Simply Solving Cyber

Simply Solving Cyber - Bob Casey

Aaron Pritz

What if understanding human behavior could be the key to bolstering your organization's cybersecurity? Join us for an enlightening conversation with Bob Casey, a veteran security expert whose career has spanned the FBI, Houston Police Department, and corporate security at a major pharmaceutical company. Bob's journey from handling organized crime on the midnight beat in Houston to transforming the FBI's intelligence capabilities post-9/11 is packed with lessons and insights that every threat intelligence analyst needs to hear.

Discover the critical importance of integrating physical and cybersecurity through a cyclical approach to intelligence and security. Bob delves into the human elements behind cyber threats, discussing insider threats, intellectual property protection, and the interplay between cyber attacks and human behavior. His real-life example of a Texas firm's cyber intrusion underscores the necessity of continuous employee education and cybersecurity vigilance, offering a sobering reminder that overconfidence can lead to significant vulnerabilities.

To wrap it all up, Bob shares some of his most memorable encounters with historical figures, including an intriguing story about briefing former President George W. Bush. From advice for aspiring cybersecurity professionals to personal reflections on significant historical moments, this episode is filled with fascinating anecdotes and crucial advice. Whether you're looking to build a career in cybersecurity or simply want to understand the complex world of modern security challenges, you won't want to miss this captivating episode!

Speaker 1:

All right, thanks for tuning back in to Simply Solving Cyber. I'm Aaron Pritz and I'm Cody Rivers, and today we're here with Bob Casey. I've actually known Bob now for probably at least a decade. Both worked together at a large pharmaceutical company and before that Bob was in the FBI, Houston Police and, of course, then joining the corporate security side, leading corporate security, global security, at the large pharma. So, Bob, welcome to the show and maybe give us the quick Bob story.

Speaker 2:

Thanks, Aaron and Cody. Great to be here, great to be with you guys on this podcast, excited to be a part of it. Yeah, I'm an Indianapolis kid. I graduated from Indiana State University where today, unbelievably, I'm on the board of trustees. Moved to Houston and went on the police department as a young man and spent five years there, three years in patrol on the midnight shift. That's when all the goblins come out, midnight shift in Houston.

Speaker 2:

Yeah, midnight shift in Houston, the infamous Central Division and then transferred to the Criminal Intelligence Division, to the Organized Crime Squad, and my portfolio there was the Asian gang and Asian organized crime portfolio. So I primarily did Chinese and Vietnamese gang and organized crime activities and ended up working with the FBI there and was impressed by the agents I worked with and they encouraged me to think about applying to the bureau. So after clearing it with my wife and getting her approval, I applied and of course went through a lengthy process taking a year through the process, and was offered an appointment. So entered the FBI Academy in 1986 and spent the next 25 years in the Bureau as an agent, going through the ranks as an investigative field agent in Phoenix, Arizona, and then promoted to FBI headquarters in Washington as a junior level program manager in the European Asian unit of the criminal enterprise branch and then on to Chicago as a squad supervisor of a gang squad, gang task force and then a drug squad. Then to Miami as assistant special agent in charge, that would be the number two level leader in the field in the FBI field division, and supervised the organized crime, drug and intelligence programs there for two years.

Speaker 2:

9-11 attacks happened while he was there and of course we were heavily involved there in Miami because of the connections in South Florida to a number of the hijackers.

Speaker 2:

So I was involved in that and really those attacks changed the course of my career because the FBI then began to focus on transforming its intelligence capability. I had intelligence experience in a large urban police department and in the FBI's earlier programs in intelligence and consequently was promoted by the director of the FBI to the senior executive service so that's the more senior leadership ranks in the federal government transferred back to FBI headquarters and really began a very transformational journey in examining what happened in those attacks, what were the intelligence failures and deficiencies and how could those be improved. And the FBI and the CIA were primarily, in my view, examined most closely for what happened and what needed to happen going forward. So a lot of my work at FBI headquarters obviously focused on the second part is don't let it happen again, which really was the admonition from the White House, from Congress and from the American people. Stressful, long hours, long commute, a lot of pressure.

