Sharing information horizontally to increase resilience

Earlier this year, before all conferences and events were interrupted by the COVID-19 pandemic, Naval Postgraduate School Center for Homeland Defense and Security (CHDS) master’s alumnus (0905/0906) Gustavo Rodriguez served as a panelist at the RSA Conference Emerging Threats Seminar. Alongside fellow panelist Timothy Lee, Chief Information Security Officer for the City of Los Angeles, he discussed the topic of “Lessons from America’s Two Largest Cities on Preparing for Cyberattacks.” Rodriguez noted that there have been over 140 cyber-attacks on municipalities since the beginning of 2019.

Rodriguez and Timothy Lee discuss “Lessons from America’s Two Largest Cities on Preparing for Cyberattacks” at the RSA Conference Emerging Threats Seminar.

Oftentimes it’s ransomware that cripples public infrastructure and forces a city to succumb to the hacker’s demands or suffer the consequences. What’s at stake for New York City? As an example, and as stated during the RSA panel, the New York Police Department (NYPD) typically responds to approximately 25,000 emergency 911 calls per day and they’re usually able to provide response within three minutes. It requires communication between multiple sectors of infrastructure to pull that off. If any of the links in this chain of infrastructure is compromised, it could create a major problem for public safety.

While cyber-attacks on municipalities might seem like a newly emerging threat to the general public, investigating cybercrime has been part of Gus’ daily life since being assigned to complete a Cyber Fellowship at the FBI National Cyber Investigative Joint Task Force (NCIJTF) in 2013. However, it has been a topic of interest for him for much longer, exemplified by the impact his master’s thesis on DOMESTIPOL is still having 10 years later. “When I first received the opportunity to go to CHDS, I already knew that there were 800,000 officers and 18,000 police departments in America, but I didn’t know how they exchanged information or how I could help improve communication across different agencies,” he shared.

Rodriguez’s first Year (1998) with NYPD in the South Bronx 41 PCT.

Lieutenant Rodriguez joined the NYPD in 1998. While working in the 41st, 20th, 19th precincts, Intelligence Bureau, and Police Commissioner’s Office, he has held uniformed and investigative posts throughout his career. Rodriguez was accepted to the CHDS master’s program in 2009 and completed his thesis on “Creating Domestipol: Increasing National Resilience by Reflecting on the NYPD Counter Terrorism Model.” It examines the challenges of information sharing between police departments in the 50 largest cities of the US and advocates the formation of a DOMESTIPOL. The DOMESTIPOL model is similar to INTERPOL (International Criminal Police Organization), but on an inter-state level. INTERPOL has been sharing information since 1923 with 188 different countries. But the difference is most other countries have one national police force compared to the US where there are 18,000.

The overarching theme of his thesis promotes an increased emphasis on horizontal communication (between different police departments around the country) in addition to vertical communication (between local, state, and federal levels). In 2011, Rodriguez explained, “DOMESTIPOL is a national system of police coordination that takes into account the 50 largest urban areas and asks the question, ‘How are we leveraging the burgeoning banks of information that reside within these agencies and speaking horizontally—instead of the vertical stovepipes—to increase national resilience by mitigating homegrown terrorism?” His thesis research used a combination of open source information and direct exchanges with various departments.

Rodriguez at the 2010 INSA Award Ceremony with Congressman Peter King.

The second part of his thesis is a prescriptive case study of policies drafted by NYPD to mitigate terrorism in New York City. It is a case study that can be used by other jurisdictions across the nation because it’s easily scalable and can be replicated. “While there may be some agencies using a similar structure right now, there isn’t existing literature that gives a police chief (whether they are in Texas or California or Washington) the ability to easily refer to a blueprint that could be used to mitigate any types of threats in their municipality,” he explained. Since 2001, the NYPD has drafted many innovative policies that are being applied as best practices throughout the nation. Rodriguez was awarded the Senator John Warner Homeland Security award from the Intelligence and National Security Association (INSA) in December of 2010 for his work on DOMESTIPOL.

