16 July 2014


July 13, 2014 

Frank Konkel, writing in a July 11, 2014 article on the website DefenseOne.com, writes that “the Intelligence Community (IC) is about to get the equivalent of an adrenaline shot to the chest.” “This summer,” he writes, “a $600M computing cloud developed by Amazon Web Services, for the Central Intelligence Agency (CIA) over the past year — will begin servicing all 17 agencies that make up the IC. If the technology plays out [pans out], as officials envision, it will usher in a new era of cooperation, and coordination, — allowing agencies to share information and services more easily; and, avoid the kind of intelligence gaps that preceded the September 11, 2001 terrorist attacks,” against the U.S. homeland.

“For the first time,” notes Mr. Konkel, “agencies within the IC will be able to order a variety of on-demand computing and analytic services from the CIA and the National Security Agency (NSA). What’s more,” he says, “they’ll only pay for what they use.”

“This vision was first outlined in the IC Information Technology Enterprise plan championed by Director of National Intelligence (DNI) James Clapper; and, IC Chief information Technology Officer, Al Tarasiuk almost three years ago,” says Mr. Konkel. “Cloud computing is one of the core components of the strategy to help the IC discover, access, and share critical information — in an era of seemingly infinite data. For the risk averse IC,” he notes, “the decision to go with a commercial cloud vendor is a radical departure from business as usual,” and past practices.

“As one former IC executive — with knowledge of the Amazon deal told Government Executive, “It took a lot of wrangling, but it was easy to see the vision if you laid it out.” “The critical question,” writes Mr. Konkel, “was would the IC, led by the CIA, attempt to do cloud computing within; or, would it buy innovation?”

“Money was a factor,” according to one intelligence official; but, “not the leading one. The government was spending more money on information technology within the IC than ever before. IT spending reached $8B in 2013,” according to budget documents leaked by Edward Snowden. The CIA and other agencies feasibly could have spent billions of dollars standing up their own cloud infrastructure — without raising many eyebrows in Congress; but, the decision to purchase a single commercial solution came down to primarily two factors,” wrote Mr. Konkel.

“What we were really looking at was time to mission and innovation,” the former intelligence official said. “The goal was,” ‘Can we act like a large enterprise in the corporate world; and, buy the thing we don’t have, can we catch up to the commercial cycle? Anybody can build a data center, but could we purchase something more?” “We decided we needed to buy innovation,” the former intelligence official said.

A Groundbreaking Deal

“The CIA’s first request for proposals from industry in mid-2012 was met with bid protests to the Government Accountability Office (GAO) from Microsoft, and AT&T, — two early contenders for the contract. Those protests focused on the narrow specifications called for by the Request For Proposal (RFP). GAO did not issue a decision in either protest — because the CIA reworked its request to address the companies’ complaint,” noted Mr. Konkel.

“In early 2013. after weighing bids from Amazon Web Services (AWS), IBM, and an unnamed third vendor, the CIA awarded the contract to AWS worth up to $600M over a period of up to 10 years. The deal, handled in secret, was first reported by Federal Computer Week in March 2013, sending ripples through the tech industry,” Mr. Konkel wrote. “A month later, after the deal became public, IBM filed a bid protest with the GAO that the watchdog eventually upheld in June, forcing the CIA to reopen bids to both companies for the contract. A legal struggle between Amazon and Big Blue ensued, and AWS filed a lawsuit against the federal government in July 2013, claiming the GAO sustainment was a “flawed” decision.”

Last October, “U.S. Court of Federal Claims Judge Thomas Wheeler sided with Amazon and overturned GAO’s decision to force the CIA to rebid the contract. Big Blue went home, AWS claimed victory – under the deal’s original financial specs, and nearly 18 months after the procurement was first released, – the CIA and Amazon went to work.” according to DefenseOne.

“It’s difficult to underestimate the cloud contract’s importance. In a recent public appearance, CIA Chief Information Officer, Douglas Wolfe, called it “one of the most important technology procurements in recent history,” — with ramifications far outside the realm of technology.” “It’s going to take a few months to bring this online in a robust way, but it’s coming.” Wolfe said. “And, I think it’s going to make a big difference for national security.”

Securing New Capabilities

“The Amazon-built cloud, will operate behind the IC’s firewall, or more simply: It’s a public cloud — built on private premises,” writes Mr. Konkel. “Intelligence agencies,” he says, “will be able to host applications, or order a variety of on-demand services, like storage, computing, and analytics. True to the National Institutes of Standards and Technology definition of cloud computing, the IC cloud scales up, or down, to meet the need. In that regard, customers will pay only for services they actually use, which is expected to generate massive savings for the IC.”

