- Welcome to Cyber5, where security experts and leaders answer five burning questions on one hot topic and actionable intelligence enterprise. Topics include adversary research and attribution, digital executive protection, supply chain risk, brand reputation and protection, disinformation, and cyber threat intelligence. I'm your host Landon Winkelvoss, co-founder of Nisos Managed Intelligence Company. In this episode, I talk with Grist Mill Exchange CEO, Kristin Wood. We discuss open-source intelligence use in the US public sector, not only with national security, but also with the emergency response sectors. We talk about how open-source intelligence has evolved in the last 10 years, and talk about how adversaries use open-source intelligence against us. We also discuss how the US needs to catch up with not only how to operationalize OSINT in meaningful ways, but how the US government can procure bleeding-edge technologies in a more time-sensitive manner to meet mission requirements. Stay with us. Kristin, welcome to the show. Would you mind sharing a little bit of background with our listeners please? - Absolutely Landon. Thank you so much for having me today. It's great to be on. My name's Kristen Wood, and I have a 20-year career at CIA that wrapped up in 2015. I spent about 11 years of my time doing analysis, either imagery analysis, military analysis, terrorism analysis, and then a number of years in operations, and then a significant amount of time in open source. And during the course of my career, I worked five wars and saw crisis environments in ways that were remarkable and I really evolved over time in terms of how the US government responded to them as technology and capabilities changed. So I'm really honored to have been able to serve. My last role at CIA was the Deputy Director of Innovation and Technology for the Open Source Center, where I really saw, in a firsthand way, the capabilities that open source can bring to mission. So I'm very happy to be here to talk to you today about all things open source and wherever else you wanna go. - Do you wanna give a little bit about Grist Mill and what you guys are doing there? - So Grist Mill is a commercial platform for data for national security missions. And so our reason for being is that we believe to win the future, it needs to be fueled by commercial data and open source data at volume and at the speed of mission. And that can't happen now because there's a huge acquisition limit. So if you think about buying one company's data and having to go through an 18 to 24-month cycle to bring them into mission, and then having to do that company by company, by company, and sometimes data set by data set, given the volume of data that's already coming in and what's coming ahead of us the next few years, it just doesn't work. And so all on one contract, government can look at data sets that apply to current mission. They can look at data sets that apply to new mission, and government contractors or the national labs or URS, we can work with them to provide data to support their government contracts. So we are really looking to provide as much data as we can. Most of our data providers have never sold their data to government, the vast majority, and about half of those have never sold their data before. So we think we're bringing in a diversity of data that hasn't been seen before that really will help broaden and deepen what's available currently to government. So we're really excited to be able to support government in this new way. One of the things about leaving the agency that's so hard is we're also mission-driven, and I miss that every day. It's like a sore tooth. I mean, I miss it deeply, but I want that fixed. And what I realized is there's so much more to do in the private sector to support those who are still primary on the mission. And I think all of us, I mean, I know you and your company feel this way. We do too. It's what can we do to enable those folks on the front lines to be more successful? And I had no idea how much opportunity there was until I actually came out to the private sector. So looking forward to doing this through Grist Mill and hopefully, partnerships with many others, both on this call and with government. - Oh, that's fantastic! Again, thank you for your service. I'm looking forward certainly to digging into this 'cause I'm sure you saw open-source intelligence really evolve over the last 5 to 10 years. And we're gonna be talking today about open source's role in national security and the broader public sector. I think a lot of our listeners are used to listening to private sector mentality of how intelligence supports cyber threats, physical security threats, fraud, but there's certainly a bigger platform to be used in the public sector and provided a little bit of background of how national security customers use open source information, and really how has this evolved in the last 5 to 10 years? - I think evolved over the last five years is important, but I wanna go back just to the beginning, right? When open source really was newspapers and the daily news broadcasts from nations around the world. And at that point, open source already had an important role to play in terms of what our adversaries were looking to convey to us and how our allies were thinking about things. So fast forward all of these years to maybe 10, 15 years ago when media changed to have so much more, both in print, online, and then, of course, the evolution of social media. Those again, transformed how government used it to get a much better understanding of what populations were thinking about things. And then, moving to that five year period, it has been remarkable to see the change. I mean, we've always used open source in crisis. You see it now, right? A bomb exploded or there's some horrific incident that happens or even in climate or weather disasters. So crises