HSDF THE PODCAST
The Homeland Security and Defense Forum proudly presents HSDF THE PODCAST, an engaging series of policy discussions with senior government and industry experts on technology and innovation in government. HSDF THE PODCAST looks at how emerging technology - such as Artificial Intelligence, cloud computing, 5G, and cybersecurity - is being used to support government missions and secure U.S. national interests.
From Information Sharing to Operational Integration Part 1
Welcome to our “TUESDAY EDITION of HSDF THE PODCAST,” a collection of policy discussions on government technology and homeland security brought to you by the Homeland Security and Defense Forum.
In this episode our panel looks at why cyber threat intelligence sharing still fails to stop real-world breaches, especially for small organizations that lack the people to turn alerts into action. We map out what “collective defense” looks like when you connect government authorities, industry engineering muscle, and AI-powered defense without slowing everything down with bureaucracy.
Featuring:
- Rich Baich, Senior Vice President and Chief Information Security Officer, AT&T
- Brigadier General Brandon Haynie, Mobilization Assistant to the Director of Intelligence, J2, U.S. Cyber Command
- Vice Admiral T.J. White, U.S. Navy (Ret.), Chief, Texas Cyber Command (moderator)
This discussion took place June 10th, 2026, at HSDF’s Cyber Symposium.
Follow HSDF THE PODCAST and never miss the latest insider talk on government technology, innovation, and security. Visit the HSDF YouTube channel to view hours of insightful policy discussion. For more information about the Homeland Security & Defense Forum (HSDF), visit hsdf.org.
Setting The Stakes And The Panel
SPEAKER_01: So, a state representative, not federal, not industry, not academia. I see some friendly faces in the audience. I hope none of you will be converted to adversaries at the end of the discussion. And welcome to the Commonwealth partners and Ukraine and Japan for being here. Like you, I am a problem owner. And I'm hoping that everyone in the audience will encourage the guy on my left and the guy on my right to answer all your questions about how they are going to solve the problems that we share in cybersecurity through collective something: collective partnership, collective communication, collective sharing, collective defense, collective security. So I was given 10 questions, which I was told to ask, and I left them at the hotel. So we're gonna figure it out, if that's all right, General. And Rich? Okay, Rich, just to set the stage for everybody here, you and I have known each other a long time. You were in the Navy, I was in the Navy, you saw the light and got into industry quicker than I did. You've had a very successful career. You've come to and from government service a couple of times. You retired also out of the reserves. You recently were back in US federal service at a very senior level.
Information Sharing Improved Action Lags
SPEAKER_01: What is the one biggest thing that you've seen change in terms of solving problems?
SPEAKER_00: I actually believe that we are actually sharing information well. And what I mean by that is, if I go back all those years, all the way back to PDD 63 in the Clinton administration, when the whole information sharing concept got established, and the journey that we've been on with the state ISACs, the industry ISACs, and then the dependency on the critical infrastructure and the government's acknowledgement of that. I have watched information sharing mature, and I think the information is there. So I think it's positive. The opportunity that still exists now is the action associated with the information that we're sharing.
SPEAKER_01: Okay. So, General, good to see you again. Yes, sir. Brief introduction for those who don't know. We started out in the Army. You transitioned to the private sector, stayed in the reserves. You did stuff at a very high level with data science and analytics. You still do that while you're not on recall orders or active duty orders. And what you help the J2 at U.S. Cyber Command do is solve personnel challenges, right? Bringing talent out of the private sector that are doing reserve duty and other augmentation capabilities and bringing that to the analytics stack at U.S. Cyber Command. Do I kind of have that right?
SPEAKER_02: And that's one thing that we've realized, especially at U.S. Cyber Command, since we share so much of that with the commercial world as far as networks and protected networks and security. A lot of your talent resides in the Guard and Reserve because most of those individuals either work for IT security companies or they work for private industry, where they have those certifications and they understand the threats and the problems that we're facing as well.
Why DoD Needs Private Infrastructure
SPEAKER_01: Okay. So when we use these terms like collective security, what does that mean to the Department of Defense, the Department of War and the Armed Forces?
SPEAKER_02: Prior to cyber becoming its own domain, the military fought overseas. And so we were always worried about our mobilization or deployments and things like that in other theaters. Once we started looking back now with the cyber threats, we started seeing the fact that we're very dependent on critical infrastructure that we don't own, such as power generation, some of our communication networks, water, all those others that enable us to mobilize and move forward. So once we started peeling that apart, we started saying, hey, you know what? A threat to my network, which is Cyber Command's number one mission, protecting the Department of War information networks, is dependent also on what private industry is doing, since we use that as a backbone as well. So with 85% of critical infrastructure being privately owned, we better have a collective plan to prepare and defend all those networks, all those capabilities together.
