June 4, 2019
Editor’s Note: Despite spending nearly 30 years in the U.S. Army and the Federal Bureau of Investigation, James Gagliano has never been busier. Since retiring from the FBI where he served as a criminal investigator, SWAT team leader, Hostage Rescue Team member and Chief of Staff to the Assistant Director-in-Charge of the FBI’s New York City office, the West Point graduate and former U.S. Army officer is now an Adjunct Assistant Professor of Homeland Security, Criminal Justice, Military History and Leadership at St. John’s University. Additionally, he appears on CNN as its Law Enforcement Analyst, commenting on terrorism events and high-profile criminal investigations in the news. He is a frequent contributor to CNN Opinion, The Hill, Newsmax and the Havok Journal. In his spare time he is working on his doctorate. He sat down recently with ISC News Editor-in-Chief D.J. Murphy to talk about top security threats and how a better relationship between government agencies and the private sector can make people safer.
ISCN: In your mind, what is the single most important trend facing security professionals today?
JG: I have 25 years in the business as a practitioner, but some of the things I am learning now as an academic and a theorist—it’s almost more frightening than when you’re in the business responding to crime scenes. When you get into the theoretical there are a whole host of things to consider that you don’t have the bandwidth to consider when doing the job.
Even when you move up the ranks, you’re focused on a particular criminal enterprise or a particular terrorist threat. But looking from the broader perspective, there is a lot more to consider. Considering Homeland Security’s mandate to keep the homeland safe, secure and resilient, what I see, and having looked at this from a critical infrastructure perspective, it’s the cybersecurity threat.
I look at cyber in the same way we look at counter-narcotics in the FBI. The FBI tried to get out of counter-narcotics in the late 1990s and after 9/11 because our focus was on preventing another terror attack on U.S. soil. But the problem with divorcing that from an agency that’s looking at criminal threats, is that narcotics are the currency for every illicit scheme and enterprise you have out there.
I’m going to say the same thing about cyber. You can’t divorce it from anything because everything is part of the IoT and as that touches so many things—healthcare, transportation, security—the attack surface has expanded exponentially. As soon as we figure out how to stop something, the bad guys figure something else out. Because the attack surface is so broad and all encompassing, it’s like trying to police the whole internet.
So, what I sense as the thing that concerns homeland security, law enforcement and security professionals going forward most, it has to cybersecurity.
ISCN: Do you have an impression about the overall state of readiness in the public and private sector for threats that are targeting the convergence point between the physical and digital?
JG: You have to break those threats down into their separate silos and still look at it as a macro. Even a casual observer understands state-level cyber threats—Russia’s a threat, North Korea’s a threat, China’s a threat, Iran’s a threat. But the next layer that includes hacktivists like Wikileaks and Guccifer are out there with different mindset, different purpose and some of the same skill sets and abilities. It makes it very difficult when we live in a country that cherishes its civil liberties and privacy protections. At the same time folks here demand and deserve to be kept safe. How do you make that happen in an age where technological advances happen so rapidly?
During the San Bernadino shootings in 2015, Apple did not work with us at first to unlock the terrorists’ phone because they would be giving us proprietary information and they did not want to expose their customers’ privacy. In the end we hired a young hacker to break into the phone and that brought Apple to the table.
We want people to be able to have privacy, but we have to be able to see and sense the threat out there and a technology like end-to-end encryption makes that difficult. So our readiness is dependent sometimes on the rate of technological advancement being weighed against privacy and civil liberty concerns. That is the 21st century issue law enforcement, homeland security professionals and the security industry are grappling with and is going to have to figure out.
In the end, I think Congress is going to have to come up with legislation that tries to strike that balance.
ISCN: Speaking of Congress, given the political climate in the U.S. right now, is the job of security professionals harder now than it has been in the past?
JG: In a country right now where we can’t agree that Mother’s Day is a good thing, it makes it exponentially more difficult that everything is viewed through a partisan lens. I’m in the media, so I see and sense and am hyper-aware of the political aspect of just about everything today.
Look at the security issue of the 2,000-mile border we share with Mexico. It should be a no-brainer. We should be able to talk and debate intelligently over whether and where funds should be expended, what kinds of fortifications should be used where. But we can’t. It has become the third rail of political discourse. If one party is for it, the other party has to be against it.
There are serious matters of security that we cannot have measured debate about: Do we need ICE? Are sanctuary cities something we should be encouraging? The wall. Those things are so politically charged now, you can’t have a debate without shouting people down.
Yes, I think it’s a huge impediment to getting anything done.
ISCN: There is so much new technology to assist with the protection of people and property. But with evolving threats, are we safer now or not?
JG: I won’t identify any specific products, but I’ve seen things at ISC West and elsewhere that have made me very optimistic about where we are headed. Many of the technologies being developed now by private companies will be force multipliers when utilized by the FBI, DHS, local law enforcement and other agencies.
One of the most critical aspects of security in the 21st century is joint working—the partnerships between the public and private sectors, the FBI working with the security industry to figure out what works best to keep people safe and private industry having a stake in it. It’s the customers of hotels, financial centers, schools, churches and consumer products that are endangered by criminal and terrorist threats.
I’m encouraged by joint working, which was anathema to me and other law enforcement professionals in the early days of my career. We didn’t see value in working with the media or with private industry, we felt we would stay focused better without that. But it’s impossible to do.
9/11 was the catalyst that finally got us talking to others. First other agencies, then private companies. We realized we should be talking to the hotel industry in New York City to find out what they’re seeing and hearing. We realized we should be sharing information not just with the CIA or local law enforcement, but with the security industry, the sports industry, the hotel industry.
I’ve really become a huge proponent of how, in addition to just using the technology developed by private industry, actually consulting with them also is a force multiplier. It’s value added to the security equation for private industry to be briefed on things and be brought in to e bpart of the fight. It has to be done.
ISCN: Are there certain categories of technology that are must-haves?
JG: Any mix of products has to be tailored to the needs of the client. And the client could be a specific business, an industry or the American people. Even though I’m the last guy that could recommend a certain system in this area, I go back to having sound cybersecurity. Whether an end user is in healthcare, transportation, or any industry, they have to have a robust plan, a system and well-compensated people actively performing countermeasures and searching for intrusions and fighting unintended spillage of sensitive information.
When your systems are breached, personal information, intellectual property, trade secrets and even state secrets are in peril.