HSDF THE PODCAST
The Homeland Security and Defense Forum proudly presents HSDF THE PODCAST, an engaging series of policy discussions with senior government and industry experts on technology and innovation in government. HSDF THE PODCAST looks at how emerging technology - such as Artificial Intelligence, cloud computing, 5G, and cybersecurity - is being used to support government missions and secure U.S. national interests.
From Information Sharing to Operational Integration Part 2
Welcome to our “TUESDAY EDITION of HSDF THE PODCAST,” a collection of policy discussions on government technology and homeland security brought to you by the Homeland Security and Defense Forum.
In this episode our panel will look at why cyber threat intelligence sharing still fails to stop real-world breaches, especially for small organizations that lack the people to turn alerts into action. We map out what “collective defense” looks like when you connect government authorities, industry engineering muscle, and AI-powered defense without slowing everything down with bureaucracy.
Featuring:
- Rich Baich, Senior Vice President and Chief Information Security Officer, AT&T
- Brigadier General Brandon Haynie, Mobilization Assistant to the Director of Intelligence, J2, U.S. Cyber Command
- Vice Admiral T.J. White, U.S. Navy (Ret.), Chief, Texas Cyber Command (moderator)
This discussion took place June 10th, 2026, at HSDF’s Cyber Symposium.
Follow HSDF THE PODCAST and never miss the latest insider talk on government technology, innovation, and security. Visit the HSDF YouTube channel to view hours of insightful policy discussion. For more information about the Homeland Security & Defense Forum (HSDF), visit hsdf.org.
Why Sharing Still Doesn’t Scale
SPEAKER_08: I'm just gonna in the audience is anyone.
SPEAKER_05: Okay, or the micron over here or just yell. Thanks for the discussion.
SPEAKER_02: We've often, we often hear about the need. There we go. We often hear about the need to share cyber threat information, but sharing information is only useful if it helps organizations act faster together. And you've alluded to it, but what do you see are the biggest barriers that still prevent government and industry from turning shared cyber threat information into coordinated action before attackers can spread across network sectors or jurisdictions?
SPEAKER_06: Again, from my perspective, when I look at large enterprises, I think the sharing is there. Small to medium businesses is where I think the biggest gap is, right? Because again, if you are Susie's sandwich shop, who's your IT person, right? Or if you're a middle-sized business, you may not have that. And you may not have that connectivity back into the different information sharing elements that are there. We have multitudes of information sharing. Most states have them, right? Industry sectors have them, all these different entities there. And again, from where I sit over the last 20 years, we have really improved on that capability. But the challenge still is do you have the team and the expertise then to turn around and action it? That's where I think our biggest opportunity is now with the whole private-public partnership, is how do we action off of that?
SPEAKER_07: Yeah, same. When you're talking about this municipalities as well, where the CISO is the IT who is everything all involved, there's one computer running the water system. And so even though you said, hey, there's vulnerability here, how do I know that's been patched? Because I only need one vector to get in there and affect that system. And I think it's really going to become the yes, we shared the information, or you don't want to fall back on the we told them, and it still occurs. So it's like, how do we have that read that feedback mechanism to say, hey, we've been patched, or guess what? We just took it offline because we don't have that capability. So we're just gonna take this piece of infrastructure offline, run it manually until you tell me this threat's over, or I can go in and affect it.
SPEAKER_08: Okay, I'm gonna have a follow-up to that, but looking for a hand for anybody who wants to the next question.
Mobilizing Industry Expertise Before Crisis
SPEAKER_08: Okay, so you talked about having a team, okay. So how which I think means not just process and technology and coordinated action, but it's also people. So, how between the mobilization assistant for the J2 and for industry, who has a very large team with your company, like how does state, local, federal government take advantage of that team? How can we mobilize your expertise in advance of a need or crisis?