Speaker 1:

No traffic yeah traffic everywhere.

Speaker 2:

My office was right down the executive hallway from the FBI director and the other executive, so on any given day if you walk out into the hallway you could run into the FBI director.

Speaker 2:

So you have to have your act together 24-7 while you're there, but a number of very interesting projects. I led the FBI team that did a new memorandum of understanding between the FBI and the CIA to coordinate our activities globally, helped design the new field intelligence program for the FBI which was then put in place in all 56 FBI field divisions in the US.

Speaker 1:

So actually I want to double click on that and I'm sure we talked about it together on the corporate side. But for all the cyber practitioners listening, obviously threat intelligence is a form of practice within the cyber community as well. Having built that, what are some tips for some maybe early career threat intelligence analysts within cyber? Like, where would they start? How do they get better? All that?

Speaker 2:

Yeah, absolutely Key. I'm glad you brought it up. First of all, let's talk about intelligence. What is it?

Speaker 2:

Intelligence is information that fulfills a need to make decisions.

Speaker 2:

It clears up things that might have been unclear, although it is often cast in ways that intelligence itself, the work of intelligence or a threat intelligence analyst, is about the unknown, the unclear and the deliberately deceptive.

Speaker 2:

So one has to understand that that's the world that they will be in. It really comes down, I think, heavily to a good requirements management structure, and what I mean by that is that whether you're the United States government, the President of the United States, the US government, the Secretary of Defense, whether you're a CEO, whether you're a police chief, you really need to know what your intelligence requirements are, what are the essential items of information that will help you make good decisions in your operating environment, and there has to be some sort of structure to that, and those who are in a position to collect that intelligence or that information need to know what those requirements are, and when they do, you can do a couple of things. First, you can actually aid in your decision-making and secondly, you can determine whether or not you have a lot of gaps in your collection mechanisms and you need to improve those, you need to shore those up. Sounds like a lot of governance and process and policy.

Speaker 2:

Yes, one should be careful not to make it too complicated or too convoluted.

Speaker 2:

But the people who are in the best decision to articulate requirements are those who have responsibilities in the organization to advance it, to sell, to market, to defend it, to defend the country requirements structure which then feeds a collection management structure, which then feeds an analytic structure, which then feeds a production structure. To go back to that requirements holder and say, here's what we found, does this help? And if the requirements holder says, well, this helps a lot or this only helps halfway, I need to know these other things. Now, or now that you've given me this, I have additional questions and those become requirements and it's a cycle and you have to think of it in a cyclical fashion. So that would be my advice to anyone talking about the intelligence game in the corporate world, a business firm or a young intelligence analyst or intelligence manager. But I would say, be careful, because intelligence is more than just analysis. It is about a requirement structure, it's about collection management, it's about analysis, it's about production and it's about feeding that cycle back around again.

Speaker 3:

Nice, so I know you also had a corporate stint as well too. We do a lot within cybersecurity, but talk about the relationship between the physical security and your background and working with global cybersecurity.

Speaker 2:

Sure, I always felt like it should not be a competition and you should not be trying to hide the ball. You should not be trying to one-up each other. The integration of physical personnel, facility security and information security or cybersecurity is critical to have a really good, strong handshake and complement each other. The physical security folks in my experience in the corporate world they're really good at understanding human behaviors because they see all kinds of behaviors. They probably came out of law enforcement or a national security career in the government and they understand human behavior and they can inject that knowledge into physical security, protective measures, physical security consultation and integrating their work or partnering with information security and cyber security.

Speaker 2:

I mean, I have a real, strong belief that threats to probably the companies and firms that are listening to this podcast originate from a human being. Yes, you could have a threat that is a natural disaster that could disrupt your information technology infrastructure and the security of your information network, but generally speaking, the origin of a threat is going to start with a human being. It could be a lone actor that is a criminal whose motivation is economic, they want to steal money. It could be a nation state where it is a collection of human beings being guided by the policy and objectives of that particular government, where they're trying to steal technology and innovation. Right. So you really have to think about who would be the adversary. What type of person or people, what capabilities do they have, what opportunities do they have and what do you have that they would want?

