We recently interviewed RDML Tracy Hines, Director, Enterprise Networks and Cybersecurity, Office of the Chief of Naval Operations, about her work, the intersection between geospatial intelligence and cyber, and her concerns for securing much-needed GEOINT data for the Service.
trajectory: From a GEOINT perspective, where everything occurs at a physical time and place, the cyber realm is tied to real locations of servers, cables, and terminals through which it exists. Would you give us your 30,000-foot view of the intersection between GEOINT and cyber?
Hines: That intersection is how we can better share information to best serve Naval operations. The Navy is highly dependent on NGA’s GEOINT products and services to support our operating forces (both afloat and ashore) around the globe. We share some of the same challenges, especially increasing the cybersecurity posture, while ensuring that the Navy continues to have ready access to GEOINT information. We successfully integrated the GEOINT Unified Naval Streaming System, NGA’s map of the world, a mounted container, into our shipboard systems.
The Navy has one problem that NGA appears to have solved: faster review and approval of new applications. That is, we have to send our software through an authority-to-operate process. It makes it difficult for us to integrate GEOINT software into naval networks because of the time that the process takes, sometimes as long as one to two years. If we could better understand how NGA has been able to avoid a cumbersome process, we can better integrate and share information.
What are your thoughts about the cybersecurity supply chain and data integrity?
We must leverage commercial technology because it is a ubiquitous commodity or we will have less capability. We constantly discover new zero day exploits, so the Navy needs to be postured to isolate and clear anonymous activity that attacks our networks. We must have trust in the supply chain, from tooth to tail, to make sure that we can develop and implement these technologies. We definitely will not compromise security for the capability, but we must make sure we build that trust and those good relationships with our partners so everybody understands that the whole supply chain must be secure. Better situational awareness of where things are coming from and going out, with the right checks and balances in place, will help us rely on that technology and have the capability we need.
Long ago, the U.S. military implemented a policy to detect and engage threats in their own space, where they are. What is the cyber equivalent to this, that is, how do we not just build a good fence, but keep them away from the fence too?
As I’ve often said, we need to spend more time examining those precursor behaviors, those predictive things, those anomalies that happen before the threat. We have the fence, but what about before the fence is built? What are those activities, the things that we need to sniff out so that we can know how strong, how rigid, our fence needs to be?
As a DoD entity, we’re trying to apply a zero trust policy on our enclaves that will help us ensure that we keep them away from the fence. We have that with strong friends, but we have policies to detect and engage at all levels. In the cyber realm, I want us to seriously look at it from a predictive standpoint and invest in those types of things that help us understand and build the type of fence we need.
With the Navy’s frequent deployment to foreign ports, how do you approach the challenges of relying on foreign infrastructure?
I’ve experienced this firsthand, while I was in Seventh Fleet as the Internal Security (INSEC) officer, so I’ve worked with our coalition partners a lot, in particular, Korea and Japan. One of their key questions is: How do we become an information warfare community? How do we stand up something like that? Then, everyone asks about cybersecurity. Interoperability is one critical component, but having trust in and being able to share information with our partners is equally critical. Quite frankly, we have discussed the question: If things go down, how am I going to get that information to my coalition partner rapidly and not have to go through all these hoops?
We’ve discussed the need to declassify or be able to share more information with our partners. We are working on how and why we use the “NO FOREIGN” classification restriction so much. And we don’t have the best descriptor of what that means and why we use it. We are asking classifiers to consider: “What are you really trying to say?” We’re seriously reviewing that issue. We’re taking a broader look at its use to help us share more information with our partners.
We also have coalition networks, Citrix is one of them. We have certain enclaves within Citrix. There’s a Citrix J (Japan) and a separate Citrix K (Korea). My challenge has been to address the question: “Sometimes I need to send things to both Japan and Korea. How do I do that?” We need a classified space to be able to talk. Being aware of that, we need to clear up those caveats so that we can share relevant information in a timely manner.
Much of that issue concerns better discipline with classification on our part. When we classify products at the strategic level, we’re also sharing our cybersecurity approaches with our foreign partners. Things like our defense-in-depth and zero trust as well as many other efforts at developing tactical cybersecurity doctrine and tactics, techniques, and procedures (TTPs). I have participated in many working groups where we openly discussed many of our challenges. Although we don’t get into specific threats, we are listening to their frustrations, like “Why can’t we share this information? We’ve got the same problem set in the same theater, fighting the same fight, as they are.” So we need to do a better job of engaging and sharing information with our coalition partners.
How can the geopolitical community best address the challenge of the military’s interaction with commercial and government data and service providers?
Throughout the Ukraine crisis, the Ukrainian armed forces have demonstrated the power of using commercial imagery during conventional warfare. So we are asking how the military cybersecurity community can address our challenge with commercial GEOINT providers. Navy cybersecurity is working to address the challenge of interaction with commercial and government data and service providers.
