HSDF THE PODCAST
The Homeland Security and Defense Forum proudly presents HSDF THE PODCAST, an engaging series of policy discussions with senior government and industry experts on technology and innovation in government. HSDF THE PODCAST looks at how emerging technology - such as Artificial Intelligence, cloud computing, 5G, and cybersecurity - is being used to support government missions and secure U.S. national interests.
Operational Cybersecurity in Action Part 4 of 4
Welcome to “HSDF THE PODCAST,” a collection of policy discussions on government technology and homeland security brought to you by the Homeland Security and Defense Forum.
What's holding federal agencies back from fully embracing AI? This revealing panel discussion cuts through the complexity of technology adoption in government, showcasing how different agencies are navigating the delicate balance between innovation and security.
Featuring:
•Bob Costello, Chief Information Officer, CISA
•Todd Hemmen, Deputy Assistant Director, Cyber Division, Cyber Capabilities Branch, FBI
•Donald Coulter, Senior Science Advisor, Cybersecurity, S&T Directorate, Department of Homeland Security
•Jason Hill, Senior Executive Director, Cyber Practice, MANTECH
•Michael Prado, Deputy Assistant Director, Cyber Crimes Center, Homeland Security Investigations
•Dr. Barry West, Former Senior Advisor (DHS OCIO) and Former FEMA CIO (moderator)
This discussion took place July 23rd, 2025, at HSDF’s Cybersecurity Symposium, Navigating Cybersecurity Strategies in a Volatile World.
Follow HSDF THE PODCAST and never miss the latest insider talk on government technology, innovation, and security. Visit the HSDF YouTube channel to view hours of insightful policy discussion. For more information about the Homeland Security & Defense Forum (HSDF), visit hsdf.org.
Over here. Thank you, HSDF, thank you for this panel, thank you to all the panel members. Sudha Venkateshwaran, Alpha Omega. I've heard, and maybe it's not true, that AI from outside is not permitted to be used, at least in certain organizations, and we heard some of the panel members talk about how they're leveraging AI. Can we please explain? Maybe, Mike, or maybe Bob, you can talk about whether you are using AI or AI is allowed to be used.
Michael Prado, Deputy Assistant Director, Cyber Crimes Center, Homeland Security Investigations: Yeah, I can address at least in part on that and then maybe defer to Todd, and maybe FBI has a different perspective. From a DHS, in particular HSI, as a federal law enforcement agency, even though the executive orders were kind of lifted in January that really placed a lot stricter regulation and prohibition on what we can and could not use, we are still proceeding in a relatively cautious manner for some of the reasons I outlined earlier, as it relates to civil liberties, as it relates to making sure that we're not unleashing something on the public that we don't have control of or fully understand. At the same time, and I know Todd touched on this as well, we have to be very careful with the data, because the data that we have is extremely sensitive beyond just regular PII. It's criminal investigative data, it's sources and methods, it's undercover operations, et cetera, that we have to be careful.
Michael Prado, Deputy Assistant Director, Cyber Crimes Center, Homeland Security Investigations: How we apply AI to help enhance efficiencies does not result in any sort of spillage or breach of our data. So what we have done within our cyber and operational technology division, where our cybercrime center resides, is we have invested significantly internally with AI. S&T has helped us to a large degree in that. We've come up with some internal solutions. But again, as I mentioned earlier, we still require private sector assistance and I think we're proceeding in that cautious approach. That's allowing us to look, and a lot of your platforms, and I know many of you because I've had conversations with some of you in person or over the phone, have AI enhancements or at least touch upon AI tools, and so we are still looking at those and we're willing to take those on, but we have to do it in a measured response for the reasons I outlined.
Todd Hemmen, Deputy Assistant Director, Cyber Division, Cyber Capabilities Branch, FBI: Yeah, in a very similar response. We historically have viewed use of AI strictly through data protection. So while we were theoretically permitted to use AI, it became overly restrictive to do so. Those policies are now changing. We love AI, we want to be able to use it, but we have to use it responsibly.
