The Real NCIS: An Interview With Thomas Betro

More than a decade after it originally premiered, CBS network’s “NCIS” is still one of the most watched television shows in the United States. To better understand the nonfictional Naval Criminal Investigative Service (NCIS), the DomPrep Journal’s Aaron Poynton spoke to Thomas Betro, former director of the NCIS and current vice president of national security with NTT Data (a data communications business), on 6 February 2014 in Washington, D.C.

Aaron Sean Poynton: What were your primary and most interesting responsibilities when you served as director of the Naval Criminal Investigative Service?

Thomas Betro: My primary mission was to ensure that the people within the organization had the resources, the training, the information, the environment, and the guidance needed to succeed. Secondary to that, my responsibilities were:

  • To make sure that our resource sponsors and our customers recognized and understood the great work that our people – be it special agents, intelligence analysts, or operational support personnel – were doing; and
  • To emphasize why this work was so important to the safety and security of sailors, Marines and their families, and the civilians they served.

The NCIS mission is to identify, investigate, and disrupt criminal, terrorist, and foreign intelligence threats to the U.S. Navy and Marine Corps – ashore, afloat, and in cyberspace. Each one of the operational disciplines, criminal investigations, counterintelligence, and counterterrorism is critical; and NCIS takes great pride in the work that they do and understand the relevance, importance, and value of that work. I had the pleasure over the course of my 27 years of service to participate in all of the different types of work that we did. Whatever assignment I had at any given time, I always considered that as the most important and critical to the mission, and to the organization.

In the end, I sat in a position where I could interact with and admire the work of all of the talented and dedicated people of NCIS on a daily basis. NCIS, in my opinion, would not be the same organization if we did not have the variety of missions along with a very diverse work force, and if all the people were not performing in harmony and at such a high level.

We had overarching strategic goals of preventing terrorism, protecting sensitive information, and reducing crime. Our leading priority during my tenure, however, was counterterrorism. After the terrorist attack on the USS Cole in October 2000, the Department of the Navy made force protection and counterterrorism a strategic priority, and so did NCIS. NCIS played a very important role in investigating that attack. We saw and experienced the impact of terrorism on the Navy firsthand. All of the other missions fed our ability to execute our counterterrorism mission. Day to day, we wanted everyone to understand that all of our missions were important but counterterrorism was the leading priority.

Poynton: When you were director, what specific efforts did you lead at NCIS that directly contributed to keeping the U.S. homeland safe?

Betro: My role was to assign strategic and mission priorities and, as I mentioned earlier, make sure our people were trained and equipped for success. With respect to supporting homeland security, we contributed several ways. Our overseas missions may have brought the greatest value to the country’s counterterrorism, antiterrorism, and homeland security efforts. We assisted in defending the homeland by taking the fight to the “bad guys” and disrupting them on their turf before they could get to U.S. soil. In addition to the thousands of NCIS personnel who deployed to Iraq and Afghanistan where they conducted counterterrorism operations and investigations, NCIS is a global law enforcement organization – and approximately one-third of NCIS special agents are located overseas at any time. NCIS has been operating daily in and around foreign ports for decades and has built not only a deep understanding of the maritime domain, but also strong relationships with foreign law enforcement and security organizations that operate in those areas.

In the early 2000s, after the attack on the USS Cole, we began to understand how these relationships that had served our local criminal investigative and counterintelligence missions for so many years could be leveraged to gather intelligence that could support not only NCIS’s counterterrorism mission, but the broader U.S. counterterrorism effort to defend the homeland as well. The maritime domain, in particular the international shipping that operates in it, represents a huge opportunity for terrorists to move contraband, money, and people around the world – including into the United States.

NCIS was and is well-positioned to gather critical intelligence and conduct counterterrorism operations in the maritime domain and overseas, all of which contributes to the security of the U.S. homeland. In the United States, we contributed to homeland security on a daily basis through our own investigations of suspected terrorists, and through our participation in FBI [Federal Bureau of Investigation] Joint Terrorism Task Forces, as well as numerous joint task forces at the state and local levels.

Poynton: How has the use of technology helped NCIS conduct its mission, especially when it comes to forward-deployed forensics and exploitation?

Betro: Technology has fundamentally changed the way that NCIS and most other law enforcement and intelligence organizations do business – from headquarters to the far ends of the world where “the rubber meets the road,” so to speak. Technology is woven into every process and every action that NCIS agents, analysts, and support personnel do everyday – from the front end on the operational side with evidence collection to computer software and hardware that analysts use to process information and conduct data analysis. This is particularly true in the area of forensics, cyber forensics, and digital forensics.

