or demo at trmlabs.com
----------------------------------------------------------------------------------------------------------------
Illicit Edge: Breaking News for Financial Crime Yaya Jata Fanusie, a former CIA analyst with years of experience in counterterrorism and financial crime investigations, will go behind the scenes with the professionals working to safeguard the global financial system from illicit acts. #financialcrime #compliance #china #blockchain #espionage
See omnystudio.com/listener for privacy information.
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:03):
Today's podcast is supported by TRM. TRM enables compliance teams
to accelerate business revenue and deliver actionable intelligence to regulatory
and law enforcement stakeholders with leading attribution of severe risk categories.
Request a free trial today at trmlabs dot com. On
(00:35):
Yaya Jata Finoussi. Scott Bacham grew up on a cotton
farm in Lubbo, Texas, and went on to attend Texas
A and M, and then passed on his knowledge of
agriculture as a high school teacher. So how did Scott
Bacham apply his vast agricultural knowledge towards dismantling Chinese spies
plotting to steal biotech secrets from American companies. I learned
(00:58):
about Scott him in an FBI short film called Made
in Beijing, about the People's Republic of China's decades long
effort to infiltrate American tech companies in order to steal
their proprietary data. Scott's official role at the Bayer US
company is Vice President of Special Compliance and Asset Protection,
(01:19):
but his day to day focus is stopping the insider threat.
Scott and I talked about what it's like being a
target for economic espionage and now he has dealt with
many cases of Chinese spies, so many that he serves
as a strategic Engagement advisor for the FBI. It's time
to get designated with Scott Bacham on the Illicit Edge Network. Scott,
(01:44):
tell us, where are you from and how did you
get to Bayer.
Speaker 2 (01:48):
I have to tell you I have a very unconventional
path in my career. It certainly was never by design,
and you know, kind of fascinating when somebody else asked
me that question. I grew up, first of all, in
rural Texas. My dad farmed. I graduated from Texas A
and M University, and I became a vocational agriculture teacher
(02:12):
and an FFA advisor. Absolutely loved that job. And then
I went to work after that as an agronomist and
sales representative for Monsano Company out in that same you know, geography.
I lost my mind.
Speaker 1 (02:29):
I left there.
Speaker 2 (02:30):
I went to law school. I graduated law school, practice law.
I hated that what I was doing in that regard,
and so I just told my wife, I said, I'm
not living my life like this, and I went out
interviewed in Lo and behold, I ended up going back
to work for Monsano just at the moment in time
(02:51):
when we launched biotechnology, so it was excellent timing for me.
And then of course in twenty seventeen by our Age
acquired on Cento Company and I was at that time
the global compliance officer, so I was reassigned from my
role as director of Business Conduct into a role that
focused on what I'm doing now and that is Vice President,
(03:14):
Special Compliance and Asset Protection.
Speaker 1 (03:17):
Well, Scott, you mentioned bear ag, but before we even
get into the company, you use the term that I
want to break down a little bit. Everyone knows what
bio is, and everyone knows what technology is, but practically
what is biotech.
Speaker 2 (03:33):
Well, biotech is actually emerging science from the science of
genetics into the science of biology. In our case, other
people may do in the animal kingdom, we kind of
exclusively work inside of the plant kingdom. And where you
are bringing science into where you can actually change what
(03:54):
you have in biology the DNA makeup of a plant,
and you can make it more or beneficial. You can
incorporate some capabilities inside of DNA that otherwise you would,
for example, have to use a pesticide for or where
the plant has long been exposed. It is just kind
of the next step in designer plants, if you will.
Speaker 1 (04:18):
And so then how does this fit into to bear?
Is that one of the things you do explain a
little bit more.
Speaker 2 (04:24):
Well, Yeah, So buyer ag is actually a global company
that is made up of global based subsidiaries, and we
operate inside of three different sectors. We operate in the
pharma sector, we operate in the consumer health and care sector,
and then we operate inside of agriculture and we do
(04:47):
those off for those products all around the world. And
in reality, that is a life sciences company when you
combine all of those things, because what you'll learn in
biote technology is is that is kind of fundamentally all
the same all of life. The genetic makeup would be
made up of a's, t's, g's, and c's. It's a
(05:10):
little bit like the binary codes eros and ones. It's
just depending on how that's put together. So it's the
same a's, t's, g's, and c's in the plant as
it is in the human. But the combination of how
those are put together determines how that's going to present
phenotypically out in the world. So when you combine those
(05:31):
sciences together, it creates a synergy there, if you will,
that helps everybody working inside of science to do a
little bit better, a little bit faster.
Speaker 1 (05:41):
Well, in your role, you deal with insider threats, something
that a lot of people don't know much about. So
can you explain to us exactly what is an insider threat? Oh?
Speaker 2 (05:53):
You bet, okay, And it's very important to understand that
and distinguish that from maybe some other things there. First
of all, gets started with this. I'd just like to
clarify that I'm given comments and opinions here today not
necessarily shared by my employer. I am also a strategic
Engagement advisor for the FBI and ask to give converce
(06:17):
give talks like this in a lot of different areas.
But I'm going to be expressing my opinions today. Well,
first of all, insider threat We are, as I explained,
a science company. We invest about two point five billion
euros a year into research and development. We do research
(06:37):
and development on the front end of things. We actually
invent brand new things, and that's usually in collaboration with
other people and joint ventures and that kind of thing. Well,
when you invest that heavily into something brand new, then
that makes you very attractive to what we call economic
(06:57):
aggression actors or people that are in pursuit of that.
We're investing heavily in order to develop that. There are
others that want to take a shortcut and try to
get access to that without going through the long form.
So I'll distinguish insider threat from cyber threat generally when
I talk about this, a cyber threat is somebody on
(07:20):
the outside of the organization trying to penetrate in and
trying to get access to information from the outside of
the company. But the insider threat, the insider threat is
the person that comes to work for the company, is
given access credentials badges to get inside the building and
then computer and system log on in order to get
(07:42):
on the system. Then they use that access then to
go places that they're not authorized to go to get
into information that is not theirs to play around with.
So I would distinguish those two things in that regard.
Speaker 1 (07:57):
So you're dealing with threats, in particular the inside threat.
So it seems like if I'm an employee and you're
talking to me, something has gone wrong. What type of
activities would cause you to be speaking to an employee?
Speaker 2 (08:14):
Well, if you talk about it broadly, you've got disgruntled employees,
and then you've got employees that are accessing information that
they shouldn't get. Right, disgruntled employees have been known to
do theft, They've been known to do sabotage because they're angry,
and even all the way up to some type of
physical reaction like an active shooter or a physical threat
(08:35):
of some kind of thing like that in the workplace.
Far more frequent it would be in the accessing of information.
They employees may go and do fraud, They may engage
in embezzlement. It could be negligent action they just don't
know what they're doing, or it could be coerced somebody
is enticing them to do something that they wouldn't otherwise do. Really,
(09:00):
what we talk about and the reason why we need
an insider threat program is to address the more serious
matters under eighteen USC Sections eighteen thirty two and thirty one,
which are industrial espionage and economic espionage. That is, when
people very organized intentionally send folks into a company with
(09:24):
a shopping list to go after technology that is trade
secret or proprietary and then come out of the company
with that. So you asked Yaia, where I would get involved. Well,
we have a process at our company where if there
is a detection of some information that's leaving the company,
(09:47):
there's a team of people that would detect that. They
would actually verify that it's important enough to spend time on,
and then they would go and interview the individual or
somebody in that group to determin and confirm, hey, is
this really important. If it's not important, then we may
just re educate that employee, send them through training again,
(10:08):
something of that nature, or we may go sit down
with them. The team may go sit down with them
and interview them and say, look, you did this, you're
not supposed to. We need to go into your systems
and your accounts to recover what you took and to
make sure that you didn't forward it to some other place.
