Securing the cloud

The intel community's high-stakes bid to keep its data safe

Nov. 1, 2011 - 06:00AM
By BEN IANNOTTA

U.S. intelligence officials are starting to field tough security questions about their proposal to overhaul the community's intelligence storage and analysis process to focus on cloud computing. The questions are coming as much from the community's own ranks as from Congress.

The cloud proposal, announced Oct. 17 by Director of National Intelligence James Clapper, would divvy up intelligence collections among numerous computer servers so that accredited analysts can tap into the troves via relatively inexpensive desktop computers and someday remotely by mobile devices such as iPads and Android tablets.

Today, analysts typically download information online from server farms located at their agencies, and they crunch the data with applications loaded on their desktop computers.

The intelligence community wants to take advantage of the computing revolution that has played out in the private sector. Consumers routinely store photos and documents online through cloud services provided by Google, Amazon and others. Specialized software rapidly creates virtual computers wherever there is free space in the cloud servers, which allows more data to be stored on fewer power-hungry and expensive computers.

For the intelligence community, the biggest challenge is security. The community is banking that moving to the cloud can cover half of the multibillion-dollar cuts ordered by the White House over the next 10 years. But officials do not yet know how they will secure the cloud, so they cannot project a precise cost.

With agencies on orders to identify contributions to deficit reduction, Clapper and other intelligence officials have been searching for ways to reduce intelligence spending short of making deep cuts in satellite programs, analysis and human intelligence. Clapper routinely cites the deep cuts in the years preceding the Sept. 11, 2001, terrorist attacks.

The cloud push is already receiving pushback, however. Skeptics within the intelligence community are calling advocates "cloud evangelists." One official cautioned that numerous security hurdles must still be crossed. An influential lawmaker expressed skepticism that the shift can be made securely for the most sensitive information.

"If you were a private company, would you put your personnel records in the cloud? Hell no, you wouldn't, or at least I hope you wouldn't," Rep. Mike Rogers, R-Mich., chairman of the House Permanent Select Committee on Intelligence, told C4ISR Journal.

While the debate plays out, an internal intelligence community group called the Quint is hard at work planning the transition. The group consists of the chief information officers from the CIA, Defense Intelligence Agency (DIA), National Geospatial-Intelligence Agency (NGA), National Reconnaissance Office (NRO) and National Security Agency (NSA).

Among the challenges: figure out how to accredit cloud services; assure the identities of those using those services; and create measures to prevent analysts cleared for access to data classified at lower levels from accidentally or nefariously tapping into top-secret data that might be stored on the same server.

"It scares the hell out of me, quite frankly," a senior intelligence official said.

The Quint will have to work fast to resolve the security questions: Clapper wants the implementation plan on his desk in December.

Industry experts are upbeat about the prospects for securing the cloud.

"We have a great deal of experience in securing physical and virtual systems at the site and data center level and there are several published compliance policies, procedures and best practices to maintain these environments," said George Lycett, a solutions architect at L-3 Stratis in Tampa, Fla.

LONG TIME COMING

Advocates point out that although the cloud push was announced by Clapper at the Geospatial Intelligence conference in San Antonio, the decision did not spring out of nowhere. The National Security Agency has been working on a secure version of the cloud since late 2007. By the end of the year, NSA plans to move all its databases into a cloud architecture while retaining its old-fashioned servers for some time.

"Eventually, we'll terminate the other database structures," said NSA Director Army Gen. Keith Alexander, who is also commander of U.S. Cyber Command, the group charged with protecting America's military and intelligence networks and standing ready to attack the networks of other countries.

The intelligence community proposal would expand the cloud approach across the community to take advantage of the cloud storage and access methods pioneered in the private sector.

Commercial cloud service providers keep hardware costs manageable by rapidly shifting bits and bytes to storage space wherever it is available, which can mean servers on different continents. The technique was spearheaded by information technologists working together on an open-source software project called Hadoop, administered by the open-source advocacy group, Apache Software Foundation.

NSA has created a secure cloud by combining the Hadoop approach with existing servers, Alexander said. Some industry officials also expect agencies, such as NGA, to make use of commercial cloud services provided by Google and Amazon for some data.

Clapper and Alexander said the cloud shift would actually make information more secure. Clapper said the result would be "a more defensible system" than any of the community's agencies could produce on its own.

Security was a primary consideration all through NSA's cloud work, Alexander said in San Antonio.

"I went in [and] talked to our folks who are on the offensive side" and asked them what would make a network "most difficult" to crack, he said. "And the answer was, going virtual and the cloud technology."

