top of page

Demystifying Cyber with Francesca Lockhart

TAYLOR: Hi Francesca, thank you so much for agreeing to be on this podcast with us today. So to start off, can you give us a little bit about your background, and how did you end up at the Strauss Center and at UT?

FRANCESCA: Sure. So I am a native Texan, grew up in Euless, TX, which is in the DFW Metroplex. Lifelong UT fan, so came here for undergrad. Studied Plan 2 and government for those native UT students who know what Plan 2 is. I don't often advertise that outside of the university, or sometimes frankly inside the university because it's not that well known, but Plan 2 and government undergrad and right after undergrad, went to work at the Texas Department of Public Safety as an intelligence analyst, which was a job and a connection partially brokered by connections with professionals that I made through undergraduate affiliation with the Strauss Center and with the Clement Center for National Security here on campus.

I worked at Texas DPS for about four years in a variety of roles, started as an intelligence analyst, working primarily on organized crime related issues right before or, I guess right when COVID first started, was in a promotional process and moved into a role supervising all criminal investigations for our particular region in Texas, so got a lot of exposure more to tactical level police work and intel work through 2020, which was a wild year for the world on all accounts, but also for policing and the role of civil protest and disobedience in our society. I'm sure you all remember 2020 being a very interesting and formative year for a lot of the current state of police work in America. And then after a year or so in that role, went to a role that was my true passion and my true goal at the department, which was managing our Homeland Security intelligence team.

So this was a strategic level intel role overseeing a variety of intelligence programs focused around the detection and prevention of mass attacks, counterterrorism, counterintelligence, and then cyber security and cyber threats to Texas. And in that role, I absolutely loved it. I had the opportunity to really grow and develop a lot of those programs, and I think hopefully grow and develop some amazing analysts and people who ran those intelligence programs at the department. But after a couple of years in that role, my friend Jenny Sharma was hired to work at the Strauss Center as our technology scholar in residence, and when she moved to Austin, I met up with her and we talked about all of our mutual interests, and she said, hey, we are actually hiring for this new Cyber clinic director role that I think you might be interested in, and it's actually housed out the Straw Center, which of course I was familiar with, so applied for that, super interested in it and of course, here I am now, so happy to be back.

TAYLOR: Well, welcome back to the Forty Acres. Could you give us a little bit of an intro for our listeners? What is the Strauss Center?

FRANCESCA: Sure. We are an academic center endowed at The University of Texas at Austin that offers a range of scholarship and student programs, advancing certain cutting-edge areas of national security and international security, law, and policy. So we bring not just existing faculty at UT, but representatives and experts from the public and private sector to offer different courses, sponsor fellowships and scholarships for students and host conferences, and just every manner of events in the areas of national security, law, cyber security. We have a space traffic management program. We have our intelligence studies program which is co-sponsored with our sister center, the Clements Center which I mentioned earlier. And many, many other distinguished programs besides that, essentially bringing areas of scholarship and areas of focus and international security to the university where they may not otherwise exist or be open to the student body here at UT.

TAYLOR: Interesting. So you studied government and Plan 2 at UT. How did you get involved with cyber? Did you always know you wanted to be involved in the industry, or did you discover that while at UT? Follow up to that, you also mentioned your passion is managing Homeland Security intelligence—did you find that passion at DPS or did you know that's what you wanted to do? And how do you continue to pursue that passion at the Strauss center?

FRANCESCA: Sure. So going back to our conversation about demystifying cyber, I definitely thought cyber was not in my reach when I was at UT, I thought it was this like highly technical thing that you had to have a comp sci degree for. Also I feel like cyber wasn't as like in vogue when I went here as it is now. So it was just not on my radar at all.

How I got into it was when I became manager of the Homeland Security Unit, one of the programs that I initially had under my purview was a critical infrastructure threat program, if you will, and increasingly threats to critical infrastructure in Texas are cyber in nature. We're not getting like a ton of people trying—well, okay, again, this is just my view, I won't speak…there's no statistical analysis on my part—but you don't hear about like a ton of people like shooting up power stations or posing some physical threat to critical infrastructure. It's always trying to steal credentials. It's always trying to get system information, something like that, right? It's always trying to use some Zero Day to get into the system and preposition whatever it is.

TAYLOR: What’s a Zero Day?

