Things could have been very different for Laukik Suthar. The chief information officer at the United States' Naval Criminal Investigative Service (NCIS), he is part of an organisation that has operations in more than 140 countries worldwide.
A civilian federal law enforcement agency that supports the Department of the Navy, NCIS investigates felony crime, prevents terrorism and protects secrets for the US Navy and Marine Corps.
As CIO, special agent Laukik Suthar is an expert on information technology and cybersecurity strategy. He also oversees information operations and development, data security, digital infrastructure and related initiatives to support law enforcement and counterintelligence investigations and operations supporting NCIS headquarters, its 19 field offices, and 191 satellite locations overseas. In recent years, he played a key role in the cybersecurity review that showed what the US Department of Navy needed to do to prepare itself for any potential future war.
But before joining NCIS, Suthar had once considered medicine, with ambitions of becoming a doctor. September 11th, 2001 changed everything.
"I was pre-med," he said. "My family came to the States in the mid-70s from India and my brother became a doctor. My parents want me to be a doctor or an engineer. So I did pre-med, but also was taking computer science courses since high school. I was programming since the early part of my childhood. I just loved it."
That love of programming had led him to an internship with the NASA programme, which virtually guarantees a job with NASA when you complete it. “We were going to go do the programming of satellites,” he explained.
Then came September 11th and the attack on the Twin Towers in New York, and the Pentagon.
“9/11 changed that perspective for me,” he said. “It changed the way I was looking at things and it really had to go back to giving back to your country. I needed to do what I could.”
A chance encounter at a job fair set him on the path to his current role. “I was walking out of a job fair, and saw this sign that said NCIS. There was no show, nothing like that.”
It piqued his interest. “I interned, didn’t go to NASA, and I fell in love with it,” he said. “I liked it, because it focused on the war-fighter. They were going to go into harm’s way; I think the world already knew that. I wanted to bring my skills to an organisation that can protect them because that’s where I knew where my calling was.”
He describes the NCIS as having a “unique mission”.
Rather than head straight for his first love of computer science, Suthar deliberately did not go into the NCIS’s cyber or IT work at first.
“I wanted to get the foundations of how to become a special agent,” he said. “I did a lot of investigations: murders, rape, burglaries, and really got a good understanding of interrogation, interview, the skill sets that you gain, how you use it in the real world. What I say is you extract information from people so you can make sure that the Department of Navy is a nice sharp sword. Readiness and lethality; that’s what you want.”
Those skills have been put to good use on many occasions over the years as Suthar moved up through the organisation, working alongside other agencies such as the FBI Taskforce, overseeing digital forensic investigations, and moving on to head up cyber operations field offices. It involved moving around the US and further afield, including one memorable four-year stint in Hawaii.
“It’s taught me to stay calm during really bad situations. Because if I didn’t, then I would have not been able to deliver my second child in the Federal Building, where my wife was working as a lawyer because we didn’t make it to the hospital,” he said.
Then came his appointment to the CIO role permanently, just prior to the Covid-19 pandemic hitting the world. “It’s been eye opening because when I got into the job, we didn’t have the pandemic. Months later, I had to get the entire agency ready to be remote working,” he said. “Not only do you have to change culture and you have to ensure that the technology is ready for it.”
It was, he says, a big shift for him. “Now I’m on the defence side, making sure that information is at [our agents’] fingertips wherever they are, or wherever they’re in the world. Because we’re everywhere around the world.” Data, he says, is key. It’s behind every decision they make; making sure that information flows, but that there is also balance in risk, and a proper assessment of those risks. “There’s always risks on either side, but understanding the risk – that just comes with experience.”
Over the years, Suthar has built up a formidable reputation as an expert in cyber security. He is in Dublin next month to speak at Zero Day Con, the conference that brings security experts together to discuss the latest threats and strategies in information security.
It is due to be held on March 10th in the Convention Centre in Dublin, the first time it has been held in person for two years. It will also be Suthar's first time in Ireland, and marks a return to business travel that has dropped off in recent years.
The conference will also hear from Mark Russ, NCIS deputy director of operational support for NCIS; Donna Creavan, director of corporate services with the Irish Prison Service; Garda Detective Chief Superintendent Pat Lordan; and a host of industry experts from IBM, GetVisibility, Sitecore, Fenergo, Microsoft and ThreatLocker.
“One thing you’ll hear me speak about, one of my favourite terms, is EVA. It is a very simplistic way to understand what we look for when it comes to investigations, or what every organisation should be looking at and how we should be building our relationships,” he said. “EVA stands for exploits, vulnerabilities and access vectors. One of those three is going to impact an organisation no matter what. You’re going to have an exploit that hits you and you might not know the vulnerability it hits. You will have vulnerability and it’s been waiting; and access vector, you don’t know where they come from. So that information is key to being successful in understanding an investigation.”
The conference is coming at a time when the word “unprecedented” has been bandied around so frequently, it has almost lost all meaning.
But these are unprecedented times. From new technologies to new security risks, to geopolitical tensions and a rapidly evolving regulatory landscape, cyber and business risks are in flux. The threats are global, and becoming increasingly sophisticated.
The fight may have evolved a little from his early days as a special agent, but those skills Suthar had spent years honing are in need now more than ever. An explosion of malware attacks targeting everything from healthcare facilities – as Ireland saw with the HSE ransomware incident in May 2021 – to government agencies, as with the Solarwinds attack in 2020, has brought home the vulnerabilities of our increasingly connected lives.
His personal use of technology is considered. He drives a Tesla. He uses Snap but not Facebook – although he has an account on the Meta-owned platform. He deals with the same concerns as the rest of us about his children's relationship with technology and social media – specifically striking up relationships with people who they don't know in real life.
“One thing I figured out is I always thought that new generations are better at technology. I’ve come to slowly realise they aren’t; they’re no different. That was a hope for me to say they’re going to be better than what we have, but it’s not a generational issue. It’s an education issue,” he says.
Suthar compares it to driving a car. “You drive your car; but do you know how to change the batteries? Do you know how to change the oil? You know how to move it, you know how to go forward. If you use the iPhone, you know how to do basic things on your device, but if you understand the cybersecurity side, you understand the ins and outs of that vehicle,” he said. “I use that understanding because what it comes down to is education. We need it. We need to teach people how to use the technology they have, but understand if you hear that noise or you see this or you recognise this, what you can do is to be preventative.
“Make sure you change your oil. If you change your oil every 3,000 miles, you’re not going to have this problem. It’s going to be too late when you do.”