WE'RE IN!

Mike Witt on NASA’s cybersecurity mission in space

Episode Summary

Mike Witt, NASA's Senior Agency Information Security Officer and Chief Information Security Officer for Cybersecurity and Privacy, has a long history of public service. In addition to serving 10 years in the U.S. Army, Mike was the director of the United States Computer Emergency Readiness Team (US-CERT) at the Department of Homeland Security and a key cybersecurity official at the IRS. Now, he’s leading NASA’s efforts to secure spaceflight centers nationwide and their missions to the final frontier.

Episode Notes


Tune in to the latest episode of WE’RE IN! to hear more about how NASA balances its out-of-this-world mission with real-world concerns about cybersecurity resulting from increased activity from other space agencies and commercial interests alike.

Listen to learn more about: 

Episode Transcription

[00:00:00] Blake: Hello, and welcome to We're In, a podcast that gets inside the brightest minds in cybersecurity. I'm your host, Blake Thompson Hoyer, and I'm thrilled to be joined today by Mike Witt, NASA's Senior Agency Information Security Officer and Chief Information Security Officer for Cybersecurity and Privacy.

[00:00:16] Mike has an extensive public sector resume that includes a decade of military service and a stint as director of the U.S. Computer Emergency Readiness Team within the Department of Homeland Security. Before we hear the latest about Mike's work securing NASA's critical space technologies and personnel, here's a quick word from our sponsor.

[00:00:32] Blake: Well, Mike, thanks so much for joining me on the podcast. It's great to have you here.

[00:00:37] Mike: Blake, great to be here. Appreciate it.

[00:00:39] Blake: So, tell me what you do at NASA, a day in the life, if you will, and what is the difference between a senior agency information security officer and a chief information security officer for cybersecurity and privacy?

[00:00:52] Mike: Uh, I'll start with the second one first, uh, because I actually kind of get that one quite a bit. So, NASA basically went forward with this position, and they're kind of following out of the Federal Information Security Management Act of 2014. This, uh, the word SAISO, if you will, uh, was actually, uh, put into that law, so that's kind of where they got that language.

[00:01:12] And NASA is, you know, we probably, we have like, ten centers, right, when you start thinking about Kennedy Space Center, you know, and Johnson Space Center, and stuff like that. Each one of those centers also has a center Chief Information Security Officer at those centers that report directly to me, right?

[00:01:29] They're kind of my boots on the ground if you, if you think that they're at the center. So, to designate the difference so that, from my position to the center CISOs, uh, I'm referred to as the CISO for NASA. Right? And then we have CISOs at each of the centers. I'll say outside of NASA, I tend to use the word CISO because that's what people understand and stuff like that.

[00:01:50] But inside NASA, it was really used to designate, the agency level from the individual center levels so that there was no confusion.

[00:01:59] Blake: That makes a lot of sense, and I imagine each center has its own niceties and different little facets that a CISO needs to understand. And so,

[00:02:06] Mike: each center's a little different and got their own culture and their own missions and stuff, right? So, very, very different.

[00:02:13] Blake: Now, cybersecurity might not come to mind for most people when they think of NASA and its mission and its history, which obviously is a storied agency, really, incredible work throughout the decades, but how do you make sure that cybersecurity as an issue gets the attention that it deserves both within the agency and among external stakeholders,

[00:02:32] Mike: No, hey, great question. I will tell you, I had to tackle that on day one coming into the agency. I joined NASA almost exactly eight years ago. The good thing about it was, uh, I had experience working at this level at other agencies before coming to NASA, so it wasn't my first rodeo, so to speak.

[00:02:51] But coming into NASA, it was a different challenge, right? Because, as you kind of mentioned, NASA's all about, you know, like science and space and aeronautics and stuff like that, right? They're not here for the cyber security, right? They're here for, for the, I'll call it the fun stuff, right?

