July 19, 2024 • 26 mins
What if understanding human behavior could be the key to bolstering your organization's cybersecurity? Join us for an enlightening conversation with Bob Casey, a veteran security expert whose career has spanned the FBI, Houston Police Department, and corporate security at a major pharmaceutical company. Bob's journey from handling organized crime on the midnight beat in Houston to transforming the FBI's intelligence capabilities post-9/11 is packed with lessons and insights that every threat intelligence analyst needs to hear.
Discover the critical importance of integrating physical and cybersecurity through a cyclical approach to intelligence and security. Bob delves into the human elements behind cyber threats, discussing insider threats, intellectual property protection, and the interplay between cyber attacks and human behavior. His real-life example of a Texas firm's cyber intrusion underscores the necessity of continuous employee education and cybersecurity vigilance, offering a sobering reminder that overconfidence can lead to significant vulnerabilities.
To wrap it all up, Bob shares some of his most memorable encounters with historical figures, including an intriguing story about briefing former President George W. Bush. From advice for aspiring cybersecurity professionals to personal reflections on significant historical moments, this episode is filled with fascinating anecdotes and crucial advice. Whether you're looking to build a career in cybersecurity or simply want to understand the complex world of modern security challenges, you won't want to miss this captivating episode!
Mark as Played
Transcript
Episode Transcript
Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:05):
All right, thanks for tuning back in to Simply
Solving Cyber.
I'm Aaron Pritz and I'm CodyRivers, and today we're here
with Bob Casey.
I've actually known Bob now forprobably at least a decade.
Both worked together at a largepharmaceutical company and
before that Bob was in the FBI,houston Police and, of course,
then joining the corporatesecurity side, leading corporate
security, global security, atthe large pharma.
(00:28):
So, bob, welcome to the showand maybe give us the quick Bob
story.
Speaker 2 (00:32):
Thanks, aaron and Cody.
Great to be here, great to bewith you guys on this podcast,
excited to be a part of it.
Yeah, I'm an Indianapolis kid.
I graduated from Indiana StateUniversity where today,
unbelievably, I'm on the boardof trustees Moved to Houston and
went on the police departmentas a young man and spent five
(00:55):
years there, three years inpatrol on the midnight shift
that's when all the goblins comeout, midnight shift in Houston.
Yeah, midnight shift in Houston,the infamous Central Division
and then transferred to theCriminal Intelligence Division,
to the Organized Crime Squad,and my portfolio there was the
Asian gang and Asian organizedcrime portfolio.
(01:15):
So I primarily did Chinese andVietnamese gang and organized
crime activities and ended upworking with the FBI there and
was impressed by the agents Iworked with and they encouraged
me to think about applying tothe bureau.
So after clearing it with mywife and getting her approval, I
(01:37):
applied and of course wentthrough a lengthy process taking
a year through the process, andwas offered an appointment.
So entered the FBI Academy in1986 and spent the next 25 years
in the Bureau as an agent,going through the ranks as an
investigative field agent inPhoenix, arizona, and then
(01:58):
promoted the FBI headquarters inWashington as a junior level
program manager in the EuropeanAsian unit of the criminal
enterprise branch and then on toChicago as a squad supervisor
of a gang squad, gang task forceand then a drug squad.
Then to Miami as assistantspecial agent in charge that
(02:23):
would be the number two levelleader in the field in the FBI
field division and supervisedthe organized crime, drug and
intelligence programs there fortwo years.
9-11 attacks happened while hewas there and of course we were
heavily involved there in Miamibecause of the connections in
(02:43):
South Florida to a number of thehijackers.
So I was involved in that andreally those attacks changed the
course of my career because theFBI then began to focus on
transforming its intelligencecapability.
I had intelligence experiencein a large urban police
(03:06):
department and in the FBI'searlier programs in intelligence
and consequently was promotedby the director of the FBI to
the senior executive service sothat's the more senior
leadership ranks in the federalgovernment transferred back to
FBI headquarters and reallybegan a very transformational
(03:30):
journey in examining whathappened in those attacks, what
were the intelligence failuresand deficiencies and how could
those be improved.
And the FBI and the CIA wereprimarily, in my view, examined
most closely for what happenedand what needed to happen going
(03:51):
forward.
So a lot of my work at FBIheadquarters obviously focused
on the second part is don't letit happen again, which really
was the admonition from theWhite House, from Congress and
from the American people.
Stressful, long hours, longcommute, a lot of pressure.
Speaker 1 (04:12):
No traffic yeah traffic everywhere.
Speaker 2 (04:15):
My office was right down the executive hallway from
the FBI director and the otherexecutive, so on any given day
if you walk out into the hallwayyou could run into the FBI
director.
So you have to have your acttogether 24-7 while you're there
, but a number of veryinteresting projects.
I led the FBI team that did anew memorandum of understanding
(04:39):
between the FBI and the CIA tocoordinate our activities
globally.
The FBI and the CIA tocoordinate our activities
globally helped design the newfield intelligence program for
the FBI which was then put inplace in all 56 FBI field
divisions in the US.
Speaker 1 (04:56):
So actually I want to double click on that and I'm
sure we talked about it togetheron the corporate side.
But for all the cyberpractitioners listening,
obviously threat intelligence isa form of practice within the
cyber community as well.
Having built that, what aresome tips for some maybe early
career threat intelligenceanalysts within cyber Like,
where would they start?
(05:16):
How do they get better?
All that?
Speaker 2 (05:18):
Yeah, absolutely Key.
I'm glad you brought it up.
First of all, let's talk aboutintelligence.
What is it?
Intelligence is information thatfulfills a need to make
decisions.
(05:45):
It clears up things that mighthave been unclear, although it
is often cast in ways thatintelligence itself, the work of
intelligence or a threatintelligence analyst, is about
the unknown, the unclear and thedeliberately deceptive.