To gain a deeper understanding, I’ve been constantly engaging with industry. I recently met with Google; they have a new community environment where they’re engaging with government specifically. I also just attended the Defense Contractor Summit in Charleston. At these events, I stressed we need to keep security central to the implementation strategies for both data management and development of services and applications, both ashore and afloat. We need to do a better job as a service to coordinate across DoD, to maintain awareness of the latest vulnerabilities, to assess the appropriate requirements to ensure any systems, whether it’s COTS (commercial-off-the-shelf) or GOTS (government-off-the-shelf), meet our security standards.
We’ve looked into embracing some commercial technology. We’ve conducted a few pilots, even some afloat, to take advantage of this capability. It offers more bandwidth, gives us more capacity, allows more sailors to access data, but we have to make sure it’s secure. We’re keenly interested because we are learning so much about how 5G in particular has helped Ukraine.
What is the Cybersecurity Challenge and how does it enhance cybersecurity?
The Challenge is a mandatory, all-hands annual training for everybody, civilians, contractors, and military, to stay certified for systems access and to fill gaps in their knowledge. It used to be “click, click, click” training, but we’ve gotten much better. Now the user goes to an actual site, logs on and works through different realistic scenarios. The user works through a range of issues, such as how to ensure security at home, how to operate in a SCIF. For example, in one scenario, you find your coworker left their CAC (common access card) in their computer. What do you do here? What are the A-B-C steps you have to follow? And you have to get it absolutely right, or else you fail the mission. The user is scored on how they do in a number of areas and must pass at a high level to receive the training certificate.
We use the results of the Challenge to ask key questions. What are some of the meaningful metrics? Are we getting better? Are we getting where we need to be to continue to make security part of everyone’s DNA?
What keeps you up at night?
I want to get to the bad guy or gal before they even start knocking at my door. There are many entities that spend a lot of time looking at things, collecting this and collecting that. For example, it’s as precise as if you have a bank account and there’s one cent missing every month. You might wonder, “Who really pays attention to that?” I want to pay attention to that. So I truly can’t be more proactive than I am. I understand defense in depth, that is, putting out the fire and making things more stringent. But what keeps me up at night is what I don’t know, who’s looking at those things and assembling and assimilating that information intelligibly and creating a threat. We need to be left of boom! Looking at precursor behaviors and anomalies before anyone starts to even knock at the door. We also need to be more proactive with responding to our network outages. With the right predictive analytics, we could detect a potential issue before it becomes an issue.
I’ve challenged my intel briefers to take it in that direction—to tell me clearly: What are the trends you see arising? Do I need to pay attention to this or that area, to be more at the ready? I’ve always been the type of person who asks: What am I not thinking about? Even in physical security. For example, if we had a fire, how would we know what steps we must take to protect the system?
In cybersecurity, which must be in place everywhere, I ask: What are the sensors that are looking at things before they actually happen? A good predictive analysis is difficult but it’s attainable. And I know there are tools in the commercial sector. As I engage with industry, I’ve asked: Show me what’s given you a good predictive analysis, not just something that tells me to look at security logs or the like. For instance, I ask: If there was a spike at a certain time of day, is there something that’s telling you that your network is getting ready to go down? Or is somebody looking at something they shouldn’t be looking at?
Of course I’m fascinated because my degree is in digital forensics. I always want to know what that digital footprint is that causes something. Now I want to get to it before it actually happens.
USGIF offers a scholarship program through which we support the next generation of intelligence professionals. What would you say to a young person who is weighing their options of going into government service or seeking other opportunities? What would you say to them to advocate for joining your mission?
I’m just so proud to serve. I raised my hand and said I will support and defend, I believe in our country, I believe in our Navy. I know the stronger we are, the more united we are, the better and stronger we will be. Sometimes we don’t do a good job of communicating the vast variety of opportunities you can find serving in the government. Some young people say, “When I look at government service monetarily, it seems like the money is greater over there in commercial than over here in government.” But when you look at it holistically, like I mentioned, you feel a tremendous sense of service. In addition, there are other substantial benefits that you do get and experiences you would otherwise never be exposed to. I’ve been all over the world. And the reason I’m still “moving along” in my career is because you do get to move some mountains that genuinely impact and influence the country at large.
From a macro point of view, a young person will have an opportunity to work in a diverse workplace with a wider variety of assignments. These will help make you a more well-rounded person and better servant of the people. In fact, I recently had a conversation with a young person who’s on the fence and asked me, “Tell me what’s in it for me, why government?” I replied that in some business organizations, you’re more tunneled. It takes more time to step up, to move up, to become exposed to new things. Serving with the government, you can be exposed to new knowledge and opportunities faster. You get to see a broader, bigger picture and do some good to protect our nation. All of us need to be all in with that deep sense of service to—and pride in—our country. By far, that is most important.