Industry offers hope but with a caveat.
The U.S. intelligence community may be a beneficiary of increased government funding for cyberspace, but it is facing considerable acquisition challenges before it commits to spending money in that pipeline. The intelligence office in charge of acquisition and technology is striving to establish a new relationship between badly needed research and development and the delivery of new systems to its customers.
These issues range across the entire technology acquisition realm of the intelligence community. However, cyber technology in particular places a different emphasis on acquiring and moving new systems to the customer. Industry may offer some solutions, but it may not be able to deliver the right systems quickly enough to suit the dynamic needs that characterize intelligence requirements.
The Office of the Director of National Intelligence’s (ODNI’s) cyber goal is “data finds data at netspeed,” offers Dawn Meyerriecks, deputy director of national intelligence for acquisition and technology and director of science and technology at ODNI. However, the intelligence community does not know how to achieve that goal yet. The private sector ultimately may provide the solutions if the community can work effectively with it. In terms of information security, many of the intelligence community’s cyberthreat issues are similar to those faced by the commercial sector, she notes.
The White House Office of Science and Technology Policy (OSTP) has committed to boosting cyber spending substantially—by several billion dollars—beginning in the fiscal year 2012 budget. The OSTP spending areas have not yet been determined, but this spending is not focused exclusively on the intelligence community. Meyerriecks adds that the ODNI wants to ensure that its own observations are incorporated into this funding.
Along those lines, the ODNI has compiled a list of seven “game changer concepts” for cyberspace. These seven are: to enable sub-spaces in cyberspace to support different security policies and different security services for different types of interactions; to deploy systems that are both diverse and mutating, which would create a moving target defense; to provide a scientific framework for economic incentives to cybersecurity; to provide cyber public health policies and capabilities; to provide increased understanding in cyberspace; to establish sharable data sets as a basis for collaboration and results verification; and to develop the technical means to establish a rich set of trust fabrics and the analytic and risk management technology needed to support decisions in a complex trust environment.
Commercial industry far outstrips intelligence community information technology investments, Meyerriecks notes. Her office must be a catalyst for industry to work on problems in ways that address the current threat environment so that the intelligence community can determine how to leverage the results. “We know that we’re still going to be heavily reliant on what the Microsofts, the Oracles, the Apples and the Amazons of the world can provide us,” she points out. “So our role is to bring a community together, and in this case that community actually is much broader than the intelligence community.”
However, Meyerriecks offers a cautionary note about commercial software. “With few exceptions, the IT [information technology] industry still does software like it’s the Wild West,” she declares. “They don’t think about building protections, for example.”
She suggests that one solution would be strict encapsulation. This approach would be similar to that employed by Apple in its Macintosh computers, which are tightly specified platforms. An encapsulated application would not hinder or damage its operating system—or any other application or file—if it failed or fell prey to a piece of malware.
“We just don’t think that way as an industry,” Meyerriecks allows. “Until we get to that level of maturity writ large, we will continue to worry about availability and reliability in the face of any kind of cyber attacks.”
Many of the information collection methods used by the commercial sector offer lessons for intelligence, either directly or indirectly. For example, Meyerriecks notes, both government and industry long have sought the ideal data model for an individual. It began with the person’s name and then might include another characteristic such as a Social Security number. But those raw identifiers proved insufficient, so data collectors began adding addresses and other vital statistics. Roughly seven criteria now serve as identifiers, and they still do not deconflict effectively.
Today’s Web retailers and marketers collect information about people’s searching and shopping habits, and this information can generate a detailed picture about that individual. That data may not even include a person’s name. Meyerriecks, who used to work in the private sector at AOL, notes that she can determine the gender of an individual from just three searches by the person. The tip-off: men tend not to scroll. Roughly 97 percent of men fall into that category, which allows a Web site to tailor a banner ad for gender-specific marketing. “I can infer a lot of things about how you behave, in your life arc, based on how you interact with just a couple of IT tools,” she observes.
Another lesson from industry is a behavior methodology that was used by her former commercial employer to detect phishing attacks. If a customer who focused efforts routinely on gaming suddenly was observed conducting transactions with a Russian bank, that person probably was the target of a phishing onslaught. So, the company would freeze the account and contact the owner.
Ironically, this spawned yet another lesson. Even after the company changed the account access information and provided improved security via a hardware token for the owner, within six months that user would no longer be using the advanced security. “We found that people will exchange privacy for ease of use every time,” Meyerriecks relates.
