Blog
/

3 Things I Learned From Charlie Phalen About the Past, Present & Future of Security

Content
John Dillard
Published
May 27, 2021

Every month ThreatSwitch hosts a webinar on a topic of interest to the security and compliance community. Thousands of security leaders and practitioners have attended these webinars, but not everyone has an hour to spare. That's why we'll be sharing our CEO's lessons-learned each month right here on the ThreatSwitch blog.

“Keep your eye out and keep asking questions.” -Charlie Phalen

Security – in all its forms – has come a long way, but my conversation with former acting director of DCSA, Charlie Phalen, reminds us that there’s still a lot of work to be done – and that we’ll never be perfect.

Charlie knows both sides: industry and government. Few people have seen as much as he has in security, personnel security, and how that has evolved into where we are now, a period of significant and dynamic change.

Here are three things I picked up from our conversation.

1. The Threat and the Solution Begin With Humans

Attacks are devised and at least initiated by humans.

Some are intentionally out to cause harm and others are careless and make unfortunate mistakes.

A recent Federal News Network article states that the number of insiders who have caused data leaks could be as high at 80%. Whether it’s done with malice isn’t necessarily the point – information is still at risk.

And that’s one of the biggest challenges.

In fact, one of the most pressing threats to industrial security today is people.

But people are also a significant part of the solution. As professionals, we all need to have a working knowledge of the concepts and tactics in all areas of security.

One important aspect of this is to build relationships with colleagues in other industries BEFORE a crisis comes. Trying to build it after the proverbial “bomb” drops is too late.

As Charlie stated, “You’re not just the first line of defense, you’re on all the defense.”

2. You’re Never Going to Be Perfect

The ball is placed squarely in the court of humans once again. People make things work, but they also, sometimes, drop the ball.

Charlie shared this story that took place soon after he had joined the FBI:

At a long ago senate hearing, Paul Redmond was finishing up raising the Senate Select Committee on Intelligence on the enhanced damage assessment. Senator Rockefeller, after hearing all of this, leaned over and said, ‘So, Mr. Redmond, do you think there are any other spies in the U.S. government?’ Paul looked up and said, ‘Sir, I’ve been doing this for 40 years. It’s a statistical certainty.’

The bottom line is that things will happen. Threats will be realized – it’s statistically certain that they will.

But our goal is to mitigate as much as possible, and prevent as much as possible, while knowing that you’re never going to be perfect.

3. Don’t Be Afraid to Take the Lead

This ties back to #1: Humans have the ultimate responsibility. Never be too intimidated or scared to step up and say what needs to be said.

It doesn’t matter whether you’re a junior employee or a senior executive. If you see something wrong or something that needs to be fixed, you don’t have the option of raising your hand and saying something. You have an obligation to do it.

Take a Note From Charlie

There’s a lot more that Charlie had to say and it’s worth it to check out the webinar, if you haven’t already.

But the points that stuck out to me include the idea that humans are ultimately responsible for enforcing security protocols and managing safety, we’re never going to be perfect, and that we should never be afraid to take the lead and speak up when it’s necessary.

If you missed the webinar, you can catch it here. You can find the full transcript of the webinar below.

Transcript

SPEAKERS

Charlie Phalen, John Dillard

John Dillard  00:05

Okay, I think we're about at the starting time. Good afternoon, everyone. Thank you so much for joining us for another thread switch webinar. I am absolutely delighted to welcome Charlie phailin, former Acting Director of the of the defense counterintelligence and security agency, now principal of C.S. Phalen and associates, to have a conversation with us about what he has learned in his career and what we ought to be thinking about. I know we have a mix of industry and government today. So it should be a free ranging conversation I'm certainly looking forward to this is this is gonna be a fun one. Before we get started, just a few housekeeping items that are mentioned. Those of you have been here before, you know some of the drill but certainly want to make sure we get questions answered. So the most important thing now is locate the q&a button in the zoom webinar, which should be in the bottom of your screen or on the top of your screen, depending on where it is right in the middle, labeled q&a. Put your questions in there, and we will answer, we'll tee them up and get through them. And we get to the q&a section of the conversation, we'll make sure we get those answered. We do have lots of ground to cover. So my guess is we'll get a lot of questions answered, but probably not every single one. If we don't, we will do our best to get you follow up answers after the webinar. And as a reminder, everybody always asks, well, will we get a recording when we get the slides? Yes, we don't have a lot of slides today, because it's gonna be mostly conversation. But we will certainly share the recording and slides with everybody after the webinar. So with that, I want to provide the best introduction I possibly can I start I don't think I'll do it justice. But I'm gonna I'm gonna try to Charlie failing. Now most of us know, Charlie, from his time at dcsa, most recently, but also was director of the National background investigations bureau be ended and spent time in industry to so Charlie was former vice president of corporate security at Northrop Grumman. So he seen both sides of these issues in industry and in government. And Charlie has been incredible, 30 years in enrolls in the government, ranging from director of security to CIA, on top of the FBI, and really in our own for a time, and really few people have seen as much as Charlie has in in security, personnel security, and how that's evolved into where we are now, which is a period of significant and dynamic change. So I couldn't be happier to have Charlie here. And really, I'm gonna, I'm gonna turn it off screen share, and just start a conversation with Charlie and Charlie, first of all, thank you for coming. Welcome. My pleasure, man. I guess my first question having given that overview is, how did you get there, as you showed up in this job in the first place, how did you end up in security? What what's the background story?