SPEAKER_01: Okay, so Rich, I'm a little intrigued, right? Because I think I too remember, not too long ago, but it seems increasingly longer, my time in uniform where I think the US military machine would say, yes, our goal, of course, is to fight the away game, to go elsewhere so we don't have to do the homeland defense game. Right. But you're gonna rely on infrastructure, as you pointed out. And Rich, your industry, your sector, that's the base layer, right? So what are you guys doing to both protect the global commons, but also to enable, or what should we do to enable, what the Department of Defense and our allies require?
Building A Global Telecom Sharing Pact
SPEAKER_00: Yeah, TJ, the whole idea of the dependency on the public-private collaboration, right? And the acknowledgement that, hey, as a country, as a war fighting machine, we depend on our critical infrastructure and our ability to have resilient infrastructure. So from a telecommunication industry standpoint, we've taken that extremely seriously. So about two years ago, we instituted an information sharing agreement where we got some US entities, Canada, we've got Japan, we've got Australia, we've got the UK, we've got Germany, we've got Spain, and we knocked down some of the legal barriers that are traditionally associated with commercial companies sharing information and established this group. And this group, now we meet. Every month our operators get together, they're sharing tools and techniques that they're seeing around the world, right? Because this adversary, the adversary of cyber, isn't centric to the US, isn't centric to any country, right? It's geographically dispersed. What they may see in Australia before we see it could be of value to us. What they see in Germany could be of value before we see it. So we've actually coordinated that. And then we took it one step further. And just this month, we announced the communications cybersecurity sharing analysis center, the C2ISAC, which collectively now we've established as a traditional nonprofit where right now there's eight US companies, and our plan is to expand that out. But to have that infrastructure to support exactly what you said is: what will the communications infrastructure do during a time of crisis? What we need to do is obviously have a rally-in point, which obviously could be virtual in nature, streamlined playbooks, understanding the tools available to us, and be working very closely and partnering with not just industry, other industries, but also the government.
Launching C2ISAC For Real Operations
SPEAKER_01: Okay, so that C2ISAC is a creation of the industry, and it's separate from the organized or managed sector risk management ISACs. Is that right? 100% correct. Okay, so what is the hoped-for relationship between the C2ISAC, very narrowly and deliberately an industry creation, and then, in the case of the US, the telecommunications sector?
SPEAKER_00: Our direction and our charter is we are going to establish an appropriate information sharing mechanism, right? Not just a Slack channel, as an example, that will enable anybody in the ISAC to be able to communicate and share. We'll figure out how that then also provides an interface, not just to the US government, right? To any appropriate government, so that information sharing can go both ways, and the timeliness. But in addition to that, also, what can we do to help the industry? I'll give you an example. We've taken on this idea of trying to address residential proxies, right? We talk about collective defense. Residential proxies is an issue which bad actors take advantage of. There are some limitations there of things we can and can't do as telecommunication providers. But there are authorities available to the Bureau and other entities that can potentially enable. But our view is if it's just one entity going after a residential proxy or any other campaign, more than likely it's dispersed. So now with this global perspective, we could really do some disruption on some of these bad actor campaigns and maybe eliminate them, or more importantly, make it harder for them to get established going forward. And then one step further to that, really the ISAC wants to be very operationally focused. We also have a telecommunications, basically cyber range exercise every year. We hosted our first one last year. We'll do another one this year, where we had teams from those entities that had that information sharing agreement in place come in and war-game. And then actually last year was the first time that the war gaming entity created a collaboration cell, which means you got points for sharing information and then you got points for utilizing the information. Right. So again, as an exercise, you can talk about it and then you can do it. So the actual collaboration, the teams got points for.
So the hope is obviously that will now be part of basically standard practice when any entity is dealing with an issue. So does DHS CISA and the Department of War play in that war game? Not yet. Part of that was, on the first one, can you imagine if you're like Spain, Germany, UK, and suddenly Cyber Command and Department of War are playing, just in the US, right? We would need to make sure that this is more Five Eyes or more global to allow that to happen. You could include Texas any time that you want, just selfishly.
SPEAKER_01: Yeah, I understand. We should do that.
Hunt Forward Insights And Joint Exercises
SPEAKER_01: Okay, so what do you guys need? What is the J2 at US Cyber Command? What kind of relationship, distinguishing between data feeds and knowledge sharing, how would you like to see that unfold?