There is not one single investigation that NCIS works today that does not have a digital component – not one; whether it is a computer, tablet, cell phone, camera, or email. In every instance, there is a need to understand the digital environment and the digital trail of evidence available through the use of modern technology, and to take advantage of all that information in a legal and productive way.

One good example of how technology affected operations when I was director was how it enhanced our ability to safely and effectively accomplish the mission in combat and combat-contingency environments. For example, in Iraq and Afghanistan, there would be crime scenes that were in hostile environments off base. Because of the dangerous nature of the environment, a security detail of Marines or soldiers would have to escort our personnel to and from the scene, and would stand guard while our people were at the scene.

Obviously, due to the threat of attack, we did not have the same amount of time as we would in noncombat environments to conduct crime-scene examination. We could not put up the crime scene tape and secure the scene and possible evidence for days. In these cases, we would put a mission plan together that would determine the amount of time on scene; sometimes we were lucky to get only a few hours. This does not mean the investigation, collection, and processing was any less important; rather, we relied on the technology and it enabled us to develop procedures that allowed us to get to those scenes, document and process the scenes quickly, and get out safely, without sacrificing the quality of the examination.

When I look at what gaps exist and where the potential is for industry, it is in the area of “big data.” Technology has allowed us to gather more information, in more different forms, than ever before. It is becoming harder to find the important bits of information, rapidly, in that large reservoir of data that is collected. Synthesizing all of that data and processing the data into a form that is searchable and analyzable are challenging. We have made great strides, but there is more room to grow solutions in that area.

Poynton: In 2008, the U.S. Department of Defense suffered the worst breach of cybersecurity in history. As a result, the Department of Defense dramatically increased focus on cybersecurity. Cyber is now one of several core mission areas of NCIS. What is NCIS’s role in cybersecurity?

Betro: People use the term “cybersecurity” broadly, but there are many components to cybersecurity. NCIS is not directly responsible for cybersecurity. By that I mean, NCIS is not responsible for information assurance. We are not responsible for hardening the networks; we are not responsible for software being secure and clean; and we are not responsible for ensuring that firewalls were in place. NCIS operates in cyberspace while fulfilling its primary missions of law enforcement, counterintelligence, and counterterrorism.

Under its criminal investigative hat, NCIS investigates actual or attempted hacks into DON [Department Of Navy] Networks and crimes conducted in cyberspace. From a counterintelligence perspective, NCIS was responsible for investigating suspicious and/or illegal activities occurring on DON Networks that might be attributed to foreign intelligence services. We endeavored to find out: Who was behind the activity? What tools and techniques facilitated their activities? What were the networks and/or the information they were interested in and why?

Poynton: Edward Snowden, Robert Patrick Hoffman, Nidal Hasan, and Aaron Alexis are recent notable examples that demonstrate how some of the United States’ most significant threats come from within. How do you assess the insider threat and what efforts did you undertake at NCIS to mitigate this threat?

Betro: The concept of insider threats is not a new phenomenon. Use espionage as a great historic example. Go all the way back to the revolutionary war and Benedict Arnold. George Washington himself was certainly aware of the harm that could be caused by a trusted insider. More recently, Robert Hanssen and Aldrich Ames are notable examples of the damage insiders with authorized access to information and IT [information technology] systems can do to harm national security.

The wide adoption of the term “insider threat” was initially driven, in my opinion, primarily by a concern about the harm that a trusted insider could do to national security in the digital Internet era. The horrible tragedies at Fort Hood [Texas, 5 November 2009] and the Washington Navy Yard [D.C., 16 September 2013] have opened our eyes to the physical harm that can be perpetrated by a so-called insider. As a result, people who were not thinking about an insider threat before are thinking about it now, and they are thinking about it in different ways than just espionage, which is a good thing.

There have been procedures in place at select agencies for decades to try to prevent insider threats. Procedures such as polygraph examinations and background investigations have been geared toward preventing insider threats. Although, it should be noted that Ames, Hanssen, and even Snowden all had background investigations and polygraph examinations. Now, many organizations have software tools that enable automated monitoring of computer activity by employees and alerts to anomalous activity. Of course, a balance needs to be struck between security and privacy. Even though in most instances, in both the government and in the private sector, employees agree to be monitored as a condition of employment, the minute an agency actually does that and the employees find out about it, they usually are not very happy.

The concerns about insider threats have driven high-level policy changes as well, such as the requirement for federal departments and agencies to establish formal insider threat programs. The intent of these programs is to ensure there is a concerted effort to understand the environment in order to be able to reasonably detect indications of a possible insider threat.