But that behavior tracking approach can be revealing. “Behavior that doesn’t match your life arc is generally a really interesting thing to go look at,” she says. “It might be somebody masquerading as you, or it might be that you’ve changed in some fundamental way—either because you’re under duress, or because you’ve decided that radicalism is the right answer—or whatever. If that changes in some fundamental way, then that is at least worth looking at.” It is a different way of viewing data from the traditional straight-line perfect-match method, she says. The idea is for analysts’ searches to be cued by aberrations instead of having to monitor everything.
Meyerriecks emphasizes that these efforts do not run roughshod over
In addition to cyber, Meyerriecks’ office has two other thrust areas. One is hard targets, and the other is Afghanistan/Pakistan, or AfPak. Hard targets have been on the intelligence community menu for a long time. AfPak is the major focus of the effort to track down and eliminate al-Qaida facilities and key personnel, but it also serves as an example of the types of engagements the
Meyerriecks points out that no matter how long
The director of national intelligence gave Meyerriecks two organizational challenges on which to focus. One was to alter relationships within the community so that the ODNI served as an influencer rather than as police. “We have to be brush-clearers as opposed to foot-foulers,” she analogizes.
Her dual-hatted position is part of this effort. She relates that the concept of separate acquisition and technology development processes has caused rifts in the system because it reduced the emphasis on acquisition, which is supposed to deliver top-notch technology to the user community. One of her goals is to reduce the severity of the gap between the two. “The fact that I have the luxury of having the R&D/S&T [research and development/science and technology] piece, in addition to the MSA [major systems acquisition] piece, we can actually start looking at problems much more holistically.”
This does not necessarily mean that R&D and acquisition will be a single activity, however. Under Meyerriecks’ vision, the two would be complementary. The R&D aspect might be separate from an MSA, but planners would be able to decide when to incorporate the R&D as the program progresses.
For example, a heavy metal system—which she describes as a large technology-defined system such as a satellite—may have a cycle time of several years to a decade. This process must be distinct from the information technology cycle time, which should be measured in months. At the other end of the spectrum are low-production, few-unit special items such as operations gear that could even be mission-specific. These approaches cannot be served by an umbrella process, she adds.
Meyerriecks states that if an information technology platform can be defined up front, then technology insertion can take place behind it. For example, commercial organizations such as Google run thousands of experiments each year. These experiments are transparent to the user, who does not realize he or she is operating in a test environment. Following that approach, if the intelligence community can define information technology platforms from an acquisition perspective, then technology insertion becomes a procurement activity—not an MSA.
Achieving this will require defining the problem and then considering possible solutions, she continues. It will permit information technology insertion “at the speed of commercial evolution.” The ODNI will conduct a couple of pilot programs using this approach.
“We have great technologists in the community,” she declares. “They are just as frustrated as I am when we can’t get even close-to-the-latest stuff to the end users.
“We’ve gotten to the point where process was trying to compensate for the lack of clear articulation of the problem and a good systems engineering approach to solving it. If you don’t have those two things, no amount of process is going to fix that,” she emphasizes.
The new approach can be applied to heavy metal systems, albeit with modifications. Meyerriecks notes that the decades of investment in space systems have given experts a fairly clear picture of how long and how much money is required to develop key components. However, the usefulness of all that information will be invalid if these programs are suspended or cancelled for any length of time.
“The thought that you can de-invest in a particular area for six or seven years, and then make it up on the back side, [has been] proven over and over again to be just moribund,” she declares. “It is really hard to do that. Not only that, particularly in this business, there are only so many people that actually have the intellectual capital to do it.”
Improving the acquisition process also will help in the effort to improve relationships. Technology investment as a percentage of the intelligence community budget has remained fairly constant over the past few years, Meyerriecks reports. A recent intelligence community study that explores S&T spending is being examined to determine if the right amount of spending is occurring in the right areas.
Because she sees all of the intelligence MSAs on a quarterly basis, Meyerriecks can pick out trends that indicate where the community is having problems. One such problem involved large data sets. The acquisition executives and technologists involved joined her in calling in the major provider to examine the problems strategically in the hope of influencing the provider’s product direction. Instead of harping on each problem, the intelligence community experts focused on a broader approach to lead to a solution. The provider’s experts recognized the problems as similar to those experienced by some commercial customers. The result of this discussion was movement toward fixing the overall problem.
“Because we don’t buy things here, I can host these [meetings] and I can collate the information across the community,” she explains. “I’m not giving them direction; this is strictly an information exchange—an appropriate role for an enterprise technology integrator.”