Charlie Phalen  02:55

Okay, yeah, thanks. Thanks, everybody joining us today, a little bit of this is back in the future, if you roll backwards and take a look at me as a junior in high school growing up in Metropolitan Washington, DC, and thinking about college and beyond, the streets in this town looked an awful lot like they looked in the past year or so here. Lots of people protesting lots of police, lots of National Guardsmen. And this either then or now wasn't confined to this deep sea, it was all over the country. And this went on for a couple of years, dropped off for most of the next few years till we got in more recent times here. So anyway, finished high school went off to the Ohio State University in the fall of 1969. With dreams of being an architect, by the spring of 1970, my hand reached two important moments. Number one, I discovered a weird rule. In the architecture program at this university, no one can pick up a pencil and begin to draw or design it until their junior year, which to me seems to be sort of an intangible deterrent to the business. And then secondly, and more relevantly, the Ohio National Guard arrived on campus in that spring to deal with some student protests and those who are old enough to be keeping track of things Yes, at the same time as Kent State. Ultimately, the school shut down for most that spring quarter. And then after ruminating on both the Dell pencil and we fix bayonets, and we're walking around this, I eventually decided to try this direction. So although one of the Maxim's architecture that has stuck with me and it's still stuck in my brain is form follows function. We'll talk a little more about that later. But transferred to the University of Maryland, poked around a bit and was attracted to the law enforcement and criminology curriculum. I also needed to make a little bit of money and so not much later than that I'd had a part time job working security at a local DC Baltimore department store chain. You need to remember when we had more department stores, I worked with them for eight years. I learned an awful lot about the criminal justice system of the district. Columbia and Virginia and Maryland heard a lot about employee and will say insider threat, even weren't smart enough to call it that back then. That's my employees and what a huge problem it was. And, and a lot of other related security experiences. And parenthetically, I met my wife there. So it all turned out pretty good. So now what I have my degree, I have lots of experience, and I applied two places. One is an organization in the news today, the US Capitol Police, not because of what I saw happening in DC, but actually, my roommate had recently joined encouraged me to apply. And then there was the CIA, and you guys know which way like, so much of the next 40 years was covered in that short bio. But I would highlight one some seminal assignment back in the 90s. I was detailed to the National Reconnaissance Office Security Center as the chief of facilities and Information Security Division. And those of you familiar with that program, realize that no, it's pretty much a parallel to what was in defense Investigative Service. More recently, BSS today dcsa. reason I point this out, is that up into that point, well, I had a pretty good basis and understanding the tenets of security, often the global basis of travel. This is what my first introduction to declare industry built an awful lot of relationships with folks and industry during that time, and many of those relationships are still firmly in place today. I would say more than point, the value of those partnerships is a measure where you just want to be a little bit later and Marvel's CIA, FBI. Even more so when I retired from the government joined north of Grumman and began looking back down the other end of the telescope at the impact of all the rules and policies out there to handle making noise in the government. And so then I retired.

John Dillard  06:46

That's not too bad for a department store to NRA. I'm tempted to ask you what you learned about insider threat from working in department store, but I'll save that for the end.

Charlie Phalen  07:00

But your other questions of how you handle the end of the dcsa. Good. That's it Next. Next. Exactly. And so we're going to take a little bit of a step back to 2016. To get to that point. It's not we're after I retired from Northrop Grumman, and I got to do some consulting discussions with a some folks about solving the challenges that had dropped on the OPM federal Investigative Service and 2014 and 2015, non renewal of one of the best primary investigative contracts and data breach. This ended up as a request to take on the role as director of this newly created national background Investigation Bureau. I will spare you all the details in the conversation. But the bottom line is I spoke today and glad that I took advantage that opportunity. A key to this thing was just being exciting new, this was a true team of government, pretty much all of government and the private sector. And they wanted collectivity effects and get it done correctly. In short, they and I were unified in the commitment to build the investigative capacity, question and improve the process and play a role in reviewing and developing the policies that drive this mission. most visible piece during that time, and it's still ongoing is the advent of the trusted workforce. 2.0 edition. As a little bit of a sidebar, Margaret weikert, who was the director for management of the White House was also our role was he the leader of the pack performance accountability, council principles, three for people that actually read the driver's license, she pulled me aside at one point, witnessing first going she said when was drafted work was one point out. And I looked at her with a straight face said I'm making 47. Sort of laugh anyway. But at the same time, all this is going on, there was a there was pressure, followed by some very specific legislation to move much of this investigating mission back to the Department of Defense, specifically to DSS from which they moved in the early 2000s. A lot of back and forth, but in the end, in a minute and understanding that mentioned the investigations and recovery activity, and the trusted workforce, 2.0 initiation. Creating that parallel universe does not seem like a good idea at the time. So the administration directed that the movement of the entire NBA idea organization to the department offense and merge it with DSS and consolidated adjudication. So creating pcsa right under those circumstances that are very happily, Director dcsa throughout the country, I would say the same marriage is easy. It's a simple word 12345 letters. There's a lot of parts, an issue to think about when you do that. Just a couple of points on my approach to that. One, try hard to avoid disturbing very positive momentum that was already in play. Number two, a successful merger does not really need to provide the band's playing banner. Fine. In fact, if it's done properly, the merger and some subsequent modifications will simply happen. And everybody will wake up later and say sure what was emerging. And we move on. And then back to my early architectural experience, form follows function. A new organization chart should be almost the last thing you do not the first image. Here we go. Now, 18 months later, even more has been added to the dcsa portfolio. And in my view, all it really is good. Today, bcsa is a full service security agency that provides some or all of its set of services for the great majority of the federal government declared industry covers the landscape for trusted people. Real and trusted, real and virtual operating provides critical services like data system training, and I would say very importantly, account intelligence is critical in this business. You might ask, how important is that CIA activity? Well, all the things that vcsa or any security, they're done for a reason. Or put differently? What you do like the process of investigations or facility is important. The first you have to ask why. And so what, what the CI programs, there's no answer those questions, it can show you attacks can show what that attacks will look like. It can show when and where it will happen, if lucky. It will show you with the erosion of a protection activity, and more. So this knowledge has to permeate the entire security agency and others like industry, where it's appropriate to share that information. And I know that's a bit of a challenge these days, but also part of the group is working hard to get that expanded as well. Collecting my view of collecting intelligence is very, very important. But more importantly, it's of no value. Just share it with us. It's short, everything I mentioned above has to work in a symbiotic fashion.

John Dillard  12:03

You know, I think the thing that is often lost on industry is just how enormous that undertaking was to merge those organizations. I mean, really, the biggest organizational merger and the government since the stand up of DHS, a ton of people involved a ton of money. And those two insights are are fantastic. So thank you for sharing that. I want to I want to pick up on one thing you mentioned and that's trusted people, which some of us have heard of is, you know, trusted workforce 2.0, which, you know, the 1947 1.0, I was wondering if you could dig into trusted trusted people a little bit and what your thinking is on that how that evolved? And the biggest changes that that spawned, while in your topic crossing both InfiniBand and dcsa? Sure. But actually, it goes back to you asked the question about the insider threat a tech company, a lot of this thinking goes back to them because people betray trust them to do it for a long time. But an eternal question here is, can I trust you? That simple? said of course it is what does it mean to be trusted? How will I know I can trust you. So leaping forward to today 2021 trusted workforce 2.0 that activity is going to cover the waterfront on government trust determinations, both national security suitability public trust.

Charlie Phalen  13:21

Those of you familiar with the tiers, tiers one through five investigations, actually, we'll get through that, realize if somebody said similarities to 1232, and three look alike alike. And three and 445 look a lot alike. So let's make it simple. It's affirming the importance of a solid job on injury, as we've always tried to do. Biggest challenge with these changes, really, don't wait to keep checking the trust. periodicity of five years ago or five years is too long. Maybe have five every five minutes realistically somebody collect that relevant information on a near real time basis, and reaffirm or refute that basic decision. That whole idea of doing that first adoption, perhaps informally happened in a handful of agencies, probably guess which three letter agencies they were a lot of it using user activity monitoring other sources that were available to them. A lot of early adaption in industry before we change to when it came out really fortunate to be canned and some effective programs really came out even better as it as the policy has been involved in forming change to tacitly acknowledges that all industries is built in built in room for big and small companies, each of which will have a different answer to the to the questions and what am I looking for working to find it? I can pull it together to assess mitigate, take appropriate action. And the whole goal again is to get to finding the problem early before they go bad. So it goes back to the life issue. One more point on this, I guess, there are no magic bullets. And I can't use that phrase a lot in describing things, but there are no magic bullets. The question is very simple. The answer The answer is as variable as there are people, human behavior exists on a continuum. I've used this example enough in the past Mother Teresa on one end of the spectrum, Charles Manson spectrum, most of us are in between there, and we kind of move in and out of that one continuous time zone. One last thought, and this ended up its momentum. And the government, there's no ended instructions. And there are times when the change of administration results in the drop off or focus of an important program such as this. I worried about that really badly about four years ago, when the ministration shows most of the principal officials moved on. Because they were political appointees. But interestingly, the security program did not lose his mind. In fact, he grew the attention from both the executive branch and Congress was continuous in bad news, depending on the field. So far, the same thing this time interested not almost daily, its interaction.

John Dillard  16:14

That's a fascinating observation, I think surprising for certainly for me, and for many of us, when you think of changes in administration's is a bit of a whipsaw, sometimes, but I mean, if there's anything that I have heard from the speakers we've had on these webinars, it's that look, this this pace of change that we have seen over the last four, six years, insecurity is not going to slow down, it doesn't matter who's in charge. Because the threat environments changing, the technology is changing. So that's it's the new norm. I would add parenthetically, I spent more than a fair share my third time, a fair share of my time is in front of different committees down the hill. And typically, we are members from both parties in the hearings in the closed and open sessions.

Charlie Phalen  16:57

I couldn't you couldn't tell by the questions being asked.

John Dillard  17:02

But you could tell us we're very interested to get this done. Right. That is actually extremely comforting. Probably when I was wonder if we could talk for a second about lots of themes that we hear, especially on the industry side, deliver on compromises and supply chain. It has been a word that is used a lot. The how that shows up in policy, and what we need to do in our programs is maybe a little fuzzier and I was wondering if you could share your perspective on that particular theme of supply chain, deliver and compromise. Where do you think we're headed? Maybe one industry might need to be challenged? Good question. Yeah. So looking backwards, Bill Stevens, some of you may know him later. dcsa is gone. Now. Alan prison Team Leader NSA. I came up with his characterization delivered compromise several years ago. It was picked up

Charlie Phalen  17:58

in excuse me in the famous mitre study back in 2018, with Bob Metzger and Barbie, Rushkoff and Christianism when they raised that concept and put it into the into the document, widely distributed. There's some interesting parallels between that and the trusted workflows and enhancements, including improving the process, really reevaluating what the threat looks like, what the vulnerability looks like, and what is the ultimate risk picture. A lot of that is already underway. I know abilities been pretty vocal in before he retired and a lot of venues talking about what that threat looks like outside here. Clearly, we have a better grasp on threat vulnerabilities we had some years ago, and more interested in dcsa has a huge role to play with clear industry of missingness during the traditional facility clearances and folk guided determinations, emergence and the growth of new approaches, Mike cmmc, my all time favorites UI and the greater involvement of procurement organizations, particularly DMD in this. And I think that's really, really important because there were if that requirement is not appropriately or even existed in the contract, it's not going to happen. And so having the procurement people engaged is really important. For everybody, this is an evolving world and the growth experience, both in terms of knowledge in terms of tactics, like trusted workforce, the question is simple. Do I trusted that chip, that code that hardware has not been compromised? The answer really calls for constant attention, lifecycle evaluation and manufacturing process, an awful lot in motion, both in process and problem settings, not necessarily easy either for the government oversight or for industry execution. But we really do that to do that.

John Dillard  19:49

Thanks ton of sense, and really, I think most of us have just seen it from the security side and are in companies the procurement teams are not necessarily involved either. They might never even heard of the liberal, uncompromised. So it's challenged that that's useful. Another topic that we obviously are talking about a lot right now is information technology, cyber, which, you know, there are a lot of topics in there that we could we could pull that. And I was wondering if you could pick a couple that you think are particularly interesting or important for security professionals, when it comes to it and cyber, both technically and organizationally. How should we be thinking about those issues? Yeah, that's a fair,

Charlie Phalen  20:29

short answer, although I could probably get a little longer on this. It IT security, cyber security, and that's a really tricky name, Michael anyway, has to be part of today's security, great experience. None of the elements of security of a comprehensive security program can be mutually exclusive. Strategy can't planning and countermeasures build can't, execution can't. A trust factor ebbs and flows, tack methodologies evolve technology, and people grow old to keep refreshing. And it goes on from there. But the both the threat and the solution starts with humans. The attacks are plan devised and at least initiated by humans. insiders do evil. And insider do really dumb things, mostly the latter. In fact, if you check the new federal news network site, there's another study published this week talks about zero trust and in risky acceptance, much longer article, but very good when I recommend finding it, pointing out that roughly 80% of insiders have caused data exfiltration. And that doesn't get malicious that we're doing it unconsciously or expeditiously. It still puts information at risk. And that's the challenge we get. And so on the other hand committed and determined humans, most of the people on this call, if not all of the people on this call, have to keep watching this entire ecosystem, devising, coordinating, revising protection strategies to and ensuring that integrity. If it was done in concert, a roll the camera back a little bit early 2000s, I make a trip down to the Hoover building downtown and struggling to a short interview, which turns out to be a job interview for a rotational assignment down there with the director. And you think about all the challenges that they're faced with that 911 has happened. But anthem has happened, anthrax attacks have happened. And I could go on and on and on. Dr. Mohler had one question. What do you know about information security? And that was the question. The news is, I think I answered it correctly, because I got the job. But the bottom line is, he knew at the time and probably still knows, I know that I know. And all of you out here on this call know, the importance of both in a world wonders constantly hit by threats, and have to deal with them. The importance of both sharing and protecting critical information, and the challenges and the trade offs that have to happen. When sure short, we just don't need to be experts in all aspects of this. And I can't wait to cope with fixing stuff. But as a professional, we all need to have a working knowledge of concepts, tactics, and solutions and all of the areas of security. Critical and you know, matches the themes that are almost in parallel with supply chain problem is that even security? You can't work on it alone. It's got to involve the other side of the house. And let me add a sort of snapshot here on this thing. So what is it about today's picture? A couple of thoughts about it. Certainly more and more of the attacks come from afar. That benefits an enemy because unless you're a capture if they're trying to hack into something from their basement in Beijing, as opposed to breaking into a building in California. It doesn't always have to start with as much today as it used to be with a new group. That said, there's still a steady stream of volunteers, and no, they're not going to be turned down at the show productivity information. And if you leave the door open either reality or metaphorically, they will go. And another another piece of that is actually an overtime problem. We build our countermeasure strategies based on how we value information, top secret gets as much protection secret gets as much protection, punishment tests and SEO I get something because I believe it is. And we base our protection strategies on that. That guys don't care. They're going to take with everything get their hands on and we know from most recently, what is happening out there in areas not covered by any of that stuff, whether it's top secret or cure. In fact, sort of a truism here is it pretty much everything that is a high, high degree of technology collection system that is helping the federal government that right now started its life as an unclassified how you

25:01

That's really continuing to gel. And all the things I just talked about will be.

John Dillard  25:07

Excellent. Alright, so next question. And we're going to tread into an area that's a little bit more current, possibly fraught with peril, but I'm going to ask you anyway. And that is the current environment. You know, most people think of it as triggered, but the events of January 6, whatever you want to call that, and how that is affecting our perceptions of the threat environment, domestically and internationally, how that might change behavior security, how we might overcorrect are under correct. I would love to hear your thoughts on everybody laid on what your perception is of how that changes things if they do at all, or whether they should know. Well, I noted the beginning, I did not join the Capitol Police. But my, in my years in government, and particularly my tours, as the head of security, CIA, and a couple jobs, and today, as long as well as the FBI. Each of those is embedded with a Federal Law Enforcement Unit. And that agency, very similar protection responsibilities to Capitol Police have a lot of understanding and familiarity with those tactics are. And I am I was then I'm still sure that the officers and all those organizations and other federalism, federal spirit,

Charlie Phalen  26:22

GSA folks are dedicated to that mission. My reaction is I watched what was happening? How could they have been left in a situation where they were so undermanned, and initially unsupported, despite what was literally on the horizon? I have a lot more to say over a beer over that. But in short, this is a significant failure that won't stop. Let's take a second right here. This event and I would argue, I think you've mentioned with john that other reason, violent protests as well, are already driving efforts to find out how the personnel security clearance process, both conditional and continuous vetting can identify individuals who are participating in or planning to participate in violent acts that will be disruptive. We found out after this period of capital, that some of those folks already are affiliated with the government some of logic, some of the rest will probably aspire to join the government. So how do you find a lot of solutions are being offered. But once again, one member of Congress has changed sF 86, particularly section 29. has to deal with these decisions. Hey, I don't think that needs to be changed. Right now to get to the heart of it. I think it's sufficient to get to those questions. More importantly, it's not going to change very quickly. You look at how relatively relatively simple change two questions What do you want mental health question, which took literally years to get codified on the DSM 86. We don't have time to wait for that. publicly available information on the internet, often touted as the magic bullet will possibly provide leads, but it is more effective. It's more effective uses not in screening more effective uses on focus. There's gonna be a lot happening in this area in the coming months in the course, literally this week, we have a reminder of yet another challenge. lone gunman, then guided missile. How am I going to get an early warning about something that happened with the giant food?

John Dillard  28:27

Probably Whoa.

Charlie Phalen  28:30

That's a short answer to a much longer question. But there's gonna be a lot of effort in trying to find out how to find these folks that are looking deep into violence. It's going to be an extension of the work that is already in process. How do you upfront get a clear understanding of individual? And how do you keep track of where they're going? Rather insensitive?

John Dillard  28:54

That's extremely helpful. And it sounds, you know, like, it feels like common sense to say we have to execute the fundamentals. Well, yes. But that that seems to be the underlying issue here. And, you know, especially those who are in companies who, you know, are not sure how to deal with with with people who are hiring, who might be doing things that are on our radar now that were on radar before, but the basic blocking and tackling doesn't change. Right. Excellent. Great. Well, we are close to halfway. So what I wanted to reserve most of our time, for the second half to just take questions from the audience. So I will remind everybody on the call that press that q&a button, we have several great questions already. I like to pause and give everybody a chance to submit additional questions. And while we do that, as we as we do in our webinars, we're going to provide a brief poll question and leave it up for about 30 seconds. You can take this time to responsible let us know if you want to hear from threads which directly about what we do. As most of you know, we're provide a software product that tackles some of these problems. If you don't, that's fine. too. And once you've done that, think of a good question for Charlie to type it into the q&a box. So I'll give you about 30 seconds. I will not hum the Jeopardy too, although I've been asked on several occasions to do that. And take a second and then we'll jump right in. And there's some good ones, Charlie, I can show you to nominate you for the guest host next week, then. No, not gonna happen. Okay. And I haven't getting some feedback that maybe my audio is hard to understand is that can somebody let me know whether it's getting better or not? That would be helpful. You're okay to me. You just have a center as a voice. I think if you are having a hard time hearing, Charlie, I turn my volume up a little bit, sometimes on webinars, because it's always a little bit different. But I think you're okay. I haven't seen a ton of feedback. All right, I think we are wrapped up with the poll question. So I'm gonna jump in Charlie and and tackle the first question. Really interesting one that that they came up first, actually this one I haven't heard of. And that involves green vehicles in fleets, and what security issues they may present. I mean, a lot of us if you follow the news, you know, the Tesla have cameras all over, it does all kinds of stuff. This, I absolutely can understand how that's an offset problem, where you know, some other third party either could compromise those vehicles, or quite frankly, shouldn't have that data in the first place if they're driving around government facilities. I'm curious, and this is this is a great one on what are your thoughts on those kinds of technologies, especially on vehicles and fleet vehicles? Is that something that you've heard before? Well, good question. And not only a great vehicle, I have a Jeep, I haven't had to deal too much with that. But the, to me, it's an extension of the Internet of Things challenge we have almost everywhere in our lives. These days, whether you install a refrigerator is keeping track of what you're telling your children and your spouse.

Charlie Phalen  31:59

It just takes it out into the field, it's probably less of a problem in this country. As long as it's the vehicle being used for transportation only, where it would be I would see as being a huge problem, it's going to be frank kind of operational purposes. And showing up not too dissimilar, by the way to your cell phone, which can be tracked, showing up in a zip code that you probably shouldn't be showing up at an address you probably should. So almost to me is sort of an extension of the of the whole Internet of Things, you know, the challenges of cell phones, I don't have a perfect answer for you might not normally, would it be appropriate to say hello with green vehicles? But this is this is a challenge for the green vehicles or anything else to discuss. Excellent, good question. That's that that was a new one for me. Well, there's there's a question here, we always get a question about technology and technology that's going to be deployed. given everything that's going on. I mean, really, in deploying technology, government in general is always tough. And there are lots of stories insecurity about that. Now, any thoughts on in this development, and when you think that might fully roll out in terms of the next generation stuff, I go back and look at some some of the presentations of Bill Gates out there. In the meantime, one of the major things that has slowed some of that down was a recognition that there needed to be every baselining of the requirements and some of the trusted workforce, things started to evolve. And so bill took a reasonable positiveness and we baseline at all, and is now back back on track, but not exactly the same track that was on before. So some of the things that we're going to be first out the door may not be first out the door. Some of you may recall, I made a promise in some earlier lives that this would be up and running, at least for two or three cases for quite some time in the fall of 2018. I missed everything. But I know that they're working really hard to get this thing up and running. And and, and not only to support the investigations mission, but to support the continuous vetting mission. And, and at the same time, it's going to be LinkedIn with the other major changes shifting with the it stuff there too, which is a transition from tear gas to disk. All that becomes sort of intertwined. And it adds a level of complexity. This is delayed. I don't have a good handle on when the actual delivery date is I would probably what I would defer to folks at UTSA. And obviously it's not right around the corner, but it is within reach.

John Dillard  34:35

That's super helpful. It seems like you've been in the mix on almost all the hardest things that this community has ever tried. All compressed within about a two year time frame. And as a as a follow up to that one. Another question is on policy development. I mean really, systems are one part of it, but the you know, the seeds that were have been released over the last few years. The ISS tells the shift from, you know, this bomb to CFR insider threat before we change to I mean, there's so many things I was wondering, I think in industry, we under appreciate how difficult it is to actually move these things through the government. And I was wondering if you could share your insights on why that is, and help us learn a little bit more patients with you guys, which I think is not extended quite as often.

