Click here to watch the full discussion from the webinar, From open source to operational security: Integrating OSINT into cyber defense for global missions.
Adversaries are using open source intelligence to target federal missions. And that means agencies face three big challenges: There’s a surge in publicly available data, then there are tools that use artificial intelligence to make sense of that data much more quickly than ever, and finally, there are AI-fueled cyber attacks.
All of these things make it much more difficult for organizations to identify what cyber threats matter, and then validating that data quickly and turning it into actionable intelligence.
That leaves many public and private sector companies asking, how can cyber defenders turn that same data into a defensive advantage? Agencies need to move beyond standalone tools toward building connected intelligence capabilities, improve operational awareness, and strengthen decision making to support mission requirements.
Gharun Lacy, the deputy assistant secretary for cyber and technology security at the State Department, said cybersecurity is not just a technical issue anymore. State has expanded it to be more of an enterprise defense initiative that also is a collective departmentwide action.
“The adversaries right now live in the open. They live just beneath the noise floor and they hide in plain sight. From the cyber standpoint, they leverage public infrastructure. They leverage publicly available internet service providers, so where they are actually staging, prepping, building and doing their reconnaissance is all out in the open, and what they’re banking on is that there’s so much noise out there, as so many people become so reliant on technology, that those signals are going to sit just below that noise floor,” Lacy said on the discussion From Open Source to Operational Security: Integrating OSINT into Cyber Defense for Global Missions. “It’s the reason that the initiatives from DIA and others are so important. Those bread crumbs are there, and they exist, we just have to find them.”
Finding the bad actors is getting harder as the volume of data increases.
AI is not a ‘magic wand’
Kevin Fogarty, the senior vice president and chief technology officer for the intelligence sector at Leidos, said there are at least 10 terabytes of data a day being processed through media platforms, and his firm gets 61 individual OSINT feeds and 150,000 indicators of compromise per day that their cyber team analyzes.
“Artificial intelligence is not just a magic wand. How do you use it to augment the human analyst in what they’re doing and let them operate with the highest confidence so that when we’re executing our missions to protect assets, equities and the cyber infrastructure, we’re able to do that using modern tools and the broadest access to data that we can,” Fogarty said. “We’ve got the ability to orchestrate at a much, much greater scale and much higher velocity today. It’s not a single one-size-fits-all solution, but you’ll have to use certain models and certain harnesses, that is a technology around a model, to help cyber defenders do their jobs.”
Lacy said the State Department is getting better at understanding their data to protect their systems. But partnering with the private sector who already have “cracked the code” to use open source intelligence is an important piece of the puzzle.
“Where the automation comes in is we are extremely proficient at assessing our own vulnerability posture internally, cybersecurity vulnerabilities, physical security vulnerabilities and insider threats. We collect tremendous amounts of vulnerability data from inside our own environment, and I think the key where the technology really helps us,” he said. “But that ocean of open source intelligence without internal context is noise. That’s why we have to take that and enrich it with our own vulnerability information to understand where the actual risk is. Being able to tie that ocean of threat together with the vulnerability means that an attack chain that exists in another environment, in Commerce or Treasury or in another agency, that’s opened up by one vulnerability may produce a completely different attack chain specific to our environment. That’s where actionable comes not just for the defender, but for the disrupter who looks to break an attack chain before the chain is exploited.”
Bringing different disciplines to bear
Eric Miller, the senior advisor for open source intelligence at the Defense Intelligence Agency, said the agency recently established a cyber intelligence center to take more advantage of open source, and that’s something that the agency is just starting to build out as part of its Directorate of Analysis. Miller said the directorate is an all-source analytic element that is trying to get at cyber actors.
“They’re going to be taking an all-source approach to the topic because so much of cyber, writ large, is in the signals intelligence realm,” he said. “We’re trying to make sure we’re bringing all the different intelligence disciplines to inform that, and what we’re really trying to do is develop operationally-relevant information and products that are feeding into the foreign foundational military intelligence and scientific intelligence aspects of cyber actors that are out there. That’s really where we want to be, and where we want the center to be moving forward to the cyber and intel center.”
Like State and Leidos, Miller said DIA is leaning into AI to help address the volume, velocity and veracity of data coming at them.
DIA launched its Digital Modernization Accelerator in March to better understand AI and how to take advantage of it across the entire agency.
“What we’re trying to do, in the trenches if you will, is we’re looking at innovation to leverage AI. We talked about the ocean of data, so how do we sift through tens of thousands of pieces of data or tens of millions?” he said. “We’re trying to leverage AI to help make sense of that. Once we do that, then we now have to get that report out, and that’s another automated process that we need to do, because if we’re creating more products, we need to get it out even quicker.”
Resiliency is what matters
Fogarty said AI can be a great enabler of data context and relationships.
“Things that you would not be looking at normally and that just aren’t a national priority can become a national priority. One small exploit in an open source package propagates through all of our infrastructures at lightning speed, and so using artificial intelligence to monitor those things, to establish the relationships and connectivity, and then alert and potentially act on it,” he said. “In this day and age of automatic patching of vulnerabilities or alerting and tipping and queuing to either kinetic action or defensive cyber action is super important. Even with AI, analysts will be inundated with more and more information. The spigot will only get bigger and bigger. The idea is to quantify that information for them, get it in a format that they can quickly, through their trade craft, professionally understand and synthesize it in order to disseminate the reports and the alerts that need to go out.”
State’s Lacy said giving analysts AI capabilities to make sense of the data and find where adversaries are hiding equates to resiliency of networks and systems.
“We look at AI in terms of decision support for that analyst to identify trends or identify broken trends to point the analyst to the spot where they need to actually put their work in, combine that with automation to automate tickets, automate information flow, automate the conduit between tier one, tier two and tier three analysts, so that that data flows and frees up each one of those analysts to do more actual human analysis,” Lacy said. “That’s how we define resilience, and internally, that’s particularly how we’re looking to deploy both AI and automation to free up our human capital, who are absolutely good at this, and let them do what they do.”
Copyright
© 2026 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.