FRANCESCA: A vulnerability that has been undiscovered and undisclosed before it's used in an active exploit, so the company has no fix for it. So like solar winds was a Zero Day vulnerability with huge, far reaching consequences for the US government and critical infrastructure and many others beside, but more and more as I oversaw that program, which was again focused on kind of every manner of threats to critical infrastructure, cyber was becoming the biggest and biggest piece of that pie, and looking at the clinic and the clients that we serve, I felt like there were organizations in Texas being targeted by cyber threat actors that were not being served by that intel program. So school districts, municipal governments, they also need forward leaning threat intelligence to learn how to bolster their systems against things like Zero Day vulnerabilities.

So we started the cyber threats to Texas program to fill that gap, where we're pulling on the information that our amazing analysts on our critical infrastructure protection team were getting, but also doing kind of a wraparound intelligence gathering mission for all the other types of organizations in Texas. And then distilling that into a clear threat picture that was cyber threats against any organization, kind of who is targeting what in Texas, why and how and who needs this information? How do we train them to be more resilient?

So I learned cyber more and more through standing up that program. It was again increasingly a huge chunk of my day and my time and my thought. And when I saw the clinic opportunity, I guess I kind of worked backward, where I had this great strategic understanding of the threat actors and the policies and the who's who and like what in the United States government apparatus is being done about cyber. And then I channeled it into learning the technical piece, becoming a little bit more of a practitioner and putting together what I hope is a more—like a pretty well-rounded curriculum around policy, around strategy, around the technical part of cyber, around the soft skills that you need to be successful in the career, and so on and so forth. So I had an unconventional path, which is why I said there's no one path into cyber.

As far as the Homeland Security piece, I do feel like UT Clements, Strauss did an amazing job exposing me to federal intel counterterrorism. Again was like, more of a hot topic. I feel like we, we're like having whiplash right now with what's going on in Israel, and the very unfortunate war happening there because counterterrorism was like a huge focus all through college. And like, I'm, you know, we're all probably products of the 9/11 generation that was like, everyone was working on counterterrorism, Middle East politics, and like that was certainly my focus as well. And then after I started DPS and particularly during COVID as cyber-attacks were on the rise and ransomware was becoming the hot new thing. And you know, the with the defeat, essentially, of Isis and its ability to attack America, we transitioned into an era of more great power competition. And that's just interesting because now we're like, oh, we actually have a need for both. We need people who understand counterterrorism. We need people who understand Middle East and Hamas, and not that anyone was saying we didn't, but I feel like the pendulum is like landing somewhere in the middle between great power and counterterrorism.

Anyway, all that to say, you didn't ask my opinion. When I was here, the pendulum was much more on the counterterrorism side. And I feel like UT did an amazing job piping students into counterterrorism as a career, counterterrorism as an intel analyst, or as a lawyer, or as a national security practitioner of any sort. And that was certainly the path that I took. That was really what the passion I developed in college was and what carried me through my position at DPS. And I see this being kind of the natural next iteration of my career, where I'm focusing on cybersecurity resilience against any threat, but particularly, you know, threats posed by smaller, maybe not nation state level, but cyber-crime groups and cyber threat actors against low resource organizations that have valuable data that they need to protect.

MISHA: And could you tell us about the cybersecurity clinic that you lead, and how does it prepare students for future in cyber security careers?

FRANCESCA: Sure. So this program that I was hired to start, and I'm currently teaching in, is the latest installment in our Cybersecurity Scholarship program here at the Strauss Center. So we looked at other clinics like this that exist in the United States, which essentially have adopted the law school and the medical school clinic model to cybersecurity, wherein some population of students, in our case for the moment, undergraduate students from all majors and disciplines at UT, can apply to this two course sequence, where first in the first course, I teach them basic to intermediate level cybersecurity defense skills. So think, for those familiar with the industry, security plus level kind of entry to mid-level skills, and then in their second semester we partner them with a nonprofit, a small business, a K12 School District, a municipal government, some sort of under resourced—or the term I prefer is target rich, resource poor—organization in Central Texas, and they work with that organization to first design and pitch a cyber security improvement project plan based on that organization's risks, based on their business critical functions, and then they implement that plan over the remainder of the semester.

So it teaches students fundamental cyber skills, which of course is important for anyone looking to get into the trade. But then it actually has them practice it while simultaneously bolstering their clients’ defenses and doing cyber security capacity building for free. Which I should mention: this is a completely free service that we offer our client organizations. So it really is intended at plugging the cyber security workforce gap, which is very large in the United States, while also focusing on some resources, providing some resources to organizations that would otherwise be unable to access or afford them.