SPEAKER_06: So, first off, we actually do participate in some of the government exercises, right? So we actually do that. Where I think we have an opportunity is if we understand what government or military obstacles are in place, we may have a unique ability to provide the data, obviously through the appropriate legal forums to help them solve that. Oftentimes we don't necessarily know what an issue is. So I'll try to give a real tangible example, right? So mobile proxies, right? So in a telecommunication environment, mobile proxies in general seem to be used in a fashion that is not of good nature, right? Bad actors can use them. I wouldn't necessarily know that unless the government were to go and tell me, hey, we see that predominantly these mobile proxies are used. Is there something you all can do? And we can actually go engineer, right? We can actually go do something to potentially help solve those issues. But I don't think government or Department of War thinks like that. We know this is a platform, right? Again, I'm going back to center of gravity. The center of gravity is they're using this platform, they're using it for all these different bad activities. But if we can dissolve the platform, if we can eliminate the attack surface or secure the attack surface so they can't use it anywhere, then we address issues, right? So I think that's where, from a collective defense standpoint, is still another opportunity. Because if we understood the problems better, we might be able to. Sometimes we can't, right, TJ. And you and I were talking about this before, right? So we're now in this frontier model era, right? We all know we got to do better jobs, patching, and all those things. But you know what? As with everything we've always done as cyber professionals, it's all about driving the costs up to the adversary, right? So what if we're able to figure out to identify frontier model-like traffic that is attacking an organization? And can you then put that into honeypot and burn up all the tokens, make it very expensive for somebody to do that? If that is a driving force that can help, then that's something collectively we might be able to figure out how to do. Right. So again, knowing the problem, we might be able to help solve. Thought on people.
National Guard Teams And Defend Forward
SPEAKER_07: Yeah. So for when people, when it comes to domestic operations, so Title 32, that's the National Guard. So we have cyber protection teams, and what they can do a lot of times is, like you said, these small organizations that can come in and assist with that as well. So sometimes they'll perform the same job as a contact team. They come in, especially for small organizations, they'll assist them, especially if they have a state requirement on top of that. They'll help state systems, and that becomes your domestic contact team and allows us to operate inside the US. So we've used that a lot of times when it comes to cyber infrastructure failures, as well as part of the planning of, hey, if a cyber event does occur, have these on ready so we can actually plug them where needed. So we can actually bolster the response. So that's one way that we can help domestically. And like I said, taking that forward and doing best practices as well. When it comes to defend forward, meaning outside the US, this is where CyberCom gets involved, where you said, hey, there is a node or a nexus of bad actors coming out of this location. Let us go forward, take down that network so it can no longer affect us as U.S. And so that's how you start seeing the federal play. And then, like I said, always sharing with Homeland Security. When we're operating domestically, we're always in support. So we'll be protecting or supporting some other federal organization.
SPEAKER_05: Mike, over here.
Zero Trust As Higher Assurance
SPEAKER_05: Hi, Colin Suter from Deloitte.
SPEAKER_01: Thank you for the discussion this morning. Very interesting. I wanted to maybe just go back to something that Rich had said earlier about and in terms of shutting things down. If we think about reverting back to something that's of higher assurance than before, makes me wonder have we as an industry maybe over-indexed on zero trust as a concept in terms of saying it's binary, it's zero trust or nothing. I'm thinking about if you've got elevated trust levels when we've all gone out and bought a boatload of zero trust, right? How do you get that gradation in there that allows you to adjust accordingly and commensurate with the actual threat that's at hand?
SPEAKER_06: Yeah, look, zero trust principles, I think, are very sound. And realistically, it's really high assurance, right? You can choose whatever description you want to occur, right? But you're getting an assurance level that the person on the other end is who they say they are, the machine on the other end is who they say they are. Those are all great fundamental cybersecurity practices that may not have been necessarily implemented as we've gone through this transition from traditional networks to cloud to now AI. And we haven't done a good job like learning from our mistakes. I'll give you an example. We go back to the late 1990s when firewalls first came out, they were shipped wide open, right? And then people quickly realized that's a bad thing. Let's ship it closed, right? Fast forward, we jumped to the next from the internet to the next biggest thing, which was cloud, right? And then go and think cloud S3 is when they came out. How are they? They were wide open. Now what are they? Wide shut. And so now we jump to AI, right? So now do we have AI being distributed? Is the AI secure or is the AI wide open? So it's funny, like we see history repeating itself all the way through. So zero trust principles, I think, are sound, and we need to implement as many as we can, but I look at it as really higher levels of assurance. That's what zero trust principles give me.
SPEAKER_05: Okay. Over here.
Can Critical Infrastructure Run Isolated
SPEAKER_09: Hi, thanks. Ming Lang from SAIC. I was at uh another conference yesterday and heard a panelist talk about a part of the resilience plan around critical infrastructure build-out is allowing enabling the particular infrastructure, the sector to run independent of others. Water without energy, without comms. Just wanted to hear your thoughts on that.
