In this episode of Intelligence Matters, host Michael Morell speaks with Sean Roche, a recently retired senior CIA official who ran the agency's digital innovation arm. Roche, who spent nearly 30 years at the agency, discusses the early internal preparations the CIA made in anticipation of both technological challenges and new opportunities in the digital domain – including the creation of the CIA's first new directorate in more than 50 years. Roche also discusses evolving cyber threats from nation state and non-nation state actors.

Download, rate and subscribe here: iTunes, Spotify and Stitcher.

INTELLIGENCE MATTERS - SEAN ROCHE

CORRESPONDENT: MICHAEL MORELL

Get Breaking News Delivered to Your Inbox

PRODUCER: OLIVIA GAZIS, JAMIE BENSON

MICHAEL MORELL:

Sean, welcome to Intelligence Matters. It is great to have you on the show.

SEAN ROCHE:

Thanks for having me.

MICHAEL MORELL:

There's a lot I want to talk about. But I want to start, if it's okay, Sean, with a couple questions that I know that are on the minds of many of our listeners. The first is, as I mentioned, you just retired a couple of weeks ago. You lived through, as one of the agency's most senior officers, a pretty unique time in the history of the organization.

Let's call it an unusual relationship with the agency's first customer, a president of the United States. Can you say a few words

about the impact that living in this political time that we live in has had on the morale of the workforce at the agency?

SEAN ROCHE:

Michael, I know Washington's all about politics and that's what everybody talks about. But quite frankly, not at the agency. I speak to, and for a time, spoke to every single incoming class of new officers. It was a great honor to do that.

And, having left only three weeks ago, the talk around the water cooler is, "How do we get on this mission or that mission? Or have you heard that someone had a success or someone needs more effort on theirs or more resources?" These events that go on in Washington really, quite frankly, everybody's got their head down in the scope. They're all about mission.

They are not on their cell phones because they're in a facility without them. And it's the mission that's compelling. There have

been times over my career when, for instance, during the peace dividend time, when a Cessna light aircraft crashed on the lawn of the White House. And the joke in this town was it was Director Jim Woolsey trying to get a meeting with President Clinton.

MICHAEL MORELL:

Right, I remember that.

SEAN ROCHE:

The agency, it's never been a better time. We are in a discussions that matter to us with the White House, the discussions about national security, the discussions about intel. And I would offer to anyone saying the morale is down that might be some formers who, for them, they're not in the game anymore. And I guess, it's a little bittersweet to not be in the game so their morale is down.

But boy, the average officer in the hallway, they're amazing. They're talented. We've

record recruiting. Our paramilitary operators going forward, the things they do and the morale that they cause all of us to have by just their courage, I'm sorry, I just don't buy that any of these events have had a change in morale.

MICHAEL MORELL:

I'm not surprised. Speaking of courage, the second kind of current issue I wanted to ask you about is the IC whistleblower on Ukraine. I should say that we only know from media reporting that the whistleblower is a CIA officer. So I don't want you to confirm or deny that. And I know you won't. But I do want to ask you about how folks in the IC broadly think about the whistleblower and what he or she did wherever he or she works in the IC.

MALE VOICE:

The timing on this question's interesting because I would offer that the only reflection and discussion on the whistleblo

wer is that that person, whoever they are, followed the proper procedure, followed the rules. The agency, if anything else, is an agency that follows the law.

The person followed the procedure that's in place, took the steps necessary and, from what's been reported, did a very professional job that used intelligence officer tradecraft to deliver a message they felt was important. And I think what's so vital is the only concern is that that is the whistleblower statute and how it's supposed to be used.

There are others who will claim are whistleblowers and are in fact criminals and thieves and treasonous people, like Snowden, who in this occasion publishes a book and tries to say that he has been a whistleblower. Or others have tried to put labels on people like him and others that would do harm to national security. So I think the only conversation turn that I'm

aware and was part of was let's not hope this term "whistleblower" is applied to people who don't follow the rules and who, quite frankly, seek to do us harm.

MICHAEL MORELL:

I just want to pick up on what you said because I think it's absolutely critical. When Daniel Ellsberg gave the Pentagon Papers to the media, he stood up immediately publicly and said, "I have done this. I've done it because I believe the public needs to know. And I am willing to accept the consequences of what I've done."