NSA has added security to the commercial technology, Alexander said.

"We started with Hadoop, open source, and we expanded it, added in security layers that we felt [were] needed, and we tested those," he said. "We also added in identity management, data tagging, and the things that we needed to ensure that was secure."

A lot of money would be saved by reducing the number of applications used by intelligence analysts, Alexander said.

"We've reduced the number of applications in the cloud environment from 5,000 down to 250," he said.

Expanding the cloud approach across the community's 15 other agencies would be a huge undertaking. Today, specific classes of information, such as signals intelligence or imagery, are stored on servers set up specifically for that type of information. The result has been a panoply of storage systems and overlapping analytical applications.

Clapper said his goal is "a common IT architecture but [one] allowing for unique mission or agency-specific capabilities."

FUZZY MONEY

Intelligence officials are wrestling with the precise cost of the new architecture and exactly when the savings would kick in.

The cloud proposal would save money eventually by letting information managers unplug redundant networks, make more efficient use of servers and gradually replace expensive desktop computers with cheaper versions and hand-held devices.

That is possible in a cloud environment because most of the data remains in the servers, which is also where the bulk of the computing work is done. Only the information an analyst needs would be viewed.

Intelligence officials have not said exactly how much they expect the transition to save. Covering half of the required cuts — reportedly a cumulative $25 billion — is a "stretch goal" that could "hopefully" be achieved, Clapper said.

The Obama administration's intelligence spending proposal to Congress largely rests on the promise of large savings.

At the C4ISR Journal conference Oct. 27, Rogers said he doesn't want to see the intelligence budget cut any deeper.

"I look at it as we gave at the office in the 2012 bill," he said, referring to the nearly billion-dollar cut to the Obama administration's proposal that was approved by the House in September. The statement appeared directed at Clapper, who had told the San Antonio audience, "We're all going to have to give at the office."

If there are going to be savings through the cloud, they won't be immediate. "This will call for some investment in the near years, and hopefully we will reap benefits in the later years," Clapper said.

At the Defense Department, a top intelligence official seconded Clapper's caution.

"It happens all the time, right? If everybody jumps on my cloud, I can save you $10 billion. And then, of course, the proof's in the pudding," said Kevin Meiners, who is in charge of portfolios, programs and resources in the Office of the Undersecretary of Defense for Intelligence. Clapper is being "measured" by projecting few savings over the first five years and more savings later, Meiners said. Money in later years is "kind of fuzzy money anyway," he said.

Still to be determined is how the intelligence community's cloud push would affect the Defense Department outside of DIA. The Pentagon plans to roll out what some defense officials describe as a rival information framework, called the Defense Intelligence Information Enterprise (DI2E).

Speaking at the C4ISR Journal Conference, Meiners said DI2E will be an online codebook for developers of applications and intelligence hardware. The goal will be to ensure compatibility with versions of the Distributed Common Ground System, which are the computers and software military analysts rely on to produce products for commanders and troops. Meiners described DCGS as a "federated" system, meaning information can be shared among analysts at the DCGS sites, rather than as a pure cloud system.

The Pentagon has allocated $41 million to NRO to roll out DI2E via an industry competition. The contract will have multiple task orders. One task will be to write the codebook. Another task will be to establish a process for ensuring developers follow the codebook.

"You bring in a widget, we'll be able to take it to the NRO, and they'll be able to test it and say it is DI2E compliant," Meiners said.

In San Antonio, Alexander of NSA expressed concern that the Pentagon could go its own way.

"The intent would be, let's not have everybody come up with a different cloud architecture that doesn't scale," he said when asked about DI2E. During his talk, he elaborated: "The reason that both the intelligence community and Defense Department really have to work together as a team is the applications. We don't want to have each agency within the intelligence community having different applications that do similar things."

The Pentagon has not yet sold the DI2E plan to a major producer and consumer of military intelligence: the U.S. Army.

"I would say that it's up to DI2E to prove its value or not," said Lt. Gen. Richard Zahner, the service's deputy chief of staff for intelligence, speaking at the C4ISR Journal conference. "We're going to the new ISR frame architecture with the IC [intelligence community.] I see no value in a thing that basically creates something between the two of us that changes the framework."

The Army is in the process of converting desktop applications into online versions through a project called the Ozone Widget Framework.

Alexander depicted skeptics of cloud computing as swimming against a tide of modernization in the private sector.

"You all see it, with the iPhones, the iPads, the ability to access cloud databases, collaboration. It is coming our way. Tremendous opportunities and tremendous vulnerabilities," he said.

Jim Hodges contributed to this story.