SPEAKER_06: I have not heard that myself. I start thinking about it from an engineering standpoint. Listen, independence is great for resilience, but I don't know how realistically you could do that per se. I guess it would depend, but I don't, again, I don't, I've never heard that as a strategy as of yet.
SPEAKER_07: Sorry to ignore you. I didn't, I'm pointing over here and I'm ignoring the whole side of the room. Again, what he's talking about, it's so interlaid. It's kind of like I find it difficult to be able to separate those items unless you can have self-power generation for your own water treatment, or when you think about it, power pretty much runs the world. So how do I maintain other critical infrastructure without access to that power? And if I look at the national power grid, the sector for Texas, who's on independent, how do I start separating myself and parsing out that power grid? And a fact of, okay, certain areas may black out, but where's my power generation source coming from? And how do I re-network that? We've talked about it, but at the same time, a lot of these capabilities that we have, especially like there's a small area called Camp Shelby, Mississippi, who has their own power generation if they need to. They can go completely off the grid. They have a closed loop fiber network. They're starting to think that if I have to exist as a small city by myself, how do I do it? When I start trying to apply that across the entire nation, there's a lot more infrastructure we have to create to do that, I think.
SPEAKER_08: Okay, scanning for additional questions. Okay, here in the center.
Frontier AI Models And Defense Prep
SPEAKER_04: And then ma'am, back to you. Morning, Ryan Madden from Dev Technology. Thanks for being here today. Getting to the frontier model topic. Obviously, we had the release of Mythos yesterday with some restrictions, and there's a lot of focus on the July 1st date for the next release of Mythos without those restrictions, as I understand it. What are the preparations that government and industry or the government is doing and that industry can help with as we look at these frontier models? Like right now it's Mythos, but a couple months it'll be something else. And how can we all support that?
SPEAKER_07: So again, if you start thinking about how it operates, basically we're taking vulnerabilities. It's able to do multiple branches and SQL very rapidly. That's basically the gain you're getting out of this of, hey, I want to get from point A to point B. Give me a thousand ways I can get there by using these vulnerabilities and stacking them. And so again, it comes back to where on these priority lists do you have understanding your own networks, understanding your own systems, understanding your own vulnerabilities, and start working on a plan to at least, hey, can I interrupt that mid-node because I fixed that one vulnerability I knew I had? And so you prioritize them in the sense of, okay, what's my easiest fix? And what's the one that's gonna give me the biggest bang for my buck? And so I think that's really how the approach is gonna be now. Part of that is everybody's up worried about the threat. I'd also flip it on its head saying, hey, let's use this for good. Point it at your own system and let it generate that list of vulnerabilities. And that kind of gives you your roadmap on, hey, this is how I'm gonna fix my portion of the pie.
SPEAKER_06: You know, and I think it may present a great opportunity for collective defense, as we talk about, and as TJ says, what that might be. There could be opportunities for industries, right, or cross-government clearinghouse concepts, right, which can address these issues. I think we have to realize some of this can't be done and completed by each individual entity just because of costs and clarity. So I think there may be some opportunities because of AI and these frontier models to do a larger collective clearinghouse industry-led type of things that, again, as we say, test once, satisfy many, maybe solve once, satisfy many. But again, it goes back to how then when we would distribute those solutions out to entities and their ability to digest and apply them.
unknown: Yeah.
SPEAKER_07: And I'd add to that too, it would make maybe that kind of product of insulation, meaning you deal with some very small carriers out there that's still part of your enterprise. And it's kind of like, all right, but if I can fix mine and have them surrounded and protected, it's at least harder for them to be an attack vector. Industry using the large industry using their might can protect the small ones until they can shore up.
SPEAKER_08: Okay, I'm keeping an eye on Megan to see if we're gonna get the hook anytime soon, but okay, good to go. All right, okay, another question.
The Easy Button For Reporting Attacks
SPEAKER_00: Eileen Rubin, DHS. So uh the problem that we see a lot is where the government, we're here to help, and that's everyone in industry's favorite phrase. And you talked a lot about coordinating with industry, getting information out, sharing information. How do we rebuild those connections so that when something happens, there's already a community there to share information, to know who to go to? We've spoken with people in some of the projects I've worked on where they say, I don't even know where to go. I know I'm being attacked, but I'm not even sure how to go about it. And I know you talked a little about the ISAC and other industry working groups, but how do we as a government, as a community, build on those connections ahead of time so that as we're going on the offensive, we have that foundation to work on?