Speaker 2:

Whether it's sabotaging you, whether it's stealing from you, whether it's recruiting some of your people to do all those things to you as well.

Speaker 2:

So really think about what you're trying to protect and understand what the adversary would be interested in. Don't just stop at what you want to protect and not think about the capabilities of an adversary or what their motivations would be, because you may end up spending a lot of money and investing a lot of time in building protective measures that are not going to be needed because the adversary is really not interested in that. They may be interested in something else that you haven't thought of. Just remember that the threat picture coming at you by an adversary is going to be what intent do they have to hurt you, what capabilities do they have to hurt you and what opportunities are there to employ those first two things to hurt you. In your job, you may not be able to change the intent of the adversary and you might have limited success in degrading the capabilities, especially in the private sector, of an adversary.

Speaker 1:

But you do have a lot of ways to close off opportunities and that's one way to think about building a cyber defense or a physical and personal security defense.

Speaker 1:

I remember probably 10 years ago, Bob, you were coaching me on kind of nation state or even run of the mill online cyber criminals versus and I liked what you said earlier departments shouldn't be competing against each other, but sometimes like competing for what's most important. Even if individuals aren't trying to compete, they can end up feeling competitive or being competitive. And I know you were coaching me on like insider threat of think about intellectual property that you know takes proprietary knowledge to know the means, like you mentioned, or the capabilities to do something with it, and like connecting that with maybe an online cyber attack with. Even if they got some of the things we're worried about, would they be sophisticated enough to know how and what to do with that? And then also, every outside attack usually has some human element involved, like whether it's a co-opted insider or tricking a non-suspecting individual into helping them with their mission. Any additional thoughts on kind of that full connected human factor when it comes to all types of cyber crime?

Speaker 2:

Yeah Well, first there has to be a belief that I could be tricked, that I could be victimized. And you know, we had a case in Texas when I headed up the FBI field office in Dallas, where our national security cyber intrusion squad that's all they did detected an intrusion into a business in Texas, a firm, fairly large firm, and the agent went and paid a visit to the firm, the cyber squad agent and the firm produced the general counsel to come outside and talk to the agent and the agent gave his spiel and said you've been intruded upon. And the general counsel was in denial and said no, no, no, no. We have great cyber security here and there's no way because we've never noticed anything, we haven't seen anything, no one's reported anything and I'm the general counsel and I would know. So this comes up to me because we knew that this was going to be a pretty serious matter. So we sent the supervisor of the agent and the agent back and asked to speak to the CEO of that company. And so they went and they showed, they laid out the case on a technical basis and of course that's when everybody sat up straight in their chair and said, uh-oh, we've been had.

Speaker 2:

So, as it turned out in this case, the nation-state adversary that we attributed this to used this firm as a hot point to go to a major research university in the United States and conduct an intrusion there.

Speaker 2:

So this particular firm was not the end victim and we figured out that they were just hijacked to use their IP address identity because they happened to be in a line of work that did business with universities and colleges around the United States and we knew that research taking place at this university was of interest to this particular nation state for their military weaponry capabilities. So we kind of closed the loop there. But you have to be really careful of being overconfident that one of your employees will not be of interest to a sophisticated adversary, and then you have to do enough in the employee awareness and education space to make sure that they understand I could be targeted defensive mechanisms that hopefully your cybersecurity group in your company or a firm like Reveal Risk, if you're doing business with a company, would advice that they would give and you need to follow it.

Speaker 3:

Yeah, I think a lot of times there's a lot of focus on the intentional insider risk and not the unintentional. So actually that kind of makes me think about some things you know looking at, you know career advice for early opportunities, but those interested in FBI, and we'll kind of get that into a second. But I kind of want to start off with thinking of Bob Casey. Now you get to make a phone call and you call Bob Casey, 30, 35, 40 years ago, and you get to have a two to five minute conversation with him. What things are you telling him?

