HSDF THE PODCAST

Operational Cybersecurity in Action Part 2 of 4

Homeland Security & Defense Forum

Welcome to “HSDF THE PODCAST,” a collection of policy discussions on government technology and homeland security brought to you by the Homeland Security and Defense Forum.

The cybersecurity landscape is undergoing radical transformation, with artificial intelligence reshaping both attack vectors and defense strategies. This eye-opening discussion brings together experts from the FBI, HSI, CISA, and private industry to examine how the security paradigm is evolving in real-time.

Featuring:
•Bob Costello, Chief Information Officer, CISA
•Todd Hemmen, Deputy Assistant Director, Cyber Division, Cyber Capabilities Branch, FBI
•Donald Coulter, Senior Science Advisor, Cybersecurity, S&T Directorate, Department of Homeland Security
•Jason Hill, Senior Executive Director, Cyber Practice, MANTECH
•Michael Prado, Deputy Assistant Director, Cyber Crimes Center, Homeland Security Investigations
•Dr. Barry West, Former Senior Advisor (DHS OCIO) and Former FEMA CIO (moderator)

This discussion took place July 23rd, 2025, at HSDF’s Cybersecurity Symposium, Navigating Cybersecurity Strategies in a Volatile World.

Follow HSDF THE PODCAST and never miss the latest insider talk on government technology, innovation, and security. Visit the HSDF YouTube channel to view hours of insightful policy discussion. For more information about the Homeland Security & Defense Forum (HSDF), visit hsdf.org.

Dr. Barry West, Former Senior Advisor (DHS OCIO) and Former FEMA CIO (moderator):

Jason, you're our only industry participant here on this panel. Welcome, thank you. But you bring a really good background. You spent over nine years at CISA, military background. Wanted to get your thoughts from where you sit at MANTECH on GSA's movement right now with FedRAMP 20X. A lot of talk from this administration about efficiencies, and I know we've got some folks here in the room that are very familiar with FedRAMP, that have lived and breathed it, and I know many companies have spent a lot of money and time on it, but I'd like to get your feelings on where that's headed from where you sit: efficiency savings, streamlining, risk management around FedRAMP, trust and so on.

Jason Hill, Senior Executive Director, Cyber Practice, MANTECH :

Yeah, thanks for that, Barry, and I'm happy to be here.

Jason Hill, Senior Executive Director, Cyber Practice, MANTECH :

Thanks for having me.

Jason Hill, Senior Executive Director, Cyber Practice, MANTECH :

I think, as Mike just mentioned, and well, everyone on the panel so far, efficiencies are the biggest thing out there lately, in the last few months or the last almost year now, and I think, using the AI example that everyone has just talked about, I think, from the industry standpoint, we're looking for ways that we can force multiply and help do more with less, and I think we're at a great intersection of technology and timing where we can utilize technology like AI.

Jason Hill, Senior Executive Director, Cyber Practice, MANTECH :

That's somewhat nascent right now as it pertains to the government and industry perspective on some of these technologies, where a lot of you all who work for some of the industry partners that these folks work with have the ability to use AI or any of these technologies, not only in these gentlemen's focus areas but also in other areas, so DOD, intel and FedCiv, and so we can utilize what we find and what we learn, enhance, adjust and then work as a trusted partner with folks like the gentlemen here on the panel to help bring those efficiencies and force multiply. So we've got to do more with less and, from a FedRAMP perspective again, I think it's trying to find those areas where we can force multiply, where we can utilize technology to help push forward and meet the goals for that FedRAMP goal.

Dr. Barry West, Former Senior Advisor (DHS OCIO) and Former FEMA CIO (moderator):

Yeah, thank you, Jason. I'd like to stay with you, okay? As cyber threats are changing, how are tools changing?

Jason Hill, Senior Executive Director, Cyber Practice, MANTECH :

Yeah, so, as you mentioned, I was at CISA for nine years. Uh, I was also in the military for 23 and I am a computer nerd. So I'm still technical. I still go home and type on the keyboard and build things and tear things apart.