Poynton: An NCIS agent was the first to respond to the September 2013 mass shootings inside the Navy Yard’s Building 197. Are NCIS agents adequately prepared, trained, and equipped to respond to such attacks?

Betro: First, let me say, from what I have been told, the NCIS agents on scene did a fabulous job and I give them tremendous credit for the courage they displayed to go in there – in that huge building, with no sense of where the suspect was or how he was armed. These agents were not part of an active-shooter response team or a SWAT [Special Weapons And Tactics] team, they were, more or less, just first responders who wanted to try to save people’s lives at the risk of their own. They could have waited for the arrival of the heavily trained, armed, and equipped active-shooter teams, but they knew every minute could possibly result in the death of another innocent victim. So, they went into the building. They exhibited tremendous courage.

Most NCIS agents have a certain degree of tactical training, but they do not go through specialized SWAT or active-shooter training; typically, while carrying out their day-to-day duties, they wear a suit and carry only a handgun and handcuffs. All special agents are issued bulletproof vests, but they normally are not worn unless the agent expects, in advance, that he or she might find themselves in a tactical situation. NCIS special agents go through rigorous firearms and unarmed self-defense training at the Federal Law Enforcement Training Center [Ga.]. Much of NCIS’s tactical training is geared toward effecting high-risk apprehensions or executing search warrants in dangerous situations. In many of these cases, NCIS plans ahead of time and executes that activity when they are prepared for the mission – they are equipped and armed properly, and have conducted dry runs. This base level of tactical training is consistent with most federal law enforcement organizations.

Teams that are specifically trained in active-shooter or SWAT tactics are best to respond to these incidents. I think it is important to note that NCIS is not a traditional first responder law enforcement agency. NCIS special agents are investigators who generally respond to scenes that have already been secured by responding uniformed police officers or military personnel. However, as you can see from this event, everyone has to be prepared to become a first responder to an active-shooter incident. It is a mindset change now. The agents involved will likely tell you they never expected to be engaged in such an incident.

I believe the current director, Andrew Traver, has already begun to take steps to change the way agents and the organization are prepared to respond to events such as this. I believe there are new training courses that the director is pursuing to advance that level of tactical training. The director is widely examining equipment, training, and policy, and there will likely be some changes to enhance readiness posture. After a rare and tragic event like this, you review, assess, and make changes; you also strengthen and sustain what has been validated and worked well.

Poynton: International maritime piracy remains a significant threat on the open seas. One of the most noteworthy cases is the April 2009 hijacking of MV Maersk Alabama, which occurred during your time as NCIS director and was recently dramatized in the film “Captain Phillips.” What role did NCIS play in that incident?

Betro: NCIS plays a major role in collecting intelligence against pirates, investigating acts of piracy, and supporting prosecutions of pirates. Special agents work aboard U.S. Navy ships that are tasked with defending the shipping and the maritime industry against pirates.

With MV Maersk Alabama specifically, we went to the crime scene of the lifeboat where Captain Phillips was held and the pirates were subdued. We did a full crime-scene investigation and gathered evidence to support prosecution – forensics, interviews, and interrogations. We also had to assist in determining legal jurisdiction – where would a case be prosecuted? Many factors were considered, but the surviving pirate, Abduwali Muse, was ultimately brought to New York for prosecution. The charge of piracy carries a mandatory life sentence without parole but, in a plea deal to lesser charges, Muse received a 33-year sentence and is currently serving time in a U.S. federal prison.

NCIS also recently supported the FBI and members of the Joint Terrorism Task Force in the investigation and prosecution of Somali pirates for acts of piracy [in April 2010] against the USS Ashland. This represented the first conviction for piracy in Norfolk [Va.] in more than 150 years. Although there have not been enough prosecutions of pirates to build a dataset to determine if these prosecutions deter piracy, pirates should be warned – if you commit an act of piracy, NCIS will investigate and support prosecution against you.

Poynton: In addition to your work as vice president at NTT Data, I understand that you recently became an advisor to Governor Thomas Ridge’s Flag Bridge Team. What does that role entail and what do you see as the best opportunities for the maritime industry to enhance security?