Speaker 2:

Yeah, I would tell him be careful about when opportunities are presented to you, unique opportunities in your career. Be careful about believing or convincing yourself. Well, it's not the right time. It would take me away from my permanent duties to go on this temporary assignment. Stop yourself, because there's a number of opportunities and assignments that have been presented to me that I chose not to pursue or tried to talk them out of having me do it.

Speaker 2:

And had I done it, I think my career maybe even would have expanded in other ways. I would have had some very interesting experiences. Now I had a lot of great experiences and I had things come my way that I felt was not the right time. And in some of those cases I was told well, you're going to do it anyway and it turned out to be okay. There were some challenges there, obviously, and you know, depending on the line of work you're in, family challenges that come with those opportunities. But I would say in that phone call I would say, hey, don't dismiss. Even though it may not be the right time, you may not think you're exactly qualified, why would they be calling me? Possibly stop yourself and then maybe think about leaping and taking advantage of those things. That's excellent, because you can grow.

Speaker 3:

Yeah, I do a lot of mentoring to some young individuals, both men and women, here in Indiana and a lot of things they ask me is what's next? What should I do next? And so, talking to those who are interested in cybersecurity, corporate security or maybe even in an FBI or FBI partnership, what's some kind of advice for early careers as far as what to get engaged with, who to talk with or what are some things to be thinking about if that's the right path for them?

Speaker 2:

Yeah. Well, obviously, the pursuit of a bachelor's degree at least, is important. It opens so many doors, and I say that being affiliated with Indiana State University and my wife and I endowing a scholarship beginning this year at Indiana State University for students in the School of Criminology and Security Studies, which, by the way, has a cybersecurity program as well, and we're very glad to be able to do that, and I also have spoken to and mentored a number of students at Indiana State going into those careers. You really need to, as a basic launching pad, you need that bachelor's degree. Understand your field of interest and what they are looking for to hire, and even entry level. Understand the attributes and the skills and the qualifications that the potential employer is looking for. Don't think you know. Understand what they require and what they're seeking.

Speaker 2:

So I would say do a lot of research. Ask yourself am I willing to move around? Am I only comfortable staying local? Would I be willing to move? Would I be willing to move around periodically? Would I take a foreign role somewhere? Don't sell yourself short in terms of doing the right kind of research. I think for some careers the type of degree makes a difference, and in other careers the type of degree doesn't necessarily make a difference, and I also am not sure that which school makes a huge difference, because I don't ever recall being asked what school I went to. Hardly at all. Once I got started my career, what my supervisors and leaders were more concerned about was what kind of performer was I?

Speaker 1:

And if you knew Larry Bird and if I knew Larry Bird no Went to school.

Speaker 2:

When he went, he was a year ahead of me, but no, I did not know him. So, yeah, that would be my advice and in terms of, of course, the government, the FBI, whether it's the National Security Agency, CIA, FBI, you know you're going to be required to hold a top secret clearance and with that comes how have you lived your life? What sort of character do you have?

Speaker 1:

Reputation. What sort of associates did you have? Be careful what you put on social media?

Speaker 2:

Yeah, absolutely. I hammer that home to students that I speak with, because young people I think in some cases not just young people quite frankly have this tendency to believe that their social media persona is separate from their real persona in life yeah.

Speaker 3:

And that is not true.

Speaker 2:

That is absolutely not true. All I did was follow the person or like the posting, or just all I did was repost it. I didn't comment. Sorry, that's all going to be viewed in terms of your character and your reputation.

Speaker 1:

We've got time for about two more questions. One question that I have is one of the topics we always talk about is people in process, and a lot of times in cybersecurity technology takes the front billing and almost to a fault, like we bought a bunch of tools and we can't put them all in place. We don't have enough people, we don't have processes to scale anything. Both of our Reveal Risk practice as well as this discussion we talk a lot about like making sure that's emphasized. Give us an example of a project that you were on. Could be corporate, could be in the FBI, where process clarity, humans in the right place doing the right thing, made the big difference.