The impact of Rodriguez’s thesis continues to resonate 10 years later. More recently, at this year’s INSA Achievement Awards, he was cited as a prime example of past award winners by the keynote speaker, the Honorable Ellen E. McCarthy, Assistant Secretary of Intelligence and Research Bureau at the Department of State. McCarthy was the President of INSA when Rodriguez won in 2010 and played a large role in the creation of the INSA Achievement Awards.

The INSA Award, based on his thesis research, also vaulted him into position to serve in the NYPD’s International Liaison Program (ILP) as the department representative with the Singapore Police Force from 2011-2013, covering Asia from Tokyo to Sydney, Sri-Lanka to Manila. He’ll tell you “I got lucky” when discussing his opportunity with the ILP, but in reality, it was partially due to the hard work he already put into his DOMESTIPOL thesis. As the saying goes, ‘Luck is what happens when preparation meets opportunity.’

Upon his return from Singapore in June of 2013, Rodriguez “got lucky again” when the FBI called the NYPD and asked them to send someone to complete a fellowship at the FBI’s National Cyber Investigative Joint Task Force (NCIJTF) in Washington, D.C.

[In 2008, President Bush mandated the NCIJTF to be the focal point for all government agencies to coordinate, integrate, and share information related to all domestic cyber-threat investigations. The FBI is responsible for developing and supporting the joint task force, which includes 19 intelligence agencies and law enforcement, working in tandem to mitigate cyber terrorism.]

“The NYPD has a robust cyber program,” Rodriguez said, “but the department thought it would be wise to see how the NCIJTF collectively addresses the cyber intrusion threat.” Now as an NYPD Lieutenant Commander, deputized as a U.S. Marshal, he got a chance to learn how they do it and “it was eye opening.” It was also the first time anyone from NYPD had been assigned to the cyber side of the FBI, so they ran him through rigorous training. “At first, in 2013, the discipline of cyber-security, sounded very foreign but after a few months of training it all started coming together,” he joked. “What helped, was already having an investigative background: identifying suspects, evidence collection, building cases for prosecution and then applying those skills to cyber intrusion investigations—the same investigative acumen applies in cyber.” Rodriguez also noted that he’s been blessed to have the tremendous support and guidance from his boss, NYPD Deputy Commissioner of Intelligence and Counter Terrorism, John Miller. “DC Miller has been an absolutely amazing leader/mentor during the last seven years and has been very supportive with our cyber initiatives.”

Rodriguez signing an MOU between the NYPD and the Philippine National Police in Manila, 2012.

As Rodriguez mentioned during his RSA presentation, an initiative the NYPD began to study in January of 2015, with help from their LAPD counterparts, was the Los Angeles Cyber Intrusion Command Center. After corresponding with LAPD, learning more, and sharing findings, NYC Mayor DeBlasio signed an executive order to create NYC Cyber Command in 2017. Rodriguez went back to FBI NY in 2015 and is now working on the FBI Cyber Task Force, focusing on critical infrastructure protection. “The more we work with our federal counterparts, the better we are able to capture that 360-degree investigative cyber view of what the threats are, to help us continuously refine our cybersecurity strategies.”

That experience led the team to identify somewhat of a grey area in the horizontal communication network between the 17 sectors of critical infrastructure in NYC. In July 2017, the team researched how those sectors speak to each other. For example, how is the transportation department communicating with emergency services or how is the water agency speaking with the power company? It seemed like it wasn’t happening as much as it should. Due to this, a public-private sector partnership to protect critical infrastructure, NYC Cyber Critical Services and Infrastructure (CCSI), was formed in July 2017, spearheaded by the NYPD, Manhattan District Attorney’s Office, NYC Cyber Command, and the Global Cyber Alliance. The first time they convened, they gathered all 17 sectors of critical infrastructure and briefed them on cyber threats as a group, with the mission of sharing real time information horizontally, training for the cyber fight as a group, and responding if needed to a cyber-attack in NYC as a volunteer team. “We are getting NYC local Digital First Responders together and training them on how to proactively share information to protect our NYC power, transportation, emergency services, finance, water, etc. The mission is share, train, and respond together,” Gus noted. If it sounds familiar, that’s because the group’s concept is reflective of his thesis that advocates for sharing information horizontally to increase resilience.

