Robert Anderson Jr. served more than 20 years in the FBI, overseeing criminal and cyber investigations worldwide, including the Edward Snowden investigation. After the FBI, he served as managing director for a global organization helping companies respond to and recover from thousands of data breaches, as well as evaluate M&A target companies for cybersecurity vulnerabilities.
The now Chairman and CEO of Cyber Defense Labs sat down with Smart Business Chief Content Officer Dustin Klein at the Dallas Smart Business Dealmakers Conference to discuss a range of issues, from Anderson's transition to the boardroom to his insights for business leaders on the evolution of cybersecurity threats.
Below is a transcript of an excerpt from that conversation, slightly edited for readability.
On his perspective of how the cybersecurity landscape has evolved since his days in the FBI and the key challenges organizations face today in terms of securing their digital assets:
Yeah, a couple of things. One is it's bigger than any of you know. And here's what I'm telling you. What you see on TV is 1 percent, maybe, of what's going on. Give you a perfect example. I'm the No. 3 guy, 24,000 people under me, I'm charged with cyber and a whole bunch of other stuff all over the world. And when I came out to the private sector at the end of 2015, I thought I knew what I was doing; briefing the Attorney General everyday, briefing the vice president everyday, going up to the Senate and the Congress. I didn't have a clue. Now hear me, I mean, it. I didn't have a clue. I came out and run my first private practice the beginning of 2016 through 2019. We did in, those three years, 2,000 breaches. How many times do you think I talked to the FBI? Once. Now compound that towards 1,000s of companies that do cybercrime, and me as the No. 3 guy way back when, three years before then, that thought I understood the cyber threat to the United States and private sector businesses. I didn't see any of that. All we saw was gigantic breaches. The Sony's, the OPMs. And I think that's one thing you need to realize.
The other thing that makes this extremely complicated besides our adversaries are benefiting from technology just like we are, so they're sending that at you and in vectors. But the reality is, every single state in the United States has a different legal definition of what a breach is; every single one. And so, if you get breached in Dallas by a certain actor, you may have to report that. The same breach happens in Delaware, maybe that company doesn't have to report that. And so, it becomes very complicated when you're trying to protect your infrastructure of your company — I don't care if it's a gigantic company, or teeny family office — when you don't actually know what the threat is coming at you. And I think that's what people really need to realize. It's much greater than you see on TV at all.
When we look at the way actors attack people nowadays .... So, in the old days — and I say this constantly — in the old days of cyber, that's three years ago. It's not like 20 years ago and we're all sitting around drinking coffee talking about the old days. Cyber, it's three years. if you're looking at the threat like you looked at it back, then you're missing everything. And here's why. Because with the advent of technology, people don't sit behind keyboards anymore and hack. The pictures you see of the hoodies and the green lights and the Star Trek figurines sitting around people — I've got a bunch of guys like that at my company. And I love them. But the point is, that's not how bad guys attack companies.
When a bad guy, bad gal, whether in the United States or abroad, attack a company, they attack 1,000 banks at a time. They attack 1,000 health care institutes at a time. And it's with a click of a button. And the difference nowadays, compared to three, five, 10 years ago, with the advent of the technology to do surveillance — and when I say surveillance as a bad guy that doesn't mean I follow you, that means I'm looking, especially if you're a company with prominence, I'm looking at your IT infrastructure, I'm looking at the vulnerabilities that you have across Microsoft because it powers about 95 percent of the world. I look at the emails that you're carrying, and what infrastructure do you use. And so, when I launch an attack, the algorithm — click of a button, it's not a guy or gal hacking — I am almost assured of getting positive hits back. And so, that is a big difference. When we first started looking at cyber way back when I was in the FBI, in '09, 2010-ish, and you're looking at a lot of the hacktivist groups — they're not attacking you to steal stuff, they're attacking you for a cause, can be just as damaging — they, back then, were actually hackers. They were actually men and women that actually knew what they're doing. Nowadays, cybercrime is on an industrial scale. It's a trillion-dollar industry. And unfortunately, catching these men and women are few and far between. It is really hard to actually catch them.