[00:03:05] And so, going in to make sure that cybersecurity was integrated, uh, as part of those missions, uh, especially from a risk standpoint, I really had to go out and engage the leadership at each one of those centers, lean into the leadership across the various missions.

[00:03:24] But I also had to get in at the leadership level of NASA, right, that's the administrator, the deputy administrator, the associate administrator level, so that they understood the importance of cybersecurity and, I'll just say when I joined NASA about eight years ago, what we had to kind of change, kind of some of the ways we're doing, because they were still very much operating from the standpoint of space and, I'll say, the internet, it was friendly, right? And it's like the threats have changed, right? And so it was really just kind of, I'll say, an education part of that. But that also included me doing, and I still do it today, town halls across every center. I've done town halls at every center in NASA where I bring the entire population of people that work there in and brief them on what's going on, educate them, answer questions. Honestly, some of them are hard questions. They're pushing back, right? Because they don't want me stopping them from doing what they need to do in their passion. And so that's kind of where I help educate them.

[00:04:28] I'm part of the team just like you. I'm here to make sure that what you're doing, it's done securely so that, your data is protected, your science is protected and stuff like that. So it's really, it was just really an education along the way to, to make sure that, one, we're partners in this.

[00:04:43] I'm not here to stop you. I'm here to help educate you. And, and honestly, this is about doing risk management. So I've even kind of went so far as whatever it is, the craziest things you want to do in the world, I'm your biggest fan. But, we've got to make sure whatever risk you're taking on, that risk is contained within your environment, and you don't accidentally impact another mission or another part of NASA because of the amount of risk that you take on. And so that's kind of the way I've approached it.

[00:05:12] Blake: I'm sure for any other chief information security officers listening to the podcast, they can relate, even if it's just at the stakes of like an app. Developers want to go build fancy things and do cool things and not have cybersecurity looking over their shoulder being like, wait a minute, you don't do this. Or, that's not secure. So that sounds like that communication and that town hall strategy. And maybe you can replicate that a little bit here for our listeners. What are some of the biggest cyber threats that you're seeing in space these days?

[00:05:39] Mike: Part of the challenge that, especially that we've kind of had to tackle, is the mindset of Oh, well once you, I'll call it, leave planet Earth, you're secure. And everything is good, and again, old mindset from

[00:05:52] Blake: I don't know if I would think that I'd be pretty scared if I left planet earth, but I get what you're saying.

[00:05:56] Mike: Right, but with the communications and stuff like that, kind of the older days of like, Ah, we don't need to encrypt any of this communications, and you don't have to worry about patching anything, or doing any updates or whatever.

[00:06:08] Those days are over. Those threats have changed and stuff like that. We're no longer in space by ourselves, right? There's other spacecraft up there, and they may reach out and touch you, let's just say, right, from an electronic standpoint. So it's really kind of coming at this from the standpoint of really working with our mission stakeholders.

[00:06:28] So they, they understand when you build to go to space, because you're, you're not going up for 90 days. We're sending things in that's going into space and it, let's just say it even goes up with a, a five or 10 year mission. We've got things that, you know, once that mission life, kind of planned life, ends, there's still good data to bring down where, so then we go into those plus years, so it's really trying to make sure that they understand you've got to build in the resiliency, of that mission, plus beyond that mission life because we tend to always take, I'll say, advantage of bonus years. That's the one thing that we kind of really see a lot at NASA.

[00:07:08] Blake: Absolutely. You mentioned patching in your response there, and I covered a couple of those really cool Hack-A-Sat competitions back when I was a journalist reporting for E&E News and Politico. And I learned from those, some of the hackers that were taking a crack at these really, replica satellite pieces of equipment, it really highlighted just how difficult it can be to patch something once it's up in space.

[00:07:29] How do you navigate some of those mission critical updates when you're not necessarily going to be able to just go on a spacewalk and plug something in?

[00:07:38] Mike: Yeah, a lot of it's coordination and stuff like that. We absolutely do the patching in space. I'll just put it that way, the International Space Station comes to mind. We've got people up there, but we've got to make sure that those systems stay up and they stay secure around that. I will share with the audience, if they're not aware, I'll share a little story with you.

