Source: Cyber Threat Intelligence Integration Center, Organization Chart , June 2015. Unclassified. Date: Jan 1, 2016 Archive: ODNI Freedom of Information Act Release.

---

Editorial Analysis

Original analysis by the DriftSeas editorial desk. The complete primary-source document, transcribed from the National Security Archive scan, appears in full below.

A New Hub for Cyber Coordination, 2015

The chart released by the Office of the Director of National Intelligence (ODNI) in mid‑2015 marks the formal birth of the Cyber Threat Intelligence Integration Center (CTIIC). Conceived in the wake of high‑profile cyber intrusions—most notably the 2014 Sony Pictures breach and the 2015 Office of Personnel Management (OPM) hack—the Center was meant to stitch together fragmented intelligence streams that had previously lived in siloed pockets of the intelligence community, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), and law‑enforcement cyber units. The document’s “Vision” statement—"a federal cyber community informed and enabled to anticipate, mitigate, and counter foreign cyber threats"—encapsulates the strategic urgency felt in Washington after those incidents, when policymakers publicly acknowledged that the United States lacked a single, authoritative body to synthesize foreign cyber threat data.

The chart lists a lean hierarchy: Director Tonya Ugoretz, Deputy Director Maurice Bland, Research Director Thomas Donahue, and a Chief of Staff whose name is illegible in the OCR. Beneath them sit three functional sections—Current Intelligence, Analysis Integration, and Threat Opportunity—each tasked with a distinct phase of the intelligence cycle. The “Current Intelligence Section” is charged with building shared situational awareness, a direct response to the “information‑sharing gaps” that the 2013 Snowden disclosures had exposed. The “Analysis Integration Section” promises multidisciplinary, all‑source analysis, reflecting a shift from technology‑focused cyber forensics toward a broader geopolitical framing of cyber operations. Finally, the “Threat Opportunity Section” signals an intent to translate intelligence into policy options, explicitly linking cyber threats to the full spectrum of national power.

The Broader Context: From Reactive Posture to Whole‑of‑Government Strategy

CTIIC’s emergence fits within the Obama administration’s 2013 Cybersecurity Strategy, which called for a “whole‑of‑government” approach and the creation of a “lead agency” for cyber threat intelligence. While the National Security Agency (NSA) and the Department of Homeland Security (DHS) had previously claimed overlapping jurisdiction, the ODNI’s charter for CTIIC was designed to sit above those agencies, providing a neutral platform for coordination. The chart’s inclusion of “ODNI Corporate Resources”—civil‑liberties protection, IT, strategy, publications, and administrative support—reveals an awareness of the legal and privacy sensitivities that have long haunted U.S. cyber surveillance efforts. By embedding civil‑liberties oversight directly into the Center’s support structure, the ODNI attempted to pre‑empt the criticism that followed the Snowden leaks.

Key actors named in the chart—Ugoretz, Bland, and Donahue—were seasoned officials with experience across intelligence, defense, and academia. Ugoretz, a former senior analyst at the CIA, had overseen cyber‑related intelligence products, suggesting that the Center would lean heavily on existing intelligence pipelines rather than reinvent them. Donahue’s title as Research Director hints at a research‑oriented agenda, likely aimed at developing predictive models of foreign cyber behavior, a capability that the National Security Agency had been cultivating under its “Cyber Threat Intelligence” program.

What the Chart Reveals—and What It Hides

Beyond the obvious structural information, the chart’s language offers clues about internal power dynamics. The placement of the “Threat Opportunity Section” after the analytical units implies a top‑down flow: raw data → integrated analysis → policy options. This ordering suggests that the Center was envisioned not merely as a data repository but as an active shaper of interagency cyber strategy. However, the absence of any explicit liaison to the Department of Defense or the White House’s National Security Council hints at potential friction points; those agencies would still need to be persuaded to feed their own classified assessments into CTIIC’s unclassified framework.

The illegible Chief of Staff entry may be more than a scanning error. In many ODNI‑run centers, the Chief of Staff often doubles as the primary liaison to the Office of the Director of National Intelligence, handling budgetary and personnel matters. The omission could reflect the still‑fluid staffing of the Center at the time of the chart’s release, underscoring that CTIIC was in a nascent, experimental phase rather than a fully operational entity.

Legacy: From Chart to Institutional Fixture

Although CTIIC’s public profile has remained modest, its institutional footprint can be traced in subsequent policy documents. The 2018 National Cyber Strategy references a “cyber threat intelligence integration” function that mirrors the three‑section model outlined in the 2015 chart. Moreover, the Center’s emphasis on civil‑liberties protection foreshadowed the 2016 “Cybersecurity Information Sharing Act” (CISA), which codified private‑sector information sharing while embedding privacy safeguards.

In short, the June 2015 organization chart is more than an administrative snapshot; it is a window into a pivotal moment when the United States sought to transform a chaotic, reactive cyber posture into a coordinated, intelligence‑driven enterprise. The document’s concise structure, its choice of personnel, and its explicit nod to civil‑liberties oversight together illustrate how the ODNI attempted to balance operational effectiveness with democratic accountability—a tension that continues to shape America’s cyber policy today.

---