So one has to understand thatthat's the world that they will
be in.
It really comes down, I think,heavily to a good requirements
management structure, and what Imean by that is that whether
you're the United Statesgovernment, the President of the
(06:05):
United States, the USgovernment, the Secretary of
Defense, whether you're a CEO,whether you're a police chief,
you really need to know whatyour intelligence requirements
are, what are the essentialitems of information that will
help you make good decisions inyour operating environment, and
there has to be some sort ofstructure to that, and those who
(06:28):
are in a position to collectthat intelligence or that
information need to know whatthose requirements are and when
they do.
You can do a couple of thingsFirst, you can actually aid in
your decision-making andsecondly, you can determine
whether or not you have a lot ofgaps in your collection
mechanisms and you need toimprove those, you need to shore
(06:50):
those up Sounds like a lot ofgovernance and process and
policy.
Yes, one should be careful notto make it too complicated or
too convoluted.
But the people who are in thebest decision to articulate
requirements are those who haveresponsibilities in the
organization to advance it, tosell, to market, to defend it,
(07:14):
to defend the countryrequirements structure which
then feeds a collectionmanagement structure, which then
feeds an analytic structure,which then feeds a production
structure.
To go back to that requirementsholder and say, here's what we
found, does this help?
(07:35):
And if the requirements holdersays, well, this helps a lot or
this only helps halfway, I needto know these other things.
Now, or now that you've givenme this, I have additional
questions and those becomerequirements and it's a cycle
and you have to think of it in acyclical fashion.
So that would be my advice toanyone talking about the
(07:59):
intelligence game in thecorporate world, a business firm
or a young intelligence analystor intelligence manager.
But I would say, be careful,because intelligence is more
than just analysis.
It is about a requirementstructure, it's about collection
management, it's about analysis, it's about production and it's
(08:20):
about feeding that cycle backaround again.
Speaker 3 (08:23):
Nice, so I know you also had a corporate stint as
well too.
We do a lot withincybersecurity, but talk about
the relationship between thephysical security and your
background and working withglobal cybersecurity.
Speaker 2 (08:36):
Sure, I always felt like it should not be a
competition and you should notbe trying to hide the ball.
You should not be trying toone-up each other.
The integration of physicalpersonnel, facility security and
information security orcybersecurity is critical to
have a really good, stronghandshake and complement each
(08:58):
other.
The physical security folks inmy experience in the corporate
world they're really good atunderstanding human behaviors
because they see all kinds ofbehaviors.
They probably came out of lawenforcement or a national
security career in thegovernment and they understand
human behavior and they caninject that knowledge into
(09:23):
physical security, protectivemeasures, physical security
consultation and integratingtheir work or partnering with
information security and cybersecurity.
I mean, I have a real, strongbelief that threats to probably
the companies and firms that arelistening to this podcast
(09:46):
originate from a human being.
Yes, you could have a threatthat is a natural disaster that
could disrupt your informationtechnology infrastructure and
the security of your informationnetwork, but generally speaking
, the origin of a threat isgoing to start with a human
being.
It could be a lone actor thatis a criminal whose motivation
(10:08):
is economic they want to stealmoney.
It could be a nation statewhere it is a collection of
human beings being guided by thepolicy and objectives of that
particular government, wherethey're trying to steal
technology and innovation Right.
So you really have to thinkabout who would be the adversary
(10:29):
.
What type of person or people,what capabilities do they have,
what opportunities do they haveand what do you have that they
would want?
Whether it's sabotaging you,whether it's stealing from you,
whether it's recruiting some ofyour people to do all those
(10:49):
things to you as well.
So really think about whatyou're trying to protect and
understand what the adversarywould be interested in.
Don't just stop at what youwant to protect and not think
about the capabilities of anadversary or what their
motivations would be, becauseyou may end up spending a lot of
(11:09):
money and investing a lot oftime in building protective
measures that are not going tobe needed Because the adversary
is really not interested in that.
They may be interested insomething else that you haven't
thought of.
Just remember that the threatpicture coming at you by an
(11:31):
adversary is going to be whatintent do they have to hurt you,
what capabilities do they haveto hurt you and what
opportunities are there toemploy those first two things to
hurt you In your job, you maynot be able to change the intent
of the adversary.
You may not be able to changethe intent of the adversary and
you might have limited successin degrading the capabilities,
(11:54):
especially in the private sector, of an adversary.
Speaker 1 (12:12):
But you do have a lot of ways to close off
opportunities and that's one wayto think about building a cyber
defense or a physical andpersonal security defense.
I remember probably 10 years ago, bob, you were coaching me on
kind of nation state or even runof the mill online cyber
criminals versus and I likedwhat you said earlier
departments shouldn't becompeting against each other,
but sometimes like competing forwhat's most important.
Even if individuals aren'ttrying to compete, they can end
up feeling competitive or beingcompetitive.
And I know you were coaching meon like insider threat of think
(12:36):
about intellectual propertythat you know takes proprietary
knowledge to know the means,like you mentioned, or the
capabilities to do somethingwith it, and like connecting
that with maybe an online cyberattack with.
Even if they got some of thethings we're worried about,
would they be sophisticatedenough to know how and what to
do with that?
And then also, every outsideattack usually has some human
(12:59):
element involved, like whetherit's a co-opted insider or
tricking a non-suspectingindividual into helping them
with their mission.
Any additional thoughts on kindof that full connected human
factor when it comes to alltypes of cyber crime?
Speaker 2 (13:15):
Yeah Well, first there has to be a belief that I
could be tricked, that I couldbe victimized.