Edward Snowden ran off first to Hong Kong and then to Moscow and refuses to come home and face the consequences of what he did. So that's just a little opinion on my part. Sean, let's shift gears a bit and spend a little bit of time on your background. How did you end up at CIA?

SEAN ROCHE:

Over the years, I've been asked that

question. And it was one of those things. Washington's a very small town sometimes. I was serving on active duty in the Air Force. And, like so many times in my career, I had been called into a room and they said, "Hey, we need you to be on this task force. And you're going to be one of the more junior people.

"And the task force is really critical. And you're going to be working really late hours and we need you to do this." And my answer was, "Okay." It turned out that that task force was run by a man named Ambassador R. James Woolsey. And we ran the task force and delivered a report to the president. And it was my first time meeting a director of Central Intelligence.

And then I left the Air Force shortly thereafter and went to private industry to a startup company, where after some time, a short amount of time, I received a phone call and they said, "Standby for the

director's office." And what had happened was there had been a loss of some capability. It was an area that I had worked in, specifically ELINT. And the director said, "Would you be willing to come onboard here?" And I promised my wife it would only be two years. So I left the startup company.

MICHAEL MORELL:

It was on the west coast?

SEAN ROCHE:

Yeah, the startup company was operating out of the west coast and I was their Washington guy. And the idea was to move back to the west coast. And I said, "Honey, we'll only be here for two more years." I was employee number six at the startup. I believe employees number one through 15 have their own island somewhere in the Pacific.

But I've never looked back. And so that's how it started. It was not a life's goal or life's dream. And what kept me there was the amazing people that I had an opportunity to

work with. And the things that I saw them do that impressed and inspired me so much.

MICHAEL MORELL:

So how many years at the agency, Sean?

SEAN ROCHE:

More than 26.

MICHAEL MORELL:

How did the agency change over that time period? How do you think about that?

SEAN ROCHE:

There were aspects of the agency that changed. I would joke with officers that I'd walk through headquarters and I'd say, "Some days, I really do feel like Eisenhower still is president" because there were things that never changed. For a time, we had a library that was a very, very traditional library. And you could walk in the library and really feel like you were on a movie set from the 1950s.

But what never changed was a couple things. Was no matter what was going on in the

world, no matter what challenges we faced, no matter what the topic of the day was, it was never game over. There was never a time when anybody that I ever knew at the agency said, "We probably can't solve that problem."

There were things that changed for the better. I think the agency does a much better job of representing the country as it exists today. And I'm talking about building a workforce that values the diversity they bring and includes them in the conversation. And it was a very different workforce when I joined--

MICHAEL MORELL:

Sure was.

SEAN ROCHE:

--compared to where it is now. I also believe that the next wave of that is being led by the current leadership who are doing a fantastic job. Make sure that every officer has a balance and a resiliency and

that that's built into the agency career and lifestyle. The mission is addictive. Addictive in the truest sense.

And when I was there, multiple divorces were often as, almost proudly as dueling scars. And I think the emphasis now is going to be how do we make sure we have tandem spouse assignments? How are we taking care of our people because the resilient workforce is much stronger?

And one thing also that hasn't changed is the agency keeps getting asked to do incredibly difficult things that no one else can do. And particularly I think about my visits to the warzones where I had the honor of seeing our paramilitary operators go out repeatedly and do what they do year after year, in harm's way. And that just never changes. And it never fails to inspire. That's another thing that never changes.

MICHAEL MORELL:

What's the pitch you would make to a young

person with an S&T background on why they should come work at the agency?

SEAN ROCHE:

The pitch I would give is you can go out and make a whole lot of money and help other people make a whole lot of money. Or you can have a job where you probably can't tell people what you do, much about it at all. But you'll know that you got to do something that challenged you both technically, challenged you from a leadership perspective.

And years from now, there will be some segment of a Discovery Channel episode or maybe it's, a conspiracy theory episode, but you actually know what happened. And you were part of it. These last few years, our talent center has done a phenomenal job bringing, not only people in out of college, but something else that I'm really proud of that's happening is we're having folks who left before a full career and they're

boomeranging back.