MISHA: And what kind of backgrounds do cybersecurity people usually tend to come from, and how does their educational or professional background help them in the job? Can they relearn their skills, for instance, to apply to that field?

FRANCESCA: Sure. That's a great question. So one of my common refrains in the class is that there's no one path into cybersecurity. And increasingly, I think the students in the course are learning that cybersecurity is a trade rather than like a degree program or an area of like academic specialty. That's why there's not necessarily a degree program in cybersecurity at every university. Because the certifying bodies and cyber securities if cybersecurity, if you will, are kind of independent corporations and organizations that offer you these professional credentials, that you can take a test to get like the security us credential that I mentioned our clinic curriculum is based on.

So the students come from all backgrounds and majors. We have informatics students, computer science students, international relations students that might be interested in going to law school and focusing on cybersecurity law and policy. We have communications and leadership students. We have business students who might manage cyber risk or want to become a SISO. Oh my gosh, why am I blanking on what says O stands for? We're so acronym heavy. I'm like, I don't remember what this acronym is.

MISHA: Security officer?

FRANCESCA: Chief Information Security Officer. Thank you. Well, I kept—C usually stands for cyber. So I kept trying to jam that in there somewhere.

TAYLOR: Same thing with law, like it's acronym heavy.

FRANCESCA: And that's the funny thing about cyber, too, is once you like, stop gatekeeping these acronyms, you realize it's like actually fairly easy to understand a lot of cyber security skills and techniques and tactics. It's just so… It takes so much work to kind of demystify what all of these terms mean. Anyway, I’ll get off my soapbox, but yeah, there there's no one path into cyber and anyone can really learn this. We just provide a more accessible and frankly, I would argue, equitable pipeline to learning these skills, because you don't have to pay for a certification course or exam to be in the clinic. There's no pre rec. This is just an elective course. You're already paying tuition to come here. Like if you want to learn this, apply and if you meet the requirements of the clinic, which are nothing too cumbersome, you can you can join it.

TAYLOR: This is a little bit of a geopolitical pivot, but I feel, at least in my experience, when I'm thinking of geopolitical cyber threats, it's a very national perspective. I'm thinking, what is our federal government doing to stop this? And you have experience with the Texas Department of Public Safety, which is a state level organization. Who are the largest cyber threat actors in the world today, and what role do state and local police enforcement agencies play in addressing those actors?

FRANCESCA: Sure. So I should clarify that my like views and the sweeping generalizations I'm about to talk and don't reflect necessarily like the views or he stance of Texas DPS or the Strauss Center just so we get any kind of liability out of the way. You all are law students, after all.

One thing I just need to establish is like Texas is nation sized. I think that we forget that sometimes, like, this state has every critical infrastructure sector. It is…the range of threats facing Texans is like cut paste the range of threats facing the United States, just given the size and the scale and the scope of Texas's economy, Texas's infrastructure, so on and so forth. So I think it surprises a lot of people, and it certainly surprised me when I went to DPS that we have, you know, such a huge—I think we're the largest depending on how you define California's Highway Patrol—we’re the largest state law enforcement agency. And we have, I would guess, I don't know for certain, but the largest kind of intel shop, if you will, at any state law enforcement agency.

We have the Texas Fusion Center, which covers statewide threats and then all of the strategic programs and things that I mentioned earlier kind of branch off of the Texas Fusion Center as intelligence functions specifically run by the Department of Public Safetly. So the major threat actors in the cyberspace, the major kind of cyber threats to Texas from a nation state perspective are, you know, the same as on the national level. We have China, Russia, North Korea and Iran, right. And all of their goals, their tactics, their targets in Texas are going to be reflective of their broader strategic aims as it pertains to, you know, undercutting U.S. economic superiority and development. In some cases, pre-positioning for some kind of cyber warfare or cyber-attack, financially motivated in the case of North Korea, right, they are committing cyber-crime against Texans for the purpose of getting money to fund the government, so on and so forth.

So I'll stop there just at risk of belaboring things that have already kind of been discussed and talked about on the podcast. But the other big threat actor group, or all of the little, little ones, if you will, that are not nation state and they actually together pose a very large threat to Texans, so you have cyber-crime groups, right, which are like ransomware groups, those maybe that are state loyal or state sponsored or just unaffiliated with any nation state that are committing fraud, are committing identity theft, are, you know, doing XYZ to get at people’s data and use it in malicious ways. I mean, there are thousands of Texans being victimized by cybercrime every day, and then you also have hacktivist organizations, right? That might seek to take down the Texas government website specifically or target, the University of Texas specifically, which is a state agency as well for various political, you know, motives and means.  And the state of Texas really encompasses working on all of those threats on the Texas level and coordinating very closely with our federal partners, primarily at FBI and CISA, to coordinate threat investigation, or threat intelligence information and coordinate investigations across our agencies.