can be very useful. And then mostly, it's additive to mission. I mean, we have the core capabilities of the US government National Technical Means as it's known. And it has been additive to them for a long time. I think in this era where we're in the internet of things driven fourth industrial revolution where it's all about the interconnectivity of devices, this part of the information flow into government is only going to become more important as it grows in this exponential way. Some of your listeners may know that when they're talking about information in the zettabyte. So one zettabyte is the equivalent of 300 million copies of everything in the Library of Congress. So this is rough numbers, right? But they're talking about us being at five or six zettabytes right now in terms of what the world produces driven IoT and other things. By 2025, so I think two and a half years ago, they're talking about it being 35 zettabytes. So the volume challenge, the speed challenge, all of that is teeing up for what I really think is a transformational moment for the United States government, as well as for the commercial sector. - We'll kind of get into that transformation here, but at a core level, When I see like to your point about open source, we see a lot of open source, as you say, like translating articles of foreign media to use for crises situations. We've done that well. When I hear open source, I almost think it's kind of like the new all source intelligence in a lot of ways. When you talk to threat actors online, I mean that is human intelligence just not face to face, but in terms of like what you actually receive, it's very similar if you have all the vetting that is done on the other side. When I think of net flow, when I think of ad tech data, when I think of mobile data, when I think of all the different types of telemetry, that's very similar to signals intelligence in the commercial sense of GEOINT taking social media pictures, putting them to a location, and all this is really on open source. I mean, even some of the breach data sets that I saw, I mean, back in the classified environments, I mean, those would be classified in many different ways and all that's available from an open source perspective, particularly what's going on in the Russia-Ukraine crisis. Like Russia's getting, you know There's certainly a lot of people targeting Russia and a lot of open source, a lot of breach datasets out there. I mean, am I thinking about that right in terms of how the national security customers are using it? Do they still have other ways to go? My other part to that is what other us public sector entities could be leveraging and what are they doing in this space? - Landon, you've pose some really interesting way of thinking about this. And in some ways for our industry, for a large part of our national security community that is private sector, open source is all source, right? They don't have access to classified data. So it is all source, right? And as you say, there's geospatial intelligence, there's signals that's coming from the sensors everywhere. There's media, social media, breach data, all of that is available now publicly, right? And the hackers that are targeting Russia are making all of those hacks available. That used to be something that had to be collected in a very sensitive way with the right authorities in government, and that isn't the case anymore. So I really do think your characterization is fair. It is becoming an all source capability with remarkable ability to contribute to the mission because of its depth and breadth of information. And if you think about a sensor-driven answer versus a human source-driven answer, if that human source is the chief of staff to one of our important adversaries, they're going to have better information most likely. But if it's sensor-driven, you aren't looking at the same source qualification statements, right? It's data driven by millions and billions of sensors. So in some ways, while the credibility isn't impeccable, it's certainly very, very high quality. So in some ways, I think this is that transformational moment where government can think about open source as information of first resort, right? Let's go see what's available from this readily available, either because you can find it, collect it, or buy it. Let's go find out what's available there first before we send a human into harm's way, whether that's military, someone in the military or someone in the Clandestine Services of various organizations, or building a collection system, right? If we can find it already, let's do it because the economy of scale is really, really there now in the private sector. And let's save our national technical means and our exquisite acumen assets for the problems that can't be solved. I think that's where we go. We're not the yet. In terms of public sector entities doing this really well, I think NGA does a terrific job. They have their own capabilities, and they've done a lot to partner with industry on the commercial industry partners on all sorts of things related to natural disasters, situations that are evolving regarding threats. I'm imagining they do tremendous work on Russia-Ukraine, but also, you know what? FEMA does a terrific job out of necessity. I mean, to look at the scale of floods or the scale of hurricane damage, they really do a great job of pulling in all sorts of information to bring capabilities to bear, and open-source intelligence helps them do it even more intelligently because they can see what's happening. - And I think that frames well the discussion around transformation. Let's talk about our adversaries first. Are our adversaries doing open-source intelligence better than the United States? Like talk through the capabilities. I mean, there's certainly no shortage of nation state, on really Russia, China, what we're really talking about here. They're going