And you know, we had a case inTexas when I headed up the FBI
field office in Dallas, whereour national security cyber
intrusion squad that's all theydid detected an intrusion into a
business in Texas, a firm,fairly large firm, and the agent
(13:39):
went and paid a visit to thefirm, the cyber squad agent and
the firm produced the generalcounsel to come outside and talk
to the agent and the agent gavehis spiel and said you've been
intruded upon.
And the general counsel was indenial and said no, no, no, no.
We have great cyber securityhere and there's no way because
(14:02):
we've never noticed anything, wehaven't seen anything, no one's
reported anything and I'm thegeneral counsel and I would know
.
So this comes up to me becausewe knew that this was going to
be a pretty serious matter.
So we sent the supervisor ofthe agent and the agent back and
asked to speak to the CEO ofthat company.
And so they went and theyshowed, they laid out the case
(14:25):
on a technical basis and ofcourse that's when everybody sat
up straight in their chair andsaid, uh-oh, we've been had.
So, as it turned out in thiscase, the nation-state adversary
that we attributed this to usedthis firm as a hot point to go
(14:45):
to a major research universityin the United States and conduct
an intrusion there.
So this particular firm was notthe end victim and we figured
out that they were just hijackedto use their IP address
identity because they happenedto be in a line of work that did
business with universities andcolleges around the United
(15:07):
States and we knew that researchtaking place at this university
was of interest to thisparticular nation state for
their military weaponrycapabilities.
So we kind of closed the loopthere.
But you have to be reallycareful of being overconfident
that one of your employees willnot be of interest to a
(15:28):
sophisticated adversary, one ofyour employees will not be of
interest to a sophisticatedadversary, and then you have to
do enough in the employeeawareness and education space to
make sure that they understandI could be targeted defensive
mechanisms that hopefully yourcybersecurity group in your
(15:51):
company or a firm like RevealRisk, if you're doing business
with a company, would advicethat they would give and you
need to follow it.
Speaker 3 (16:00):
Yeah, I think a lot of times there's a lot of focus
on the intentional insider riskand not the unintentional.
So actually that kind of makesme think about some things you
know looking at, you know careeradvice for early opportunities,
but those interested in FBI,and we'll kind of get that into
a second.
But I kind of want to start offwith thinking of Bob Casey.
Now you get to make a phonecall and you call Bob Casey,
(16:22):
3035, 40 years ago, and you getto have a two to five minute
conversation with him.
What things are you telling him?
Speaker 2 (16:30):
Yeah, I would tell him be careful about when
opportunities are presented toyou, unique opportunities in
your career.
Be careful about believing orconvincing yourself.
Well, it's not the right time.
It would take me away from mypermanent duties to go on this
temporary assignment.
(16:50):
It would take me away from mypermanent duties to go on this
temporary assignment.
Stop yourself, because there'sa number of opportunities and
assignments that have beenpresented to me that I chose not
to pursue or tried to talk themout of having me do it.
And had I done it, I think mycareer maybe even would have
expanded in other ways.
I would have had some veryinteresting experiences.
(17:12):
Now I had a lot of greatexperiences and I had things
come my way that I felt was notthe right time.
And in some of those cases Iwas told well, you're going to
do it anyway and it turned outto be okay.
There were some challengesthere, obviously, and you know,
depending on the line of workyou're in, family challenges
that come with thoseopportunities.
But I would say in that phonecall I would say, hey, don't
(17:35):
dismiss.
Even though it may not be theright time, you may not think
you're exactly qualified, whywould they be calling me
Possibly stop yourself and thenmaybe think about leaping and
taking advantage of those things.
That's excellent, because youcan grow.
Speaker 3 (17:50):
Yeah, I do a lot of mentoring to some young
individuals, both men and women,here in Indiana and a lot of
things they ask me is what'snext?
What should I do next?
And so, talking to those whoare interested in cybersecurity,
corporate security or maybeeven in an FBI or FBI
partnership, what's some kind ofadvice for early careers as far
as what to get engaged with,who to talk with or what are
some things to be thinking aboutif that's the right path for
(18:11):
them?
Speaker 2 (18:11):
Yeah, Well, obviously , the pursuit of a bachelor's
degree at least, is important.
It opens so many doors, and Isay that being affiliated with
Indiana State University and mywife and I endowing a
scholarship beginning this yearat Indiana.
State University for students inthe School of Criminology and
Security Studies, which, by theway, has a cybersecurity program
(18:32):
as well, and we're very glad tobe able to do that, and I also
have spoken to and mentored anumber of students at Indiana
State going into those careers.
You really need to, as a basiclaunching pad, you need that
bachelor's degree.
Understand your field ofinterest and what they are
(18:53):
looking for to hire, and evenentry level.
Understand the attributes andthe skills and the
qualifications that thepotential employer is looking
for.
Don't think you know.
Understand what they requireand what they're seeking.
So I would say do a lot ofresearch.
Ask yourself am I willing tomove around?
(19:16):
Am I only comfortable stayinglocal?
Would I be willing to move?
Would I be willing to movearound periodically?
Would I take to move around?
Am I only comfortable stayinglocal?
Would I be willing to move?
Would I be willing to movearound periodically?
Would I take a foreign rolesomewhere?
Don't sell yourself short interms of doing the right kind of
research.
I think for some careers thetype of degree makes a
difference, and in other careersthe type of degree doesn't
(19:37):
necessarily make a difference,and in other careers, the type
of degree doesn't necessarilymake a difference, and I also am
not sure that which schoolmakes a huge difference, because
I don't ever recall being askedwhat school I went to.
Hardly at all.
Once I got started my career,what my supervisors and leaders
were more concerned about waswhat kind of performer was I?
Speaker 1 (19:59):
And if you knew Larry Bird and if I knew Larry Bird
no Went to school.
Speaker 2 (20:03):
When he went, he was a year ahead of me, but no, I
did not know him.