But they're boomeranging back with great experience. These are senior people. We have Juliane Gallina, the CIO, coming back from IBM. John Edwards is the deputy chief operating officer coming back out of industry with tons of smarts about how we can solve problems in an agile way.

MICHAEL MORELL:

That's a change, right? That never happened 20 years ago. That's a very good thing. But that's new?

SEAN ROCHE:

That is new. And that demonstrates, hey, we have a rule book. We follow the law. We follow the rule book. But boy, we have a lot of latitude when it comes to hiring. And we can do that kind of thing. Twenty years ago, if you left, you were dead to us. We sat shiva and it was over. And now, it's really

a case of you're a national talent, let us know when you want to come back.

MICHAEL MORELL:

So Sean, you spent much of your time working in the science and technology directorate, which is probably the least well known of the different directorates at the agency.

In an unclassified biography of you for a talk you gave at a cyber conference last year, maybe it was earlier this year, this is what the agency was willing to say about you and the S&T. Let me read this to you, okay? "Over the course of his career, Sean served in senior leadership roles in the offices of development and engineering, technology collection, global access, integrated missions and mission resources.

"He led teams that developed, delivered and deployed satellite and airborne reconnaissance systems, next generation collection platforms, clandestine collection operations and advanced targeting

tradecraft." Wow. That's an interesting list with words that conjure up all sorts of interesting things, but don't provide any specificity whatsoever if you listen to the words closely.

So what I was wondering, and I'm prepared for the answer to be no. And that's okay. Nobody knows that better than me. But are there a couple of specific things that you worked on perhaps earlier in your career that have now been declassified that you can talk about a little bit?

SEAN ROCHE:

Yes. The reference to satellites was a reference to the fact that CIA has a large contingent of officers that are over at the National Reconnaissance Office. And it's located in Virginia. The headquarters is located in Virginia. That's an organization that wasn't even acknowledged that it existed until the '90s.

And in that organization, if you think of

everything that's being done in space today and then say, "What else could be done," that's what that organization does in terms of delivering ISR real-time. Now, some of the things that I had the honor of--

MICHAEL MORELL:

ISR is?

SEAN ROCHE:

Intelligence, surveillance and reconnaissance. And one of the opportunities I had early on was to work on signal gathering satellites in low orbit, satellites. And specifically, ones that collected very faint signals. With them, we were able to do an awful lot of things to understand where people we cared about were, where weapon systems were.

And then also to figure out how capable those systems were. And that is then integrated with military planning. And I was lucky enough to participate in the next generation development of some systems, as

well as some operational use of those systems that was information that was brought down to the White House to say, "We can confirm this is happening.

"We can confirm that these people are in this position in the country. We can confirm they've crossed the border. We can confirm that they're moving at this pace." Or the other, which is they claim their missile has this capability. They claim they did the shot. We have data that refutes that completely." So that was the kind of work I did early on that a lot more of it is known. And that organization, the National Reconnaissance Office, the CIA still has a large presence there. And that organization's still doing phenomenal things.

MICHAEL MORELL:

What's the broad mission of the science and technology director?

SEAN ROCHE:

The CIA is not the CIA unless it has case officers and all sorts of analysts. So the mission of everybody else at the agency is, "What can I do to advance that mission?" Specifically for DS&T, "What can I give the case officers in terms of," for my former job, "What digital tools can I give them?

"How can we help the targeters that help them execute their mission and know who to recruit, how do we give them the right tools?" And that's a wide spectrum of things. How can we provide the all source analyst with insight into how long it would take to reload a mobile missile platform?

And the throw weight of a warhead of a mobile missile? All of these things to feed two groups that really define the agency, the case officers, which we talk about, human and the all source analysts that really build the product that's delivered to the rest of the IC and to the president.

So anyone else, and especially in the technical directorates of digital innovation and the S&T, they're coming to work saying, "How do I do something that people think can't be done, is not being done in the overt space? And how do I satisfy a need that will forward those parts of the mission?"