And if that all goes swimmingly well, then I would
(10:30):
only see it on a weekly report of sorts. But
if they were to push back on it, I might
go into the situation and interview them myself, or if
they were still not cooperative, then we may go to
outside council. We would always encourage them to get an
attorney because that works out better and then if that
(10:53):
doesn't work, then we fouled civil suit for recovery of
what we're doing.
Speaker 1 (10:58):
So Scott, when when you are with them, if they're
talking to you, and it's been elevated at that level,
what sort of things are you saying to them and
what are they saying back?
Speaker 2 (11:10):
Well, yeah, so it's really good to get a grasp
of all of this. The vast majority of people would
make some excuse, They would feel embarrassed, they got caught.
They would say something that they thought was in their
best interest. Oh, I didn't know I just grabbed a
bucket of files, or I grabbed a file folder. I
(11:31):
didn't realize that that was in there. That's something that
we hear pretty frequently. You know. Some of the more
concerning ones are even with all the training that we've
ever done, we still get employees that say, well, you know,
I was working here too, and that is my work
product and I should have some ownership interest in that
(11:51):
as well. And we have to go through and remind
them when you came to work here, yes, sign this
agreement that said the work product belongs to the company,
We compensated you for that work, and you can't take
this information with you when you go so there you
have people that feel some level of entitlement they don't have,
(12:12):
and you know, you you've got to go in and
deal with people in that regard, and then they will
react differently. Right some people will just simply say, I'm sorry,
I'm new, shouldn't have done it. I just did it.
I was scared, I was laid off, I knew I
was gonna need to get another job. I thought this
would help me in the next job. Anything from that
(12:35):
all the way, you know, to the it was an
accident and didn't realize it. And then you get into
people that react negatively. They will fight back, defend vigorously.
Those are the ones that are really kind of sad
because we you know, we will follow them in the
escalation of that. If we have to file a civil
(12:56):
suit to get our stuff back, then it costs them
a bunch of money and it ends up aggravating them,
and then the exit from the company becomes something that
doesn't leave a good impression with them as they go
out there. Ex employees are always ambassadors to your company,
and it's just very unfortunate when we get into a
(13:19):
situation like.
Speaker 1 (13:20):
That, and Scott I must say you've dealt with quite
a few situations. In fact, you came on our radar
through a film the FBI put together called Made in Beijing,
and it was largely about Chinese economic espionage. So could
(13:40):
you walk us through how economic espionage from China came
on your radar? Well?
Speaker 2 (13:47):
Sure, again, you know, kind of accidentally. I didn't go
looking for trouble. But in my role with Monsano was
head of global internal Investigations. In that was if we
got an alert from our data loss protection technology that says, hey,
yah yah has taken some information here, every indication is
(14:11):
it's important and we need to go check on that.
So we would investigate that the same as we would
any whistleblower allegation. Uh, And then we would have a
report infrequently and we would escalate as that was necessary.
But I'm gonna tell you in two thousand and eight,
two thousand and nine, ten eleven twelve, in that time period,
(14:32):
we begin to notice that our that our total investigation load,
the percentage of things we were investigating, was going up
inside of the data protection category. Doesn't mean the others
were coming down, but we did notice more frequency there,
you know. Simultaneously, we're rocking along, we're minding our own business.
(14:55):
I get a telephone call from my corporate security team saying,
and you have a visitor here. The fb I is
here and they want to talk to you. You know
I got a clear conscience. Yeah, yeah, but but I
couldn't imagine.
Speaker 1 (15:14):
What that was.
Speaker 2 (15:15):
Yeah. So I met with them, and very quickly, the
first thing they say is do you have a security clearance?
One though I know, well, I need you to sign
right here because we're going to tell you things that
you can't disclose. It all seems very formal, right, it
all seems very Tom clancy. And but in the course
(15:36):
of doing that, they explained to me that they were
investigating the case where an employee of a Chinese seed
company was caught in a farmer's field in Iowa digging
up the seeds that were planted in that field. You know,
this is ill advised. I think culturally people really don't
(15:58):
understand people in rural US how they feel about private
property trespassing in those kinds of things. But that, nonetheless
is what had happened, and they needed our help to
develop the evidence on the case that they suspected that
this was directed by the Chinese Communist Party, and we
(16:21):
began to help them as they requested, helped them understand
the science so that they could understand how to put
that evidence together. And that's where it became a team sport.
Speaker 1 (16:32):
So it's a team sport. You all are working together
in that particular case. How did it come to an end?
Speaker 2 (16:40):
Well, it really lasted, right, It had legs that just
kind of extended in all of that. So that particular case,
we worked with them on it for really quite some time.
They developed the evidence on that and they developed it
out of the Southern District of Iowa, I believe federal
courts system. Uh. We worked with them, We got the
(17:02):
evidence right, we proved up our trade secrets uh for them,
and they got a can Well they got a plea
agreement on the way to a conviction.
Speaker 1 (17:12):
UH.
Speaker 2 (17:13):
That individual pled guilty and then served a prison sentence
there for attempting to take that seed.
Speaker 1 (17:21):
So you've dealt with more than one case like this,
And before we get into you know, maybe the A
to Z of of of how they have operated and
and how you've dealt with them. First of all, why
would the Chinese Communist Party go after your secrets. What's
(17:44):
the value.
Speaker 2 (17:45):
Yeah, it's it's a it's a very good question, and
I would answer by saying, we need to really think
globally and culturally when we start asking questions like that. Okay,
here in the United States, we are very you know,
we're very tuned in too, operating from a standpoint of capitalism,
(18:11):
the concept of private property rights, rugged individualism, uh, and
being an entrepreneur. Right, that's that's really kind of a
strong part of our culture here. But that is not
necessarily true in every culture around the world. For example,
in the People's Republic of China, there tends to be
(18:32):
more of a mentality of community, of socialistic thinking about
all for one and one for all kind of mentality.
And so you have to start with the psychology of
this first. But you know, when you just answer the
question straight out, we invest two point five billion dollars
(18:55):
a year. Rarely would we ever invent anything inside of
one year. It is a long process. A new biotechnology
product can take as much as ten years over one
hundred million dollars in order to develop it and get
it there to the first commercialization. Well, if they can
(19:15):
send somebody in in phase three, phase four, of research,
pick that up. Then they can come to market almost
simultaneously with us. They can bypass all of that experience,
all of that expense, and all of the time that
it took to get there, and they can have it
almost immediately by operating this espionage type of model.
Speaker 1 (19:40):
So this model involves operatives, right, the folks doing the espionage.
What's the caliber of the folks that have been sent
to do this?
Speaker 2 (19:52):
Well, I'll tell you ya ya, that's a very dynamic question. Okay.
What I can tell you is that the individuals that
are sent from the PRC and the companies that are
in the PRC, they are very sophisticated people. First of all,
they're extremely smart, some of the smartest people that I've
ever come up, you know, to talk with in my
(20:16):
entire life. And then they have special training on how
to approach this, how to do this without getting detected,
how to get caught, and quite frankly and sadly, I
feel like most of the time that they're training and
their ability is outpacing my ability to detect it and
(20:37):
put a stop to it. And so let me just
give you some examples. In contrast, the vast majority of
data exfiltration is going to be an employee with no
preconceived idea about what they're going to do with the data,
but they feel compelled to take the data for one
(20:58):
reason or another. We would see that because they would
transfer that data to their personal email account through webmail
connectivity in our company, or they would send it to
upload it to a data cloud somewhere, or they would
hit print. They would print it off and move along. Well,
(21:19):
the sophisticated trained agents no longer really engage in that
kind of thing. They have figured out that we are
watching that they do far more sophisticated things.
Speaker 1 (21:32):
Now.
Speaker 2 (21:33):
They can do things that I actually can't understand. My
forensics people have to kind of explain it to me.