So, yeah, that would be myadvice and in terms of, of
course, the government, the FBIwhether it's the National
Security Agency, cia, fbi, youknow you're going to be required
to hold a top secret clearanceand with that comes how have you
(20:26):
lived your life?
What sort of character do?
Speaker 1 (20:27):
you have Reputation.
What sort of associates did youhave?
Be careful what you put onsocial media?
Speaker 2 (20:30):
Yeah, absolutely.
I hammer that home to studentsthat I speak with, because young
people I think in some casesnot just young people quite
frankly have this tendency tobelieve that their social media
persona is separate from theirreal persona in life yeah.
Speaker 3 (20:47):
And that is not true.
Speaker 2 (20:49):
That is absolutely not true.
All I did was follow the personor like the posting, or just
all I did was repost it.
I didn't comment.
Sorry, that's all going to beviewed in terms of your
character and your reputation.
Speaker 1 (21:06):
We've got time for about two more questions.
One question that I have is oneof the topics we always talk
about is people in process, anda lot of times in cybersecurity
technology takes the frontbilling and almost to a fault,
like we bought a bunch of toolsand we can't put them all in
place.
We don't have enough people, wedon't have processes to scale
anything.
Both of our reveal riskpractice as well as this
(21:28):
discussion we talk a lot aboutlike making sure that's
emphasized.
Give us an example of a projectthat you were on Could be
corporate, could be in the FBI,where process clarity, humans in
the right place doing the rightthing, made the big difference.
Speaker 2 (21:43):
I would say that in the FBI, for an example, we
acquired evidence against aperson who was building an
improvised explosive device inthe United States and planned to
detonate it, and we had tosequence our investigative
activities properly.
So you're talking about process, you're talking about
compliance, because you have tofollow legal requirements, and
(22:08):
so how do we sequence, build andintegrate surveillance,
physical surveillance of theperson?
How do we sequence enteringinto his residence to acquire
evidence surreptitiously withouthim knowing it?
How did we do all of thosethings?
And it really requires someexperience.
(22:28):
It requires, I would say,adherence to tried and true
processes and not let a specialcircumstance deviate you too
much from those things, becausethat's when you run into
problems, failures of youroperation, of your task or even
compliance issues.
You can run into complianceissues as well.
So when you look at a case likethat, that's an example that
(22:53):
comes to mind in terms of people.
Do you have the right peoplewho understand what they're
trying to do in theinvestigative work?
How are you going to speak towitnesses and others without
surfacing knowledge of the caseprematurely?
How well do you understand theprocess you have to go through
to obtain evidence and make surethat it can stand up in court
(23:16):
In the corporate world, thecorporate security world.
We had a major theft in thecompany that I worked for a
dozen years ago of our product,a very significant theft tens of
millions of dollars where aphysical security system was
defeated.
And what was learned in thatcase is there was a lack of
(23:38):
security standards put forwardin the company, a lack of
compliance environment, tellingthe sites and facilities you
have to meet these standards.
These are minimum standards,security standards and you have
to meet them.
And then processes by whichthey could internally review and
understand if they were meetingthem.
And then process for us in thesecurity department to do
(24:02):
compliance reviews.
So things like testing thesecurity cameras, developing a
process to do that so they don'tfail on you and you don't know
it, or testing the alarm systemand the sensors, testing the
badge access system, having aprocess to reissue badges that
are lost, and things like that.
(24:23):
So all of those being veryfundamental process activities
and they need a rigor to themand a cultural environment to
comply with them.
Speaker 1 (24:32):
I'm sure you fixed all that.
But going back to the processon the law enforcement side, are
you saying that Beverly HillsCop is not a realistic depiction
on how you should run your game?
Speaker 2 (24:42):
Well, I remember seeing that movie many years ago
for the entertainment value.
Speaker 1 (24:46):
No, there's a new one that just came out in 2024.
They ran it all the way backand it was the same damn movie.
Like same music, samesoundtrack, same Eddie Murphy
Don't fix it, man.
Speaker 2 (24:56):
If in that movie I see them doing six or eight
hours of paperwork for everyfive minutes of action, then
I'll believe it's true.
Speaker 1 (25:03):
There you go, okay, well, that just wouldn't play
well in Hollywood, I guess.
Speaker 2 (25:05):
No I guess not.
Speaker 3 (25:06):
Man.
One question here to close thisout.
I want to ask all of ourattendees this one here and
again.
This is interesting facts Ifsomeone, for those who may not
know Bob Casey personally,interesting facts or hobbies
that very few people would knowabout you, so in the big reveal
interesting facts in.
Speaker 2 (25:23):
Dallas I met the Dallas police homicide detective
, jim Lovell, who was handcuffedto Lee Harvey Oswald when Jack
Ruby shot and killed him in thebasement of Dallas police
headquarters after Oswald hadbeen arrested for the
assassination of PresidentKennedy.
Speaker 1 (25:40):
Wow, can we talk about a second shooter?
Speaker 2 (25:43):
There was no second shooter, I assure you of that.
So I heard the whole story fromLavelle.
I also met the Secret Serviceagent, clint Hill, who climbed
up on the back of Kennedy'slimousine after he was shot and
rode to the hospital.
And the third fun fact is alsowhile in Dallas it was an
interesting time I personallybriefed George W Bush, former
(26:06):
president of the United States,about six weeks after he was out
of office in his temporaryoffice in Dallas.
I gave him a classifiedbriefing of a matter that
concerned him after I was sentthere by FBI headquarters to do
that and that was a veryinteresting experience.
Just me, one other guy andformer President Bush in his
(26:28):
temporary office, with the doorclosed at 10 o'clock in the
morning.