NYC CCSI at the IBM Cyber Range in 2018

Looking at the bigger picture, “The key is working with America’s 800,000 officers and 18,000 police departments to share what we have learned and mitigate how cyber-terrorism can manifest itself as a public safety threat. One way for Digital First Responders to ‘share, train, respond’ together is by conducting digital fire drills. Since forming, the CCSI group has grown exponentially and organized a number of exercises to see how critical infrastructure would hold up during a security breach. A key resource has been access to IBM’s Cyber Range—which runs scenarios for different agencies and companies. “We called an IBM partner, and asked if we can bring our NYC CCSI team to the Cyber Range located in Massachusetts, in December 2018 and they agreed,” Rodriguez detailed on stage at RSA, on how the partnership evolved. The Cyber Range had not yet hosted a city, so they had to create a new scenario and the CCSI Team looked at the past examples of attacks to draw up a new city-wide scenario. The group has repeated a number of similar exercises since then. The second visit to the Cyber Range in July 2019 was two days after Louisiana declared a state of emergency due to a massive cyber-attack, which was timely because the idea of the tabletop exercise was to create a makeshift scenario where a cyber-attack shuts down key infrastructure, causing anywhere from a loss of power to mass casualties. The test could expose blind spots for first responders and reiterate the need for leaders at the local level to meet and exchange information. “I’m so grateful for the partnership with IBM. Putting our NYC team through this real time cyber-attack simulation is critical,” Rodriguez beamed. “Getting them organized locally, briefing them on current threats, pushing the sharing of IOC’s (Indicators of Compromise) and bringing them to the range to collectively fight against multiple cyber scenarios has been a fruitful process. Due to us sitting on a Federal Cyber Task Force, we were lucky to include our federal partners as well. To train like you fight, we want to make the team always look like what game day would resemble.” Rodriguez is currently assigned to NYPD Intel and Counterterrorism and detailed to the FBI NY Cyber Task Force, as the NYPD Lead on a Cyber Terrorism Squad.

Rodriguez volunteering at the NY Ronald McDonald House with the FBI Cyber Canine in 2018.

CCSI isn’t just sharing information horizontally among their group. The key is to get the word out to all municipalities, villages, towns, counties, cities and states around the country, “so that we can learn from what they are doing too and hopefully, push for a CCSI in multiple municipalities around the country. Organizing the local officials that actually protect the critical infrastructure that we all use is key,” as Rodriguez puts it. The upside for NYC is that although no municipality is perfect, the building blocks for the cyber team have been laid down as they’re sharing critical information with all agencies, their federal counterparts, and the Digital First Responders who actually have hands on keyboards that protect the firewalls.

Rodriguez with CHDS instructor Dr. Kathleen Kiernan.

CCSI is fielding many requests to brief other agencies and the program always receives positive feedback. These types of interactions also benefit CCSI too, as they often learn from the other agencies they’re briefing as well. “We learn from each other.” Rodriguez compares it to the cross-pollination that occurs in the CHDS classroom and makes the program uniquely strong. So, it would make perfect sense that this model could benefit other members of the CHDS community in different jurisdictions. Reflecting back on his time at NPS and the influence the CHDS program had on his frame of thinking, he’s confident that “we can tackle any problem if we work together and share cyber information across all available pathways to protect our digital infrastructure that our families, friends, and community utilize every day. From the first day at NPS in September 2009, my professor and thesis advisor Dr. Kathleen Kiernan always told me, “You can change the world.” I sincerely thank her for that mentorship, and guidance, because that is exactly what we have been relentlessly trying to do in Cyber, with DOMESTIPOL as the base.