But one of the simple things they'll do is they'll
pull the information up on the screen, They'll take their
personal phone out and they'll simply snap a picture on
their personal phone. There's really very little that a company
can do in that regard, and some of the technologies
(21:55):
under development to try to address that or either extremely
expense or you know, not quite ready for prime time yet.
Speaker 1 (22:04):
So, Scott, you've told us about a case where you
actually caught the person, But tell us about a time
when the person got away.
Speaker 2 (22:14):
Well, I will tell you probably the most memorable case
that I have ever had. You remember, in the beginning
I said, there's tentacles to this purple Maze case. Right
about four or five years later, I am interviewing another
person where our data loss protection alerts signaled that there
(22:34):
was some exfiltration of data. We put that individual in
the chair. We were interviewing that person. I will tell
you very quickly, it was apparent that this is the
smartest person maybe I've ever spoken to in my life
as far as intelligence. Clearly smarter than me. And we're
going through asking questions about the data that's disappeared. It
(22:57):
was very long conversations. These are very long interviews because
we've got a lot of things to ask about and
we're trying to determine telling the truth. We asked the
open ending questions. Then we follow that up with impeachment
if we are information says that it's different than what
the employee said. Well, along the way, the employee begins
(23:18):
to telegraph a weakness, which is he thought more highly
of himself than he ought. And so you know, with
our training, we go in and we start playing off
of that, and he really does get overly confident, and
he begins to say other things, and then he volunteers
(23:39):
that he understands what our concern is that it is
the same thing as Mohylong, which is the name of
the defendant in the Purple Maze case. And I just
asked him. I stopped and I said, what do you
know about that? And he said to me, well, I
knew MO, and I've talked with him and interacted with
(24:02):
him when I lived in Iowa. Well, immediately I understood
what this was all about. And I said, what did
you interact with Mo about when you lived in Iowa?
And he said, well, we talked about all kinds of
things about he worked at a seed company and he
wanted to improve what was going on there, and we
(24:25):
talked about all kinds of things. And the look on
his face was such that I knew that he was
toy and around with me. Well, you know, my spiders
senses were up at that point in time, and that,
combined with my propensity to lose my temper, I began
(24:45):
to go after him pretty hard. And in the context
of how red my face was, context of the fact
that I'm leaning forward and talking with a higher volume
and asking questions that get increasingly uncomfortable for him. It
spooked him. He decided he wanted to leave the room.
(25:08):
We can't keep them there.
Speaker 1 (25:11):
And FBI was.
Speaker 2 (25:12):
Collaborating with us on that Everything was going fine until
I blew it and we didn't get everything that we needed.
That individual went home in conversation with his wife, they
decided to leave the country very soon. Within days, they
got on an airplane, they left and they never came back.
So very hard lesson for me to learn, very humiliating
(25:36):
for me to learn about be ready for anything. I
was surprised by that, and it answered a very long
standing question. All right. Well, in the course of all
of that happening, that shook up a lot of people
at the company. Many people knew this individual, they knew
what had happened. They had lots of questions, and they
(25:57):
were very concerned for a number of different reasons, mainly
not knowing what happened, and some even said I didn't
know if I was doing something wrong or not. But
in the course of that, we had a very heads
up h R manager who called our team and said,
you know what, when you guys did that there are
(26:20):
a couple of employees here that I think kind of overreacted.
It certainly was created a lot more anxiety with them
than with the others. They began to whisper with each other.
They don't normally work together, but they started hanging out
several times a day. So we turned our daily loss
(26:40):
protection monitoring onto those employees, and it was very apparent
that they were downloading and printing lots of information that
they should not have been doing. And you know, I
find out that there's lots of information being nex filtrated
about seven thirty one morning. By four o'clock that afternoon,
(27:02):
we had enough evidence and we had FBI there. We
put them in a room, put them in a chair,
We started asking questions of him. He got very uncomfortable.
He then at the end of that experience, he went home.
Four days later, he decided he was going to leave
the country and he was intercepted by US Customs, TSA
(27:28):
and FBI at the airport on his way out of
the country. Didn't have enough to arrest the individual at
that point in time, but they were able to pull
data sticks and micro drives off of this individual. We
were able to look at it and sure enough, we
confirmed one of our most valuable trade secrets and other
(27:52):
things were on that micro drive on his laptop, so
we felt like we were able to save trade secret
at that point in time. The individual then came back
several months later. The FBI at that point in time
was able to pick them up, arrested them, and we
completed making the case on him. He also went to
(28:14):
prison for twenty seven months. So it's amazing how these
things just kind of connect together. People are very highly networked,
even if it's just for social reasons. Conversations that we
would normally have in the neighborhood with friends that are
over those things can tend to get way too substantive,
(28:36):
and then you never know when you're sharing things you
shouldn't with strangers.
Speaker 1 (28:42):
TRM offers leading blockchain intelligence for MML compliance at financial institutions,
crypto businesses, and regulatory organizations alike, with sanctioned support on
sixty five blockchains and coverage of more than seventy million
digital assets. In a recent customer survey, eighty five percent
of users agree that TRM accelerates their work. Ninety two
(29:06):
percent of users agree that TRM provides actionable intelligence. And
eighty three percent of users agree that TRM has provided
intelligence they would not otherwise have. See for yourself why
customers rave about TRM by requesting a free trial or
demo at trmlabs dot com. Well, in terms of sharing things,
(29:28):
I mean, you mentioned a fine line, I think, the
fine line between an interview and interrogation, and it sounds
like you have to be able to do a little
bit of both. But what I picked up is that
it seems like you have technique. It seems like you
have even a tradecraft about how to interview someone. Any
(29:49):
tips or anything you can share about how you interview
someone when they are a suspect.
Speaker 2 (29:55):
Well obviously, yeah, yeah, I'm a little apprehensive about sharing
mine because I just told you that I'm not very
good at it, right, But I think, you know, read
investigative training is certainly one that everyone knows out there
if they haven't been, they should consider people that have experience.
We had former detectives at PD that were on our crew,
(30:18):
other investigators federal agencies. We get together and work, you know,
hand in hand about that, teach each other good things.
But I think just in general, you start out with
open ended questions with somebody, you break the eyes, you
get to know them, You try to build a little
bit of trust in that regard, and then you increase
(30:39):
the you know, the detail and specificity of the cases
to see if they're telling you the truth. Eventually, if
there is something to hide there, they may have the
tendency to start answering in ways that they think are
in their best interest. That's not always the truth. And
when they don't tell you the truth, you ask them,
(30:59):
are you sure that that's your answer to that question?
You sure it didn't happen a different way. They get suspicious,
and then you show them that you have evidence to
the contrary that they should have known. If you do
that a few times, most people are going to realize
at that point that you know more than you've been
letting on and that they should it's in their best
(31:22):
interest to come clean about it. So you know, everyone
is going to have their approach to doing it. I
learned an awful lot from former police Department detectives are
federal agent retired, the people that had retired, we worked together,
We taught each other, and then in the course of
a long career practicing law, you pick these things up
(31:44):
as well. That's just kind of the standard approach to
doing those things, doing depositions as well well.
Speaker 1 (31:54):
So a large company though that might be at risk
for infiltrate, for insider secrets being stolen and inside having
insider threats, what should they do to protect themselves?
Speaker 2 (32:10):
I could go on for hours in answering that question,
what should you do to protect yourself? I will say
that there are a number of pretty good videos in
there that talk about the details of it, But I
want to tell you first there is no substitute for
prevention and deterrence. There are a lot of people in
general that are exfiltrating things from a company. I think
(32:32):
anybody in this business will say, there's far more volume
here than we want there to be. You really have
to decide what you're going to pursue. You really only
want to pursue that which could be damaging to your company,
and you have to figure out how to sort that out.
But nothing will substitute for preventing that information from being
x filtraded or deterring people from attempting to exfiltrate that
(32:57):
if you don't have prevention and deterrent established inside of
your systems. I would say that in large part, you're
going to be ineffective and unproductive. And then I would say,
second of all, you need to learn how to build
that ideal cross function team inside of the company. You're
(33:18):
going to need corporate security people with investigative skills. You
are going to need IT security people with forensic skills.