MICHAEL MORELL:

I just wanted to say one more thing about the S&T. One of the things that I loved doing when I was deputy director was visiting your labs and just walking around the labs and seeing what people were working on and what they were excited about and what the challenges they were facing. And how they were absolutely convinced that they could solve these really tough problems. I loved doing that. It was just a remarkable thing.

SEAN ROCHE:

One of my favorite things to do, the higher

I went in the organization, the more important it was to do this, was to walk the halls. And in case of the labs, was to go hide in the lab for as long as I could until they found me. And the labs, which are worldwide, and what they do, and it's exactly what you said.

I would go in and there'd be someone, maybe with a soldering iron, maybe looking at something through a microscope. Maybe with a large piece of machinery next to him that's an industrial piece of machinery that's highly specialized. And they've maybe got a college t-shirt on and a pair of jeans.

And they look up at me like, "Oh look, there's a visitor in the lab, somebody with buttoned clothes on, a suit maybe. You don't belong, but I'll make sure you don't get, smattered with any stuff." You would ask them what's going on. And the intensity they had about solving a problem.

And the problem they were asked to solve was so bizarre. I said, "Why do you have these on the table?" "Here's the deal. We found out that there's a possibility that if we can do this with this device and put a beacon." I was, "Oh my goodness. How are you going to possibly do that?"

And the best kind of, I'll say inspiring demonstration, of what this workforce can do is on a Thursday night, I would go to my guys and say, "You know what? I just don't think we can get it ready. As good as you guys are, they just tested it and it's not the right frequency, or it emits too much."

"It turns out that they're going to have to use a different platform. This is probably too much to do. I should probably push back, huh?" And it's just a throw down. And the officers just run at it like red meat.

And what happens is you do that on a Thursday and then you say, "Folks, whatever

you need." And literally, there was one team where I just left them my credit card. I said, "Here is my credit card if you guys need food or anything else." So I come back Monday afternoon and there are piles of empty containers from takeout and Panera and everything that could get delivered. And Domino's, you name it. Somebody went and did runs.

And I think three of them were wearing the same clothes because their dedication was, "I'm not going home until this is finished." And sure enough, they had something that wasn't going to be ready on Tuesday, but it was going to be probably ready on Saturday. And it did the job. It was absolutely incredible.

MICHAEL MORELL:

So Sean, in 2015, Director Brennan created the agency's first new directorate in 50 years. So adding to the longstanding operations, analytic support and S&T

directorates, he created the directorate of digital innovation. And John made you the number two in this new directorate. So let me ask you some questions about that. Why was it formed?

SEAN ROCHE:

It was formed out of the recognition that the technology and digital domain was changing so fast that a team dedicated to integrating it into everything we were doing both from an opportunity standpoint and to account for the challenges of the digital domain, that that really required a separate team focused on that.

And, of course, that team works really closely with the rest of the agency. And so what happened was we had the worldwide secure IT that was reporting basically upstairs to the senior leadership. But their digital expertise was really high.

So we combined that with the folks in cyber intelligence, who

execute that mission and do it better than anybody else in the world. Combined with this place called Open Source, that had kind of had been a little bit adrift maybe. But really, that business was exploding in a digital way as well.

And then combined it with the data scientists and created a separate data office just to handle data. So it was not a holding company. It was a really new approach. And I think it was interesting, it was announced and March 6th, 2015.

And the OPM hack was revealed to the world the following month and everything took off from there. The OPM hack was a sonic boom for things digital in that you needed better defense on a network, you needed that knowledge to be in the hands of everyone in the organization, not just the IT team.

There was a cyber intelligence aspect of it. And aspects of CNE, computer network

exploitation, that needed to be discussed and cyber norms. And this exploded into a very, very big conversation. So the timing was absolutely perfect. And people said, "Did you know this was coming? Did you create the directorate to know this was coming?"

It's that we don't create directorates over threat reporting, but the foresight of that. And that was done based on a 90 day panel, of whom one of the members of that is now the chief operating officer of the agency, Andy Makridis. So a lot of really smart people, myself not in that group.

MICHAEL MORELL:

That's not true--

SEAN ROCHE:

Not in that group.

MICHAEL MORELL:

That's not true.