Speaker 3 (26:33):
Wow, well, I'll tell you, man, we've had quite a few
conversations and lunches andstuff, and it never ceases to
amaze me, man.
Speaker 1 (26:39):
Always a new story.
Appreciate it.
Bob, Thanks for coming out andhave a good rest of the day.
Speaker 2 (26:43):
Yeah, happy to be here.
Thanks, guys.
All right, thanks for tuning back in to Simply
Solving Cyber.
I'm Aaron Pritz and I'm CodyRivers, and today we're here
with Bob Casey.
I've actually known Bob now forprobably at least a decade.
Both worked together at a largepharmaceutical company and
before that Bob was in the FBI,houston Police and, of course,
then joining the corporatesecurity side, leading corporate
security, global security, atthe large pharma.
(00:28):
So, bob, welcome to the showand maybe give us the quick Bob
story.
Speaker 2 (00:32):
Thanks, aaron and Cody.
Great to be here, great to bewith you guys on this podcast,
excited to be a part of it.
Yeah, I'm an Indianapolis kid.
I graduated from Indiana StateUniversity where today,
unbelievably, I'm on the boardof trustees Moved to Houston and
went on the police departmentas a young man and spent five
(00:55):
years there, three years inpatrol on the midnight shift
that's when all the goblins comeout, midnight shift in Houston.
Yeah, midnight shift in Houston,the infamous Central Division
and then transferred to theCriminal Intelligence Division,
to the Organized Crime Squad,and my portfolio there was the
Asian gang and Asian organizedcrime portfolio.
(01:15):
So I primarily did Chinese andVietnamese gang and organized
crime activities and ended upworking with the FBI there and
was impressed by the agents Iworked with and they encouraged
me to think about applying tothe bureau.
So after clearing it with mywife and getting her approval, I
(01:37):
applied and of course wentthrough a lengthy process taking
a year through the process, andwas offered an appointment.
So entered the FBI Academy in1986 and spent the next 25 years
in the Bureau as an agent,going through the ranks as an
investigative field agent inPhoenix, arizona, and then
(01:58):
promoted the FBI headquarters inWashington as a junior level
program manager in the EuropeanAsian unit of the criminal
enterprise branch and then on toChicago as a squad supervisor
of a gang squad, gang task forceand then a drug squad.
Then to Miami as assistantspecial agent in charge that
(02:23):
would be the number two levelleader in the field in the FBI
field division and supervisedthe organized crime, drug and
intelligence programs there fortwo years.
9-11 attacks happened while hewas there and of course we were
heavily involved there in Miamibecause of the connections in
(02:43):
South Florida to a number of thehijackers.
So I was involved in that andreally those attacks changed the
course of my career because theFBI then began to focus on
transforming its intelligencecapability.
I had intelligence experiencein a large urban police
(03:06):
department and in the FBI'searlier programs in intelligence
and consequently was promotedby the director of the FBI to
the senior executive service sothat's the more senior
leadership ranks in the federalgovernment transferred back to
FBI headquarters and reallybegan a very transformational
(03:30):
journey in examining whathappened in those attacks, what
were the intelligence failuresand deficiencies and how could
those be improved.
And the FBI and the CIA wereprimarily, in my view, examined
most closely for what happenedand what needed to happen going
(03:51):
forward.
So a lot of my work at FBIheadquarters obviously focused
on the second part is don't letit happen again, which really
was the admonition from theWhite House, from Congress and
from the American people.
Stressful, long hours, longcommute, a lot of pressure.
Speaker 1 (04:12):
No traffic yeah traffic everywhere.
Speaker 2 (04:15):
My office was right down the executive hallway from
the FBI director and the otherexecutive, so on any given day
if you walk out into the hallwayyou could run into the FBI
director.
So you have to have your acttogether 24-7 while you're there
, but a number of veryinteresting projects.
I led the FBI team that did anew memorandum of understanding
(04:39):
between the FBI and the CIA tocoordinate our activities
globally.
The FBI and the CIA tocoordinate our activities
globally helped design the newfield intelligence program for
the FBI which was then put inplace in all 56 FBI field
divisions in the US.
Speaker 1 (04:56):
So actually I want to double click on that and I'm
sure we talked about it togetheron the corporate side.
But for all the cyberpractitioners listening,
obviously threat intelligence isa form of practice within the
cyber community as well.
Having built that, what aresome tips for some maybe early
career threat intelligenceanalysts within cyber Like,
where would they start?
(05:16):
How do they get better?
All that?
Speaker 2 (05:18):
Yeah, absolutely Key.
I'm glad you brought it up.
First of all, let's talk aboutintelligence.
What is it?
Intelligence is information thatfulfills a need to make
decisions.
(05:45):
It clears up things that mighthave been unclear, although it
is often cast in ways thatintelligence itself, the work of
intelligence or a threatintelligence analyst, is about
the unknown, the unclear and thedeliberately deceptive.
So one has to understand thatthat's the world that they will
be in.
It really comes down, I think,heavily to a good requirements
management structure, and what Imean by that is that whether
you're the United Statesgovernment, the President of the
(06:05):
United States, the USgovernment, the Secretary of
Defense, whether you're a CEO,whether you're a police chief,
you really need to know whatyour intelligence requirements
are, what are the essentialitems of information that will
help you make good decisions inyour operating environment, and
there has to be some sort ofstructure to that, and those who
(06:28):
are in a position to collectthat intelligence or that
information need to know whatthose requirements are and when
they do.
You can do a couple of thingsFirst, you can actually aid in
your decision-making andsecondly, you can determine
whether or not you have a lot ofgaps in your collection
mechanisms and you need toimprove those, you need to shore
(06:50):
those up Sounds like a lot ofgovernance and process and
policy.
Yes, one should be careful notto make it too complicated or
too convoluted.