You're going to need people in the law, and you're
going to need people in HR. And you're going to
bring all of those folks together to make a team.
And I will tell you, if you're going to bring
a team like that together, it is essential that that
(33:42):
team have a single goal document about what it is
that they're supposed to be achieving. If you have a
company that has compartmentalized functions, where Global security has their
goals and they're going to be about doing that, and
HR has their goal apart from that, and they're going
to do that and IT security and law department, then
(34:07):
I think you're not going to be where you want
to be. You'll be ineffective, you'll be unproductive in what
you're doing. When you put cross function teams together, yah yah,
you need to give them a common goal that needs
to be formalized. They need to know that's what they
have to deliver, and that will create a lot more
opportunity for collaboration, teaming commitment to one another, because then
(34:31):
we're all in it together. If you fail, I fail,
And it's that kind of dynamic that you want to create.
You've got to have the skill set, but then you've
got to have everybody focused up on the same priority.
That's where I would leave it, because there's all kinds
of details about elements you have to have and all
of that. I just can't stress enough. You don't get
(34:52):
those first two things right, you don't win well.
Speaker 1 (34:56):
So it's a team effort. But what about the small company.
They may not have the resources of a fortune five hundred.
Speaker 2 (35:02):
Company, right, And I think that you've really hit on
something there, but I will tell you it might surprise you.
I come in contact with smaller companies in the course
of acquisition and investment. If my company wants to acquire
another company or wants to invest in that company, then
I'll do due diligence on that, and that's where I'll
(35:24):
discover things. And I've actually looked at the data security
of a very small organization. But the founder of that
organization understood the importance of data security, and they had
a fabulous data security system in place, with compartmentalized data practices.
(35:44):
They had access logs that were retained for a very
long time, They had all of the elements there. They
had frequent training telling people how important it was, and
I was very impressed. But that's one in many. I
can tell you just one very important example. Years and
(36:05):
years ago, we acquired a very important company. We spent
over one hundred million dollars to acquire this company. We
were very excited to win it because there were competitors
trying to buy this company. We got that company. Our
MBAs were so excited to go out into the market
and announce that we were the winners, and they announced
(36:27):
it right away. In our course of our integration, I
interviewed the head of IT security there and I said, okay,
tell me about your IT security and she said, well,
Jim went down to Walmart about I don't know, three
(36:47):
months ago or something, and he bought the latest version
of McCaffrey protection and we installed that on our computers.
And yah, y'all, I was just stunned. I didn't know
what to say in that regard. I said, really, and
of course our IT security team came in and did
(37:08):
the forensics there, mostly to do a baseline and find
out where they were at and where we needed to
build it up to. And what they discovered was the
night we announced our acquisition. The night we announced, somebody
penetrated into that system, took everything they had. They didn't
even detect it. We didn't even detect it until weeks
(37:29):
later when we were running the statistics. So I'm going
to tell you right now, go to school on us.
Don't ever let that happen. If you're an NBA, you
hush you mouth until your IT security team can get
in there and harden those systems before you go blab
into the world that you've made a key or strategic acquisition.
I can't stress it enough. It's very important you harden
(37:52):
those systems. Today. We don't announce anything until our IT
security people goes in hardens up and make sure that
we have the protections in place. We need very very
expensive and hard and humbling lesson to learn. I hope
that the listeners can learn that, go to school on
it and avoid that in their world.
Speaker 1 (38:14):
Loose lips still sink ships. It still stands absolutely Scott.
Before I let you go. I want to say that, actually,
I think your auto reply email message is the best
one that I've seen. I sent you an email to
your corporate address and I just got a reply saying
(38:36):
one sentence, I am retiring, and that was it. And
I love that. That tells you all you need to know.
So obviously you're you're working on, you know, transitioning out
of your role. So what's next for Scott?
Speaker 2 (38:51):
We welcome well after thirty three years. I'm really proud
of the work that we've done here. I think that
the work I've done in this company is really important
for the world. We feed people that would not otherwise
eat or would not otherwise eat. As well, we create
medicines that help people to feel better and certainly that
(39:12):
save lives. I think that you really can't spend the
one career that you have in any better way. And
I am thrilled and honored to have been able to
serve in this company, you know, as long as what
I did. But I think that successful retirement for me
will be for me to be able to stay retired
(39:33):
not doing anything for let's say sixty days. If I
can stay retired for sixty days without work and that
will be a successful retirement for me. But I still
got gas in the tank. I want to go out.
I want to find a company, very serious company with
a very serious problem, and I want to bring a
(39:54):
sustainable and cost effective solution to that. That is what
I do is work with companies that recognize they've got
a bad problem and want somebody to do something about it.
I'm going to find an environment like that, go to
work and try to make another contribution. Uh. If I can't,
and if I can't, if nobody wants me, then I'll
(40:16):
go to my farm and I'll fish and I'll enjoy
whatever time I have.
Speaker 1 (40:21):
Well, well, either way, I'm sure you're on to a
to a great, great, great sunset or great great things
up on your horizon, Scott, Is there anything yes? Is
there anything else that you want to share or before
I let you go? Well?
Speaker 2 (40:39):
Uh, yeah, yeah, I would say if if there's a
closing message for everybody, I would have a message to Congressman, senators,
those that are in the national security realm that are
writing mitigation agreements like through Scyphius or through FIRMA. Realized
(41:00):
that the President's memorandom came out last week We're yet
to see what changes might be. But I'm going to
tell you right now this thing that I mentioned in
an earlier conversation with you. We are up against a
formidable opponent. They are organized, they are centralized. Their government
comes together and decides what needs to get done. Historically
(41:24):
and increasingly, we have been at odds with one another.
The private sector tends to battle against the public or
government sector. The government sector has regulations, then we've got
the court system. None of these things are really, you know,
working hand in hand. We are up against a formidable
(41:44):
foe who does. And I think the ability to bring
the private sector experts into the room with the public
sector national security experts and build the future together is
the only way we're gonna be able to achieve anything.
And I think the first step is we have to
(42:05):
admit that that's true, and we have to admit that
we're gonna have to get together now because it'll take
us years to do anything about it. We need to
build the details of our national economic defense together. I
can't do it alone, and neither can my government colleagues. Together,
(42:26):
we're gonna be able to build something that actually works,
that actually protects the future. Of the United States and
their economic machine. We'll be able to build something that
can protect our first place position in AI and analytics
and all those other areas that are important foundational technologies.
(42:47):
The longer it takes us to accept that, the longer
it takes us to get everybody together in a meaningful way,
then the more of our technology we're going to keep losing.
So I do hope that somebody pays attention to that,
and besides that we need to get that done.
Speaker 1 (43:05):
Thankfully, it seems as though the FBI has its very
own batphone with a direct line to Scott Bacham, because,
as our conversation shows, many of the tactics and methods
employed by economic spies are the stuff of spy novels
and movies that few of us could ever imagine in
the real world. But Scott has seen these plot lines
play out in the field literally, so he knows they exist,
(43:29):
and sometimes they exist within the ranks of the same
companies being targeted. It's important for us to pay attention
when he cautions that we must remember that there are
forces out there, like those of the Chinese Communist Party
that want to steal the critical algorithms, formulas, and patents
that companies like Bay or US possess, and that means
(43:50):
that these companies have targets on their backs. In order
to protect themselves against theft, they must remain aware of
and be on the lookout for external risks, all while
keeping close attention to the possibility that the threats that
are most dangerous are on the inside. I'm yaya Jata
Finussi and this is designated on the Illicit Edge Network
Today's podcast is supported by TRM. TRM enables compliance teams
to accelerate business revenue and deliver actionable intelligence to regulatory
and law enforcement stakeholders with leading attribution of severe risk categories.