And then the last really important point I'll make is that when we're talking about a lot of like cyber-crime or cyber threat actors, the landscape is so vast and so diverse that of course, the FBI is doing, you know, everything it can right, but they're going to be limited to, okay, like, you know, this sweet grandmother in Euless, TX, got, you know, $50,000 stolen from a cyber-crime, a cyber threat actor, like that's not gonna rise to the level of an FBI investigation, she can maybe report that to the FBI. But who—grandma is probably going to pick up the phone and call as her local law enforcement. And if they don't have the tools or the knowledge and the cybersecurity space to understand how to actually investigate something like that, the next people they're going to call might be the FBI. But I kind of doubt it. They're going to call the Texas Department of Public Safety, which is their version of the FBI, right. We take a lot of local cases on the state level that rise to kind of the threat level that that we investigate and are in charge of and have jurisdiction over. And then if those cases become big enough, we pass them to the FBI and vice versa. Does that make sense?

TAYLOR: Yeah. That makes a lot of sense. So kind of a follow up to that. The US does have a federalist system, so the federal government and state governments play a very unique role. And my question to you is, how does DPS, specifically but more broadly state enforcement agencies, how do they collaborate at the federal level, and how do they collaborate with municipal or county policing? So state agencies seem to be kind of in this intermediary position where they're handling the things that are more important for the—than the local police force can handle. And yet they still aren't exactly on the big international crime scene like the FBI, for example. So what role did they have in collaborating with both of those other segments of the intelligence agencies?

FRANCESCA: Sure. So it's gonna vary widely depending on like, you know, who, what agency, and like where you are and who you're talking about. But I wanna start specifically with going back to the idea of fusion centers, which were established after 9-11 to de-SILO, if that's a word, and promote so much more cross coordination, not just between local law enforcement and maybe state law enforcement agencies, but also state law enforcement and the federal criminal justice agencies and intel agencies. So these are—DHS sponsored these fusion centers, right? And they're set up all across the country. Texas has the most fusion centers of any state. We have 8 and these are essentially co-ops, if you will, of representatives from all of the local law enforcement agencies within the region that the fusion center covers. Typically there will be some state law enforcement representation within the fusion centers as well, so that they can coordinate. And then there's also, in many cases, particularly for fusion centers that are statewide, like the Texas Fusion Center, there are federal partners from DHS, DEA, FBI, Customs and Border Protection. You know, whatever the threat landscape looks like.

Federal agencies will also staff representatives of those agencies at the fusion centers. So what this results in, just kind of broadly speaking, is a lot more insight into different investigated—investigations and investigative priorities that each of these agencies, you have somebody that you can pick up the phone and call to see if, like, hey, is DHS interested in this? Like, here's a new angle that we just introduced into our investigation that seems like this takes it from a state jurisdiction to a federal jurisdiction, or from a state charge to a federal charge? Is this something FBI wants to pick up? And vice versa, if FBI has, let's say, looking at someone to use the turn of phrase vaguely enough, they might be able to go to, not just their state law enforcement partners, but the local law enforcement partners within that fusion center at which they're staffed, and say, can you pull any investigative records you may have had on this person from the past that can help firm up an investigation and establish a pattern of behavior, or in many cases, deconflict investigations that would have otherwise crossed each other, resulting in, you know, wasted effort on an agency's behalf at best, or what we used to call kind of “blue on blue” at worst, where, let's say, two agencies try to go search—serve a search warrant at the same place at the same time in plain clothes. You don't know that that's an FBI agent also in that house or also knocking on that door. Or something like that. That's obviously a worst case scenario, but in general, fusion centers have been established to and in most cases, particularly within the statewide ones, like I said, proven to be really critical in facilitating a lot of that interagency dialogue, collaboration and partnership, because, you know, I see you every day. I trust you. I know that you, my assigned FBI representative at this fusion center, have my back. You're not just going to swoop in and take all the cool stuff, and I'm never going to hear what happens to it.