Jason Hill, Senior Executive Director, Cyber Practice, MANTECH :

One of the biggest issues that I have seen, uh, in my experience, is going to, like, Black Hat or DEF CON or any of these other cyber conferences that you go to, where you walk onto the vendor floor and you see a thousand different vendors and they're selling a thousand different things to do four things. And when you're in the government, how do you know what to spend your resources on? You're very limited now resources. Right, they were limited before when I worked at CISA, and they're even more so limited now.

Jason Hill, Senior Executive Director, Cyber Practice, MANTECH :

So when you talk about how do we figure out what tools to use or what is changing, I think, as industry, we need to be tool agnostic. I think we need to focus on the technology itself rather than the tooling. I think the tooling always changes. It's the underlying technology. So I think, from our perspective, from industry's perspective and again I throw my old hat on when we go in and talk to clients and potential clients and other folks that we're trying to help solve problems with. We listen to their problems and then we come up with the best solution and it's not really tied to a vendor product. So for us, to answer your question, for us it's not really what the product is or who the product comes from, but is the product solving the problem now and will it continue to solve the problem in the future that we are trying to put on our Nostradamus hats and predict? Okay?

Dr. Barry West, Former Senior Advisor (DHS OCIO) and Former FEMA CIO (moderator):

Thank you. Michael, I'd like to come back to you. I know you just gave some really good examples, but let's get back to the AI piece. What trends does law enforcement see specific to threat actor or cyber criminal use of AI?

Michael Prado, Deputy Assistant Director, Cyber Crimes Center, Homeland Security Investigations:

Yeah, and I did kind of touch on it, so I don't want to repeat anything, but I will say that what we are seeing is just a more overall, widespread use of the technology, a more comfortability, and I'll give you an example. I mean, you're seeing that criminal organizations and criminal individuals, whether they're in the financial fraud sector or, as I talked about earlier, child exploitation, migrating towards these tools because they're so readily available. In turn, and similar to kind of what Jason just talked about, as government, we've got to be prepared to do that. So, again, leading the Cybercrime Center, trying to find those technologies that are going to give us the resources, the ability to efficiently address these issues, identify individuals. This is really probably the largest, from my perspective, and I've got 23 years in federal law enforcement, 24 years almost.

Michael Prado, Deputy Assistant Director, Cyber Crimes Center, Homeland Security Investigations:

One of the biggest tectonic shifts that we've seen in cyber crime and cyber facilitated crime is this just really, all of a sudden, explosive growth of generative AI and explosive use of it by criminal actors. One of the bigger challenges preceding that would have been the encryption issue, the whole going dark phenomenon, which we're still struggling with to a certain degree, and, of course, the creation of the mobile smartphones and being able to carry all that data around on one's person. But this to me and to my colleagues, not just at HSI but in other conversations with folks at the Bureau, Secret Service, even state and local law enforcement, the generative AI touching on every aspect of cybercrime and really any crime for that matter, has become just so. It's not just one trend, as I spoke of earlier. Earlier, the child exploitation piece is. There's metrics involved in there that we can point to, but that's really just a kind of representative, uh, example of the overall shift for criminal organizations and criminal actors who operate in this space to have migrated to that technology.

Michael Prado, Deputy Assistant Director, Cyber Crimes Center, Homeland Security Investigations:

It's become extremely difficult and we need those tools to help combat it, and Todd touched on this a little bit. We don't have the luxury, and Jason talked about it as well, we don't have the luxury really of being able to just try anything, as Todd mentioned very astutely. Civil liberty concerns, privacy concerns. We have to operate, rightly so, within the framework of the Constitution and the Fourth Amendment, tools out there that may be available to other components of government that we cannot necessarily as a federal law enforcement agency where we have to take things into court and deal with attribution and chain of evidence, chain of custody and, as I mentioned, the constitutional protections afforded everybody. We cannot just, you know, be as aggressive as maybe we would like to, and nor should we. We have to be very measured in our approach, and that creates a challenge because we have to move at a much more cautious approach than the criminals that we're pursuing. Right.