Request a free trial today at trmlabs dot com. On
(00:35):
Yaya Jata Finoussi. Scott Bacham grew up on a cotton
farm in Lubbo, Texas, and went on to attend Texas
A and M, and then passed on his knowledge of
agriculture as a high school teacher. So how did Scott
Bacham apply his vast agricultural knowledge towards dismantling Chinese spies
plotting to steal biotech secrets from American companies. I learned
(00:58):
about Scott him in an FBI short film called Made
in Beijing, about the People's Republic of China's decades long
effort to infiltrate American tech companies in order to steal
their proprietary data. Scott's official role at the Bayer US
company is Vice President of Special Compliance and Asset Protection,
(01:19):
but his day to day focus is stopping the insider threat.
Scott and I talked about what it's like being a
target for economic espionage and now he has dealt with
many cases of Chinese spies, so many that he serves
as a strategic Engagement advisor for the FBI. It's time
to get designated with Scott Bacham on the Illicit Edge Network. Scott,
(01:44):
tell us, where are you from and how did you
get to Bayer.
Speaker 2 (01:48):
I have to tell you I have a very unconventional
path in my career. It certainly was never by design,
and you know, kind of fascinating when somebody else asked
me that question. I grew up, first of all, in
rural Texas. My dad farmed. I graduated from Texas A
and M University, and I became a vocational agriculture teacher
(02:12):
and an FFA advisor. Absolutely loved that job. And then
I went to work after that as an agronomist and
sales representative for Monsano Company out in that same you know, geography.
I lost my mind.
Speaker 1 (02:29):
I left there.
Speaker 2 (02:30):
I went to law school. I graduated law school, practice law.
I hated that what I was doing in that regard,
and so I just told my wife, I said, I'm
not living my life like this, and I went out
interviewed in Lo and behold, I ended up going back
to work for Monsano just at the moment in time
(02:51):
when we launched biotechnology, so it was excellent timing for me.
And then of course in twenty seventeen by our Age
acquired on Cento Company and I was at that time
the global compliance officer, so I was reassigned from my
role as director of Business Conduct into a role that
focused on what I'm doing now and that is Vice President,
(03:14):
Special Compliance and Asset Protection.
Speaker 1 (03:17):
Well, Scott, you mentioned bear ag, but before we even
get into the company, you use the term that I
want to break down a little bit. Everyone knows what
bio is, and everyone knows what technology is, but practically
what is biotech.
Speaker 2 (03:33):
Well, biotech is actually emerging science from the science of
genetics into the science of biology. In our case, other
people may do in the animal kingdom, we kind of
exclusively work inside of the plant kingdom. And where you
are bringing science into where you can actually change what
(03:54):
you have in biology the DNA makeup of a plant,
and you can make it more or beneficial. You can
incorporate some capabilities inside of DNA that otherwise you would,
for example, have to use a pesticide for or where
the plant has long been exposed. It is just kind
of the next step in designer plants, if you will.
Speaker 1 (04:18):
And so then how does this fit into to bear?
Is that one of the things you do explain a
little bit more.
Speaker 2 (04:24):
Well, Yeah, So buyer ag is actually a global company
that is made up of global based subsidiaries, and we
operate inside of three different sectors. We operate in the
pharma sector, we operate in the consumer health and care sector,
and then we operate inside of agriculture and we do
(04:47):
those off for those products all around the world. And
in reality, that is a life sciences company when you
combine all of those things, because what you'll learn in
biote technology is is that is kind of fundamentally all
the same all of life. The genetic makeup would be
made up of a's, t's, g's, and c's. It's a
(05:10):
little bit like the binary codes eros and ones. It's
just depending on how that's put together. So it's the
same a's, t's, g's, and c's in the plant as
it is in the human. But the combination of how
those are put together determines how that's going to present
phenotypically out in the world. So when you combine those
(05:31):
sciences together, it creates a synergy there, if you will,
that helps everybody working inside of science to do a
little bit better, a little bit faster.
Speaker 1 (05:41):
Well, in your role, you deal with insider threats, something
that a lot of people don't know much about. So
can you explain to us exactly what is an insider threat? Oh?
Speaker 2 (05:53):
You bet, okay, And it's very important to understand that
and distinguish that from maybe some other things there. First
of all, gets started with this. I'd just like to
clarify that I'm given comments and opinions here today not
necessarily shared by my employer. I am also a strategic
Engagement advisor for the FBI and ask to give converce
(06:17):
give talks like this in a lot of different areas.
But I'm going to be expressing my opinions today. Well,
first of all, insider threat We are, as I explained,
a science company. We invest about two point five billion
euros a year into research and development. We do research
(06:37):
and development on the front end of things. We actually
invent brand new things, and that's usually in collaboration with
other people and joint ventures and that kind of thing. Well,
when you invest that heavily into something brand new, then
that makes you very attractive to what we call economic
(06:57):
aggression actors or people that are in pursuit of that.
We're investing heavily in order to develop that. There are
others that want to take a shortcut and try to
get access to that without going through the long form.
So I'll distinguish insider threat from cyber threat generally when
I talk about this, a cyber threat is somebody on
(07:20):
the outside of the organization trying to penetrate in and
trying to get access to information from the outside of
the company. But the insider threat, the insider threat is
the person that comes to work for the company, is
given access credentials badges to get inside the building and
then computer and system log on in order to get
(07:42):
on the system. Then they use that access then to
go places that they're not authorized to go to get
into information that is not theirs to play around with.
So I would distinguish those two things in that regard.
Speaker 1 (07:57):
So you're dealing with threats, in particular the inside threat.
So it seems like if I'm an employee and you're
talking to me, something has gone wrong. What type of
activities would cause you to be speaking to an employee?
Speaker 2 (08:14):
Well, if you talk about it broadly, you've got disgruntled employees,
and then you've got employees that are accessing information that
they shouldn't get. Right, disgruntled employees have been known to
do theft, They've been known to do sabotage because they're angry,
and even all the way up to some type of
physical reaction like an active shooter or a physical threat
(08:35):
of some kind of thing like that in the workplace.
Far more frequent it would be in the accessing of information.
They employees may go and do fraud, They may engage
in embezzlement. It could be negligent action they just don't
know what they're doing, or it could be coerced somebody
is enticing them to do something that they wouldn't otherwise do. Really,
(09:00):
what we talk about and the reason why we need
an insider threat program is to address the more serious
matters under eighteen USC Sections eighteen thirty two and thirty one,
which are industrial espionage and economic espionage. That is, when
people very organized intentionally send folks into a company with
(09:24):
a shopping list to go after technology that is trade
secret or proprietary and then come out of the company
with that. So you asked Yaia, where I would get involved. Well,
we have a process at our company where if there
is a detection of some information that's leaving the company,
(09:47):
there's a team of people that would detect that. They
would actually verify that it's important enough to spend time on,
and then they would go and interview the individual or
somebody in that group to determin and confirm, hey, is
this really important. If it's not important, then we may
just re educate that employee, send them through training again,
(10:08):
something of that nature, or we may go sit down
with them. The team may go sit down with them
and interview them and say, look, you did this, you're
not supposed to. We need to go into your systems
and your accounts to recover what you took and to
make sure that you didn't forward it to some other place.
And if that all goes swimmingly well, then I would
(10:30):
only see it on a weekly report of sorts. But
if they were to push back on it, I might
go into the situation and interview them myself, or if
they were still not cooperative, then we may go to
outside council. We would always encourage them to get an
attorney because that works out better and then if that
(10:53):
doesn't work, then we fouled civil suit for recovery of
what we're doing.
Speaker 1 (10:58):
So Scott, when when you are with them, if they're
talking to you, and it's been elevated at that level,
what sort of things are you saying to them and
what are they saying back?
Speaker 2 (11:10):
Well, yeah, so it's really good to get a grasp
of all of this. The vast majority of people would
make some excuse, They would feel embarrassed, they got caught.