SPEAKER_02: And again, when you opened it in the beginning, the collaboration has grown so much since even the first time I got in and especially started working in this domain. And it's a very big emphasis now on the industry and the states and everybody else who facilitates this. So I think just the information sharing alone. When we go forward, we do hunt forwards where we look with our allies, we look with our partners, we see what's affecting them. We'll take those techniques that the adversary may be using, and we'll go through Homeland Security, through CISA, and we get the information. So you'll know what's actually threatening your infrastructure as well. So we bring that back. It's like you said, that's going to be the canary in the cave, where it's, hey, we're seeing this happen in this area. It may be affecting us as well. They're exploiting this vulnerability. So right now we're at the point where we're doing exercises where we try to layer on top of maybe a National Guard level exercise occurring within a state or a region. They'll bring in their industry partners and we see how that flow of information, how they're speaking to each other, and then how we can take that and push it forward. So, like you said, collaboration at all levels and with our industry partners, to a point one day where we do a national level exercise where we'll have the states running their own independent exercises with their industry partners and feeding that information up so we can see how it affects us on a global scale.
SPEAKER_01: Okay.
Typhoon Campaigns And Prepositioned Access
SPEAKER_01: Something that's been in the news for the last couple of years, pretty heavy duty, is the Typhoon series of state actor attacks. And I think we can say, I can say China. Okay, maybe you guys can't. I'll say China. Okay. So two out of three. Okay, this is an example where I think, for the practitioners in the room, whatever that state actor activity is or is recognized as having been, I think we would all agree that before it became public, they had been present and doing operations for a while. Right? That's just the nature of, I think, state actor activity in this space. So how does collective security and collective defense, how will you guys measure success in terms of impact or timeline between what industry can see, observe, and do, and then what US Cyber Command and its US government federal partners, intel community partners, like how is that gonna work? Who's gonna find out first?
SPEAKER_02: I can kick it off. So let me put my intel hat on. Again, we found Volt Typhoon and Salt Typhoon, and again, they came into the program a lot earlier and were detected. So how long had it been there? So when we step back and say, all right, why are they there? What really alarmed us was the fact they were sitting in critical infrastructure, they weren't exfilling data, they weren't doing anything malicious, they were sitting there. So now that really set up the warning flags. It's like, all right, why are they here? What are they doing? And part of that is when it goes overseas, they know they can't beat us platform to platform, okay, weapon system to weapon system. So now they have to extend that. And they use a method called system destruction warfare where it's, hey, let's find the critical nodes, go after those critical nodes to prevent me from being able to mobilize forces and move forward. So you pre-position, you set in the networks, and you wait. And so that's the really alarming part, I think, that sent up a signal. Hey, they're not trying to steal IP, they're not trying to steal data. They're sitting there pre-positioned to be disruptive. So part of that can be, as we get indications and warnings overseas of movements, then we can actually start sharing that information saying, hey, maybe you need to tighten down certain networks, certain capabilities. This is what we're seeing over here already starting to play out. Another point of collaboration is, since you are forming some of the backbone of our critical infrastructure for us when it comes to the network, you can't fix everything. You can't secure everything. So at least we can come from our perspective of: here are some areas that we would really like and need for you to secure and harden, understanding you'll hold the other at risk, but this is critical for our operations.
And so that collaboration there really helps them focus, because otherwise you can walk in and say, hey, you need to secure your network. That does no one any good. And if you do take that list and start working down it, maybe what I actually need to be doing is number 12 or 13 on that list, not one or two.
SPEAKER_00: When I think back and we think of what's happened, a couple of real good things came out of the Typhoons. So, first off, if you look at what government did and what government published, right? There were joint advisories, there were advisories across governments, across countries, that were put together around this topic, sharing information at the appropriate classification level. So collectively, that brought us together. But I think the real lesson learned and the question coming out of all that, and back to what the general was saying, is what are we going to do going forward? One of the things that we talk about in the C2ISAC and the telecoms is, do we need to be thinking about the fact that during a time of some type of conflict, do our networks need to go to higher assurance levels? Is there a more tangentiation to a router that we may want to go to? Some of the things that we're trying to work closely with government on is, as we look out into the future and as the world is changing with AI complexities and AI threats and these frontier models, we have to be agile with how we're looking to future-defend the country, right? Should we be looking at different types of configurations for our edge devices and firewalls and routers during a time of conflict that can help reduce the risk associated with obviously these nation state actors that are focused on living off the land and different things like that? So I think the Typhoons was a great wake-up call to understand what an APT is. And then more importantly, what causes them to want to actually use whatever those beachheads that they established to achieve whatever objective that they're looking to achieve. So a lot of great lessons learned about it. And to me, I'm more focused on what are we doing forward during a time of heightened conflict, which is really the essence of.