Dr. Barry West, Former Senior Advisor (DHS OCIO) and Former FEMA CIO (moderator):

Thanks, Michael. Todd, I'd like that same question answered from the FBI perspective, from where you sit.

Todd Hemmen, Deputy Assistant Director, Cyber Division, Cyber Capabilities Branch, FBI:

Yeah, and I wish I had something new and interesting to say. I think Mike really hit it on the head. Where we're seeing the most prevalence, and again really strictly focused on computer intrusion investigations, is just use of social engineering, AI to facilitate social engineering, phishing, phishing schemes, primarily with criminal intent. But that's where we're seeing it most heavily. I can't imagine what it looks like outside of strictly computer intrusions. When we talk about kind of internet-enabled fraud schemes, I have to imagine it's operating at much larger scale. But really again, just to echo, Mike said it so well: the social engineering aspect of AI is where we're seeing it most. Okay.

Dr. Barry West, Former Senior Advisor (DHS OCIO) and Former FEMA CIO (moderator):

Thank you. Don, from an operational cybersecurity perspective, what are you looking at long-term over the next three to five years? And I know it's tough. Sometimes it's tough to even keep track of things over the next 18 months from a technology standpoint.

Donald Coulter, Senior Science Advisor, Cybersecurity, S&T Directorate, Department of Homeland Security :

Yeah, it really is, especially with the rapid kind of growth and capability available to the broader public with these generative AI tools.

Donald Coulter, Senior Science Advisor, Cybersecurity, S&T Directorate, Department of Homeland Security :

The next evolution, even beyond what you're familiar with probably now, is using more agentic AI tools, and so we're seeing people already research and set up these agents, that kind of imbue them with a couple instructions and then let them go forth, but they learn on their own, they start making decisions on their own, they grow and evolve in ways that you won't necessarily predict or understand, and I think this is the area that we're looking into now to see how can we prepare and how can we get ahead of that.

Donald Coulter, Senior Science Advisor, Cybersecurity, S&T Directorate, Department of Homeland Security :

And you talked about the growth of even some of these social engineering attacks. I mean, what do you do when people can? Right now, these tools already allow you to set up mass campaigns and implement them. But what do you do now, when you can set an agent up and it can keep going off and it can evolve and it can identify who it wants to target and then it can tailor its message to them and even identify larger societal goals? So this is a very interesting and challenging space the reasoning capability and the amount of memory and space that these things can hold and take on larger timeframe objectives and move without human interference, and action is going to be even a harder challenge for us to deal with going forward.

Dr. Barry West, Former Senior Advisor (DHS OCIO) and Former FEMA CIO (moderator):

Sticking along the same lines, but a different topic, is quantum computing. Are you all giving some time and thought to that? I know I was out at the Consumer Electronics Show back in January and Jensen Huang at his keynote talked about quantum being at least 15 years out. And then recently, in the last three months, he's backtracked. He's now saying that's more like a two to three-year time period.

Donald Coulter, Senior Science Advisor, Cybersecurity, S&T Directorate, Department of Homeland Security :

Yeah, we kind of see those dates shift and continue to come closer and closer, and so, yeah, we're looking at that, we're kind of working hand in hand with our partners and CISA as well, because we're both doing kind of the inventory of our current assets and trying to make sure that they're on point, doing that stuff, but also thinking ahead of how do we implement some of these post-quantum resilient algorithms. How are they going to affect our operation, not only on our traditional IT systems but one of those challenging areas of all this operational technology that's within our critical infrastructure? How do we poise and enable our partners to set up their systems so that they can transition smoothly and start being resilient to some of those impending threats that are coming?