Charlie Phalen  35:28

Know that advice out there, even for patients? And maybe the short answer is, it's the government Where are you going to ask me this question. But it is a both by design. And by reality, it's a bureaucracy and the net, the net product that comes out of the back end is better when everybody who is going to be affected is involved in that conversation in that discussion. And there have been continuous attempts to make sure that everybody's engaged. And so when we think about talking about the performance accountability Council, there are four principles on that. Pretty much every agency that has it does trust determinations, and that's with 100 or so has a seat at the table, and has a view of what's going on instead of trying to coordinate all of that in terms of views and making sure that the policies are going to meet those requirements takes a while. And it just is. It's a slow progress. It's a little bit like legislation. It just takes a while to get down the pike. What I find truly gratifying. I mean, it's no sincerity is as I've lived through, I'm trying to think back to making a long story a minute I want to go back to 1970 1970s really had a review of security 1980s, I had a review as the 1990s, a whole lot came out of these things, they made a much of a difference. I even discovered that book, my father was given security bits to quote from a book my dad left behind that was printed in 1964 was lamenting the fact that a study done in 1957 by Congress about the problems with industrial security, nothing had changed. And so what I find seriously gratifying, but trusted workforce 2.0 is the willingness and the continuing willingness of all of the government to to get this done and get this done right and make those real differences, real changes will make a difference in how we think about and again, the biggest changes, don't fall asleep for five or 10 years between clearances, keep your eye on this people. So find the problem. And that was never really

John Dillard  37:32

great stuff. Um, you touched on it briefly in your in our initial conversation. But given the departure of key champions and pieces of especially around the vetting, transformation, continuous vetting, which which happens, right, these people will leave they transition away. The question that has been submitted is, how do you feel about that moment? Do you specifically on the vetting questions, you feel like there's a good momentum is can be maintained there? That are there issues that we need to be concerned about? So that the left where your questions in terms of Are there additional concerns that we should have about them a minimum of the transformation and vetting?

Charlie Phalen  38:13

Other keep your eye out and keep asking the question. And industry does have a couple of representatives that are sitting in the leadership group for trusted workforce 2.0 out them here. It's john Hildebrand, and Doug Thomas. And those folks you can talk with to get your thoughts in with them. The panel is still very much active. And a couple of places that the the performance accountability counselor PMO Program Management Office met and is still very, very, very much engaged with. And that's the, that's where the work is actually getting done to get this to beat up to people to make decisions. I haven't seen a shortfall of people willing to make the decisions. Getting it up there and getting the two neighbors reports. I'm not concerned about momentum. There's some new faces here. Clearly. There's still some old faces around. And, again, one of my views on is it if I if I've done my job correctly in a transition program, and I get hit by a bus. Nobody knows this and yet they keep on going. And good news bill Leto 11. He knows that hit by bus, Mike Regan limited by bus they all left. But people have followed in the footsteps and good stuff.

John Dillard  39:25

Good. Good to hear. Charlie, when are we getting a couple more comments on audio quality? So my suggestion is if you could possibly slot a little closer to the mic, and we'll see if that helps a little bit. That helps.

Charlie Phalen  39:37

Wash my eyes. Okay, yeah, well, you combed your hair, if you get that close due to hair.

John Dillard  39:46

Alright, next question we have is a really good one and one that we hear often what's the most pressing threat right now? What, what should we just release security especially be concerned about and in terms of the entire threat in mind and there are lots of choices.

Charlie Phalen  40:00

As we go on, yeah. So I would talk about the eternal threat, which is, there are people in organizations that are going to be triggered for us. It doesn't matter what decade I'm talking about what generation I'm talking about, they are there. And we've got to keep track of that, and they betray that trust to is different. Sometimes, then the fact that there'll be training, a lot of the things that lead to that betrayal look the same, no matter what environment I'm in or whatever. So that's a number one, continuing number one. Number two is clearly the the emphasis is less on, can I although they wouldn't forget, if I can I break into the top secret system is still nuclear launch codes, it's how can I find the plans for actually building that rocket, or something that will launch that thing itself? And so the two major players, obviously, you guys don't realize that we are maybe three major players that are digging into this stuff. They are active and will continue to be active. And I don't know what's going to stop them. So we've got to keep our eyes on those technical attacks or attacks from afar. Certainly protecting the information technology, which is the way we get things around around our systems these days, is is equally as critical as making sure that people that are on that system were people that we can trust. And we get one of those threats, and another questioner specifically brought up disinformation. I mean, our adversaries have been doing this for a very long time. It's not disinformation is not new. It certainly feels like it, it feels like they're better at and there's more on it. And the question here is, what your thoughts are on the impacts of, of disinformation, misinformation, and how we assess security risk, it feels like it's it's difficult to keep up with, especially if you're a company, you have necessarily a ton of resources, to to identify those, what are your thoughts on that particular threat, I could take this information in its larger sense of who is creating memes on the internet to give me false information about UFOs flying into your house and, and such. That sort of the avenues for people to disseminate that information and get that out there are far broader than they've ever been in anybody's lifetime. And so that, how to keep track of that as more and more problematic. And I think if you think back 20 years or so people were predicting this kind of stuff for the future. Well, it's kind of here. So the only way you can really counter disinformation is with the truth. And so the ability of I get down tactical now for industry is stuck with some of these things is until the government can actually get the truth about a problem and abide by the threat by risk to the industry that is dealing with it. It's not going to be helpful if that information has to be made available to industry to deal with that stuff. Otherwise, it's going to be disinformation, or just people answering quit coming up with their own answers to questions and nobody's giving them the right information. And so then, and then part of it's going to have to be the I don't know exactly how you do this. But people receiving the information industry in the case I just mentioned have to feel like they can trust the information that they're getting from the government.