“We see this as a tremendous opportunity to sharpen our focus; and, to be very efficient,” Wolfe told an audience at AWS’ recent, annual nonprofit and government symposium in Washington. “We hope to get speed and scale out of the cloud, and a tremendous amount of efficiency in terms of folks traditionally using IT — now using it in a cost-recovery way.”

Mr. Konkel notes that “many agencies within the IC have already identified applications to move to the cloud. In a recent report, the National Reconnaissance Office (NRO) Chief Information Officer Donna Hansen said her agency had picked five applications, including its enterprise resource planning software, to migrate to the cloud. As with public clouds, the IC cloud will maximize automation and require standardized information, which will be shared through application programming interfaces, known as APIs. Amazon engineers will oversee the hardware because AWS owns the hardware and is responsible for maintaining it just as they do in the company’s public data centers. Whenever Amazon introduces a new innovation or improvement in cloud services, the IC cloud will [also] evolve. Company officials say AWS made more than 200 such incremental improvements last year, ensuring a sort of built-in innovation to the IC cloud that will help the IC keep pace with commercial advances. Wolfe said that AWS’ capacity to bring commercial innovation from places like Silicon Valley to the IC — is one of the contract’s greatest benefits. Whenever AWS introduces new products, the CIA will be able to implement them.”

“The biggest thing we’re trying to do — the visionary folks a couple of years ago – was answer the question, “How do we keep up?” Wolfe said. “The mission we have is important. The pace and complexity is really not [diminishing], in fact, it may be increasing. We feel it is very important to deliver the best IT products and services we can to our customers in the IC.”

“What of the data though,” asks Mr. Konkel. “Intelligence agencies are drowning in it, collecting and analyzing an amalgamation of information sensors, satellites, surveillance efforts, open data repositories and human intelligence, among other sources. Is that data really secure in the cloud?” Mr. Konkel asks.

“The CIA is convinced it is,” he writes. The IC cloud “will be accredited and compliant with IC standards,” says a senior CIA official familiar with the IC cloud. It will, for example, be able to handle Sensitive Compartmented Information, a type of classified information. “Security in the IC cloud will be as safe, or safer than our current data centers,” the senior CIA official added.

“Because the IC cloud will serve multiple tenants-the 17 agencies that comprise the IC-administrators will be able to restrict access to information based on the identity of the individual seeking it. The idea is to foster collaboration — without compromising security. Visually, the IC cloud can be thought of as a workspace hanging off the IC’s shared network – a place where data can be loaded for a variety of tasks like computing, or sharing. The IC cloud gives agencies additional means to share information — in an environment where automated security isn’t a barrier to the sharing itself. This could prove vital in situations reminiscent of 9/11, in which national security is an immediate concern.”

“Cloud vendors, including Amazon, have argued that cloud infrastructures can be more secure than traditional data centers because there are fewer points of entry; but, the leaks by [Edward] Snowden illustrate the potential threat from inside an organization,” observes Mr. Konkel. “Snowden was able to access and download classified information — intelligence officials said he shouldn’t have been able to access. To access information within the [IC[] cloud, analysts must have the proper permissions. In addition, the standardized environment and automation means all activity within the cloud is logged — and, can be analyzed in real-time.”

“Some government officials,” Mr. Konkel wrote, “view cloud computing as inherently less secure than computing on locally controlled servers; but, the CIA’s acceptance of commercially-developed cloud technology “has been a wake-up call,” to those who balk at it, according to John Pirc, a former CIA cyber security researcher who is now Chief Technology Officer at NSS Labs, a [cyber] security research firm. “You hear so many people on the fence about the cloud; and then, to see the CIA gobble it up to do something so highly disruptive, it’s kind of cool,” said Pirc. “To me, this removes the clouded judgment that the cloud isn’t secure. Them moving forward with this should send a message to the rest of the industry that the cloud is something you shouldn’t be afraid of.”

“Pirc is no stranger to disruptive technologies,” notes Mr. Konkel. “At the CIA’s research labs in the early 2000s, he recalls virtualization – a technology that allows multiple operating systems to run simultaneously on the same servers — allowing for far more efficient computing, before it became an integral component of many IT enterprises. Intelligence agencies use commercial-off-the-shelf (COTS) technology all the time, but to Pric, the importance of the cloud capabilities the CIA gets through leveraging Amazon Web Services’, horsepower is best exemplified in computing intelligence data. Scalable computing is critical for fostering shared services and enhanced collaboration between disparate intelligence agencies.”

“What it allows them to do is spin up servers and add more [computing power] fast, and when you’re computing intelligence data, the more computer power you have, the faster you can react,” Pric said. “In the private sector, compute is all about money and profit; but, from my viewpoint — when I worked for the agency, you’re working with extremely time-sensitive information. Being able to have that compute power, something that might have taken a couple of hours — might instead, take a few seconds. Profits aren’t lost when you make mistakes in the IC — people die when you make mistakes.”