And the other note I wanted to touch on from your question is that state law enforcement is in a really unique position, particularly within the context of DPS, I won't speak for every state, where DPS was established to help augment and bolster a lot of these rural areas of Texas where the local law enforcement in these cities are often very small forces. So they might rely on their county sheriff's offices for policing kind of the broader unincorporated county area, which also might be a very small force, and DPS kind of is, was established to be partners with local law enforcement and bolster patrol, do more specialized investigations within a lot of these modern rural far-flung areas of the state. And as the state has grown, expanded, DPS has expanded. We've really tried—or I shouldn't say we anymore. I again, I don't speak for the department—but DPS in my opinion really tries to maintain a good open dialogue and partnership with all of their local police forces, all of their local counterparts.

And that results in many cases in good connections with people in the community, which the FBI might not have, right. There's not enough FBI agent in Euless, probably where I'm from, right, but there is a state trooper, right? That's probably assigned to that area, so they have relationships within the local community that are really beneficial for promoting not just a community idea of policing, but also furthering investigations in many cases. With local collaboration, and then they also in many cases have partnerships with private industry, and particularly when we're thinking about cyber threats to critical infrastructure, critical infrastructure providers aren't exactly going to be super forthcoming with like cyber threats and incidents that have faced their organization because that could impact shareholder value, that could be proprietary information, that could reveal intellectual property. So having that relationship with a local or state law enforcement representative on the ground working kind of a public private partnership with some of these very critical industries in Texas, facilitates and spins up into the broader national goals for cybersecurity resilience that FBI and CISA lead on.

MISHA: And could you define counterintelligence for our listeners, because I'm sure people are familiar with intelligence and what it does, but like counterintelligence is always considered like to be, well, it's just countering intelligence. So many people don't have a firm grasp on it, I think.

FRANCESCA: Sure. So yeah, my first role at the Department of Public Safety was working on counterintelligence issues for the department, so intel is gathering, you know information and typically trying to be proactive about what your adversaries are doing, what tactics, techniques, and procedures are they using, what are they planning, etcetera. Now, they also are trying to gain intelligence on you, right. So you want to make sure you have the protections in place and have shored up your own operation to be as resistant to and difficult for like counterintelligence agents from adversaries, from enemies, etcetera, or intelligence agents to gather information on your organization.

So interestingly, there's like, we, when we think about counterintelligence or thinking about nation states, which right, like we have the FBI counterintelligence squad, let's say dedicated to rooting out Chinese spies in America who are trying to gather information on, you know, American government policies and recruit spies of their own within the American government or what have you. And typically the term has been used on that kind of broader geopolitical competition level. But one other aspect of counterintelligence is what are criminals trying to do to gain information on law enforcement operations. So the program I ran kind of had both focuses of like, how do we shore up Texas DPS as a major target for a lot of you know, enemy organizations? How do we bolster the department's resilience against, kind, of nation state adversaries or competitors looking for an in into the broader federal government into the fusion center, into policing in Texas, into critical infrastructure in Texas.

But a gang member right standing on the corner of the street, whistling or giving some signal when a state trooper is about to drive into that neighborhood? That's a form of counterintelligence. They're gathering information on law enforcement operations and sharing it. It doesn't have to be something like major, sophisticated nation state operation to be counterintelligence. Organized crime groups trying to get gang members, or get people with cartel affiliations to become state troopers, right? We need to be resilient against that kind of threat and you know, work a counterintelligence program from the criminal angle as well. So it can be multifaceted, is really—that's just my long way of explaining, like, when we think about counterintelligence, it's the method of protecting any, you know, manner of your operations against any threats from an intel perspective to it, and that can include not just what we typically think of as counterintelligence. Nation state adversaries and kind of these high level mysterious adversaries, but can also be very low level crime groups, criminal syndicates, gangs, cartels, etcetera, trying to be better at smuggling drugs or smuggling humans or human trafficking or whatever it is that they're up to, right. And they do that by compromising the police force. It's the same concept.

TAYLOR: Kind of jumping back to something that you mentioned, this pendulum swinging from counterterrorism to great power competition. You mentioned the need for Middle Eastern scholars, and we do on campus here, have a Middle Eastern Studies Department, and SlavX is affiliated with CREEES, the Center for Russian, East European, and Eurasian studies. Do you see a role or have an opinion on the role of area studies departments in developing this kind of side of the pendulum swing for the counterterrorism and having that expertise in the region?