What you're describing is they're focused on finding out what are the centers of gravity, what are the issues within our country that, when potentially exploited, can help them achieve their objective, whether that be mobilization, whether that be disruption of power or other things like that.
SPEAKER_02: Yeah, totally agree. And the other point of that too is not so much disrupting me, but also causing friction within the country itself. Not only for a network. The problem with a lot of these exercises is we can't actually go out and turn the power off to see what the result would be. So we rely on natural disasters to see, okay, how does the community, how resilient is that community when they lose power? Jackson, Mississippi lost their water infrastructure. It was due to the construction of it, but we quickly saw that even a city as small as about 150,000 to 180,000 that were impacted, the monumental lift it took to provide them with clean water. So now we see, okay, take that, multiply it by 10 to 12 to 20 country cities, and at the same time, let's start turning off water ports and everything else. Not only think of it from a military perspective, think of it just as a domestic friction point.
Turning Warnings Into Collective Communication
SPEAKER_01: Okay, so as the host announced at the beginning, right? Plenty of time and opportunity for audience questions. So I'd ask you all to be spinning that up, because I'm gonna run out of age-related cognizance here in a minute. Okay, listen, you guys have talked about Typhoons. I asked the question: is it "was" or "is"? Are the Typhoons an "is" and "are"?
SPEAKER_00: Oh, definitely is and are. Yeah, let's break it down. Any type of APT campaign that's associated with a nation state has many different variants, right? We talk about Volt Typhoon, we talk about Salt Typhoon, right? To think that a campaign that's originated by a state actor, when will they stop with their campaign? It just depends on their achievement. For the general, it's pre-positioning and espionage, right? So when will a nation state stop trying to be successful? I wish I could tell you when that is, but I think it is and it's are. It's gonna be just a constant fight every single day.
SPEAKER_02: Yeah, and what we're seeing a lot of times too is the fact that even when we publicly display that you're in our network, you have done this, it really doesn't lessen the blow, they continue. And to the point where it almost feels like sometimes we've normalized intrusion. Because it happens so often and it's persistent and it's always occurring, and that's all you hear on the news is, hey, a data breach here, a data breach there. And to the point that we've normalized this, where in the cyber domain, where you're not actually present, we don't consider it the same as an intrusion in the sense of if there was someone sitting in your house when you walk through the door.
SPEAKER_01: Okay, so in the interest of collective something, implied in that, I think, is that there's effect in the messaging. And so we hear about the nation state actor that not only was but is actively present inside infrastructure in a number of places for a number of reasons. Like how do we take collective security, collective defense, and turn that into collective communicating? What needs to be done? You had a previous four-star commander go on 60 Minutes and talk about this, and I think that was a blip that lasted, that was an overnight headline.
SPEAKER_00: Yeah, I think, TJ, like when I started, right, the information sharing is happening. It's the action that's associated with it. So much of that is dependent upon the entity that's getting the intelligence. And in the world of AI, especially AI empowerment, we need to think about that and change that game, right? What we need to be doing, in addition to sharing intelligence, is providing entities the ability to opt in to potentially run tools, right? Verify configurations. We haven't even talked about supply chain, right? For CISOs that work for large companies, they have large budgets. When you start getting into those small to medium businesses, they really don't; they don't have the IT professionals or the IT help. So even when we go and we say, hey, you need to look for these IOCs or these TTPs, they maybe don't even understand what that is. So what I think we need to look at from the public-private standpoint, back to your question, is it's now the enablement. And I'll use an example. I think it was about 15 years ago, the Struts vulnerability came out, right? And it caused chaos for everybody. And I can recall being CISO, and my team designed 10 different ways to go find the vulnerability because it wasn't easily found. But there was no way for me to distribute that code and those things out to a larger entity, to quickly help them be able to go find it and remediate it within their own environment. And I think that's the genesis of the JCDC, as an example. But I would say we can't grade ourselves well yet on how are we equipping the private as well as the public sector with the tools, based on the intelligence, so that we can action off of it?
Automation And Rules At Scale
SPEAKER_01: Okay, so the forum is the Homeland Security Defense Forum. Right. So what should I, selfishly as the CISO for the state of Texas, what demand signal should I be asking of the Department of Defense, the Department of War, or DHS CISA? And what do you think the J2 at U.S. Cyber Command ought to be able to provide?