[00:07:58] Everybody's heard of the James Webb Space Telescope, one of the greatest creations we've had. It's really cool. The images work any facts.

[00:08:05] Blake: Google it, if you haven't, it's, you'll be amazed.

[00:08:08] Mike: About 96 hours before its launch in French Guiana, there was a vulnerability that came out around Log4j that was impacting the internet. Guess what we had running as part of the infrastructure around James Webb, right?

[00:08:23] Log4j. We had to work with that team, and this is literally like days before Christmas, right? And we had to work with that team. Luckily, that team had done a phenomenal job working with my team and their own cybersecurity team over the previous few years, and we had a lot of really good security built in around that system, and we were able to, I'll just say, put in some mitigations that allowed us to accept that risk of not doing some immediate patching. We built in some mitigations around that, working with the James Webb team. And we were able to launch on time, so there was no delay of launch or anything like that. And then what we ended up doing was, launch plus, uh, 60 days, that's when we actually started to apply the patching around the James Webb infrastructure and stuff like that.

[00:09:17] But really what saved that launch from being delayed was the due diligence of the James Webb team around security. What they did, honestly, the two years prior. That's really what made it a success. And, again, internet, nobody knew anything about it. We were good to go, everything went off good, and we were able to do all of what we needed to do from a security standpoint, launch plus 60 days.

[00:09:45] Blake: That's the thing with these previously unknown vulnerabilities. They can crop up at the most inopportune times. We often complain in the cyber industry of like, oh yeah, it always seems to happen around the holiday. Well, we're not thinking about launches. So that's a whole different, adds a whole 'nother wrinkle into the mix.

[00:10:00] What does mean to the space mission? Kind of an open ended question.

[00:10:05] Mike: No, it means a lot of different things these days, right? I mean, when you go back to, you know, honestly, like 10, just even 10 plus years ago with NASA, right? But NASA did everything, I'll say it, from cradle to grave, right? But now we're using a lot of commercial technology, commercial industry, SpaceX, uh, comes to mind, stuff like that. But also, when you start thinking about the Artemis program that we're developing, right? We're not doing this alone, right? We have the European Space Agency that's involved, we've got JAXA, Japanese, we've got the Canadian Space Agency.

[00:10:40] We have partners now that we're doing this. So when you start thinking about, you know, Gateway that'll go up that's kind of going to be that central point where we send astronauts up to and the shuttle will go down, uh, you know, down to the, to the planet and stuff.

[00:10:54] We've got to be able to have that because other organizations are building a lot of these different vehicles. And if we don't get it right, we've got to make sure that things, when they land and connect and they dock and they communicate, all of that interoperability that you're talking about, it's gotta work. Again, this isn't NASA doing everything cradle to grave, it's us with our partners, and we have to work together to make sure that we have that interoperability connecting between us.

[00:11:25] Blake: The flip side of that is, of course, you are working with a lot of essentially third party entities, whether that's commercial, other governments. How does your risk appetite change with that? And how do you assess risk across such a vast landscape of tech stacks, where you can't possibly go under the hood and peek at every one? How do you go about doing that?

[00:11:45] Mike: Uh, a lot of it really gets into, just like what we do with our own systems, right? We have what's called an authority to operate. So there's system security plans, there's stuff that's built along like that. And then we bring in an independent third party assessment of those systems to make sure that all of the appropriate security controls are in place.

[00:12:04] Or if something is not going to be implemented, right? Because again, we have to, in some cases, accept risk. But it's what mitigations are in place to mitigate or minimize in some cases, that level of risk, so it's those independent third party assessments that we rely on, that help us understand what our, I'm going to call it our initial risk is going into that.