FRANCESCA: Oh sure. Absolutely. I mean, I think these departments are so wonderful at bringing speakers and scholars who can really contextualize and distill some of the recent events within their respective areas for students, and provide not just a scholarly view, but probably, you know, a very forward leaning view on, this is how conflicts in this region have, you know, gone in the past. Here are the players in this region. Their different equities, their different goals, their different cultural, like, influences when it comes to managing their affairs and their motives and their conflicts and so on and so forth.

So here's where I think that we should go. Or here's where I think you all, as you know, aspiring national security leaders or counterterrorism analysts or whatever you want to go into, could play a role in this region. So I mean, having that deep regional knowledge is something that the intelligence community has always valued, no matter if it's applied to counterterrorism or applied to great power competition. And that comes out of regionally focused departments, regionally focused scholarship programs and developing experts in those areas, yeah, I don't know. I feel like everyone who studied Russian in, like, the 1990s, after the dissolution of the Soviet Union, was like biding their time during the 2000s and 2010s, right, as the focus was more on Arabic and Mideast conflict and media studies, and now like their time, has come, like that study paid off, for better or for worse, and they are able to contribute so much to the campus culture, to the broader body of knowledge and of work on very dicey issues. So that would just be one example I can think of very easily, of like nobody studied Russian when I went to UT, I bet a lot of us wish we had. You know what I mean.

MISHA: And Francesca, do you think there's enough attention being paid to local counterintelligence efforts, like against the state of Texas or against the local counties or small kind of tracts of population. And what was the state of local counterintelligence before establishment of Department of Homeland Security?

FRANCESCA: Yeah, I mean to be honest and again, it's just my opinion, I think this concept is very new that like, you as Bernie PD, have information that people want to get, I think—I mean, frankly, policing is an industry that can be slow to adapt. So thinking about proactive kind of intel threats when—and this is due to nobody's, you know, fault, right? It's just the way it is when you're used to just like everybody likes the police. I go in, I investigate. Here's like my process. And then I leave and we solve the crime and everyone's happy and I move on to the next case. Teaching that there's potential, like, intricacies from an intelligence and counter intelligence perspective, and that process can be very difficult because you have to unlearn a lot of the conceptions that you might have about the good intentions of the people in your community.

Oh, this person who just came up to me as a cop, asking a million questions about when I do a commercial vehicle inspection. What am I looking for? Am I looking for locks on the trailer? Am I looking for driving records? Am I looking for, you know, something in the wheel wells? And they seem genuinely interested. Well, that person actually might be probing me for very sensitive information that they're then going to share with the criminal organization that smuggles something in commercial vehicles. That's very hard. Human nature is to assume that people are always well-intentioned and, you know, are very welcoming and accepting of police presence in their communities. And I just, I just don't think that that's the case in a lot of local contacts. So. I won't say it's an uphill battle. I don't think that this is the Super Bowl, but I think having more police training involve and implement some counterintelligence training would be extremely beneficial to shoring up defense against those kinds of threats.

Yeah, I feel like I faced a lot of hurdles sometimes going into smaller organizations and giving them examples of like, hey, this person that applied to your police force, you know, actually has this in their background that we did a more, you know, advanced background check on, than maybe you did at the local level and that's okay, that's what we're here for. But they actually don't want to become a cop. This is what they're trying to get from your organization to give to, you know, X person, X threat actor, X group. It's very hard for people to swallow. So I think a lot more work could be done, and I would love to see the counterintelligence program at DPS kind of proliferate across fusion centers. I again, I haven't worked through some time, so I'm not sure, kind of what the state of that effort is. But it's an uphill battle to unlearn some of some of that training, but I think it can be done.

TAYLOR: Absolutely. And in your opinion, what is the proper balance of security versus liberty? This is kind of a.

FRANCESCA: Wow, heavy question.

TAYLOR: It's a very heavy question, but this is a kind of a—twofer, I supose. Does this dichotomy actually exist? Is it possible to have both and then the role of technology in local police enforcement? I've heard of AI being used as a surveillance tool that automatically gathers facial data from pedestrians walking across, and supposedly for benign and positive reasons, but this American intuition that we have is to be a little bit skeptical of technology that can take our information. So what do you think that balance, if it needs to be struck at all, is between security and liberty, how does technology play a role, and what should local and state level police enforcement agencies do to strike that proper balance?