“A test scenario described by the GAO in its June 2013 bid protest opinion, suggests the CIA sought to compare how the solutions presented by IBM and Amazon Web Services could crunch massive data sets, commonly referred to as big data. Solutions had to provide a “hosting environment for applications — which process vast amounts of information in parallel on large clusters (thousands of nodes) of commodity hardware” using a platform called MapReduce. Through MapReduce, clusters were provisioned for computation and segmentation. Test runs assumed clusters were large enough to process 100 terabytes of raw data input. AWS’ solution received superior marks from CIA procurement officials, according to GAO documentation; and, was one of the chief reasons the agency selected Amazon,” noted Mr. Konkel.

Limited Details

“The CIA declined to comment when Government Executive asked about the extent of the IC’s cloud capabilities, or that of NSA’s cloud. Amazon also declined to describe the IC cloud’s technical capabilities. It is a good bet though,” writes Mr. Konkel, “that the AWS-built cloud for the IC will have capabilities at least equal to existing capabilities Amazon has already implemented across government. For example, the company provides the cloud bandwidth for the Securities and Exchange Commission’s collection of more than 1B trade records and more than a terabyte of new data per day — through its Market Information Data Analytics System. This example may be prescient — given that now-public surveillance efforts indicate the IC collects billions, and perhaps trillions of pieces of metadata, phone, and Internet records; and, other various bits of information on an annual basis. The potential exists for the CIA to become one of AWS’ largest customers.”

“Within the IC, examples abound where the cloud’s capabilities could significantly boost the mission [performance]. As the geospatial hub of the community, the National Geospatial-Intelligence Agency (NGA), ingests, analyzes, meta-tags, and reports all geo-intelligence and multi-source content in its flagship program — Map of the World. Geospatial data’s importance to the IC has increased in recent years, as evidenced by the NGA’s $5B budget; and, its staff size nearly doubling in size since 2004. For intensive applications like ingesting, or analyzing geospatial data, scalable computing could have a significant impact on mission performance. The cloud could also improve the way the agency shares its large data sets.”

“What the IC has done with the cloud is not easily replicable,” according to American Council for Technology President Rick Holgate, — but, it is worth paying attention to. “The IC has a model other agencies should look to and aspire to — in terms of transforming what the way they think about delivering services across a large enterprise,” Holgate said. “They are looking to common platforms and service delivery models across an entire enterprise; and, not just gaining cost efficiencies, but to provide foundational capabilities to really allow it to operate.”

Mr. Konkel concludes, “whether or not the IC cloud serves as an example for the rest of the government, the CIA’s quest to buy innovation will loom large for years to come.”

An Initiative That Will Radically Transform The Intelligence Profession — For The Better!

Wow! Where do I start. Much like an old fighter pilot wants to fly one more time, I would relish the chance to rejoin the IC analytical ranks — with AWS at my disposal. To be sure, this won’t result in an instantaneous leap-ahead in collection and analysis. But. this initiative and innovation has tremendous promise for great benefits to the entire IC, and the National Security establishment — and, perhaps government as a whole. Hopefully, analysts and collectors will be more interlinked — something which has been badly needed for sometime. The metadata tagging will enhance both domains (collection/analysis); and, also boost our counterintelligence capabilities to ferret out and hopefully discover the next Bradley Manning or Edward Snowden — before they can do the destructive actions that significantly undermine the IC’s ability to conduct the kind of sensitive intelligence collection operations that must be done to keep us safe.

Hopefully, “bread crumbs” can be left in certain areas — so analysts and collectors — who have a need to know — will know that additional, critical intelligence might be available [in special access programs], that might substantially bolster, or not, their analytical, or operational collection understanding of the issue at hand.

This kind of innovation and effort might also be a blueprint for our entire federal government. I would hope that the military services will take a hard look at this initiative as well.

We should not have all our eggs in one basket; and, perhaps we can build an intelligence community — social media base — as opposed to a defense industrial base — so that no one company has a monopoly on our efforts. A single point of failure is almost always — never a good thing.

I would also warn intelligence professionals and policymakers from using this new technological improvement as a crutch and an excuse to cut corners and/or fail to do the hard analytical thinking that will still be required to connect the dots. Insatiable curiosity and imagination will still be needed to really give this new initiative the kind of power that can deliver better results in a shorter [sometimes a considerably shorter] time period.

But, there is no question that this initiative has the potential to radically transform the IC and our national security apparatus — for the better. V/R, RCP

No comments: