After 34 years in the Marine Corps and a short stint in the private sector, Kevin Nally still wanted to serve his country. As the former Marine Corps chief information officer, leading the U.S. Secret Service's IT management was a perfect fit.
Nally — who was named Secret Service CIO in November 2015 — sat down with Federal Times Editor Aaron Boyd to talk about the immediate changes he made to set up the Office of the CIO for success, his goals for the future, and how IT and cybersecurity are integral to keeping our nation's leaders safe.
Q. What's been your main priority since you became CIO?
A. The first priority when I got here on Monday the 16th of November was to take some time to assess the current situation within the Office of the CIO. I talked to some key stakeholders — probably about 22 individuals within the headquarters. I got some guidance from [Director Joseph] Clancy, [Deputy Director Craig] Magaw, [Chief Operating Officer George] Mulligan and then made the recommendation to move Information Resources Management Division, which was under [the Technical Security Division] TSD and not under the Office of the CIO.
Mr. Clancy basically said: "Tell me what you need to do to be successful as a CIO." I prepared a brief — probably in the December time frame — I briefed Mr. Clancy and the deputy and Mr. Mulligan and came up with a recommendation to move IRM underneath the CIO. In order to be a CIO, I needed the resources to do that and they concurred.
Q. Why was reorganizing IRM under the OCIO so important?
A. The reason it was an issue is because the Office of the CIO had approximately eight to 10 people that worked within and they had not had a CIO for probably eight to nine months. To be an effective CIO you need the people and the resources to be a CIO, otherwise I had no control over it.
That's why the director said: "Tell me what you need to do to be a good CIO for the Secret Service and how can we get things better organized." And since they've done quite a bit of realignment within the headquarters previously to me getting here, that was the one thing I really needed to do to be a CIO.
Q. Was it just about headcount?
A. It was about budget — the IT budget — the people and the assets. Part of that deal was that I needed complete oversight of all IT spending within the Secret Service, so [Clancy] granted me that. Then I recommended that you need one designated approving authority for all the FISMA systems within the Secret Service and he granted me that. So I had complete control over all the IT spending and I was the only DAA [designated approving authority] for the Secret Service and I had the people and the resources to be a CIO for Mr. Clancy.
The mission here is protection, investigations and national special security events, or as we refer to them, SSEs. To properly support those missions, I needed the assets and the people to better support those missions.
I'll give you a great example. I [had] just got back from New York and … the United Nations General Assembly start[ed] next week. My folks have been up in New York since early September and will be there probably until Oct. 4 setting in what I would refer to as a four-star joint task force headquarters. I look at Mr. Clancy as the four-star in charge of the Secret Service and this joint task force goes up there and supports this mission to support the United Nations General Assembly.
The Secret Service is in charge; I'm responsible for the communications and command and control aspect of the United Nations General Assembly. The reason we're in charge is because of the protection. But to put it in context, everyone that comes up to support the SSE works for the Secret Service. So we have the FBI, members from the Department of Defense, we have New York State Police, New York law enforcement, NYPD, New York Fire Department, Coast Guard, port authorities and various other components within DHS, for example Customs and Border Protection and ICE [Immigration and Customs Enforcement] and Homeland Security investigators.
It's just a huge effort behind the scenes to support this SSE. And it feels good to go up there because 50 percent of my job is actually operational. The rest is policy and directives and strategic planning, etc., to support those missions of protection, investigations and the SSEs.
Q. Your position seems like a dual hat, where you are worried about internal operations here at the Secret Service but you also have to worry about the security of those IT networks wherever you go, at those events. As someone who has been in the tech world, how does your work at the Secret Service differ from other CIOs?
A. Because we're operational. I would compare it to me being the Marine Corps CIO for the past five years. I had a saying in my office that there's nothing more important, 24/7, than taking a call from the field.
I get calls — which is part of my job and I enjoyed it — nights, weekends, etc., to either solve issues or provide guidance on the communications IT/cybersecurity concerns and issues. Easily 50 percent of my job is operational because, not only for the SSEs, but we're responsible for the national capital region, the vice president's residence, what we call the 18 acres for the uniformed division officers who protect the 18 acres around the White House. So communications has to be up, obviously, 24/7 and we do have a joint operations center in this building which I am responsible for as well for the communications and the IT infrastructure.
And cybersecurity plays 24/7 into that. We've got great people. We just finished an assessment of the network that — knock on wood — we're good. We're very conscious to include cybersecurity awareness and training and we have various programs to ensure and encourage people to do that.
This is why I feel it's a really great place to work for men and women — and to include men and women transitioning from the military. To me it's a paramilitary organization: It's operational, you get to deploy, as I call it — I've got 76 men and women deployed right now to New York and some additional to that preparing for the debates. It's just a great place to work because of the mission. And the people here, I'm extremely fascinated with because they're extremely mission focused.