Dr. Barry West, Former Senior Advisor (DHS OCIO) and Former FEMA CIO (moderator): Okay, other questions? Yes, right here in the front.
Audience: Got a mic coming? Hi, David Krupp, David Crawford, CGI. This question is for Bob, following up on Barry's question about zero trust. What do you think industry needs to be doing to help the FCEB in terms of some of the potential gaps in the pillars right now? You mentioned identity. I strongly agree with that, but then you got to pivot.
Bob Costello, Chief Information Officer, CISA: Yeah. So the FCEB is huge, like it's a gigantic enterprise, as we all know. You know, 100 agencies. You know, we're not talking about 10 endpoints. You know, millions of users, millions of different connections and data points and various missions. So I think it does come back to industry understanding their customer and how to help them get through and where they're at. One of the interesting things that I find at CISA is the scope of agencies that we work with. You work with some very, very large, Veterans Affairs, second largest federal agency outside the Department of Defense. It's huge, it's gigantic, quite capable. Department of State, very, very capable too. And then we work with very, very small micro agencies, small agencies, honestly, CISA's enterprise.
Bob Costello, Chief Information Officer, CISA: We're very nimble for our size, but I don't have 65,000 people like I had at CBP. I think if I was a CIO at an equivalent size agency out there in the FCEB, I wouldn't be running IT like I run it here. I'd be looking for managed service providers, I'd be looking for help from others, and I think that's changing. I think we have to change how we help the FCEB and work with them and then train up the federal workforce to take on these roles, and every agency will be a little bit different. I don't think zero trust at an agency with 100 people is the same as zero trust at an agency with 65,000. And I do think some agencies we absolutely believe I work with all vendors. Some agencies might be more one vendor than other agencies. No one can maintain a tech stack of 20 different major items at a small agency and we shouldn't expect them to, because it gets hard even at the larger agencies. So I think where we need to work together is defining good tech stacks and then maintaining them.
Bob Costello, Chief Information Officer, CISA: And then I think the other thing that we've heard here too, we all have a lot of projects, programs. We have our mission, work that's ongoing. That can't stop. You need to know when to pull the plug, and I think that that's on both sides too.
Bob Costello, Chief Information Officer, CISA: I think sometimes we buy a solution and no one wants to say it's not working. We need to all get better and say you know what? This isn't going to work in your environment. We want to remain a good partner. We suggest disconnecting, and I was a network engineer so I was always just going circuits. So I think that's where the partnership comes and I always say it's a very big pond here in the United States. There's room for every company and every mission. Sometimes a product just won't work and we spend years trying to make projects work and it's up to us to work together to say it's no longer effective. And sometimes I think on the industry side it may not be cost effective, it may not be driving the bottom line if you keep resourcing things that we all know maybe are just not going in the direction that we need.
Audience: Yeah, time for one more question. Before we hit the break, any more questions?
Dr. Barry West, Former Senior Advisor (DHS OCIO) and Former FEMA CIO (moderator): I got one.
Donald Coulter, Senior Science Advisor, Cybersecurity, S&T Directorate, Department of Homeland Security: All right.
Dr. Barry West, Former Senior Advisor (DHS OCIO) and Former FEMA CIO (moderator): Let's talk about procurement. A lot of new activity going on with procurement policy direction out of GSA, combining, mandating or highly suggesting, et cetera. Meanwhile, you all have lost a lot of talent in the building. I just want to get some thoughts. Maybe I'll pick on Bob, but I'd like to talk to HSI and FBI as well, just to get some thoughts about are you excited about some of this direction? Are you using some of these new techniques, OTAs, csops, et cetera, to get at some of this technology and buy it in a more modern way than you've bought it in the past?
Bob Costello, Chief Information Officer, CISA: MIKE GREENMANN.
Bob Costello, Chief Information Officer, CISA: Well, I think some of that work S&T at DHS would be great to answer.
Bob Costello, Chief Information Officer, CISA: I think, where I'm at right now, besides being up here on the stage, I'm excited for potential changes and I think I had a lot of training. I worked for you for a long period of time, Luke, and a CIO cannot be effective if you don't have a partnership with your procurement office and acquisition office. So I think the way I'm approaching things right now, like I talk to our chief of contracting operations, probably in the morning and the night, because every procurement at CISA goes through me in some fashion for a technology review, and I think that's what I'm excited for that we're driving towards is better partnerships. And I think you know we want federal agencies to be concentrating on their mission that they're authorized for, and I can't concentrate on that cyber mission if 80% of my time is spent on contracting and trying to buy what I know that I need. So if we can get to a better place where this moves faster and we can enable the operators to get what they need faster, I think all of us on the stage would really applaud that.
Audience: Any other thoughts?
Todd Hemmen, Deputy Assistant Director, Cyber Division, Cyber Capabilities Branch, FBI: Yeah, I'm happy to weigh in. I don't have much to add. I would say we have the immense luxury of having a procurement office that we work with. So many of those questions get deferred to them, so not really my area of expertise. I'm sad to be losing people in positions and obviously any efficiencies we can find in those losses are great. But candidly that happens at another division.
Dr. Barry West, Former Senior Advisor (DHS OCIO) and Former FEMA CIO (moderator): How about S&T?
Donald Coulter, Senior Science Advisor, Cybersecurity, S&T Directorate, Department of Homeland Security: Yeah. So S&T, we've historically enjoyed a broad flexibility on how we can work with different innovative procurement vehicles and options and we're continuing to evaluate how can we maintain and expand that flexibility in order to support our partners. Some of that goes into being kind of a petri dish and a test bed for some nascent technologies and doing some of the steps that are going to satisfy some of the procurement questions that you're going to have as you're trying to turn into an acquisition program. So trying to check a lot of those boxes in terms of understanding some of the risks and some of the, um, just the typical questions that you go through as you're trying to stand up and move through a procurement process, we can help, um, the components do that a little bit quicker. So that's where we're at now. Could I?
Jason Hill, Senior Executive Director, Cyber Practice, MANTECH: Yeah, Jason, uh, not that I really have a play in this part, but what I will say is you mentioned GSA and the way they're trying to move towards. We have a vehicle now that answers all of those questions, right. So how can we do things more flexible, more quickly from a cyber perspective and not sounding like a commercial? We have a vehicle called ICON that allows for DCO, OCO, mission systems, threat intelligence, all of those things that allow you to do one at a time.
Jason Hill, Senior Executive Director, Cyber Practice, MANTECH: I think from my perspective, my time at CISA, one of my biggest concerns was I worked in VM, which is now Sandy Radesky's area, doing a lot of their red teaming and penetration testing and cyber hygiene, and I remember at the time we were looking to get a contract vehicle in that we could get many different operators on at the time and, if any of you are familiar with that area, getting good penetration testing, red teaming folks is difficult, especially cleared ones, and especially at the time into DHS or CISA through their clearance process.
Jason Hill, Senior Executive Director, Cyber Practice, MANTECH: And so my concern was, hey, I'm going to get stuck with this for five years, and if these guys aren't good, I'm stuck, right, and that's not the way that we want to go about it, and so I think one of the vehicles that we have, that vehicle I spoke of, ICON, has the ability to be flexible at one-year increments and we assign to you what we call it's a manager.
Jason Hill, Senior Executive Director, Cyber Practice, MANTECH: We assign a manager to you, a partner with you, so that, as that year is unfolding, we're working with you to refine those requirements and if you don't like them, we're adjusting them as we go, and we've got 166 partners right now that are part of this, 66 partners right now that are part of this. That you know they're vendors, right, they all want a piece, um, but the way that we look at it is we listen to you, we find out what you guys need, any of you, the rest of you that are here, uh, and we marry you up with the right technology and the right answers and give you the ability to adjust as we're going, and that's what I wish I had back when I was at CISA. So, from the industry perspective, we're starting to use some of those and I think they're working.
Audience: Great, let's give our panelists a round of applause.