[00:12:28] And then, we do risk assessments going forward. We have those same requirements, uh, on our partners. As part of that, we require those partners to provide us with those third party assessments so that we understand what those risks are and those risks are acceptable. And when you start talking about some of our space partners, that's no different to the way that, the FedRAMP works under GSA with our cloud providers, right?

[00:12:51] We use our cloud providers, whether it's Microsoft, Google, AWS, others, they're bringing in the independent assessors to, uh, independently assess that risk so that we can understand what risk we're taking on, and that's kind of how it works across the board.

[00:13:06] Blake: That's a really good answer. And, it makes sense. Yeah. You can't do everything, but you can. There, there are ways that we've developed to mitigate some of those risks and assess them as, as best we can. And now I would be curious to hear how your position at NASA, you mentioned, you know, this wasn't your first rodeo coming on board.

[00:13:21] How does it compare to your previous InfoSec roles? And I'd be especially interested to hear about your time at the Consumer Financial Protection Bureau, which was essentially brand new when you joined. So you were really starting up a cyber program from scratch. What was that like?

[00:13:35] Mike: So, um, it was funny, uh, so I was actually working at the Internal Revenue Service at the time, and I got a call from the Federal CIO at the time, and it was like, hey, I want to talk to you about an opportunity. I went down to the White House, uh, the next day, and met with the, uh, the Federal CIO and was like, hey, so we're standing up this brand new federal agency out of thin air called, uh, you know, CFPB, right?

[00:13:59] Consumer Financial Protection Bureau, and we'd like for you to help us stand it up as, uh, the first CISO, if you will, for the agency and stuff, right? And so, first I asked him, you know, well, how'd you get my name, right? And stuff like that, and it was, a lot of it was when I had, uh, joined the Department of Homeland Security for the first time for standing up US-CERT, United States Computer Emergency Readiness Team. When I walked in, it was two people and a stand-alone computer at US-CERT, right? So, stood US-CERT up out of thin air as well, so that was kind of how my name came up. I agreed to do it, and, uh, went in for the first year to help them, uh, get everything stood up.

[00:14:36] And there was already some people that were already working to stand up the, the organization and stuff like this. And so when I walked in the door on day one, to CFPB, I was the information security team. That was it. It was me and no one else. Really like you said, I just, it was standing everything up out of thin air.

[00:14:57] It was going in and understanding what we needed there, how we needed to do things. Justifying the budget, justifying how many people we needed, right? Whether they needed to be actual government employees versus, could some of these positions be contract support. This all ties to money, which is the agency's budget and stuff like that. So, having to work with a brand new CIO, if you will, that's trying to figure this out as well. By the way, I will tell you, during my one year there of helping to stand up the agency, I went through five CIOs, right?

[00:15:31] So, while we're basically trying to, we're dealing with even the churn of a new agency standing up and even retaining its own people and stuff like that, recruitment and everything, and trying to, you know, recruit in talent and the right talent. And by the way, while we're trying to do this and recruit talent to come in, this means also there is a brand new HR organization being stood up. We're begging HR, hey, I need vacancy announcements. They're like, we don't have anybody to do that. So we're working to stand up. So it wasn't just, I'll call it, my team or even the CIO team. It was every team within CFPB and stuff like this to stand up. But the good thing about it was everybody came in and just

[00:16:12] running full speed ahead, and it was really good. At the end of my one year, they offered me to stay on full time, to continue and stuff like that. As I do everything, before I take any gig full time, I have a conversation with the actual boss, and that's my wife.

[00:16:28] So we sat down and talked about it. Yeah, we talked about it, and a lot of it was, I mean, as you can imagine, standing up a brand new agency out of thin air, that's not a Monday through Friday, eight to four job. I will just tell you that entire one year run, I had no days off and I typically worked anywhere from 12 to 16 hours a day, that entire year.

[00:16:49] So I will tell you when my detail ended, I went back to, uh, the IRS, I actually took two weeks vacation.

[00:16:55] Blake: I was going to say, I hope so. I mean, it sounds like you're describing bootstrapping a cybersecurity startup almost, really. And

[00:17:02] Mike: It's what it was, yeah.