But the people who are in thebest decision to articulate
requirements are those who haveresponsibilities in the
organization to advance it, tosell, to market, to defend it,
(07:14):
to defend the countryrequirements structure which
then feeds a collectionmanagement structure, which then
feeds an analytic structure,which then feeds a production
structure.
To go back to that requirementsholder and say, here's what we
found, does this help?
(07:35):
And if the requirements holdersays, well, this helps a lot or
this only helps halfway, I needto know these other things.
Now, or now that you've givenme this, I have additional
questions and those becomerequirements and it's a cycle
and you have to think of it in acyclical fashion.
So that would be my advice toanyone talking about the
(07:59):
intelligence game in thecorporate world, a business firm
or a young intelligence analystor intelligence manager.
But I would say, be careful,because intelligence is more
than just analysis.
It is about a requirementstructure, it's about collection
management, it's about analysis, it's about production and it's
(08:20):
about feeding that cycle backaround again.
Speaker 3 (08:23):
Nice, so I know you also had a corporate stint as
well too.
We do a lot withincybersecurity, but talk about
the relationship between thephysical security and your
background and working withglobal cybersecurity.
Speaker 2 (08:36):
Sure, I always felt like it should not be a
competition and you should notbe trying to hide the ball.
You should not be trying toone-up each other.
The integration of physicalpersonnel, facility security and
information security orcybersecurity is critical to
have a really good, stronghandshake and complement each
(08:58):
other.
The physical security folks inmy experience in the corporate
world they're really good atunderstanding human behaviors
because they see all kinds ofbehaviors.
They probably came out of lawenforcement or a national
security career in thegovernment and they understand
human behavior and they caninject that knowledge into
(09:23):
physical security, protectivemeasures, physical security
consultation and integratingtheir work or partnering with
information security and cybersecurity.
I mean, I have a real, strongbelief that threats to probably
the companies and firms that arelistening to this podcast
(09:46):
originate from a human being.
Yes, you could have a threatthat is a natural disaster that
could disrupt your informationtechnology infrastructure and
the security of your informationnetwork, but generally speaking
, the origin of a threat isgoing to start with a human
being.
It could be a lone actor thatis a criminal whose motivation
(10:08):
is economic they want to stealmoney.
It could be a nation statewhere it is a collection of
human beings being guided by thepolicy and objectives of that
particular government, wherethey're trying to steal
technology and innovation Right.
So you really have to thinkabout who would be the adversary
(10:29):
.
What type of person or people,what capabilities do they have,
what opportunities do they haveand what do you have that they
would want?
Whether it's sabotaging you,whether it's stealing from you,
whether it's recruiting some ofyour people to do all those
(10:49):
things to you as well.
So really think about whatyou're trying to protect and
understand what the adversarywould be interested in.
Don't just stop at what youwant to protect and not think
about the capabilities of anadversary or what their
motivations would be, becauseyou may end up spending a lot of
(11:09):
money and investing a lot oftime in building protective
measures that are not going tobe needed Because the adversary
is really not interested in that.
They may be interested insomething else that you haven't
thought of.
Just remember that the threatpicture coming at you by an
(11:31):
adversary is going to be whatintent do they have to hurt you,
what capabilities do they haveto hurt you and what
opportunities are there toemploy those first two things to
hurt you In your job, you maynot be able to change the intent
of the adversary.
You may not be able to changethe intent of the adversary and
you might have limited successin degrading the capabilities,
(11:54):
especially in the private sector, of an adversary.
Speaker 1 (12:12):
But you do have a lot of ways to close off
opportunities and that's one wayto think about building a cyber
defense or a physical andpersonal security defense.
I remember probably 10 years ago, bob, you were coaching me on
kind of nation state or even runof the mill online cyber
criminals versus and I likedwhat you said earlier
departments shouldn't becompeting against each other,
but sometimes like competing forwhat's most important.
Even if individuals aren'ttrying to compete, they can end
up feeling competitive or beingcompetitive.
And I know you were coaching meon like insider threat of think
(12:36):
about intellectual propertythat you know takes proprietary
knowledge to know the means,like you mentioned, or the
capabilities to do somethingwith it, and like connecting
that with maybe an online cyberattack with.
Even if they got some of thethings we're worried about,
would they be sophisticatedenough to know how and what to
do with that?
And then also, every outsideattack usually has some human
(12:59):
element involved, like whetherit's a co-opted insider or
tricking a non-suspectingindividual into helping them
with their mission.
Any additional thoughts on kindof that full connected human
factor when it comes to alltypes of cyber crime?
Speaker 2 (13:15):
Yeah Well, first there has to be a belief that I
could be tricked, that I couldbe victimized.
And you know, we had a case inTexas when I headed up the FBI
field office in Dallas, whereour national security cyber
intrusion squad that's all theydid detected an intrusion into a
business in Texas, a firm,fairly large firm, and the agent
(13:39):
went and paid a visit to thefirm, the cyber squad agent and
the firm produced the generalcounsel to come outside and talk
to the agent and the agent gavehis spiel and said you've been
intruded upon.
And the general counsel was indenial and said no, no, no, no.
We have great cyber securityhere and there's no way because
(14:02):
we've never noticed anything, wehaven't seen anything, no one's
reported anything and I'm thegeneral counsel and I would know
.
So this comes up to me becausewe knew that this was going to
be a pretty serious matter.
So we sent the supervisor ofthe agent and the agent back and
asked to speak to the CEO ofthat company.
And so they went and theyshowed, they laid out the case
(14:25):
on a technical basis and ofcourse that's when everybody sat
up straight in their chair andsaid, uh-oh, we've been had.
So, as it turned out in thiscase, the nation-state adversary
that we attributed this to usedthis firm as a hot point to go
(14:45):
to a major research universityin the United States and conduct
an intrusion there.