FRANCESCA: Great question. One, I mean, I think it absolutely needs to be struck and I appreciate you presenting it as a spectrum because I certainly think it is a spectrum. And I think at different points in American history we have altered between different endpoints on that spectrum. But increasingly, when it comes to law enforcement, I think we have to keep in mind that this is, you know, a centuries old profession. And I certainly won't say it has it all figured out. But I think in my experience and again, this is just my opinion, the constitutional protections in place for American citizens and the role of state government and, kind of, bolstering and adding to constitutional protections by merit of restricting law enforcement use of AI tools and investigations. Maybe for example, or requiring kind of an additional level of training for anybody who is going to run like a suspicious activity reporting program, for example, which can be very kind of boogie man. Like “I see something I say something” programs are, you know, notoriously questionable when it comes to respecting the privacy of not only the people reporting suspicious activity, but the people being reported on.

I think all this, I think the layers that we have in place are very effective, particularly at larger law enforcement organizations, like everybody has great training, we have great policies in place, we regularly visit and update the policies in accordance with requirements put on us by the state legislature in the case of Texas DPS. And I mean, the fear of God is put into you if you, if you violate those policies, which I think is a wonderful thing. So I mean, I do think it needs to be struck, I think we're at a good place, particularly in a post 9-11 kind of environment where we can, like, really breathe and assess some of the events of the 2000s where maybe we errred a little bit too closely to the security endpoint and away from the privacy endpoint.

But on the local level, I'm not as sure. I think local police departments often take signals from their state police departments, from federal police departments, but there's not as much training. There's not as much revisiting of policies because of the nature of some of these smaller organizations. And so I think again, there's a responsibility on behalf of some of the larger criminal justice agencies in this country to work with and train and operate in a usion center environment with local law enforcement to ensure all of their practices from a civil liberties and privacy standpoint are above board. And that often includes, like in the fusion center network, rolling suspicious activity reporting programs that local law enforcement agencies might have been operating into state programs, which are much more tightly controlled, tightly regulated and so on, and there was a third part of your question I don't think I'm answering.

TAYLOR: I think you answered it all. Oh, actually the role of technology. But I think that that kind of ties in to what you were just saying about the training.

FRANCESCA: You know, I'm not like, a huge technology skeptic, like this isn't something that necessarily keeps me up at night again because I have seen and kind of believe in the guard rails that we have in place. I—that's certainly not to say that there aren't going to be individual bad actors and insider threats within criminal justice and law enforcement agencies that break policies. But I also think there are consequences in place for dealing with those sorts of people. And so with each new technology you know, provided that policies are being revisited and updated and trained on accordingly—and frankly, I mean, a lot of these technologies cost money, which local law enforcement doesn't have anyway, like they're not blowing thousands of dollars on Clearview AI licenses to begin with. I think…I think the oversight mechanisms are in place. And as long as you have dedicated privacy officers and, you know, legal compliance officers in place at kind of the broader levels that everything is brought into alignment for the most part. That’s not to say there aren't challenges. But I'm not. I don't have some, like, crazy paranoid view on this front. I think we actually do a pretty good job from my experience.

MISHA: And Francesca, maybe is the last question of our great discussion. What role does local law enforcement, local counterintelligence play in federal elections? Because that pertains to cybersecurity and is always a hot topic in the nation, but also in the world, and as we head into 2024 elections, that's already been on the radar for news. So like how does Texas and DPS in particular address those threats, if they do at all?

FRANCESCA: Sure. So yeah, election security is mostly handled within the state of Texas. One kind of first and foremost, the first line of defense within the local county elections administrator's office would be about a county clerk's office in some counties, or a literal election administrator who's appointed to oversee the security of, like, polling sites and ballot boxes, and so on and so forth. And then if there are any kind of election security concerns, those are escalated to the Texas Secretary of State's office, who overseas voter registration and election administration on the state level. So in my impression, my experience, law enforcement has not been super involved in election security, at least in this state in the past, but I don't think that that's necessarily prohibitive of a more involved role, and where I think that could come, is particularly on the local level, like we were just talking about counterintelligence in general. People tend to trust their local law enforcement, particularly in Texas, just given the politics of this state. So having a local law enforcement officer present at a polling place, if you are having any kind of second doubts about the security of the election that you're voting in, that can be very helpful. That can be very soothing to know that an officer that you recognize from your local community is at the, you know, polling place or voted there himself. Or something like that to make sure that there's no funny business.