John Dillard  43:13

It's excellent. And in fact, you just gave me the best quote of the of the of the webinar. So I'm going to write that down and bring it back up. But specifically related to the industry Government Partnership on things like this. I mean, this, you just raised a good example. We had a question on information sharing between government and industry. It often comes up on insider threat. And, you know, companies are trying to build insider threat programs, but they don't necessarily get threat indicator information from their government partners. supply chain is another area where that seems to be an area of concern. What are your thoughts on how we can do better between industry and government and sharing information, especially on threats, but also on operations?

Charlie Phalen  43:55

In better is literally finding that more avenues and more opportunities to be to be able to share relevant information with trusted people in the industry who can do something with it that will help help mitigate that threat. It's it is that somebody, actually it's it's that simple. But it's also that complicated, because there are both sort of a history and some still not really well defined set of rules about what can be passed and what can't be passed. And it's actually a bit of a two way street because there's also concern in government that industry may not be passing along to government concerns they have about employees in their in their care. I think that's an easier problem to solve. And just we've got to sort of pass that on. But the government again has to be able to go back to industry and provide industry with information about threats, whether it's specific to an individual or, or more broadly by an attack scenario. That will tell you that There are efforts underway to try it at various levels, not just within industry or within the executive branch. But even Congress is involved in some of these questions right now about how can we better facilitate the cross sharing of information to the benefit of all parties?

John Dillard  45:17

Excellent advice. Now, the other one on supply chain, they came up and this one's a question of degrees. A lot of frogs especially are wondering how far down their supply chain or should they feel responsibility. I mean, especially bigger programs, f 35. Being a great example, we have 1000s of suppliers, second, third, fourth tier suppliers. What are your thoughts on prom prom contract are really means your contractors, rush responsibilities and obligations to extend security visibility, as I said, so get away from the policy into this thing because it mutates a little bit. I'm not sure precisely where it is right now. But I'll put my fake lawyers bet on here. I'm a prime, and I'm providing a product to my customer. I don't know that it's fair for me to say, oops, I didn't know that supplier had done something to that ship five generations earlier into this supply chain,

Charlie Phalen  46:13

I would hope I would believe I would want to be able to go back and verify where it is if you can get government programs that worry about where the minerals came from that made that shift. If we can go back in and figure that out, we got to be able to figure out what happened in the intervening steps between it was just a piece of ore in the ground. And now it's a chip that's been shipped to me from Hong Kong. Yep, it's a tough one. And the information sharing question that I asked you is also a pause between promises itself, they're still figuring out how much they can and should share with each other. Do you have any observations on that particular challenge, which admittedly is a legal one, where you have prime a asking prime me to share insider threat data on people on the project? And the and the other company simply says, No, we don't have to do that. Sure. So somebody's got to make a rule that they have to do that. And there is a rule, they have to do it quickly. If they're if they're in the current industry world, they have to deliver at least to the government if they don't deliver to the product. And the trick is, is the prime ever find out? Does the government ever turn around, say a prime or your son just called and said Bob's got a problem?

John Dillard  47:24

Yep, yep. Well, a question on this is a sort of a policy detail. But you know, I think it's easy to overlook, went from this bomb, to 32 CFR. And I think there are a lot of questions from folks on whether that was just a labeling change, or there are material changes that that take effect with that transition that we need to be aware of object confesses was going on after I left, and I don't have a lot of detail on that. So probably not a good source for that question. But again, assuming that there are folks from dcsa, listening on this call, john ESCO. Sam will be one of them. Maybe we could help answer the question. We will send it out. There's some good nuggets that Heather Sam shared last month on that.

Charlie Phalen  48:11

I think the short answer is yes. You need to get read it. Okay, start with that.

John Dillard  48:19

So, China specifically is a question we got one on and recognizing the sensitivities of information that you may not be able to share. I'll preface it with that. Do you have thoughts on China's efforts, particularly as a threat actor in our environment, how that's changing how we think about security, and whether we should be spending any outside, you know, anything other than the normal course of blocking and tackling on China than we already are?

Charlie Phalen  48:48

It certainly over the last few years has changed our approach to thinking more and more recognized the threat that China breached. And although it's limited, it's been there for a long time, it just it just didn't really see seep into the understanding of what impact it has on its supply chain. Over time it grew. And I think we're we've reached critical mass on that front. We got to build into basic blocking and tackling strategies and the countermeasures help counter I'll probably say more in sort of a final topic, I'll say, but I'll say it now. We're never going to be perfect on this. And we've got to do our damnedest to get that to prevent this stuff from happening. Because some of the things that have snuck out the door I just been too simple to even get to got to make it at least hard if not impossible, to get to this stuff. But it's got to be built into the basic sort of paying attention to things. And part of it goes back to what I said before is, things are sitting out there as unclassified. Nobody needed to protect it, is what they snatch. And that take a look at their version of the F 35. looks suspiciously like ours, but

John Dillard  49:58

good stuff and you know Specifically, we have another question related here is Soloway attack, which, you know, of course, is pretty fresh in everyone's mind.

Charlie Phalen  50:09

Supply Chain vulnerability to nation state actors in particular, recognizing that this one happened to me, or at least reported in Russian.

John Dillard  50:18

But what are your thoughts on the activity of nation states? And especially on the supply chain? This happened to be in it supply chain or it could be elsewhere? And whether is illustrating is the focus that are placed on nation state threats or on on criminal threats? Or what what are your perspectives on on the importance of the nation state threat for supply chain?

