Curtis Dukes, the NSA official who headed up its cyber-defenders, the famed Information Assurance Directorate, has left the agency — a few months after IAD was merged with the offensive, eavesdropping side of the house, the Signals Intelligence Directorate.
The agency confirmed Dukes’ departure in an email, saying he had retired. The original announcement came from his new employer, the Center for Internet Security.
Dukes, a computer scientist by training, will be CIS’s executive vice-president, the center said, and will run their Security Best Practices Automation Group, which maintains the center’s security benchmarks and controls and develops tools to automate their evaluation.
Dukes’ “three decades of senior executive leadership and his unparalleled track record of pioneering and managing complex cybersecurity products and services make him an ideal leader for the Security Best Practices Automation Group,” said John Gilligan, CIS board chairman and interim CEO. “His addition will accelerate our efforts to provide our nation with effective solutions to address rapidly growing cybersecurity challenges,” he added.
In his new role, Dukes will focus on the expansion of the content of CIS standards and increased adoption of CIS security best practices and standards.
“The cybersecurity industry is about innovation, and CIS is already a well-positioned leader in transforming security technology for today’s increasingly connected businesses,” said Dukes. “I am excited to join CIS,” he added.
Dukes was head of IAD since 2013. In that post, he was responsible for defending U.S. national security networks — IT systems that handle classified information or are otherwise crucial to the U.S. military or intelligence agencies. He also headed up the agency’s response when it was asked to help out the civilian government — as it was for instance following the massive hack of the Office of Personnel Management.
But last year, NSA chief Adm. Michael Rogers announced that IAD would be merging with signals intelligence into a new Operations Directorate — a move labeled NSA21 that many fretted would disadvantage the defenders.
A few weeks later, in an unusually forward intervention for a career official, Dukes made a speech at the right-leaning American Enterprise Institute during which he slammed the Obama administration’s planning for cyber-incident response.
“I’m now firmly convinced that we need to rethink how we do cyber-defense as a nation, possibly even going so far as that we unite pieces of those three organizations [NSA, the Department of Homeland Security and the FBI] into one organization that does it [cyber defense/response] on behalf of the whole government,” he said.
Figuring out under whose authorities an incident response should be run meant giving the enemy a head start, he said. “By the time we fill out the paperwork that would allow NSA to provide assistance, it’s typically days to a week before we can actually respond,” he added.
“Who’s in charge? … By the time we get that all sorted out, we are at a disadvantage,” he concluded.
Prior to heading IAD, Dukes spent six years running the NSA’s Commercial Solutions Center, where he led the agency’s outreach to and relationship with the commercial world of off-the-shelf software.
Dukes earned a master’s degree in computer science from Johns Hopkins University after completing his undergraduate in computer science at the University of Florida.
The Center for Internet Security is a nonprofit that runs the Multi-State Information Sharing and Analysis Center, or MS-ISAC, which it calls “the go-to resource for cyber threat prevention, protection, response, and recovery for state, local, tribal, and territorial governments.”