So this particular firm was notthe end victim and we figured
out that they were just hijackedto use their IP address
identity because they happenedto be in a line of work that did
business with universities andcolleges around the United
(15:07):
States and we knew that researchtaking place at this university
was of interest to thisparticular nation state for
their military weaponrycapabilities.
So we kind of closed the loopthere.
But you have to be reallycareful of being overconfident
that one of your employees willnot be of interest to a
(15:28):
sophisticated adversary, one ofyour employees will not be of
interest to a sophisticatedadversary, and then you have to
do enough in the employeeawareness and education space to
make sure that they understandI could be targeted defensive
mechanisms that hopefully yourcybersecurity group in your
(15:51):
company or a firm like RevealRisk, if you're doing business
with a company, would advicethat they would give and you
need to follow it.
Speaker 3 (16:00):
Yeah, I think a lot of times there's a lot of focus
on the intentional insider riskand not the unintentional.
So actually that kind of makesme think about some things you
know looking at, you know careeradvice for early opportunities,
but those interested in FBI,and we'll kind of get that into
a second.
But I kind of want to start offwith thinking of Bob Casey.
Now you get to make a phonecall and you call Bob Casey,
(16:22):
3035, 40 years ago, and you getto have a two to five minute
conversation with him.
What things are you telling him?
Speaker 2 (16:30):
Yeah, I would tell him be careful about when
opportunities are presented toyou, unique opportunities in
your career.
Be careful about believing orconvincing yourself.
Well, it's not the right time.
It would take me away from mypermanent duties to go on this
temporary assignment.
(16:50):
It would take me away from mypermanent duties to go on this
temporary assignment.
Stop yourself, because there'sa number of opportunities and
assignments that have beenpresented to me that I chose not
to pursue or tried to talk themout of having me do it.
And had I done it, I think mycareer maybe even would have
expanded in other ways.
I would have had some veryinteresting experiences.
(17:12):
Now I had a lot of greatexperiences and I had things
come my way that I felt was notthe right time.
And in some of those cases Iwas told well, you're going to
do it anyway and it turned outto be okay.
There were some challengesthere, obviously, and you know,
depending on the line of workyou're in, family challenges
that come with thoseopportunities.
But I would say in that phonecall I would say, hey, don't
(17:35):
dismiss.
Even though it may not be theright time, you may not think
you're exactly qualified, whywould they be calling me
Possibly stop yourself and thenmaybe think about leaping and
taking advantage of those things.
That's excellent, because youcan grow.
Speaker 3 (17:50):
Yeah, I do a lot of mentoring to some young
individuals, both men and women,here in Indiana and a lot of
things they ask me is what'snext?
What should I do next?
And so, talking to those whoare interested in cybersecurity,
corporate security or maybeeven in an FBI or FBI
partnership, what's some kind ofadvice for early careers as far
as what to get engaged with,who to talk with or what are
some things to be thinking aboutif that's the right path for
(18:11):
them?
Speaker 2 (18:11):
Yeah, Well, obviously , the pursuit of a bachelor's
degree at least, is important.
It opens so many doors, and Isay that being affiliated with
Indiana State University and mywife and I endowing a
scholarship beginning this yearat Indiana.
State University for students inthe School of Criminology and
Security Studies, which, by theway, has a cybersecurity program
(18:32):
as well, and we're very glad tobe able to do that, and I also
have spoken to and mentored anumber of students at Indiana
State going into those careers.
You really need to, as a basiclaunching pad, you need that
bachelor's degree.
Understand your field ofinterest and what they are
(18:53):
looking for to hire, and evenentry level.
Understand the attributes andthe skills and the
qualifications that thepotential employer is looking
for.
Don't think you know.
Understand what they requireand what they're seeking.
So I would say do a lot ofresearch.
Ask yourself am I willing tomove around?
(19:16):
Am I only comfortable stayinglocal?
Would I be willing to move?
Would I be willing to movearound periodically?
Would I take to move around?
Am I only comfortable stayinglocal?
Would I be willing to move?
Would I be willing to movearound periodically?
Would I take a foreign rolesomewhere?
Don't sell yourself short interms of doing the right kind of
research.
I think for some careers thetype of degree makes a
difference, and in other careersthe type of degree doesn't
(19:37):
necessarily make a difference,and in other careers, the type
of degree doesn't necessarilymake a difference, and I also am
not sure that which schoolmakes a huge difference, because
I don't ever recall being askedwhat school I went to.
Hardly at all.
Once I got started my career,what my supervisors and leaders
were more concerned about waswhat kind of performer was I?
Speaker 1 (19:59):
And if you knew Larry Bird and if I knew Larry Bird
no Went to school.
Speaker 2 (20:03):
When he went, he was a year ahead of me, but no, I
did not know him.
So, yeah, that would be myadvice and in terms of, of
course, the government, the FBIwhether it's the National
Security Agency, cia, fbi, youknow you're going to be required
to hold a top secret clearanceand with that comes how have you
(20:26):
lived your life?
What sort of character do?
Speaker 1 (20:27):
you have Reputation.
What sort of associates did youhave?
Be careful what you put onsocial media?
Speaker 2 (20:30):
Yeah, absolutely.
I hammer that home to studentsthat I speak with, because young
people I think in some casesnot just young people quite
frankly have this tendency tobelieve that their social media
persona is separate from theirreal persona in life yeah.
Speaker 3 (20:47):
And that is not true.
Speaker 2 (20:49):
That is absolutely not true.
All I did was follow the personor like the posting, or just
all I did was repost it.
I didn't comment.
Sorry, that's all going to beviewed in terms of your
character and your reputation.
Speaker 1 (21:06):
We've got time for about two more questions.