SPEAKER_06: Yeah, it's a challenging question because the way we're constructed, you've got local and state law enforcement agencies and information sharing centers. You have the FBI, right? You have the CCC through NSA, you have CISA, you have CISA people in the things, and we value the trust related to the personal relationship. And quite honestly, that may not be the best way for things to work. My vote would be is we should have the easy button, right? We this should not, we shouldn't, somebody shouldn't have to sit there and say, wait a minute, this particular issue, whatever. So I'm just gonna pick on cyber. Cyber is pretty clear, a little bit different than physical, right? But for cyber, it would be great to have the easy cyber button. It's like that show, was it? Night watchman, he picks the phone up, right? One person picks the phone up, or even AI can do it. We go to one location and then from there it dishes it out appropriately to where to go. Now, having had the opportunity to serve in the bureau and other locations, right? The bureau immediately is going to go into a law enforcement protective, which is gonna prevent them from necessarily sharing while they develop their case, right? And if you go to another entity, they're restricted by their authorities and they don't want to share. I thought about this a lot. The easiest thing is from the private sector, we need the easy button. And then the government needs to figure out what's the appropriate dissemination from that, because it is frustrating sometimes when you share information and it takes, let's just say, two weeks before one entity in the government actually gets it, because that other government entity had to do whatever they need to do, which is all fairness to them, by the way. To me, I'm hoping one day we'll have the easy button.
SPEAKER_07: Yeah, same. And hopefully when I have information, how do I share it and get it to you? And again, as there are certain loops, certain hurdles we have to cross and coordination we may through Homeland Security. And like I said, maybe with some of the dissemination tools that are coming out, we can quickly pull out the nuggets that we need that we can legally provide, share those over Homeland Security, and again, distribute that. As far as the how do we actually do that flow and everything, again, these exercises we're trying to do right now, like a cyber guard is what CyberCom's big exercise is, and trying to layer those so we can see, hey, if the flow of information isn't working correctly, what do we change with our authorities or what do we change with our policy to enable that? So that's probably one of the better things that come out of exercise is when we look domestically and we build that back up is the fact of, okay, what needs to change? Did this work, yes or no? And if not, let's get it changed. Because again, trying changing policy, authorities, that takes time.
SPEAKER_08: Okay, so I love your idea about the easy button, Rich. So I'm just saying to both of you, whether it's Cybercom J2 or your firm, happy to have you guys come to Texas and help us build the easy button. And then I'll be great. Okay, any other question in the audience, please? In the back. In the back. Yep. But if it was Texas, it would be a big button. It would be a big button. Good morning, guys.
SPEAKER_03: It would have a spur on it. What the both spurs. Good morning, guys. My name is Amon Kunless. I'm with Everforth ECS.
Fixing Government Information Flow Delays
SPEAKER_03: I had a quick question. So, on the same thread of information sharing, you guys have mentioned CISA, which has services and teams like JCDC and AIS for some of these functions. From your guys' perspective, what gaps do you guys see with broader government information sharing at scale and collaboration in this private public partnership space that's really limiting collective defense to drive forward a collaborative operational integration? And where do you see government and industry needing to go in that space?
SPEAKER_06: So, first off, there's a tremendous amount of information that's at the C, and there's a lot there. I think the challenge, just the previous question, is when you respond to that information, and I can't remember if it's PD 42 or 41, right? There's a presidential directive out there that equates to where information from a cyber standpoint needs to originate and go through. The challenge is because of the way all the entities work, they don't share amongst themselves, right? So today, if you're sharing information with the CCC, they can't necessarily share it with CISA and the FBI. And if you share it with the FBI and it becomes law enforcement sensitive because you're looking at an active case, there may be a delay before they can share it out to the larger enterprise. Yeah, I think there could be an opportunity to review how those information flows work, right? And I don't know if you want to call it an SLA, right? But how long can somebody usually sit on information before they share it out to the larger enterprise? But again, the information is there. Does when we provide information to the government, does it get dispersed appropriately through the government in a timely fashion? I would say from where I sit, the answer to that is no, right? But again, I want to stress there is plenty of information sharing coming from the government through the various avenues that exist today, right? Everything from I said the state ISACs to NSA Triple C to InfraGard program to the FBI through the various CISA programs, even Secret Service has theirs. So everybody has an entity and they are sharing, but is it a collective sharing, meaning everybody on the same page? I don't think so, not this time.