Speaker 2:

I would say that in the FBI, for an example, we acquired evidence against a person who was building an improvised explosive device in the United States and planned to detonate it, and we had to sequence our investigative activities properly. So you're talking about process, you're talking about compliance, because you have to follow legal requirements, and so how do we sequence, build and integrate surveillance, physical surveillance of the person? How do we sequence entering into his residence to acquire evidence surreptitiously without him knowing it? How did we do all of those things? And it really requires some experience. It requires, I would say, adherence to tried and true processes and not let a special circumstance deviate you too much from those things, because that's when you run into problems, failures of your operation, of your task or even compliance issues. You can run into compliance issues as well. So when you look at a case like that, that's an example that comes to mind in terms of people. Do you have the right people who understand what they're trying to do in the investigative work? How are you going to speak to witnesses and others without surfacing knowledge of the case prematurely? How well do you understand the process you have to go through to obtain evidence and make sure that it can stand up in court? In the corporate world, the corporate security world.

Speaker 2:

We had a major theft in the company that I worked for a dozen years ago of our product, a very significant theft tens of millions of dollars where a physical security system was defeated. And what was learned in that case is there was a lack of security standards put forward in the company, a lack of compliance environment, telling the sites and facilities you have to meet these standards. These are minimum standards, security standards and you have to meet them. And then processes by which they could internally review and understand if they were meeting them. And then process for us in the security department to do compliance reviews. So things like testing the security cameras, developing a process to do that so they don't fail on you and you don't know it, or testing the alarm system and the sensors, testing the badge access system, having a process to reissue badges that are lost, and things like that. So all of those being very fundamental process activities and they need a rigor to them and a cultural environment to comply with them.

Speaker 1:

I'm sure you fixed all that. But going back to the process on the law enforcement side, are you saying that Beverly Hills Cop is not a realistic depiction on how you should run your game?

Speaker 2:

Well, I remember seeing that movie many years ago for the entertainment value.

Speaker 1:

No, there's a new one that just came out in 2024. They ran it all the way back and it was the same damn movie. Like same music, same soundtrack, same Eddie Murphy Don't fix it, man.

Speaker 2:

If in that movie I see them doing six or eight hours of paperwork for every five minutes of action, then I'll believe it's true.

Speaker 1:

There you go, okay, well, that just wouldn't play well in Hollywood, I guess.

Speaker 2:

No I guess not.

Speaker 3:

Man. One question here to close this out. I want to ask all of our attendees this one here and again. This is interesting facts. If someone, for those who may not know Bob Casey personally, interesting facts or hobbies that very few people would know about you, so in the big reveal interesting facts.

Speaker 2:

In Dallas I met the Dallas police homicide detective, Jim Leavelle, who was handcuffed to Lee Harvey Oswald when Jack Ruby shot and killed him in the basement of Dallas police headquarters after Oswald had been arrested for the assassination of President Kennedy.

Speaker 1:

Wow, can we talk about a second shooter?

Speaker 2:

There was no second shooter, I assure you of that.

Speaker 2:

So I heard the whole story from Leavelle. I also met the Secret Service agent, Clint Hill, who climbed up on the back of Kennedy's limousine after he was shot and rode to the hospital. And the third fun fact is also while in Dallas, it was an interesting time, I personally briefed George W. Bush, former president of the United States, about six weeks after he was out of office in his temporary office in Dallas. I gave him a classified briefing of a matter that concerned him after I was sent there by FBI headquarters to do that and that was a very interesting experience. Just me, one other guy and former President Bush in his temporary office, with the door closed at 10 o'clock in the morning.

Speaker 3:

Wow, well, I'll tell you, man, we've had quite a few conversations and lunches and stuff, and it never ceases to amaze me, man.

Speaker 1:

Always a new story. Appreciate it. Bob, Thanks for coming out and have a good rest of the day.

Speaker 2:

Yeah, happy to be here. Thanks, guys.