Betro: The maritime industry today is so critical to the world economy, especially in the era of just-in-time shipping and globalization. Threats and vulnerabilities to the industry are both internal and external. Like all logistics businesses, there is an emphasis and a business need to keep things moving. In that busy environment, shippers are subject to a lot of criminal activity and fraud. Companies are not always equipped to deal with those things and the tendency is to write them off. Hundreds of millions of dollars each year are lost because of criminal activity and fraud. The other set of threats is external, such as piracy or terrorism. Pirates and terrorists will prey on the vulnerable open waters and exploit the maritime industry for financial gains, such as ransoms or ideological advancement using terrorism.

There is help available from industry experts; companies do not have to be distracted from their core competencies. There are proactive ways to reduce the criminal threat and save money while continuing to run the business smoothly and uninterrupted. I agreed to be an advisor to Governor Ridge in maritime investigation and security because I recognized that some of the resources available to help solve this problem could be former NCIS experts who spent their entire lives in the maritime domain conducting investigations and performing security and antiterrorism operations; they understand that domain and the environment. Governor Ridge also recognized this and added that capability to his maritime bridge to enhance his offering to the maritime industry to prevent terrorism and reduce crime with the industry’s leading professionals.

Poynton: Lastly, while serving as Director of NCIS you made a cameo appearance as “Agent Betro” on Season 5, Episode 4 of CBS television’s show NCIS. How much is the show like the real thing?

Betro: I am a big fan and I think it is a great show. You are right – I did a cameo scene, but my role only entailed fetching coffee for Mark Harmon. The show is often based on real cases but, on the other hand, it is entertainment. Like most entertainment, it reflects real life but many aspects of the show are fictionalized and dramatized. The television show does a good job in taking the real types of investigations that NCIS works and spinning them into a very entertaining portrayal of real life. Sometimes this includes accelerating the ability to do certain things that take a lot of time in real life. The things they do in an hour to solve a crime, such as cyber investigations and laboratory analysis, can take days or weeks; it is a more drawn out process to collect and analyze the evidence and report the results.

My other observation is that the television show has individuals that do everything. The real-life NCIS has a lot of talented agents, but many of the functions performed on the show are performed by several different people – specialized professions with tons of education, experience, and credentials. Lastly, and I am asked about this frequently, we do not have our own morgue at NCIS. We use the city and federal facilities and external resources. The ability to go to the basement and have an autopsy done is not real. We do attend autopsies frequently, but not in the basement of the NCIS office.

I can tell you first hand, the show cast and crew are great people and strive to keep the episodes as realistic as possible. They spend time with real NCIS agents and are in close communication with the NCIS communications director. The television show has certain agents and former agents they have worked with over time to add realism in the way the show describes and says things – using much of the actual jargon that you would hear on a typical day at the real NCIS. Either way, real or dramatized, I am glad that the U.S. public gets to see and understand the hard and sometimes dangerous work our agents perform on a regular basis to keep the Navy, Marine Corps, and the citizens of the United States safe.

Thomas A. Betro served as the director of the Naval Criminal Investigative Service from January 2006 to September 2009. Since joining the NCIS in 1982, his assignments have included such unique missions as “Special Agent Afloat” during deployments of the aircraft carriers USS John F. Kennedy and USS Enterprise. Following an appointment as the acting national counterintelligence executive, he returned to the NCIS as assistant director for counterintelligence and was subsequently promoted to deputy director for operations. He holds a BA from Colby College and an MA from the Naval War College. His numerous honors include the Presidential Meritorious Executive Rank Award. Today, he serves as vice president at NTT DATA and advisor to Ridge Global’s Flag Bridge strategic maritime team.

Aaron Sean Poynton (pictured at the beginning of the article) is a guest writer for the DomPrep Journal and the director of global safety and security business at Thermo Fisher Scientific. Previously, he served as a director at Smiths Detection, a global technology company in the defense and homeland security markets. Before his civilian career, he served in the U.S. Army Chemical Corps and Special Operations. He is a graduate of the Johns Hopkins University Army ROTC program and holds a bachelor’s degree in economics from the University of Maryland UMBC, a master’s degree from the George Washington University School of Business, and a doctorate in public administration from the University of Baltimore. 

Aaron Sean Poynton

Aaron Sean Poynton is the director of global safety and security business at Thermo Fisher Scientific. He has served in various leadership positions with companies in the defense and homeland security markets over the past 10 years. Before his civilian career, he served in U.S. Army Special Operations and as a CBRN Officer. He is currently enrolled at Duke University’s Fuqua School of Business Global Executive MBA program. He’s a graduate of the Johns Hopkins University Army ROTC program and holds a bachelor’s degree in economics from the University of Maryland UMBC, a master’s degree from the George Washington University, and a doctorate in public administration from the University of Baltimore.



No tags to display


Translate »