SEAN ROCHE:

Got together for this 90 day study and said,

"This is really what we need to do" and picked Andrew Hallman to lead it, who has now risen up to more senior levels in the IC.

MICHAEL MORELL:

So what was the director's vision? At the end of the day, what did he want this thing to deliver to the agency?

SEAN ROCHE:

First and foremost, he wanted, not a holding company, but an integrated capability that, no matter what the issues were, that it was able to inform the risk calculus. And that's what we do at the agency. Our security teams, our counterintelligence teams, our operations teams in the field, our analytic teams, all of them are using various tools to inform a risk calculus.

And then to figure out what the risk is, whether we should take that risk. And when we're talking about incorporating new technologies, tremendous, tremendous

opportunities. But what normally stopped us was that we were not doing what we needed to do to inform the risk calculus.

And we rebuilt the workforce, we changed the way we promoted expertise in it. It really had the charge to accelerate the adoption and then create the advantage for the agency in the digital domain. And I would offer, stepping back after exactly four years on the job, which is what I committed to, that the men and women of that new directorate have moved light years along with their partners from the rest of the agency.

MICHAEL MORELL:

More to be done?

SEAN ROCHE:

Always more to be done. The pace of change demands really some very different approaches. The biggest thing I would offer is that what is happening outside of CIA's networks on we call it the low side, but on the internet and the expansion of internet

of things and the expansion of just the digital footprint of what data is out there.

Our ability then to operate in that open domain without revealing our hand when we are trying to understand what foreign adversaries are doing, there's a lot more to be done. And again, what's impressive is people of all backgrounds get exposed to this mission, especially these officers we're bringing in right now. And they come back with very different ways of solving the problem. And that's what's most exciting. I think all tradecraft has basically a half life. And the digital tradecraft, that half life is very short.

MICHAEL MORELL:

Sean, I want to ask one more question about this which relates to Director Brennan since he played such a very significant role in creation of the new directorate. In fact, I wanted to ask you about him. There are some voices in our country who have painted him

as a political hack, to put not too fine a word on it. And where have accused him of politicizing the agency when he was the director. You were one of his direct reports. You worked with him every day. Did you ever see him make a decision for political reasons?

SEAN ROCHE:

No. And I led an effort that has not been talked about, is not in my bio. But now there's an entertainment movie out about it called The Report. I led that task force and reported directly to him every day for nine months. It was often seven days a week.

MICHAEL MORELL:

This is the Senate Intelligence Committee's investigation of the enhanced interrogation program?

SEAN ROCHE:

Yes, that's correct. So you had a workforce that was genuinely concerned. You had our president in the White House said, "We're go

ing to release this in the public interest." You had the Senate that had written a report that many would call a prosecutor's brief. And we had to release this and work through it and work those three things.

And there was a nine month negotiation back and forth with a lot of data science and other things with the Hill. They were doing their job. A lot of intense conversations with the White House, including with the president's chief of staff. And in all of these conversations, in all these nine months, a period of time that was where you'd get together at 9:00 at night with five people in the director's office.

And a call from the White House based on a call from the Senate staff, et cetera, or the members themselves. I never heard John Brennan say one disrespectful thing or one partisan thing. And further, he wouldn't allow it. There were times when our tempers were frayed, we were tired.

People were frustrated. This was nine months of agonizing over every single word in that document. And if any of us had even a negative comment about any of the other people we were working with, who were all just trying to do what they felt was the right thing to do, that's the time he would snap at us, say, "We're not going to have that conversation."

I met him when he was working for George Tenet, who worked across parties. Worked in various administrations. I don't know what his political affiliation was because he never said it. I just remember John Brennan when I was a much younger officer, being up on the seventh floor, being in the deputy EXDIR. And if something went wrong, you got a call to Brennan's office, it was very clear what you had to do. You had to fix the problem.

MICHAEL MORELL:

So Sean, I do want to take a little bit of

time here at the end to talk about cyber.

As your role in the digital innovation center, as you talked about earlier kind of put you at the center of the agency's own cyber operations on the one hand, and the agency's need to protect its own systems on the other. So I know you've thought a lot about the cyber threat. And so let me ask you a couple of questions about that. One is on the threat side. How do you define the threat? How do you think about its significance? How do you think about how fast it's evolving? Walk us through the threat first.