after us pretty aggressively, have been for the past 10 years. I have to assume that they're leveraging that in various ways that we are talk through those capabilities of what our adversaries are doing in this space. Are they doing it better than us? - The short answer is there are some places they are absolutely doing it better than we are, and there are some places they are not. China is remarkable in this space. I think in terms of their multi-year plans, where they just move forward methodically to gather information, I think they've seen the value of this data for a very long time. We have in speaking with a Senior Data Officer in the state of New York, a former, he said that the three largest collectors of new York state's open source data in this order were China, Russia, and Zillow. And so for free, we're giving them all of this information about what's happening because we have all these open data programs. And so they're scooping it up and taking advantage of it, and the breaches and the attacks on infrastructure, they're pulling all the information and they can because they do understand its value. There are things they do we don't do. The disinformation, misinformation campaigns, China and Russia are wildly sophisticated about this. I don't have access to current capabilities. I'm not in access as we refer to it, but just what I can see on the outside and watching the scope of these disinformation campaigns, they're very sophisticated and they're different. The Chinese focus on different things. The Russians, we have to say the North Koreans and the Iranians too. And what they're aiming to do is to reframe the United States for the rest of the world in terms of who we are as a nation, and they're having some success doing that. They're not just coming at us, they're coming at the rest of the world. And they're also aiming to reframe how Americans see themselves and each other. And we've seen in these disinformation campaigns over the last five, six, seven years in particular, how they're having some remarkable success taking the schisms we have in our country or the disagreements we have in our country and amplifying them. So is that better? Or is that us doing They don't have the limitations on doing things honorably the way that we do. We're limited by, driven by democratic values. And so that makes us unwilling to do some of the things we talk about at least publicly. And I don't think we don't wanna live in a nation where it was different, but I do think in defending ourselves and defending who we are as a nation, we could definitely do a much better job. And one of the limitations we have is they can respond instantly and at the speed of the internet. And we are just not doing that at a scale and volume that we need to to beat back this redefinition. - Let's dig into that a little. Russia, China, these are autocracies. They don't live in four-year election cycles. For instance, China has a 5 and 10-year plan. The United States doesn't have a 5 or 10-year plan. We live in four-year election cycles. Is it fair to say, and of course, they obviously use this information to their prowess very well, is it fair to say that like at a very tactical level, when China goes and takes information from a breach, when they have a professor who provides information of sensitive research from a university and they funnel that back to China, are they at a scale where they're gobbling all that up together and provide that to all of the China public sector for use? Are they doing it at that scale? I have to assume that the US government, and we've both been in public sector lives, sometimes the information sharing isn't there. One national security agency collects is very different than the other national security agency collects. There's a lot of overlap. Sometimes that's a good thing and a bad thing. What do we need to do to improve? And are we at the same scale as what our adversaries are doing right now? - Well, the short answer is no. The long answer is, I mean, they call it the Chinese century, right? The 100-year plan. And they want to see this century be dominated geoeconomically and geopolitically by China. And their discipline in focusing on that is remarkable. And what you've described, right? The IP theft has been happening for decades, right? And having so many. Because we are an open society, there are so many Chinese nationals who are being trained here or educated here and not all of them are intelligence officers, right? And there's Chinese laws in place that requires any Chinese citizen to work with in intelligence organizations. And that's law, right? So it creates a huge vulnerability for us. So they have a systematic approach. That's not to make them 100 feet tall, but they've been executing very successfully against it. And you're right. We're governed by four-year election cycles that actually, they only rest for, it feels like six months before the next cycle's underway. And then in parts of the Hill, it's two years, right? So we tend to think much more here and now, and the here and now decisions we make related to infrastructure, related to ability to respond long-term to threats and risks to American leadership in the world, like the Belt and Road Initiative that China has underway, right? They're just simply going through and you can see what they've done around the world. So their systematic way of approaching this is definitely very powerful. And it's something that we as a nation need to address and not just the national security community, but the whole of the US government, as well as our state and local. So we do need to have voices that start talking like this. And the only thing is, it's not really rewarding if I'm someone up for election next year or two years from now, that's not to say I'm not a patriot and I don't see it, but do I have a bandwidth to work systematically with other parts of government