CIA's Cyberdefense: Biggest Problem is Workforce Diversity?

As the CIA makes impressive gains in the cyber world, a top official admits that “diversity” is the DDI’s biggest problem.

Sean Roche is the Associate Deputy Director of Digital Innovation for the Directorate for Digital Innovation (DDI) – the CIA’s first new directorate in more than 50 years. As the digital world becomes more important, DDI is responsible for integrating digital and cyber capabilities throughout all aspects of the CIA. 

“You really need diversity of ideas on solving these problems,” said Roche in an interview with C4ISRNET. “When I look at the workforce we got…it does not represent yet the country that we are defending. There is an inherent danger in not having – especially for disruptive technologies – a very, very diverse workforce.” 

Roche points out that a Russian enemy will act differently than an Iranian, who will act different than someone who was raised in China. “In order to spot this, in order to keep ahead of it you have to have an incredibly diverse team.” 

This season marks DDI’s one-year anniversary, and Roche met with C4ISRNET to discuss the state of the program. Year one has been “nothing short of inspirational,” said Roche. “The teams have collected, enabled, and delivered the widest range of actual intelligence against highest priority threat issues we face as a nation – from counterterrorism, to cyber, to enduring strategic threats. The digital trade craft has increased our ability to execute planning, targeting, operations and analysis with the agility required to achieve results at the speed of mission.” 

Inadequate Cybersecurity 

The next World War, if there is one, will not be fought on the battlefield, but in cyberspace. Many worry that the task of protecting the vast amounts of information contained within the United States is nearly impossible.

The recent appointment of retired General Greg Touhill as Federal Chief Information Security Officer is good news, but leaving the task in the hands of the federal government is not a good idea.  

“I am fairly confident the government can create a strong cybersecurity plan, but I think it will take huge collaboration with the private and academic sectors to make it effective and sustainable,” explains GE Capital Americas’ IT risk leader James Beeson. 

“The biggest issue is the government is so large and so many parts are left to their own devices,” says Rapid7 threat intel lead Rebekah Brown. 

Vice President John Wethington of Ground Labs calls for a restructuring of the government’s current approach to cybersecurity. “The first step will be to take some lessons from the private sector.”

“We need the expertise of the private sector,” agrees Ted Lieu, a Democratic Rep. from California with a degree in cybersecurity. Lieu, who also serves as a colonel in the US Air Force Reserve, insists that “our defenses are not prepared for the world of cybersecurity.” 

Beeson predicts it will take “a major event traced back to a cyber failure that causes multiple people to die” to convince the feds to build a strong cyberdefense plan. 

“We are at war. Cyberwar. And there are real causalities, like the economy,” insists Wethington. 

The government has a lot of work to do, and it won’t be easy. One of the first steps should be to find out what exactly is located on federal servers and “ID the data,” says Brown. 

Beeson insists that we must “build out a team to do a complete and unbiased assessment of our existing capabilities and the maturity of each. This can be lined up against the new solution to determine where the gaps are and assist with prioritization.” 

Before we can proceed, we must first decide who will lead the effort. Should it be the DHS, the Department of Defense, the NSA, or a completely new agency? 

“What would be most effective would be to use a smaller agency that does not have a bad reputation and bring in a private [sector] leader to run it,” explains Wethington. “Technologies don’t trust the government, so it needs to wipe the slate clean with a leader that the tech community will have some immediate respect for.”

Editor’s note: As much as I respect the CIA, it would be nice if their leadership could express a focus on what has been identified as one of the toughest intelligence problems. These statements do not inspire confidence that the CIA understands the urgency of the problem.

As for who should lead this, NSA has the biggest and most expensive tools, however they historically have little regard for the Constitutional rights of American citizens. The CIA has a more mature outlook in this respect but based on the information contained herein, they are not yet fully engaged.  Any capability with FBI and Homeland will have to become very sophisticated, very quickly, something they have been unsuccessful with before. This is a potential trainwreck.