[00:17:03] Blake: I'm glad you kind of mentioned attracting and retaining cyber talent, 'cause I meant to ask about that. I imagine it was probably particularly challenging at an agency like CFPB where the competition is fierce for that kind of talent that has that specialized knowledge perhaps, or, you know, are able to work in a financial context. But how does your team at NASA attract and retain cyber talent?

[00:17:24] Mike: I will say I'm very fortunate at NASA, because I'm just going to say, NASA's brand and reputation is probably like no other federal agency that I've ever worked for, as far as just, the amount of buzz that it generates, the positivity, the excitement, really,

[00:17:43] Blake: We all wanted to work there when we were kids, right?

[00:17:45] Mike: Right? Especially in our youth, right?

[00:17:47] I mean, there's not a whole lot, when you start thinking about federal agencies or even departments, that gets the youth jazzed up, right? NASA is really kind of in a class by itself. So even competing, I'll say, against other agencies that can even pay more, or private sector and stuff like that, NASA's brand really counts for a lot and stuff like that.

[00:18:09] So that's where I've been fortunate. I will just tell you, whenever I put vacancy announcements out, I absolutely have no problem with people applying. And it is just really kind of rooting through those to identify, you know, who we're gonna actually interview and then who we're actually gonna kind of retain on full-time, through the selection process and stuff like that. It's been much easier with NASA because of their brand and reputation.

[00:18:32] Blake: That makes a lot of sense. And staying on the career point, you served for a decade in the Army. What would you say to former members of the armed services who may be considering a career change into cybersecurity, even those without direct cyber experience?

[00:18:46] Mike: No. I will just say, you know, during my time in the Army, and just so people know, you know, I did IT in the Army, so I just want to put that out there from that standpoint. And, as I was transitioning out of the Army, I actually landed early into a cybersecurity role, if you will. And that's where I just fell in love with cybersecurity.

[00:19:06] I already had the IT, I'll say I was already in love with IT, just in general. But that's where I fell in love with cybersecurity and stuff like that. The DOD, uh, does have a program called, uh, SkillBridge. Soldiers are coming up to transition out of the military. They can join other federal agencies to start

[00:19:26] learning and honing their talent before they actually fully get out of the military, to actually find their way into private sector or their next career from that standpoint. Our OCIO organization, NASA as a whole, but I will say specifically my team, we participate widely in that program.

[00:19:46] I actually have a couple of active duty soldiers right now that are actually working on my team as part of that program around that. But I would just say for anyone that's currently in the armed forces, whatever your passion is, whether it's cyber security, whether it's IT, whether it's something else or whatever, find your passion and follow that passion.

[00:20:08] But I would just say, even from my standpoint, I started about a good year or two before I knew I was going to transition out to start thinking about that transition. You definitely don't want to wait till the last minute and just go, yeah, I'm going to get out of the military and just find it. Where you really need to start 6, 12, even 18 months out, start thinking about that transition itself and stuff like that.

[00:20:29] So that you land on your feet.

[00:20:31] Blake: Well, it's interesting. NASA carries out a lot of important national security supporting military objectives as well, which I think maybe not everybody realizes, even when doing some of the research for this interview, I was kind of surprised by how much, you know, a lot of the research arms of NASA, especially can assist with some of that.

[00:20:47] How do you collaborate with some of those other military stakeholders, we'll say, or even US Space Force, on shared threats and challenges?

[00:20:57] Mike: So we've got a really good relationship with US Space Force. You probably can imagine stuff like that. We do routinely share information back with that. We do routinely just even work with them on general things, just to learn from each other and stuff like that. Them being a newer organization, they did early on work with us from the standpoint of leveraging policies that we had so that they could look at them to see how they could transition them into, I'll say, DOD language, because, you know, NASA's different than DOD, very different than DOD. Our policies are definitely not a one for one the way the DOD would do business, but we absolutely share what we needed to share with them, whatever they asked for, so that they could take a look and try to learn from that standpoint or whatever.