They would say something that they thought was in their
best interest. Oh, I didn't know I just grabbed a
bucket of files, or I grabbed a file folder. I
(11:31):
didn't realize that that was in there. That's something that
we hear pretty frequently. You know. Some of the more
concerning ones are even with all the training that we've
ever done, we still get employees that say, well, you know,
I was working here too, and that is my work
product and I should have some ownership interest in that
(11:51):
as well. And we have to go through and remind
them when you came to work here, yes, sign this
agreement that said the work product belongs to the company,
We compensated you for that work, and you can't take
this information with you when you go so there you
have people that feel some level of entitlement they don't have,
(12:12):
and you know, you you've got to go in and
deal with people in that regard, and then they will
react differently. Right some people will just simply say, I'm sorry,
I'm new, shouldn't have done it. I just did it.
I was scared, I was laid off, I knew I
was gonna need to get another job. I thought this
would help me in the next job. Anything from that
(12:35):
all the way, you know, to the it was an
accident and didn't realize it. And then you get into
people that react negatively. They will fight back, defend vigorously.
Those are the ones that are really kind of sad
because we you know, we will follow them in the
escalation of that. If we have to file a civil
(12:56):
suit to get our stuff back, then it costs them
a bunch of money and it ends up aggravating them,
and then the exit from the company becomes something that
doesn't leave a good impression with them as they go
out there. Ex employees are always ambassadors to your company,
and it's just very unfortunate when we get into a
(13:19):
situation like.
Speaker 1 (13:20):
That, and Scott I must say you've dealt with quite
a few situations. In fact, you came on our radar
through a film the FBI put together called Made in Beijing,
and it was largely about Chinese economic espionage. So could
(13:40):
you walk us through how economic espionage from China came
on your radar? Well?
Speaker 2 (13:47):
Sure, again, you know, kind of accidentally. I didn't go
looking for trouble. But in my role with Monsano was
head of global internal Investigations. In that was if we
got an alert from our data loss protection technology that says, hey,
yah yah has taken some information here, every indication is
(14:11):
it's important and we need to go check on that.
So we would investigate that the same as we would
any whistleblower allegation. Uh, And then we would have a
report infrequently and we would escalate as that was necessary.
But I'm gonna tell you in two thousand and eight,
two thousand and nine, ten eleven twelve, in that time period,
(14:32):
we begin to notice that our that our total investigation load,
the percentage of things we were investigating, was going up
inside of the data protection category. Doesn't mean the others
were coming down, but we did notice more frequency there,
you know. Simultaneously, we're rocking along, we're minding our own business.
(14:55):
I get a telephone call from my corporate security team saying,
and you have a visitor here. The fb I is
here and they want to talk to you. You know
I got a clear conscience. Yeah, yeah, but but I
couldn't imagine.
Speaker 1 (15:14):
What that was.
Speaker 2 (15:15):
Yeah. So I met with them, and very quickly, the
first thing they say is do you have a security clearance?
One though I know, well, I need you to sign
right here because we're going to tell you things that
you can't disclose. It all seems very formal, right, it
all seems very Tom clancy. And but in the course
(15:36):
of doing that, they explained to me that they were
investigating the case where an employee of a Chinese seed
company was caught in a farmer's field in Iowa digging
up the seeds that were planted in that field. You know,
this is ill advised. I think culturally people really don't
(15:58):
understand people in rural US how they feel about private
property trespassing in those kinds of things. But that, nonetheless
is what had happened, and they needed our help to
develop the evidence on the case that they suspected that
this was directed by the Chinese Communist Party, and we
(16:21):
began to help them as they requested, helped them understand
the science so that they could understand how to put
that evidence together. And that's where it became a team sport.
Speaker 1 (16:32):
So it's a team sport. You all are working together
in that particular case. How did it come to an end?
Speaker 2 (16:40):
Well, it really lasted, right, It had legs that just
kind of extended in all of that. So that particular case,
we worked with them on it for really quite some time.
They developed the evidence on that and they developed it
out of the Southern District of Iowa, I believe federal
courts system. Uh. We worked with them, We got the
(17:02):
evidence right, we proved up our trade secrets uh for them,
and they got a can Well they got a plea
agreement on the way to a conviction.
Speaker 1 (17:12):
UH.
Speaker 2 (17:13):
That individual pled guilty and then served a prison sentence
there for attempting to take that seed.
Speaker 1 (17:21):
So you've dealt with more than one case like this,
And before we get into you know, maybe the A
to Z of of of how they have operated and
and how you've dealt with them. First of all, why
would the Chinese Communist Party go after your secrets. What's
(17:44):
the value.
Speaker 2 (17:45):
Yeah, it's it's a it's a very good question, and
I would answer by saying, we need to really think
globally and culturally when we start asking questions like that. Okay,
here in the United States, we are very you know,
we're very tuned in too, operating from a standpoint of capitalism,
(18:11):
the concept of private property rights, rugged individualism, uh, and
being an entrepreneur. Right, that's that's really kind of a
strong part of our culture here. But that is not
necessarily true in every culture around the world. For example,
in the People's Republic of China, there tends to be
(18:32):
more of a mentality of community, of socialistic thinking about
all for one and one for all kind of mentality.
And so you have to start with the psychology of
this first. But you know, when you just answer the
question straight out, we invest two point five billion dollars
(18:55):
a year. Rarely would we ever invent anything inside of
one year. It is a long process. A new biotechnology
product can take as much as ten years over one
hundred million dollars in order to develop it and get
it there to the first commercialization. Well, if they can
(19:15):
send somebody in in phase three, phase four, of research,
pick that up. Then they can come to market almost
simultaneously with us. They can bypass all of that experience,
all of that expense, and all of the time that
it took to get there, and they can have it
almost immediately by operating this espionage type of model.
Speaker 1 (19:40):
So this model involves operatives, right, the folks doing the espionage.
What's the caliber of the folks that have been sent
to do this?
Speaker 2 (19:52):
Well, I'll tell you ya ya, that's a very dynamic question. Okay.
What I can tell you is that the individuals that
are sent from the PRC and the companies that are
in the PRC, they are very sophisticated people. First of all,
they're extremely smart, some of the smartest people that I've
ever come up, you know, to talk with in my
(20:16):
entire life. And then they have special training on how
to approach this, how to do this without getting detected,
how to get caught, and quite frankly and sadly, I
feel like most of the time that they're training and
their ability is outpacing my ability to detect it and
(20:37):
put a stop to it. And so let me just
give you some examples. In contrast, the vast majority of
data exfiltration is going to be an employee with no
preconceived idea about what they're going to do with the data,
but they feel compelled to take the data for one
(20:58):
reason or another. We would see that because they would
transfer that data to their personal email account through webmail
connectivity in our company, or they would send it to
upload it to a data cloud somewhere, or they would
hit print. They would print it off and move along. Well,
(21:19):
the sophisticated trained agents no longer really engage in that
kind of thing. They have figured out that we are
watching that they do far more sophisticated things.
Speaker 1 (21:32):
Now.
Speaker 2 (21:33):
They can do things that I actually can't understand. My
forensics people have to kind of explain it to me.
But one of the simple things they'll do is they'll
pull the information up on the screen, They'll take their
personal phone out and they'll simply snap a picture on
their personal phone. There's really very little that a company
can do in that regard, and some of the technologies
(21:55):
under development to try to address that or either extremely
expense or you know, not quite ready for prime time yet.
Speaker 1 (22:04):
So, Scott, you've told us about a case where you
actually caught the person, But tell us about a time
when the person got away.