Dr. Barry West, Former Senior Advisor (DHS OCIO) and Former FEMA CIO (moderator):

Thanks, Don. Back to you, Bob. Every CIO job that I took, I was always amazed at how much software was there. Regarding cybersecurity tools, every location I went into had a ton of tools. How are you looking at things from, you know, interoperability and the governance process around tools? Can you speak to how you've handled this challenge at CISA?

Bob Costello, Chief Information Officer, CISA:

Sure, well, there's a lot of people in the room that work with me and I always chafe at the word governance when it comes to my job for certain things. So I think there's certain aspects you have to take as a CIO and, first and foremost, you have to understand the mission and your operators and what they're doing. Every agency is different. Every critical infrastructure operator might be different. So wherever you sit in that IT kind of org chart, you have to understand what's occurring in your organization, like types of data, and use the types of technologies, what the mission is. So at CISA, like I have a really fun role. It's like great being the CIO at the cybersecurity agency because you know I have a whole team of people that are helping me on the mission side and they're really good and they're really amazing. So my role is different than it was at Customs and Border Protection or Immigration and Customs Enforcement. I was there a long time ago but designing systems. One of our primary things was officer and agent safety. We talked about a chain of custody. Do these systems, are they reliant? Can we rely on them in court? And I have some of that at CISA. But first and foremost, I need to bring in the cybersecurity division as part of our designs and that's why CISOnet was so successful. Some of the best minds in government were helping us build it and industry as well. We had a really strong partnership with all our vendors through that process.

Bob Costello, Chief Information Officer, CISA:

I think when you're looking at tools, I agree, I can go to these conferences and it's like wow, I am so tired by day one from a thousand tools solving different problems. You have to identify what problem you are trying to solve, and there are often different challenges across the board when you're looking at things. Say, at CBP, I could deploy those great agents, but if it slows down travel processing, that's going to be another problem that we have to look at. Or if Border Patrol's mission is impacted because I'm sucking down all the bandwidth and they're out in a very remote region trying to affect the mission. I think it's understanding what problem you're trying to solve and then having either a very defined or even just a gut check on what is the risk. Am I spending a lot of time, money, effort and people resources to defend and secure something, and the only thing on it is data that's publicly available or could be publicly available, and that maybe is the right answer. Probably is not the right answer. So what are your crown jewels? What data are you trying to protect? And then, what are the resources that you have available?

Bob Costello, Chief Information Officer, CISA:

One of the advantages I had at CISA when I started four years ago there wasn't a lot of infrastructure built in the CIO's office. There wasn't much there, so I was able to greenfield technologies. I was able to build my staff up in a different way, and that was super exciting to be able to build a team from the ground up. Not every place has that, so you couldn't take the lessons I learned there and apply them elsewhere.

Bob Costello, Chief Information Officer, CISA:

I think one of the things that CISA is really concentrating on is, you know, particularly how we work with the federal civilian executive branch agencies. You know, I think years ago, CDM was very prescriptive. You're going to use this tool, you're going to go with this tool, it's going to be awesome, you're going to love us, there's going to be no problems, and then we're hearing from CIOs and CISOs, wow, like nothing's working. Yeah, you know, I can't meet your goals, I can't meet my goals. Uh, I was one of those people at another agency like, this isn't working. So we took a different perspective.

Bob Costello, Chief Information Officer, CISA:

Um, and what I'm really excited for now in my role, whether it's our work on, you know, CLAW, our aggregation warehouse for logs, persistent access to have sub agencies with our hunt capabilities, we are less saying utilize tool from vendor X and more there's a suite of tools that meet our requirements. What works best for you? And where I'm really concentrating in my CIO role is I have to be able to accept data into CISA's environment from any vendor. I would love it every vendor to normalize things and it would be awesome and amazing. It's not going to happen in short order. So I have to be able to accept what's coming into us and then normalize that on my side. So I want to really lower the barrier for interfacing with CISA, and that's something that I'm super excited about that. I've really just seen a lot in the last 90 days or so as we kind of migrate to our modernized environments that I think it's going to make it a lot easier for industry and our federal and SLTT partners to interface with us. Excellent.