Q. What major initiatives are you carrying over from the last CIO?
There are three big projects: Joint Operations Center, or the JOC, upgrade to make it more modern; we're also upgrading the National Capital Region with new radios, antennae to be able to better collaborate with Metropolitan Police Department, FBI, Customs and Border Protection and various other governmental agencies within the National cCapital Region; and the last one would be what we call EC, enabling capabilities, which is where we're converging our networks’ voice, video and data over an IP infrastructure and also we're building a network operation security center, which will hopefully be manned 24/7 in the next year.
I'd also like to caveat: Our telephone system will not completely be voice-over IP. Call me old fashioned but I like to have an analog-type backup system in case the IP network goes down.
Those are the three big initiatives: the JOC, enabling capabilities and the National Capital Region upgrade.
Q. What new initiatives did you start when you became CIO?
When I first came on I didn't put any new initiatives in place. I wanted to assess what was going on, where the service was headed and also wanted to get a handle on, as a consultant, the state of the CIO Office. That's what I wanted to get an assessment on.
For the future, the big thing we're looking at is a different type of cellphone to better support agents and the officers out in the field. We're looking to provide more capabilities for mobile types of operations.
And when we say mobile and providing a seamless transition from the office to the field for the agents and the UD [uniform division] officers, that’s globally. So that includes when individuals that we're protecting travel worldwide that they have that capability wherever they are in the world.
Q. What's the next big program you want to place, the next thing you want to change looking forward?
One would be put in a virtual private network. Get rid of the desktops and laptops for everybody and have a virtual network. That's probably the long-term goal.
Part of it, too, is to get the right amount of money for a mission-based budget, to get the money that we actually need to accomplish the mission. The service has been really supportive, we just have to keep the day-to-day fight on — "I need the money to do this" — in order to provide protection to what we feel is not just adequate but meets the needs for the special agents and uniformed division officers out in the field.
And continually push toward a more automated environment. I'd like to take a lot of the paper processes out and make it automated for the service. That's another long-term project and goal: Just to continually improve on the mobile workforce.
We’re looking at a thin client, to include the virtual aspect of it. We are actually in the process of building a hybrid cloud [working with commercial vendors] but we're going to keep it here [on-premise]. We’re not at this time looking to move to a commercial cloud.
Q. How has technology and cyberspace changed the mission of the Secret Service?
Technology and cyberspace have not changed the mission of the Secret Service. I would say it's probably enhanced the mission of the Secret Service, especially in investigations with cybercrimes.
I am completely impressed with the men and women that actually do work cybercrimes and cyber forensics, of their intelligence and dedication to the mission, of what they are required to do. I don't know when they started to build out those cyber forensics types of capabilities but I do know that it's a very key focus of the director.
Before I got to the Secret Service, I was completely ignorant of all of the cybercrimes that go on, from fraud to credit card fraud to counterfeit to pornography. I just had no idea how much and how good the Secret Service is at doing that. In fact, the only ATM machine I use now is the one in this building.
Q. What is the Secret Service's role in cyberspace?
The mission is protection and investigations and cyber is intertwined within the mission and conducting investigations. I'm not going to sugarcoat it or put a fancy spiel on it. I call the 1811s — which are the agents and the uniformed division officers — I refer to them as the infantry and we're here supporting infantry, so whatever it takes to support them. If cybersecurity is intertwined in supporting their mission, to make sure that their IT assets work and providing the integrity of what they're looking at.
For example, if they're looking at a video screen or looking at something on their phone or their computer, whether it's a tablet, their mobile, etc., is that they can trust what they're looking at.
[We] accomplish that with very smart people and good tools.
Q. Are your tools bought or built in house?
Our tools are both in-house and commercial-off-the-shelf tools.
Q. Cybersecurity is becoming an integral part of the CIO's job. But at the Secret Service, security is the job. Do you have a different view of cybersecurity than your CIO counterparts elsewhere in government?
I don't know if I see it differently, but I look at cybersecurity as intertwined within the mission.
I put it in Marine Corps infantry terms: You set up a defense perimeter and it's a layered defense, but you also have a recon element, which they go out and probe or look with, like, say, a red team or blue team out into the area of operations or area that we're responsible for, and it's all part of the mission. But the mission is protection and investigations and SSEs, therefore the cybersecurity piece of providing the secure, confidential network where they have integrity and it's available is all part of the intertwined mission.
I wouldn’t say that my first mission is cybersecurity and then it's protection; protection and investigation and SSEs is the No. 1 mission.
Q. How much of the Secret Service is now dedicated technical issues
cybersecurity and the like?
I would say 100 percent, everything we do is focused on technology because my mission is to support the agents and the uniformed division officers out in the field. They need the IT assets and resources to support the mission. So we design things that go back to the basics I learned when I was a second lieutenant in the Marine Corps as a comms officer: redundant, reliable, secure and flexible. If one of those four key aspects are missing, then I have to look at myself and my staff and say: "How can we improve this?"
Q. When securing an event, what percentage of your field staff are focused solely on technology?
The agents, uniformed division officers, what we call APTs — administrative professional technical personnel, which I'm like an APT — we're all trained on how to use the devices and we're trained to be aware of, for example, spear-phishing or phishing attacks. But the 1811s in the field are focused on protection, they need the IT devices to conduct their protection in terms of collaboration with the other agencies and their other agents. So we are completely focused on IT in terms of support.
