Deborah Frincke and the Need for Diversity of Perspective in Cybersecurity

TOPICS:  cybersecurity   NSA   privacy 
Deborah Frincke
September 20, 2016

Deborah Frincke is the Director of Research at the National Security Agency. As director, Frincke leads the NSA/CSS Research Directorate, with research personnel and world-class facilities in a range of technical fields, including math, physical sciences, cyber, analytics, and telecommunications. In this interview, Frincke talks about her experiences promoting a diversity of perspective at NSA and the need for such diversity as the field embraces new and unforeseen challenges.

Question: Why is diversity important in cybersecurity?

Frincke: Cybersecurity is an enabler—supporting trusted relationships among people, leveraging machines, making sure that data is properly handled, and so on. Diversity of perspective is an enabler, too—for example, making sure that all views are represented in a conversation. Cybersecurity needs to support all people—in all aspects where they need it, in the diverse areas where they live, work, and play, for all populations. That’s why multiple perspectives are important, because this isn’t easy. There is a vastly different range of cybersecurity implementations that will be useful to parents taking care of their children at home as compared to what it takes to support our security-intensive environment here at the National Security Agency—and if we do not involve a broad array of perspectives and populations, we are likely to miss something critical.

Cybersecurity as a practice also has disparate goals, not just one, which is another reason many perspectives and people need to be involved in thinking things through. At NSA, we support signals intelligence, information assurance, and cyber defense activities—and each of these has different imperatives. If you think of these as cat-and-mouse games, it is clear that a winner must understand both the cat and the mouse!By bringing diverse perspectives to think through ways to defend or break a system, you’re more apt to get complete coverage.

Question: Is there an effort you’ve been involved in that was particularly memorable or effective?

Frincke: We created a postdoctoral program that focused specifically on bringing diverse perspectives into the federal government. We specifically devised the program to appeal to the kind of person that wants to support the national defense, and bring their whole self to work. The program has been very successful, with the major challenge being that most participants decided to stay with NSA after their postdoc was over, leaving little room for new applicants. Despite a number of obstacles, we had well over 100 applicants in the first year alone; the program received an award from the Office of the Director of National Intelligence for its success in attracting high-caliber diversity candidates.

Question: You frequently travel for speaking engagements. Do any stand out for you?

Frincke: Early on as Director of Research, I accepted an invitation to go to Doha, Qatar to talk about cybersecurity. I included slides on both privacy and the importance of diversity. I was honored to be present in my official US government capacity and attended without escort. I appreciated the willingness of the audience to listen to NSA discuss cyber, diversity, and privacy. This was itself an experience in diversity; probably half of the attendees were in Western or European attire, and the other half were wearing traditional garb for Qatar. I thought it was important to raise awareness that we/NSA place a premium on diversity in a very public and international way.

I always learn quite a bit at diversity events. I spoke at the SACNAS (Society for Advancement of Chicanos/Hispanics and Native Americans in Science) conference, and in addition to meeting many brilliant young scientists, I learned how meaningful it can be to include whole families in the recruitment process—taking what could be a scary opportunity for one into a matter of pride for the whole family. And of course, Grace Hopper is a terrific event, meeting amazing women who have accomplished so much.

Question: Once you’ve recruited a diverse workforce, what types of efforts are most effective in retaining them?

Frincke: Most importantly, take care of people and help them grow. I am a strong proponent of both mentors and sponsors. Some scientific studies indicate that men may benefit more from mentors, and women from sponsors—I’ve found both to be personally helpful. Another area is opportunity, and in STEM, that means letting people remain technical for their entire career if that is their desire. Something I like about our agency is that we have both senior executives and senior technical leaders. A person can promote into the highest senior ranks while remaining technically focused. That is not universally true.

A third area is to provide a welcoming environment for diverse careers. NSA is large, with many kinds of jobs. We find that helpful since it allows people to move from one opportunity to another, while remaining part of our organization.

Question: In your podcast with Gary McGraw, you mentioned that you were drawn to computer science because of the Morris worm. You wanted to solve a problem, not just play with gadgets. How do you think similar decisions might play out for children today, given social media and all of our interactions with devices?

Frincke: The impact of social media and social engagement may be key for the next generation, particularly with regard to how they think about security. Consider what’s happening now with Pokémon Go. I’d be surprised if many of the people who downloaded the app had any idea as to whether the code was secure. Some obtained code from unofficial websites—with unsurprising bad results! There was also a tremendous amount of collaboration and sharing, and even ad hoc teaming around common objectives (learning the game, competing together).

What’s especially interesting is the confluence of the cybersecurity aspect and the physical gadget, plus the unfortunate aspect of criminality—and this may be what brings people into cybersecurity in the future. We have a tremendous opportunity to rewrite the rules about what’s safe. Not only should one “look both ways before crossing the cyber streets,” it’s probably not smart to be out late at night trying to catch Pokémon after visiting an ATM or venturing into a secluded location. There are other unintended consequences. For example, asking people to respect physical boundaries that are crossed by virtual pocket monsters. The Holocaust Museum asked that people not catch the Pokémon creatures inside, out of respect, and most people would prefer not to have a public PokeStop in their homes. All of these things are part of the ongoing microcosm of cybersecurity of the future. None of these issues rely on fixing one particular application; it is now necessary to consider the psychosocial impacts of apps, unpredicted uses, and the evolution of the associated virtual (and human) society over time.

Question: In your 2011 guest-edited special issue of IEEE Security & Privacy, you wrote about living with insecurity. Has that changed?

Frincke: Cybersecurity is now fully integrated into our homes, our workplaces, and how we deal with our national security. Humanity is beginning to rely on medical devices implanted in people to keep them well. We play games that cross international boundaries, with virtual creatures we can “photograph” in the real world. And we haven’t even scratched the surface of where someone can go with social media. In five years we may well laugh at the impact of a Pokémon Go on society because it has been followed by something bigger, even more integrated. And still, in the midst of all that change, we will need to keep ourselves safe and secure, not limiting our freedoms. Living with insecurity is the way of the future.

A final thought. Life and creativity imply a certain amount of risk, and too much safety can lead to stagnation. We need to be careful not to walk away from technology just because it’s not perfect, or we’ll limit our ability to engage with people or live our lives. We also need to be responsible users and devisers of technology, and be aware of how our work affects the world. We owe it to ourselves to make our creations beneficial, build them to be as secure as possible, mitigate the risks, and then move forward, eyes open.