Speaker 2 (22:14):
Well, I will tell you probably the most memorable case
that I have ever had. You remember, in the beginning
I said, there's tentacles to this purple Maze case. Right
about four or five years later, I am interviewing another
person where our data loss protection alerts signaled that there
(22:34):
was some exfiltration of data. We put that individual in
the chair. We were interviewing that person. I will tell
you very quickly, it was apparent that this is the
smartest person maybe I've ever spoken to in my life
as far as intelligence. Clearly smarter than me. And we're
going through asking questions about the data that's disappeared. It
(22:57):
was very long conversations. These are very long interviews because
we've got a lot of things to ask about and
we're trying to determine telling the truth. We asked the
open ending questions. Then we follow that up with impeachment
if we are information says that it's different than what
the employee said. Well, along the way, the employee begins
(23:18):
to telegraph a weakness, which is he thought more highly
of himself than he ought. And so you know, with
our training, we go in and we start playing off
of that, and he really does get overly confident, and
he begins to say other things, and then he volunteers
(23:39):
that he understands what our concern is that it is
the same thing as Mohylong, which is the name of
the defendant in the Purple Maze case. And I just
asked him. I stopped and I said, what do you
know about that? And he said to me, well, I
knew MO, and I've talked with him and interacted with
(24:02):
him when I lived in Iowa. Well, immediately I understood
what this was all about. And I said, what did
you interact with Mo about when you lived in Iowa?
And he said, well, we talked about all kinds of
things about he worked at a seed company and he
wanted to improve what was going on there, and we
(24:25):
talked about all kinds of things. And the look on
his face was such that I knew that he was
toy and around with me. Well, you know, my spiders
senses were up at that point in time, and that,
combined with my propensity to lose my temper, I began
(24:45):
to go after him pretty hard. And in the context
of how red my face was, context of the fact
that I'm leaning forward and talking with a higher volume
and asking questions that get increasingly uncomfortable for him. It
spooked him. He decided he wanted to leave the room.
(25:08):
We can't keep them there.
Speaker 1 (25:11):
And FBI was.
Speaker 2 (25:12):
Collaborating with us on that Everything was going fine until
I blew it and we didn't get everything that we needed.
That individual went home in conversation with his wife, they
decided to leave the country very soon. Within days, they
got on an airplane, they left and they never came back.
So very hard lesson for me to learn, very humiliating
(25:36):
for me to learn about be ready for anything. I
was surprised by that, and it answered a very long
standing question. All right. Well, in the course of all
of that happening, that shook up a lot of people
at the company. Many people knew this individual, they knew
what had happened. They had lots of questions, and they
(25:57):
were very concerned for a number of different reasons, mainly
not knowing what happened, and some even said I didn't
know if I was doing something wrong or not. But
in the course of that, we had a very heads
up h R manager who called our team and said,
you know what, when you guys did that there are
(26:20):
a couple of employees here that I think kind of overreacted.
It certainly was created a lot more anxiety with them
than with the others. They began to whisper with each other.
They don't normally work together, but they started hanging out
several times a day. So we turned our daily loss
(26:40):
protection monitoring onto those employees, and it was very apparent
that they were downloading and printing lots of information that
they should not have been doing. And you know, I
find out that there's lots of information being nex filtrated
about seven thirty one morning. By four o'clock that afternoon,
(27:02):
we had enough evidence and we had FBI there. We
put them in a room, put them in a chair,
We started asking questions of him. He got very uncomfortable.
He then at the end of that experience, he went home.
Four days later, he decided he was going to leave
the country and he was intercepted by US Customs, TSA
(27:28):
and FBI at the airport on his way out of
the country. Didn't have enough to arrest the individual at
that point in time, but they were able to pull
data sticks and micro drives off of this individual. We
were able to look at it and sure enough, we
confirmed one of our most valuable trade secrets and other
(27:52):
things were on that micro drive on his laptop, so
we felt like we were able to save trade secret
at that point in time. The individual then came back
several months later. The FBI at that point in time
was able to pick them up, arrested them, and we
completed making the case on him. He also went to
(28:14):
prison for twenty seven months. So it's amazing how these
things just kind of connect together. People are very highly networked,
even if it's just for social reasons. Conversations that we
would normally have in the neighborhood with friends that are
over those things can tend to get way too substantive,
(28:36):
and then you never know when you're sharing things you
shouldn't with strangers.
Speaker 1 (28:42):
TRM offers leading blockchain intelligence for MML compliance at financial institutions,
crypto businesses, and regulatory organizations alike, with sanctioned support on
sixty five blockchains and coverage of more than seventy million
digital assets. In a recent customer survey, eighty five percent
of users agree that TRM accelerates their work. Ninety two
(29:06):
percent of users agree that TRM provides actionable intelligence. And
eighty three percent of users agree that TRM has provided
intelligence they would not otherwise have. See for yourself why
customers rave about TRM by requesting a free trial or
demo at trmlabs dot com. Well, in terms of sharing things,
(29:28):
I mean, you mentioned a fine line, I think, the
fine line between an interview and interrogation, and it sounds
like you have to be able to do a little
bit of both. But what I picked up is that
it seems like you have technique. It seems like you
have even a tradecraft about how to interview someone. Any
(29:49):
tips or anything you can share about how you interview
someone when they are a suspect.
Speaker 2 (29:55):
Well obviously, yeah, yeah, I'm a little apprehensive about sharing
mine because I just told you that I'm not very
good at it, right, But I think, you know, read
investigative training is certainly one that everyone knows out there
if they haven't been, they should consider people that have experience.
We had former detectives at PD that were on our crew,
(30:18):
other investigators federal agencies. We get together and work, you know,
hand in hand about that, teach each other good things.
But I think just in general, you start out with
open ended questions with somebody, you break the eyes, you
get to know them, You try to build a little
bit of trust in that regard, and then you increase
(30:39):
the you know, the detail and specificity of the cases
to see if they're telling you the truth. Eventually, if
there is something to hide there, they may have the
tendency to start answering in ways that they think are
in their best interest. That's not always the truth. And
when they don't tell you the truth, you ask them,
(30:59):
are you sure that that's your answer to that question?
You sure it didn't happen a different way. They get suspicious,
and then you show them that you have evidence to
the contrary that they should have known. If you do
that a few times, most people are going to realize
at that point that you know more than you've been
letting on and that they should it's in their best
(31:22):
interest to come clean about it. So you know, everyone
is going to have their approach to doing it. I
learned an awful lot from former police Department detectives are
federal agent retired, the people that had retired, we worked together,
We taught each other, and then in the course of
a long career practicing law, you pick these things up
(31:44):
as well. That's just kind of the standard approach to
doing those things, doing depositions as well well.
Speaker 1 (31:54):
So a large company though that might be at risk
for infiltrate, for insider secrets being stolen and inside having
insider threats, what should they do to protect themselves?
Speaker 2 (32:10):
I could go on for hours in answering that question,
what should you do to protect yourself? I will say
that there are a number of pretty good videos in
there that talk about the details of it, But I
want to tell you first there is no substitute for
prevention and deterrence. There are a lot of people in
general that are exfiltrating things from a company. I think
(32:32):
anybody in this business will say, there's far more volume
here than we want there to be. You really have
to decide what you're going to pursue. You really only
want to pursue that which could be damaging to your company,
and you have to figure out how to sort that out.
But nothing will substitute for preventing that information from being
x filtraded or deterring people from attempting to exfiltrate that
(32:57):
if you don't have prevention and deterrent established inside of
your systems. I would say that in large part, you're
going to be ineffective and unproductive. And then I would say,
second of all, you need to learn how to build
that ideal cross function team inside of the company. You're
(33:18):
going to need corporate security people with investigative skills. You
are going to need IT security people with forensic skills.
You're going to need people in the law, and you're
going to need people in HR. And you're going to
bring all of those folks together to make a team.