[00:21:39] When you start talking about, um, some of, uh, our centers out there, you might find some where we're either actually co-located on a military installation, or we're adjacent to a military installation. In those cases, we work very closely with those, uh, bases, if you will, to understand not only physical security challenges, right, that's, uh, you know, from NASA, that's another organization that does physical security, but, uh, also out of my office, we work with them to make sure that we work together around any, I'll call it, cyber challenges and stuff like this, and this goes around drones. We've got, as you can imagine, we have drone programs and stuff like that, so we make sure that we follow and we abide by any DOD

[00:22:20] policies or regulations, especially if we are co-located onto a DOD base, so that we don't upset them, right? We need to be respectful of their policies and stuff like that and make sure we abide by what they need to as well.

[00:22:35] Blake: I imagine, yeah, that kind of ups the ante a little bit if your neighbor is somebody with particular military needs, but it makes sense, right? The location, and down to even launch zones and whatnot, I'm sure there's a lot of overlap there. Now I have to ask. Do astronauts have to worry about two factor authentication?

[00:22:53] Mike: Absolutely. We pretty much really take two factor very seriously right now at NASA. We've really made a push over that my entire time that I've been here, leaning into that, even really very much so as you probably saw in Executive Order 14028 that came out a couple of years ago, that the current administration really leaned into around multi factor authentication.

[00:23:14] Uh, so we have kind of done that due diligence as well to lean into that. I want to make sure your listeners don't think that we're actually sending, you know, because in the government we use PIV cards, right? It's like a credit card that you slide in that's got the chip on it. We're not sending astronauts up there, you know, with a PIV card that, you know, that breaks in space and it's like, Oh, you know, we need you to return back home to actually go to the help desk and get a new one.

[00:23:38] We've got other technologies that we've implemented along the way to kind of take advantage of that. Even some of the challenges that we do have around latency, right? So it's not just, you know, you gotta think about latency issues when you start talking about space and stuff like that. And that comes into place when you start thinking about two factor authentication as well.

[00:23:56] Blake: Oh, interesting. Yeah. 'Cause you're 250 miles plus up there. That's a big enough distance to get some communication gaps there. I didn't even think about that. This is why I'm not chief information security officer at NASA. Interesting. Well, this has been a really fascinating discussion.

[00:24:13] Really appreciate your insights. I'm sure our listeners will too. I love the Log4j anecdote. I can't believe that almost tripped up a launch. That's news to me. That's incredible. And kudos to the team who, it sounded like, put in the legwork to make it possible to get that fixed on the fly. We do have one last thing that we ask all of our guests on the podcast, which is, what's something we wouldn't know about you, Mike, just by looking at your LinkedIn profile?

[00:24:36] Mike: Probably the one thing you wouldn't know about me, that you definitely won't see on my LinkedIn profile, is, and I think this is something good for your listeners to hear, I'm from a small, small, small, small town in Oklahoma, three stoplights, right? Grew up, you know, in stuff, right?

[00:24:53] And where I'm kind of coming from this is, is, if a kid from a small town in Oklahoma, with three stoplights, can grow up to become, a CISO at NASA, to live out their dream and stuff like that this is anybody. You don't have to, you know, come from a big city, you know, big Ivy League college and stuff like this, right?

[00:25:14] I worked my way through the military and got out of the military and it's really about finding your passion, putting in the effort to hone your passion, and then basically just working your rear end off, to be quite frank, to do what you need to do. Around that and stuff like that, but again, it's, it's, anybody from anywhere can do anything as long as you put your passion into that and you focus around it.

[00:25:40] Blake: Really appreciate that. That's a great point, and thanks for sharing that, Mike. And thanks again for taking the time out of your busy schedule to join me on the podcast. I really appreciate it.

[00:25:48] Mike: Now, Blake, I really appreciate the invite.