I look at it as it has to be working. I think the agents and the uniform division officers demand or expect it to work to accomplish their mission.
Of the people I have working for me, it's probably close to 60 percent that leave here and actually go support [field operations]. But what we also do for IT/comms, cybersecurity professionals, we actually pull others from field offices throughout the globe to help support us, as well.
I may have someone in Chicago that I feel more comfortable with performing certain functions than maybe somebody else, so I will ask him or her to go to New York for six weeks and they do. It's a collaborative effort from throughout the whole Secret Service.
I would say probably 20 percent [of personnel at any given event are working on technical issues]. For example, in New York for the United Nations General Assembly, there's a coordination control center at one location, there's a multi-agency control center at another location, there's a joint tactical operation center at another location, there's operations going on at one of the airports and then there's another huge operation going on at another location down by one of the piers.
For example, the pier, I was down there yesterday and there's over 300 cars, SUVs, that have to be outfitted with radios. It's a huge effort.
Q. How does the CIO's Office and that mission support the overall mission: protecting the presidency?
I believe May 20 was the White House shooting — which there hadn't been one in a while — and I know it was a Friday and happened probably later on in the afternoon-ish time frame. Immediately, literally within seconds, the entire staff was up in the Director’s Crisis Center. We were there probably until [11 p.m.], and the communications: perfect.
The voice, video and data worked. We had local TVs on, covering and seeing what they were covering on the news; we had the JOC feeds, the video feeds that were pumped up to the [crisis center] so the deputy director could view what actually happened. The voice, video and data worked great.
It got back to feeling operational — unfortunate circumstance, but in terms of the staff coordination and staff communications and IT communications, not just within this building but throughout the National Capital Region, was a seamless effort.
Q. What would have happened if those things didn't work as they were supposed to?
I don't know. But I have great faith, trust and confidence in the people that work for me that they don’t fail. We don't fail.
I may have been sitting in the Director’s Crisis Center but I know for a fact I had over 30 people that stayed behind to make sure the mission was accomplished. I had radio personnel, I had video personnel, I had network personnel, I had cybersecurity personnel; they all stayed behind and I don't remember having to ask them, they just did it. That's the dedication of the people that I have.
Q. What lessons have the Secret Service learned from recent hacks and how has the agency adapted?
The visibility hasn't really changed the way we've operated. I firmly believe that we as a nation — and as DHS components — have to focus more on just IT and cybersecurity tools. You may implement Tool A today, the bad guys are going to figure out how to get into Tool A.
I think it gets back to a saying we had in the Marine Corps that the best trained cyber brain was a well-trained IT person. To me, focus on training education for the workforce and making sure that your back doors are closed and your patches are up to date and your techniques and tactics and procedures for making sure your network is secure are up to date. Just don't lax.
I put it in perspective with my folks: The special agent out there working 12-hour shifts, focused for 12 hours, we have to be just as focused on the network to make sure that our patches are up to date or configuration management pieces are up to date and well-coordinated or configuration management boards are synced together. I think that's the key.
Some people do disagree with me out there on this one subject. But I think we keep chasing the latest and greatest cybersecurity tool — gotta have it, gotta have it, put it in your network, etc. — I think that's good but again I put more time into the training, education and making sure that what we currently have is secure.
Q. How do you view the Secret Service from your position in the CIO's Office?
The way I see the Secret Service from the CIO’s perspective is I have openings and I don't just need IT professionals — I need IT professionals with good leadership skills and diverse skills.
The reason I say that gets back to these national special security events. We work with a multitude of outside agencies and organizations and I am just completely impressed with how the Secret Service brings everybody together to accomplish the mission. Wherever I go and introduce myself to people or get introduced to people that we work with from other agencies or organizations, we get nothing but accolades.
I’ll give you a couple examples. At the [Republican National Convention] in Cleveland, I go up a couple days or a week in advance just so I don't get in everybody's way to make sure things are going well. The gentleman that is the operations officer for the Cleveland Indians baseball stadium where we had a setup, I hadn't talked to him more than five minutes and he said: "I want to tell you that I am so impressed with the Secret Service and how you men and women operate." He continually said: "You’re mission focused, you're well respected and you work extremely well with others." And he said: "You're the finest organization that I've ever … come across or worked with," and that you hear that throughout.
Another example, when I was in Philadelphia for the [Democratic National Convention] and I was leaving outside, checking out of the hotel, the lady at the hotel said: "You know, I really hate to see the Secret Service leave here in a few days." I said: "Why?" She said: "Because you are the nicest men and women. You're such gentlemen and ladies. It's just a pleasure to have you stay here … and I've never felt more secure than the last couple weeks."
Part of it is a strict hiring process. But I think the men and women here take a lot of pride in what they do and who they represent. I think it's a calling, much like it is in the service; I think it's a calling like going to the priesthood or joining the Marine Corps. Joining the Secret Service is a calling and you take a lot of pride in what you do.
Aaron Boyd is an awarding-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.