And I will tell you, if you're going to bring
a team like that together, it is essential that that
(33:42):
team have a single goal document about what it is
that they're supposed to be achieving. If you have a
company that has compartmentalized functions, where Global security has their
goals and they're going to be about doing that, and
HR has their goal apart from that, and they're going
to do that and IT security and law department, then
(34:07):
I think you're not going to be where you want
to be. You'll be ineffective, you'll be unproductive in what
you're doing. When you put cross function teams together, yah yah,
you need to give them a common goal that needs
to be formalized. They need to know that's what they
have to deliver, and that will create a lot more
opportunity for collaboration, teaming commitment to one another, because then
(34:31):
we're all in it together. If you fail, I fail,
And it's that kind of dynamic that you want to create.
You've got to have the skill set, but then you've
got to have everybody focused up on the same priority.
That's where I would leave it, because there's all kinds
of details about elements you have to have and all
of that. I just can't stress enough. You don't get
(34:52):
those first two things right, you don't win well.
Speaker 1 (34:56):
So it's a team effort. But what about the small company.
They may not have the resources of a fortune five hundred.
Speaker 2 (35:02):
Company, right, And I think that you've really hit on
something there, but I will tell you it might surprise you.
I come in contact with smaller companies in the course
of acquisition and investment. If my company wants to acquire
another company or wants to invest in that company, then
I'll do due diligence on that, and that's where I'll
(35:24):
discover things. And I've actually looked at the data security
of a very small organization. But the founder of that
organization understood the importance of data security, and they had
a fabulous data security system in place, with compartmentalized data practices.
(35:44):
They had access logs that were retained for a very
long time, They had all of the elements there. They
had frequent training telling people how important it was, and
I was very impressed. But that's one in many. I
can tell you just one very important example. Years and
(36:05):
years ago, we acquired a very important company. We spent
over one hundred million dollars to acquire this company. We
were very excited to win it because there were competitors
trying to buy this company. We got that company. Our
MBAs were so excited to go out into the market
and announce that we were the winners, and they announced
(36:27):
it right away. In our course of our integration, I
interviewed the head of IT security there and I said, okay,
tell me about your IT security and she said, well,
Jim went down to Walmart about I don't know, three
(36:47):
months ago or something, and he bought the latest version
of McCaffrey protection and we installed that on our computers.
And yah, y'all, I was just stunned. I didn't know
what to say in that regard. I said, really, and
of course our IT security team came in and did
(37:08):
the forensics there, mostly to do a baseline and find
out where they were at and where we needed to
build it up to. And what they discovered was the
night we announced our acquisition. The night we announced, somebody
penetrated into that system, took everything they had. They didn't
even detect it. We didn't even detect it until weeks
(37:29):
later when we were running the statistics. So I'm going
to tell you right now, go to school on us.
Don't ever let that happen. If you're an NBA, you
hush you mouth until your IT security team can get
in there and harden those systems before you go blab
into the world that you've made a key or strategic acquisition.
I can't stress it enough. It's very important you harden
(37:52):
those systems. Today. We don't announce anything until our IT
security people goes in hardens up and make sure that
we have the protections in place. We need very very
expensive and hard and humbling lesson to learn. I hope
that the listeners can learn that, go to school on
it and avoid that in their world.
Speaker 1 (38:14):
Loose lips still sink ships. It still stands absolutely Scott.
Before I let you go. I want to say that, actually,
I think your auto reply email message is the best
one that I've seen. I sent you an email to
your corporate address and I just got a reply saying
(38:36):
one sentence, I am retiring, and that was it. And
I love that. That tells you all you need to know.
So obviously you're you're working on, you know, transitioning out
of your role. So what's next for Scott?
Speaker 2 (38:51):
We welcome well after thirty three years. I'm really proud
of the work that we've done here. I think that
the work I've done in this company is really important
for the world. We feed people that would not otherwise
eat or would not otherwise eat. As well, we create
medicines that help people to feel better and certainly that
(39:12):
save lives. I think that you really can't spend the
one career that you have in any better way. And
I am thrilled and honored to have been able to
serve in this company, you know, as long as what
I did. But I think that successful retirement for me
will be for me to be able to stay retired
(39:33):
not doing anything for let's say sixty days. If I
can stay retired for sixty days without work and that
will be a successful retirement for me. But I still
got gas in the tank. I want to go out.
I want to find a company, very serious company with
a very serious problem, and I want to bring a
(39:54):
sustainable and cost effective solution to that. That is what
I do is work with companies that recognize they've got
a bad problem and want somebody to do something about it.
I'm going to find an environment like that, go to
work and try to make another contribution. Uh. If I can't,
and if I can't, if nobody wants me, then I'll
(40:16):
go to my farm and I'll fish and I'll enjoy
whatever time I have.
Speaker 1 (40:21):
Well, well, either way, I'm sure you're on to a
to a great, great, great sunset or great great things
up on your horizon, Scott, Is there anything yes? Is
there anything else that you want to share or before
I let you go? Well?
Speaker 2 (40:39):
Uh, yeah, yeah, I would say if if there's a
closing message for everybody, I would have a message to Congressman, senators,
those that are in the national security realm that are
writing mitigation agreements like through Scyphius or through FIRMA. Realized
(41:00):
that the President's memorandom came out last week We're yet
to see what changes might be. But I'm going to
tell you right now this thing that I mentioned in
an earlier conversation with you. We are up against a
formidable opponent. They are organized, they are centralized. Their government
comes together and decides what needs to get done. Historically
(41:24):
and increasingly, we have been at odds with one another.
The private sector tends to battle against the public or
government sector. The government sector has regulations, then we've got
the court system. None of these things are really, you know,
working hand in hand. We are up against a formidable
(41:44):
foe who does. And I think the ability to bring
the private sector experts into the room with the public
sector national security experts and build the future together is
the only way we're gonna be able to achieve anything.
And I think the first step is we have to
(42:05):
admit that that's true, and we have to admit that
we're gonna have to get together now because it'll take
us years to do anything about it. We need to
build the details of our national economic defense together. I
can't do it alone, and neither can my government colleagues. Together,
(42:26):
we're gonna be able to build something that actually works,
that actually protects the future. Of the United States and
their economic machine. We'll be able to build something that
can protect our first place position in AI and analytics
and all those other areas that are important foundational technologies.
(42:47):
The longer it takes us to accept that, the longer
it takes us to get everybody together in a meaningful way,
then the more of our technology we're going to keep losing.
So I do hope that somebody pays attention to that,
and besides that we need to get that done.
Speaker 1 (43:05):
Thankfully, it seems as though the FBI has its very
own batphone with a direct line to Scott Bacham, because,
as our conversation shows, many of the tactics and methods
employed by economic spies are the stuff of spy novels
and movies that few of us could ever imagine in
the real world. But Scott has seen these plot lines
play out in the field literally, so he knows they exist,
(43:29):
and sometimes they exist within the ranks of the same
companies being targeted. It's important for us to pay attention
when he cautions that we must remember that there are
forces out there, like those of the Chinese Communist Party
that want to steal the critical algorithms, formulas, and patents
that companies like Bay or US possess, and that means
(43:50):
that these companies have targets on their backs. In order
to protect themselves against theft, they must remain aware of
and be on the lookout for external risks, all while
keeping close attention to the possibility that the threats that
are most dangerous are on the inside. I'm yaya Jata
Finussi and this is designated on the Illicit Edge Network
Popular Podcasts
On Purpose with Jay Shetty
I’m Jay Shetty host of On Purpose the worlds #1 Mental Health podcast and I’m so grateful you found us. I started this podcast 5 years ago to invite you into conversations and workshops that are designed to help make you happier, healthier and more healed. I believe that when you (yes you) feel seen, heard and understood you’re able to deal with relationship struggles, work challenges and life’s ups and downs with more ease and grace. I interview experts, celebrities, thought leaders and athletes so that we can grow our mindset, build better habits and uncover a side of them we’ve never seen before. New episodes every Monday and Friday. Your support means the world to me and I don’t take it for granted — click the follow button and leave a review to help us spread the love with On Purpose. I can’t wait for you to listen to your first or 500th episode!
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
The Joe Rogan Experience
The official podcast of comedian Joe Rogan.