SEAN ROCHE:

So for the threat, I would say you have the nation state players. They're particularly Russia, China, North Korea and Iran. And there's a respect for the capabilities that they bring in the cyber arena for sure. What is evolving quickly in the threat is the non nation state and the non nation state

sponsored actors.

And what I'll offer is splinter factions of maybe something that was originally conceived or sponsored by a nation state, now in the hands of another group that has some other aim or objective. And that space seems to be increasing rapidly, which, one of the agency's responsibility as an intelligence organization is to provide not a description of how the hack worked, because that's kind of the forensics of a car accident.

But instead, to really say, "Okay, who did this? And who did this with confidence," the attribution piece. And that's a very, very difficult mission. And it involves an orchestration across the agency that extends far beyond digital.

And this again is where all sorts of analysts and our case officers or the director of operations, they're a very big

part of this, of understanding. Explaining what happened is okay. It's a minimum. It's a minimum standard though. But who did this? And then more importantly, what will they be doing next? What are they intentions?

MICHAEL MORELL:

What are their capabilities? What can they do?

SEAN ROCHE:

Absolutely. So among the digital players, I'd say, and that means cyber command, our partners at NSA, our partners at FBI, et cetera, we are all working with each other. We all have a lot of respect for each other, we all know each other. But then what's different about it and what has to evolve and continue to evolve faster is every officer has to see themselves in part of this space. And what can they do? What are the intelligence requirements that actually drive back to understanding the cyber mission and the cyber threat?

MICHAEL MORELL:

This is a really tough question. If you think back in history, is there something like this that we can compare it to? Or is this a unique phenomenon that we're facing?

SEAN ROCHE:

I don't think that there's any one thing, per se, that we can compare it to because of the non state actor role. The barrier to entry here is very, very low. Very low. So let's take a couple of examples and then offer that no two problems are the same that the agency has to solve, but we can learn from each set of problems.

First, there was the air defense problem that emerged after World War II. World War II, the advent of radar, better and better radar. There were smart people that said, "We probably shouldn't be building more airplanes, we should just launch missiles at each other. An airplane will never get through."

Then someone said, "The agency designed the A12. And, it's faster than a bullet. They're just never going to catch it." The U2 was first, it just flew a lot higher. Then the radars got better. Then the missiles got better. Then the missiles had seekers. Then we made the planes out of stealth.

So that back and forth, now cyber's not quite that, but there's a lot of that in cyber. The back and forth of tradecraft and signature management. And then you have anti-submarine warfare which again, a lot of nuances, a lot of different technology, a lot of different techniques. And a lot of very inventive ways of solving the problem.

And then you have terrorism, where you had state sponsored terrorism. And they had splinter groups. And then you have wannabees and lone wolves. So if you take those three problems which men and women in the agency have contributed over the years, and

especially in our counterterrorism center, what they do is just flat out incredible for every American.

If you take the tradecraft involved in those three and create the organization that learns and adapts as we did for those problems, we can get there in digital. And digital is different. But I think also, another thing the counterterrorism mission has done for the agency, that the agency's done about it, is in the last 19 years the ability of those teams to move quickly and adapt and change the agency teams has had to match the pace of the adversary. And they've demonstrated they can do it. So there's that agility and speed. We've got to borrow from that model as well.

MICHAEL MORELL:

Sean, the other question I wanted to ask about cyber is the defense side. And I know you have something that you call the five Cs of cyber defense. Where'd they come from?

And could you kind of briefly walk us through those?

SEAN ROCHE:

Yes. Actually, one thing I found that I really was doing poorly for the first six months as director was that most of these conversations were with people who were truly interested, but didn't have a lot of background in it. In some cases, they were very senior people who were intimidated by the fact that they did not have a grasp of all of these different issues.

Nobody could, by the way, including myself. So having been a military person and gotten up and briefed everybody from an E1, that's an enlisted private equivalent, to a four star general, to the secretary of defense, came up with something we all remember. And some hooks to have the conversation go into any level, and that's the five Cs. And I borrowed it from the jewelry business a little bit.