One question that I have is oneof the topics we always talk
about is people in process, anda lot of times in cybersecurity
technology takes the frontbilling and almost to a fault,
like we bought a bunch of toolsand we can't put them all in
place.
We don't have enough people, wedon't have processes to scale
anything.
Both of our reveal riskpractice as well as this
(21:28):
discussion we talk a lot aboutlike making sure that's
emphasized.
Give us an example of a projectthat you were on Could be
corporate, could be in the FBI,where process clarity, humans in
the right place doing the rightthing, made the big difference.
Speaker 2 (21:43):
I would say that in the FBI, for an example, we
acquired evidence against aperson who was building an
improvised explosive device inthe United States and planned to
detonate it, and we had tosequence our investigative
activities properly.
So you're talking about process, you're talking about
compliance, because you have tofollow legal requirements, and
(22:08):
so how do we sequence, build andintegrate surveillance,
physical surveillance of theperson?
How do we sequence enteringinto his residence to acquire
evidence surreptitiously withouthim knowing it?
How did we do all of thosethings?
And it really requires someexperience.
(22:28):
It requires, I would say,adherence to tried and true
processes and not let a specialcircumstance deviate you too
much from those things, becausethat's when you run into
problems, failures of youroperation, of your task or even
compliance issues.
You can run into complianceissues as well.
So when you look at a case likethat, that's an example that
(22:53):
comes to mind in terms of people.
Do you have the right peoplewho understand what they're
trying to do in theinvestigative work?
How are you going to speak towitnesses and others without
surfacing knowledge of the caseprematurely?
How well do you understand theprocess you have to go through
to obtain evidence and make surethat it can stand up in court
(23:16):
In the corporate world, thecorporate security world.
We had a major theft in thecompany that I worked for a
dozen years ago of our product,a very significant theft tens of
millions of dollars where aphysical security system was
defeated.
And what was learned in thatcase is there was a lack of
(23:38):
security standards put forwardin the company, a lack of
compliance environment, tellingthe sites and facilities you
have to meet these standards.
These are minimum standards,security standards and you have
to meet them.
And then processes by whichthey could internally review and
understand if they were meetingthem.
And then process for us in thesecurity department to do
(24:02):
compliance reviews.
So things like testing thesecurity cameras, developing a
process to do that so they don'tfail on you and you don't know
it, or testing the alarm systemand the sensors, testing the
badge access system, having aprocess to reissue badges that
are lost, and things like that.
(24:23):
So all of those being veryfundamental process activities
and they need a rigor to themand a cultural environment to
comply with them.
Speaker 1 (24:32):
I'm sure you fixed all that.
But going back to the processon the law enforcement side, are
you saying that Beverly HillsCop is not a realistic depiction
on how you should run your game?
Speaker 2 (24:42):
Well, I remember seeing that movie many years ago
for the entertainment value.
Speaker 1 (24:46):
No, there's a new one that just came out in 2024.
They ran it all the way backand it was the same damn movie.
Like same music, samesoundtrack, same Eddie Murphy
Don't fix it, man.
Speaker 2 (24:56):
If in that movie I see them doing six or eight
hours of paperwork for everyfive minutes of action, then
I'll believe it's true.
Speaker 1 (25:03):
There you go, okay, well, that just wouldn't play
well in Hollywood, I guess.
Speaker 2 (25:05):
No I guess not.
Speaker 3 (25:06):
Man.
One question here to close thisout.
I want to ask all of ourattendees this one here and
again.
This is interesting facts Ifsomeone, for those who may not
know Bob Casey personally,interesting facts or hobbies
that very few people would knowabout you, so in the big reveal
interesting facts in.
Speaker 2 (25:23):
Dallas I met the Dallas police homicide detective
, jim Lovell, who was handcuffedto Lee Harvey Oswald when Jack
Ruby shot and killed him in thebasement of Dallas police
headquarters after Oswald hadbeen arrested for the
assassination of PresidentKennedy.
Speaker 1 (25:40):
Wow, can we talk about a second shooter?
Speaker 2 (25:43):
There was no second shooter, I assure you of that.
So I heard the whole story fromLavelle.
I also met the Secret Serviceagent, clint Hill, who climbed
up on the back of Kennedy'slimousine after he was shot and
rode to the hospital.
And the third fun fact is alsowhile in Dallas it was an
interesting time I personallybriefed George W Bush, former
(26:06):
president of the United States,about six weeks after he was out
of office in his temporaryoffice in Dallas.
I gave him a classifiedbriefing of a matter that
concerned him after I was sentthere by FBI headquarters to do
that and that was a veryinteresting experience.
Just me, one other guy andformer President Bush in his
(26:28):
temporary office, with the doorclosed at 10 o'clock in the
morning.
Speaker 3 (26:33):
Wow, well, I'll tell you, man, we've had quite a few
conversations and lunches andstuff, and it never ceases to
amaze me, man.
Speaker 1 (26:39):
Always a new story.
Appreciate it.
Bob, Thanks for coming out andhave a good rest of the day.
Speaker 2 (26:43):
Yeah, happy to be here.
Thanks, guys.
Popular Podcasts
United States of Kennedy
United States of Kennedy is a podcast about our cultural fascination with the Kennedy dynasty. Every week, hosts Lyra Smith and George Civeris go into one aspect of the Kennedy story.
Stuff You Should Know
If you've ever wanted to know about champagne, satanism, the Stonewall Uprising, chaos theory, LSD, El Nino, true crime and Rosa Parks, then look no further. Josh and Chuck have you covered.
Dateline NBC
Current and classic episodes, featuring compelling true-crime mysteries, powerful documentaries and in-depth investigations. Follow now to get the latest episodes of Dateline NBC completely free, or subscribe to Dateline Premium for ad-free listening and exclusive bonus content: DatelinePremium.com