SPEAKER_02: And we already work through Homeland Security as well as our FBI partners and that communication network to show them, hey, this is what we're seeing. Here's all the things that we see that could affect you right now and how it's being used, their techniques, procedures. Again, that can fold into what you're talking about. Now someone needs to generate the solution. How do you go find it? What does it look like? And so part of that too is we'll spill in that, yeah, I know. But as we detect malware and how that malware is operating, we can self-generate the rules base that can then go feed into the other malware detection, say, okay, it's an automated process. I don't have to sit there and configure my system for it. So it's already seeing the malware, describing what needs to be done, generating the rules. And then, like he's talking about, if we can communicate that out and do a mass distribution, everyone's rule base is updated. So now everybody has that same level of protection. And we're not waiting for, how many times have you seen malware or ransomware pop up at another location because they didn't cleanse their system, they're still vulnerable.
SPEAKER_01: Yeah, so I think what I heard you say is AI is going to solve the intergovernmental communication problem between the states and DHS and Department of Defense. Okay, I didn't say that out loud. Exactly. No press in the room, right?
What States Should Ask Industry To Deliver
SPEAKER_01: Okay, so Rich, I know there is a lawyer in the room, at least one, your lawyer, not mine, and my procurement officer is not in the room, or she'd tell me to shut up. But what really can states ask of industry? What should we expect or hope that you can provide at scale, right? Trust, confidence, and effect aside. What does that look like?
SPEAKER_00: So before I answer that, you said something. I just want to make sure. Didn't you all hear him say he's effectively the CISO for Texas? I am. Okay, good. I wanted to make sure that I didn't.
SPEAKER_01: Yeah, whether I want it or not, it's in the law. That's great to know, TJ. Yeah. Really, that's, I should have kept that quiet.
SPEAKER_00: That's great. I know people now. Exactly. TJ, we have to change the way that we're approaching this issue, especially with AI and stuff. If you look over the last 15 years, 70% of the innovation that has come out is detective controls. Let me tell you you have a problem. Let me tell you you have an issue. Here's an alert. You need to go do this. And we collectively need to innovate and go more towards the preventive world. When I first started doing this in the late 1990s and firewalls and stuff came out, everything was preventive, right? It was firewalls, IDS controls. It wasn't letting me know I had a problem, it was preventing it. And we need to focus on that. So when I think about the state levels and I think about the opportunities that are available, I think a preventative approach, right? The more we can do on the wire, the more we can prevent bad traffic getting to the endpoints so that the cyber defenders don't have to sift through and look for the needle in the haystack, the better off we're gonna be. But that needs to come through innovation. That needs to come through coordination. And then if I was the CISO of Texas, my thought, I know you're gonna tell me what to do, my thought would be, I want to have some abilities to go to different levels based on what is happening in my environment, right? Because during a time of crisis, you've got to have clear, effective communication and the ability to isolate and do different things, right? So let's just say, hypothetically, Texas gets intelligence that something bad's gonna happen, someone's gonna target Texas or whatever the case may be. Well, you might want to say, hey, can we stop all domains except for Texas.gov for the next 12 hours so we make sure we're collectively communicating and false information is not being introduced and different things like that.
I think when it comes to the state levels, they have to look at and understand their critical infrastructure and have a way to have the transparency and the visibility so they can make the best risk-based decisions, as well as the ability in a time of emergency to potentially push out controls that can allow the infrastructure to continue to operate while you deal with the larger crisis at hand.
Resilience Modes Manual Ops And Public Trust
SPEAKER_02: Yeah. And when you expand on that with the rest of the infrastructure we're looking at, there comes a point, just like you said, where, hey, with the SCADA systems, when do we actually unplug those, run them manually? We're gonna lose efficiencies. There may be interruptions, but at the same time, we want to preserve that capability. So when the threat's over, we can stand it back up. So not only do we have those, almost like a watch: hey, we're gonna drop to this level or the next level, disconnect, run these operations, then bring it back up. What's our resiliency plan now? How can we stand this back up if it does occur? So I think there's a lot of exercises states can run through. Again, it becomes the messaging, because they are the polts when it really comes to the people: we're taking this action because of A, B, and C. And again, it gets back to the, hey, there's a foreign threat or bad actor that has a threat on our infrastructure. We're gonna have to do these line items, and here's how it's gonna affect you. Put it out there first, and it really makes it.