MICHAEL MORELL:

The jewelry business?

SEAN ROCHE:

So the five Cs, cut, clarity.

MICHAEL MORELL:

Oh, okay, got you. Got you.

SEAN ROCHE:

I grew up in New York. So on this, the first one is connectivity. What are you connected to? And then you just ask people. "Do you really understand what you're connected to?" And they say, "Yeah, I do." And, "Do you understand your backup path is a Chinese VSAT?" And so there's connectivity, there's configuration. What equipment and what version are you running?

MICHAEL MORELL:

Are you up to date?

SEAN ROCHE:

That's compliance.

MICHAEL MORELL:

Okay, compliance, okay--

MICHAEL MORELL:

That's the third C, compliance. We talk about patching. The major vulnerability today is people don't patch. Within my family, I'm always checking cell phones and, do you have the latest version of the software, to which I threaten to cut them off if they haven't updated the phone because patching's a pain in the neck.

If you can find the box, then you have to patch it. But patching's really becoming [important] because these are, especially in the world of 5G, it's a software defined network. And then there's collection. And collection means monitoring the performance of your network, where it's not doing its job, where it's hanging up, where it's slow, where it's doing something that it's not supposed to do, or where it's about to fail.

And then audit. That's the insider threat of understanding what people are doing on your network. And then finally, the last C is for

culture which, counterintuitive, this is the toughest one. Getting people who used to see those IT guys as almost admin.

Now way back when in the agency, we had the IT professionals run a worldwide, secure network of communications and information technology and all the computers and everything else. They were attached to the administrative bureau, the administrative directorate. Now, that was a common model.

But so on that culture, creating the culture, and it really, really drives some different behaviors. And I did a very poor job the first six months really explaining it. For instance, on legacy equipment. I had no idea how hard it was going to be for people to walk away from legacy applications or legacy equipment.

MICHAEL MORELL:

Because they were used to it?

SEAN ROCHE:

They're used to it.

MICHAEL MORELL:

Comfortable with it?

SEAN ROCHE:

There's an emotional attachment. People said, "They're nostalgic for it." Nostalgia comes from a Greek word meaning "nausea." But what I had to do is I had to change my messaging and change the approach because I wasn't being successful. At home, you're throwing away your phone and throwing away your laptop.

The companies that are doing this best are literally assigning a identically configured laptop and then having them turn it in every 14 months and giving them a new one. We don't typically do that in the government. If it works, we keep it. If five people are still using the application, we have to wait for them to retire or leave.

And we have to break that paradigm somehow. The five Cs was an ontology I developed so that I could go into any level of depth,

depending on who was in the audience, and we could use basic words people could understand. And we would have these little tests.

For instance, the internet of things. The internet of things are commodity devices that now are hooked to your network. And you have them in your homes maybe. Security is not a feature built into them. And they are incredibly unsecure. But people think of it as a device like a blender on their counter.

They've got a human voice activated device on their counter. That's actually in your network now. So your network footprint now is getting more and more complex. We hire a lot of good folks to maintain systems. But in companies and across organizations in the government, we found, they were not on contract to maintain the configuration and know the configuration.

For instance, the fix, if I dive down a

little bit on patching and configuration, if you find a machine that's running Windows XP, the fix for XP is replace. Replace the whole thing. Go grab the machine and put a new one in. There's no patching Windows XP.

And so a lot of the big cyber events that have been reported were systems that, for a patch with existence, it simply wasn't patched. And when you go find out, "Did somebody not do their job?" They couldn't even find the boxes or understand what version, what Cisco security appliance they were running. So the five Cs was just an ontology and a way to start maybe a little bit of education with the discussion.

MICHAEL MORELL:

Sean, thank you so much for spending time with us, for sharing your thoughts. And most important, thank you for your 38 years of service to our country.

SEAN ROCHE:

Thank you, Michael. I just want to double

double down on saying that, again, it was an honor to it's inspired by the men and women who do things that people will never know about. And especially by those folks who go forward and do things that, few people are ever asked to do and few people are actually capable of doing.

MICHAEL MORELL:

Thanks, Sean.

* * *END OF TRANSCRIPT* * *