But on the flip side of that role, that could look like intimidation of voters, right? If you don't have that innate trust in your local law enforcement or that local police officer in particular. So I think it's just going to have to be decided on like a local by local basis and a county by county basis depending on, you know, the will of the people that live in those counties and kind of what the general belief in election integrity is in some of these localities. Whether or not law enforcement ought to or should play a larger role in at least the perception of election security, because I certainly don't want to equivocate here, like the elections are secure, right? Like we've audited it, we've done it like there's no problems with Texas elections. But if there is a role for law enforcement to play in that public perception of that security then I think it ought to be on local law enforcement or county law enforcement, depending on their operating environment, to decide what that role looks like.

TAYLOR: Awesome. Well, to close out, do you have any parting words of advice for any of our listeners that are interested in getting involved with cyber counterintelligence security or just more situational awareness about what the world actually looks like in their counterintelligence space.

FRANCESCA: Hmm, great question. I don't know if I'm like, some bastion of great sage advice or anything like that, but when I think about kind of my experiences and my career so far, I would say two things jump out, which is 1. Read the news like every day, like you might think you're busy, you don't have time, like you're embroiled in your school work or your family life, and that's fine. You certainly are. But over the years when you are reading the news every day, you come to understand regional dynamics and technology issues and election security problems with the same level of expertise as any of the journalists who have been reporting on that issue, probably for several years, because especially if you've cultivated a diverse source of news for yourself that you are digesting and learning on every single day, you are getting so much exposure to those issues, whether you consciously know it or not, and you'll be able to have an intelligent conversation. Write an intelligent op-ed. Write an intelligent cover letter. Have an intelligent interview. Something on that issue. Whenever the opportunity might arise. And that's certainly the case with cyber threats. This is something that applies to everybody. You can learn cyber, and who the threat actors are, and what the equities are, and dealing with it, simply from reading the news, you don't have to take some kind of grand PhD program to learn some of that.

So that would be my first piece of advice is just like read, read the news. It will empower you so much in your life and your understanding of the government and then your career in government or cyber, should you choose to seek one. The second thing that comes to mind, and this seems fairly obvious, but we all are lucky to be living and working in a time where you can have multiple careers. Like technically, I left a career in intelligence to be, you know, a professor, technically, right? Or a clinical leader at a university. Those are very different career paths typically, but you can do it. And the way that you do it is by being a lifelong learner and trying to be as excellent as you can be in whatever you're currently doing, so that if the right opportunity or if a different opportunity in a different but related career field comes along, you are prepared for that opportunity.

You know, I didn't get any kind of cybersecurity credential or, again, go to any kind of masters program to take this job. I won't say simply. It certainly wasn't simple, and it's not like I have some silver bullet answer, but I was able to translate my understanding of state of Texas law enforcement and intelligence priorities and cyber security threats to the state into an academic curriculum and program that reaches a broad, you know, and diverse swath of students. And the only way you know, I really did that, was by trying as hard as I could in my previous jobs. And that sounds silly, but it's easy to phone it in, and so I encourage you not to phone it in because you know you never know what opportunity might come your way, and you will be prepared for that opportunity by merit of working as hard as you possibly could have to prepare in your previous role.

MISHA: A lot of people I know are dissuaded from going into anything like, when they hear the word cyber, they automatically think it's something technical or computer science related. So at LBJ school, but also on campus, why they're afraid of kind of even like stepping in and trying it out, you know? But, but thank you for, you know, dissuading those fears.

FRANCESCA: Yeah, I think a lot of people think cybersecurity is like akin to coding or like software development. That's the picture they have in their mind of like, hoodie, hands on keyboard all day. Right. But really, I would say cybersecurity as a profession, when I think of it, are people who are communicating with business leaders about risks, and it requires so many more soft skills or power skills, depending on the term that you prefer, to be successful in this profession. And in fact, I haven't coded anything real like a day in my life, right? Like it's so much more policy oriented. And it's so much more technical oriented, but in the sense of understanding how to properly configure tools. Which might involve a little coding, but it also might not depending on what tool you're picking. So yeah, we try to bring everybody in and show them that there is a cyber role, depending on what your interest, is that matches that interest and that you can pursue should you choose to, and we hope that they will.

TAYLOR: So great, thanks for, again, for sending this out some time to speak with us. And like I said earlier, welcome back to the Forty Acres.

FRANCESCA: Thank you. Thank you guys so much for having me and hopefully this was coherent and helpful to the listeners.

MISHA: But yes, this was fantastic, and I'm sure listeners would appreciate this diverse perspective on things. Because I certainly didn't know that local law enforcement agencies play such a role in cyber issues, or just in general like, that issues that we think are national security related are more locally based as well.


bottom of page