to create the 100-year plan, the 20-year plan, the 10 year plan, and hope that the person who replaces me, if they're from another party, will keep it? So it's one of the tremendous disadvantages of having a democratic system where you don't have authoritarian rule to keep things on track. I wouldn't trade it, right? But we do have to find a way to do this because our system really was built for 1947, the way it needed to function for 1947's challenges. It's not built for 2022's challenges and beyond. And there are a lot of people in government who recognize that, but it's hard within an organization to make changes across the whole. So I don't know if that answers your question, but it's the world in which we find ourselves and the really serious thinkers working on this, I do hope the collection can get some traction to make the changes we need to compete. - You made a key observation there in that private sector-public sector partnerships in China doesn't even make any sense. If you would go to any average person in China, they say, well, I don't know what that means. Of course, everything that we do, the government's gonna have access to. So name any type of data that Alibaba or Tencent or Baidu are working on, the government can call that type of data anytime. Like there is not a whole lot of separation between the public and private sector and that perspectives there are here. So a lot of people say public sector partnerships work well. I think that that's still a slow-moving process. We've seen some work coming out of the administration, certainly around data breaches is just one example, things that need to be shared with the government more reactively. From that perspective, does the public sector have more to learn from the private sector and the need? How does the public sector work better with the private sector? I mean, you and I have been part of discussions where public sector officials are just flat out saying that we need to adjust the procurement processes, that the public sector needs to start buying like the private sector. What are your thoughts holistically on this subject matter? And is this actually realistic to move away from that 1947 mentality to kind of get where we need to go? - I worry about this a lot. There are thought leaders and early adopters in government who have been pushing this for years. You stated at one place on acquisition. It's a problem. If it takes 18 months to get something on contract in a crisis situation that doesn't work, but 18 months from now, there may be a new capability because technology is changing so much. So the private sector is often much more agile than the public sector is on this. Public sector has the limitations of all of regulatory responsibilities, right? So their speed of acquisition is probably one of the most critical legs in the stool that can change, could evolve to transform how government operates. And we're seeing some of that happen in various places in government that there's a recognition that this needs to change. I mean, the first time ever I saw in LinkedIn, the CIA announced BAA, a Broad Agency Announcement about what they're looking for in terms of innovation and technology. They publish it out in the open world, right? So that's an enormous change for them to move to a model that actually brings things on contract more quickly. But if your characterization earlier of this really is all source now, that it's certainly all sourced for the private sector 'cause that's all they have had access to. And it's becoming a richer and richer source of information and it's all they there available to use. So a lot of the experts on what data is useful, how to process and transform it, how to analyze it, how to use AI tools, ML tools, NLP, all of it, and then deal with compute speed. It's all the reality of industry because Amazon has to move the speed of their mission, so does Google, so do McDonald's and private equity firms, Bank of America. They've all had to use these kinds of capabilities because it's existential for them. If you cannot move fast enough, you will not succeed. And so there are a lot of messages and a lot of capabilities they develop the government absolutely could take advantage of. I think of pipeline for bringing in supplies. Supply chain management is a huge one. Just that simple. The government is really, really good at moving things, and learning, I think, how to use AI and ML to track devices, to track systems. But I bet you McDonald's has that just in spades or Starbucks, right? Because it all gets to how do we compete? How do we keep our prices down? So there is a lot to be learned here and we are seeing some places in government do this. We see FBI and CSUN, for example, they've stepped a lot towards industry on cyber and how to support them. But I also think thinking of private industry as a place to learn from how you handle this new open-source world from open-source information and commercial information, there's a lot of learning that private sector could offer how to operate at speed and volume because this is all they've been living with as IoT has grown up over the last 5 or 10 years. - You're clearly passionate about this. If you were, not necessarily a startup, let's say you're a little bit more further along and you had to go target, let's say the national security apparatus, what's best case scenario? Like right now, you gotta go partner with bigger companies, you'll be a sub to a larger prime. What's an ideal state you would love to see smaller tech companies that have brilliant technology, what's the best end state you would love to see in the future? - Thanks for asking that, first of all, because thinking about not how we adapt from where we are, but what do we want to be at? I mean, where do we want to be at such an important way of thinking? Where do we want to be? I think we end up recognizing and taking advantage of the ecosystem we're all in. So companies like yours, like mine at Grist Mill, we're part of this open source ecosystem, right? My company just does data. Yours has data and analytics, right? And other capabilities. And there are companies that do AI focused on video. There are some companies that do AI focused on computer vision. There are companies that do NLP or machine learning or data processing, data prep. And I think we're all in this ecosystem and the smalls can work together, and teaming on some of these big procurements from government. And I think we can be very competitive because what we have is agility, and really define niches that are wildly important right now. So the model of partnering with a bigger company is where we are. But I think over the next even two or three years, I think that changes. There will always be the Lockheeds and the Raytheons and these massive companies doing remarkable work for government. But I think this space is really optimal for the smaller companies in this space who have massive tech to offer. They have open source or commercial source to offer. And it's a matter of partnering together on some of these vehicles so that we bring all those voices to mission. I think that is one of the ways we go, but it's the future. I mean, if we win this, if the United States wins this in the fourth industrial revolution we're in, it will be because we did that. We did really well in first three. The West drove all of that, but you know what? Right now China is making this a very competitive race and there's some places they're well ahead. So I think what I just spoke about is this taking advantage of the open source ecosystem now is one of the ways that we can be competitive in the coming decades and over the next 100 years. - In government, do you fundamentally, and an honest question, educate me a little bit here, do you need to make buyers out of GS-14s and GS-15s? We don't need to get into big government procurement vehicles and defining those. But I mean, if you're a GS-14 or GS-15, you're a branch chief and you have an urgent need and you wanna go out there and make a purchase, how do you make that easier fundamentally? - So I would argue that they're already buyers. They've always been buyers, but they've been buying a human. I mean, I need a person in the President's Office in this country. I need this question answered. And so whether that's answered by imagery, signals intelligence, human intelligence, whatever, they've always been buyers. It's just it hasn't been a monetary transaction, right? National Technical Means are wildly expensive for very good reasons. But now you're talking about physical transaction of money and somehow it's different. There should be requirements the same way there are the NIPF, National Priorities Framework. Here's our top 10. What are the commercial and open source? That could be a task order on a BAA, right? So that GS-14 or GS-15 needs a contract officer and a system to do this efficiently. So if there's a contract vehicle already, this is easy. There's a mechanism for approval that I need this, we've got the ceiling on the contract. Yeah, go order it. You can have it tomorrow. So we have to figure this piece out because you don't want every GS-14 to 15 on Zappos placing orders for shoes, the same shoes, right? You want the data, you wanna collect it once, the tool you wanna buy at once or maybe you don't, but you don't want everyone buying the same thing all at once. So I think this is one of the biggest challenge. The biggest challenges government will have going forward is it's the individual analyst, the individual targeter, the individual operations officer who best knows what's needed, but you have people in the process for approval who are focused more on the contractual pieces of it, not the mission need. And there are really great, talented, experienced people on both sides of this equation. But there are a lot of folks who have to get into a room, both on the government side and the commercial side to figure out how do we do this so that it can happen at the speed of mission so that targeter, that military unit, that whatever has what they need in time to inform what action they're going to take or what piece they're going to write? So I don't know that I have the answer on this, but I do know this is a big piece of what we're focusing on going forward. INSA, the Intelligence and National Security Alliance has a tech and innovation council, and they've just created a data subcommittee to deal with this piece, but a big part of both the council and the data subcommittee is dealing with this, how can we make recommendations for the way industry works to support government to help with at least our side of the equation so that when governments got their answer, that we can execute very quickly. So a lot to be done in this space. And the good news is that people are starting to think about it. - Kristen, this is a fascinating conversation. I can't thank you enough for coming on the show. Congratulations on starting Grist Mill. I love what you guys are doing and would love to have you back to really kind of even expand this conversation quite a bit. Thank you. For the latest subject matter expertise around managed intelligence, please visit us at www.nisos.com. There we feature all the latest content from Nisos experts on solutions ranging from supply chain risk, adversary research and attribution, digital executive protection, merger and acquisition diligence, brand protection and disinformation, as well as cyber threat intelligence. A special thank you to all Nisos teammates who engage with our clients to conduct some of the world's most challenging security problems on the digital plane, and conduct high state security investigations. Without the value the team provides day in day out, this podcast would not be possible. Thank you for listening.