SPEAKER_07: Looking at that standpoint, I won't take his side, whereas we need to develop better protections when you do share information. So instead of sitting and holding that information, hey, we've had a breach, we've had a data compromise, you're trying to short and protect yourself before you release that information out. And so that we need to have better protections for industry, I think, to enable them to share it faster, knowing that there will be no repercussions coming back or other standpoints, unless they're negligent. But for the most part, they want to do the right thing. They want to share the information. So we need to facilitate that. That I agree 100%. My view is the other direction.
SPEAKER_06: Yep. Not going for much.
SPEAKER_07: So I approached it his side, he approached it my side.
SPEAKER_05: Okay. Additional questions, please.
2032 Outlook And AI Versus AI
SPEAKER_07: Not seeing any. Okay, let me wrap it with one thing, too, is we talked about hey, how do you facilitate some of these conversations, everything else? Because forums like this, because now I know who I'm gonna pick up the phone and call when we have an incident. And it's again, we talked about the personal relationships. That is important. Not only is it the standards, the processes, and everything else, but now bringing us together because before frontier models, we wouldn't have the same discussion six months ago. Probably two years ago, we would be having the same discussion where you had DOW speaking. Speaking with industry directly saying, Here are my needs, which I just think I heard him say you're screwed. Yep.
SPEAKER_08: But can you funnel it through the state attacks? Oh, yeah. Exactly. I'd appreciate that. Anything you want to share directly from the Cybercom J2? I'm happy to get it. Okay. I know we're wrapping up. We're inside a couple minutes. Look, we've talked about the last 10 to 15 years. We've talked about a lot of data being shared. Three years ago, I don't think we were four years ago. We were not talking about AI. We were certainly not talking about frontier AI. I would ask you guys to be very speculative. What does five years from now look like? Tell me what 2032 looks like when it comes to cybersecurity and the relationships between industry and government. And who's going to be ahead? The adversary or collective defense?
SPEAKER_06: I believe if we keep our foot on the pedal, we will be ahead of the adversaries or at least in an even playing field. Right now, the adversary has the upper hand because of speed of execution and the tools that are available to them. But when I look at how things are changing as a cybersecurity defender and cyber professional, right, I think all these different frontier models and future AI models and even quantum resistant algorithms, when adapted properly, actually make us better. Right now, we're in trouble open source code bases. But you know what? Using these frontier models going forward, we will have the best secure code that we've ever had. Right? If we're using it in pre-production before it gets there and we're doing constant assurance checking along the way. If we drive innovation to prevent bad things and bad actions from occurring, it's only going to make the job as a cyber professional be that much more effective in what we're doing. So I'm really excited by AI from the applicant. Are we going through a bubble time frame where the bad actor has the advantage? Absolutely. But when I think you said five years from now, I see AI fighting AI. I see as a cyber professional using AI to close that speed gap. AI giving me visibility and transparency like I've never had before. Okay.
SPEAKER_07: Same, you stole most of my fire there, but same, but I see us being very well protected five years from now because what's making the news right now is the vulnerability piece and what it can actually do in attack. That because that makes great news. What we're not looking at is, like I said, when you flip it on its head and you start providing the protection, you start closing those holes. Because think, as we're able to purge networks, purge critical infrastructure using AI, it closes that attack surface for the adversary. And so we end up with a chance to, and they're going to see that window closing too. So at least, if anything, it makes them spend more, put themselves at risk, and actually overextend trying to get into a system that is now a thousand times harder. And so as we harden those networks, we can see where we have the gaps and we put our concentration there. So five years from now, great. Next year or two, yes, it's going to be a fight as we're trying to defend and protect as we build up those resources. But I was talking to one expert the other day, and he's like, Yeah, but part of this too is the amount of money that has to be spent for these frontier models. So we're still looking at nation states, very highly paid criminal organizations that can actually afford to develop these models to come after it. So we can limit that down to a number of adversaries to where we can say, okay, we understand they'll have the capability. This one we're not so worried about. Brandon Haynie with his personal Claude account is not going to go out and figure out how to hack NSA. Right. So we can actually narrow down that threat vector, know where it's coming from, and again, look and see where those pulses are coming out of.
SPEAKER_08: Okay, to both of you, thank you very much for having the conversation and being part of the dialogue. I think my takeaway is the difference between the bloody three and the happy five is a whole bunch of coulda, shoulda, and woulda. So there you go. All right, fellas, thank you very much.