Charlie Phalen  50:43

When the attack comes, I don't think distinction whether it's nation state or criminal, it gets lost sort of in the mass, it is setting yourself up is more of a understanding sort of motivations are corporate understanding techniques and approaches that whether you're a nation state or criminal enterprise, or in the case of some countries, they come in with a price working for the nation state? How how they are mounting this attack and what they're going to come back. And so although being able to say well, it was a nation state versus a criminal thing, maybe some comfort to some people, it's not. So again, it's I I worry about who the threat is coming from and how they're going to do it, but less about what their motivation for the nation state or criminal, criminal, or back to the to the lone gunman. It the fact that he did not have any political motivations. Again, 10 people in debt, that's no comfort to those people, families. Yep.

John Dillard  51:44

Well, that is a really good place to pause. We've gotten through almost all our questions are really good ones. But I wanted to make sure that I gave you the opportunity to wrap up with closing comments on now that you've heard some some questions from the audience, and you've had some chance to reflect. If you happen to have in the course of your response, I have only one thing that I'd like for you to touch on in your closing comments. And that is the most important thing you learn from being a security guard at department store.

Charlie Phalen  52:14

gov that that's a fantastic way. So I'll turn it over to you please share your closing thoughts with us and what what, what things you wants to walk away from? Okay, so I'll tackle the tech company thing first, because it's, it's you brought that up. If there's anything hit me between the eyes, it was the propensity for employees to commit that. And the the sheer volume of employees were willing to be trade, their company that they're working for, is is quite the same as me walking out with the plans for pick my favorite airplane and get it to get to the bad guys. No, but it is still betraying that trust. And the quick numbers piece is one of those eight years I was in charge of the internal internal investigations program. I will say I was no better or no worse than the person ahead of me and the person behind that role. Each of us in the year we were we were the time a year that we were in it determined that as much as 7% of the employee population was terminated, and in many cases prosecuted for employee theft. That's a company of 7500 some odd some people any year and repetitive. So it really sort of gets your understanding that it is more pervasive than you think. And people do a lot of a thoughtlessly without even really recognize the consequences. So back to my own work prepared finals, that's one instead of 40 will never be perfect. Whether it is protecting people protecting us against people or protecting us against an external threat. One quick quote, back in a Senate hearing a long time ago when I went in, just joined the FBI and Paul Redmond was finishing up raising the Senate Select Committee on Intelligence on the on the enhanced damage assessment. And you may have heard me put this before but I'll say it one more time here. The senator Rockefeller. After hearing all this leaned over and said so Mr. retina, do you think there's any other spies in the US government? And Paul looked up and said, Sir, I've been doing this for 40 years, it is a statistical certainty. All these things we're talking about our statistical certainties are going to happen. Our goal is to mitigate as much as possible, prevent as much as possible, but recognize that you're never going to be perfect. Secondly, restate again, build the relationships, better to build the relationships with the colleagues with other industries and whatever, before the crisis hits, because if you try to build that relationship after the bomb is dropped, it's just too late. Don't be afraid to take the lead. I have a weapon in my class each time I got here. I have a quick short story of being a fairly new limited gs 15 et CIE is often security back in the early 90s. They were going through some serious reorganization and to change that aren't you are for some good reason. And I found myself might be in one other 15, in a room full of senior executives, as I was trying to plot the future. And at one point, the most senior security executive without the director of security in response to a question about what the strategy should go sad, we're waiting for them to tell us. And my reaction inside my voice was completely visceral. It was, wait a minute, aren't we them. And so my admonition to everybody is you just don't be afraid to take a lead, no matter what what level you're at. And you if you see something wrong, something needs to get fixed, you do not have the option of raising your hand say something from you have an obligation to that. Last thing I'll share with you in my remaining two minutes here. I send a quick note out to my senior staff at dcsa. Literally in the last day, I was I was turning in my phone here. And and just last April, We're shutting down for COVID and everything else, and I wanted to characterize for them what the last few years have been like. And so basically, let me read it to you really quick. It's an interesting ride for the last few years. And I recognize we are in an adventure. In an exchange with one of your colleagues yesterday, I likened it to Disney's Space Mountain ride, you get on the ride, lots of ups and downs, twists and turns, banging noises, flashing lights, after a while a beautiful view of space loads in front of your eyes. And then you plunged into darkness and sensory deprivation. Good news, finally you pop out of a tunnel and you're just not in a place of normalcy. I'm confident we are going to get out of that tunnel, and to that station, both personally and professionally. And thank you from all my heart. And so two things to add to that. One is I thought we'd get to station seven now. But we're getting close to that safety. But more importantly, I want that thanks that I offered back then really goes out to the folks on this phone call. You're all the humans that are making this thing work. You're not just the first line of defense, you're on all the defense. Thank you very much for everything.

John Dillard  57:19

That fantastic parting thoughts. Thank you so much, Charlie. And I can tell you what we're allowed. I'm sure that would be a resounding applause. So I want to thank you sincerely from our team. And really everybody on the call for participating today and sharing your thoughts, which is a great one, one that remember and please do tell your friends if they missed it, that the recording will be available, as well as a few slides and transcripts. So if you missed it today in person, that's okay, you'll be able to get a copy. I will draw everybody's attention to we do these every month. And our next one is on April 22. We're going to dig into cloud technology and how that can solve some of these problems. So you're going to see a demo and then we're gonna dig through some of the themes that we've talked about in the last three months of webinars. So looking forward to that. With that, Charlie, again, thank you so much for participating today. Thank you everybody for coming, and enjoy the rest of your Thursday.

Charlie Phalen  58:16

Okay, thanks.

Keep Reading

Posts by Topic

Subscribe to our
Publications