Dr. Barry West, Former Senior Advisor (DHS OCIO) and Former FEMA CIO (moderator):

Excellent. Let's shift gears, Bob. Stay with you. Zero trust continues to be a big buzzword, obviously, and there's no one security company that can address all the pillars that make up zero trust. But from a cyber perspective, how have you seen it evolving, especially over the past year? First question. And then, what is the one thing industry still misses when supporting Zero Trust, or AI assurance or threat intel modernization?

Bob Costello, Chief Information Officer, CISA:

Oh, wow. Well, those are three very different ending statements. So I think I'll, you know, tackle zero trust, like buzzwords. It is what it is. I think that we have to change our thinking around incident response, incident management, which is different than when you're responding to it, and maybe the preparation to it and just how we react to it. Like you have to change in your head that you're going to wake up every morning. Maybe we got compromised, maybe it happened. You know, I don't know. We had a major incident a year and a half ago at CISA on one of our systems, and I think what was really refreshing was across leadership. It wasn't where did the IT team screw up? It was, you know, how do we respond? How do we react? How do we support you? How do we get better from that? And I think that that's really all part of it.

Bob Costello, Chief Information Officer, CISA:

I think when we talk about zero trust, I think you know, first and foremost, whether it's the CISA Zero Trust Maturity Model or DOD's model, it starts with identity. If you don't know what and who is on your network, then you can't even talk about zero trust, and I think that that's something that we really concentrated on when we built our new environments, whether you're a state, local, territorial, tribal government that's working with us on our cyber hygiene resources or some of our infrastructure programs. We know who you are when you access our systems, we know how to work with you, we know what you should have access to and we know that for our employees now, too, at a very deep level, and you have to start assigning risk scores to what's on your network and who's operating on it. But I think really, first and foremost, it's changing our thought process on what happens during an incident. You have to still have plans. You have to make sure your teams get burnt out. I think all of us lived through SolarWinds and probably saw people six months later that looked five years older. That's not the right answer and it happens no matter where you are.

Bob Costello, Chief Information Officer, CISA:

I've been through many different responses. I was on the ground for the response in New York City to Hurricane Sandy. Like I was out there every day for 45 days. You know, 18 hour shifts living in an RV at the Port of Newark, New York, New Jersey. But I was in Newark and it changes you. You're tired afterwards. It takes you six months to stop getting sick all the time. That happens in our IT world, in our cyber world. So you have to build up resiliency and resources.

Bob Costello, Chief Information Officer, CISA:

And I think one of the things I'm most excited about now, as we see the changes in contracting models and the ability to have these really hard discussions about being able to work with our vendor community for surge capacity when are we tapped out? I need to be able to have an executable plan right away. Bring in resources, surge in and out, surge in and out. And also, this is a perennial problem of human nature. You know what's important right now, what's important to who and how do I respond to it? Often, I think we get that wrong and I don't know how you get that better, except through lots of training. It's something I think the you know the military trains up and gets right. You can't always be hitting your people five minutes for an update on everything, but what I really am trying to concentrate on is how do I build up resiliency in my workforce?

Bob Costello, Chief Information Officer, CISA:

And when we talk about industry, I think many in industry know I'm a hard customer, but I'll also be a great partner to you. I'll take that meeting with you, I'll sit down with you, I'll listen to you. I may tell you exactly what I think. But we are absolutely permitted on the government side to have hard conversations and we shouldn't fear from them. And I think what I always ask my industry partners: tell me where I'm failing, tell me when my organization is maybe making it difficult for you to be successful. That doesn't mean throwing people under the bus. It means having these hard bilateral conversations so that we're both successful, and that's something that I'm firmly committed to in my work with industry. Great answer. Thanks, Bob. Of course.