Haft of the Spear

This is not an insignificant development (PDF):

A groundbreaking new policy from the Office of the Director of National Intelligence changes how the intelligence community and, by influence, the entire federal government will build, validate and approve information technology systems. The policy requires common security controls and risk-management procedures – a unified approach to enhance collaboration.

Intelligence Community Directive 503 covers a lot of ground, but two key details stand out: There will be a single certification and accreditation process, which means all systems must follow the same authorized security requirements. Systems managers, the policy adds, should accept security risks when necessary to yield a decision advantage from timely and accurate intelligence.

Those measures will make it easier for the IC to adopt cutting-edge technology. They also foster reciprocity as well as information sharing. If one IC element certifies a system or major application, then others in the community can trust that it is secure without spending more time and money to duplicate tests.

There is, in effect, a uniform standard for background checks and security clearances. Has been for some time. Yet every agency still imposes additional burdens and caveats that make one’s clearance largely un-transferable without forcing someone to jump through additional, often flaming, hoops.

Now before you get on my case about this being “a contractor problem,” I would note that this impacts feds going from one agency to another as well. The pain is universal, expensive, and detrimental to mission accomplishment.

So here is the thing to watch for: If you still read stories in GCN or FCW a year from now about differing standards or accreditation issues you’ll know ICD 503 is never going to live up to the promise and that we’ve squandered another practical reform effort for the sake of parochialism.

Hoping for the best …

… that make life so friggin’ difficult for the rest of us:

The story of the CIA officer, his mistress and his wealthy businessman friend appears to have come to an end, with the intelligence agency’s former executive director likely facing about two years behind bars.

Kyle “Dusty” Foggo, the former No. 3 official in the CIA, pleaded guilty yesterday in federal court to one count of wire fraud stemming from sweetheart contracting deals he awarded to a friend and a high-level CIA job he got for his mistress.

Don’t let the cell door hit your *** on the way in.

The author knows what she’s talking about since she was there at the top, at the beginning, when the effort was being made to fix these very problems:

U.S. government efforts to counter foreign spies remains fragmented and weak, despite a series of highly damaging spy cases, said a report made public Monday by a former high-ranking counterintelligence official.

Michelle Van Cleave, the former U.S. national counterintelligence executive,stated in the report that the FBI, CIA and other federal counterspy units lack both a needed focus and strategy for thwarting the growing foreign intelligence threat.

“Our counterintelligence capabilities are in decay. Instead of leadership and strategic coherence, the [director of national intelligence’s] office has given us more bureaucracy,” Miss Van Cleave said in an interview.

That would be six years of hearing the same song on the threat juke box and no meaningful attempt to change the record (that wasn’t thwarted somehow by people who like that old time music), while the FISes line up, sneak up, and stick their straws in our milkshakes.

Think I said as much the other day, but who cares as long as he can push the system to act accordingly?

While having a military skilled in fighting major conventional ground wars is essential, Gates said, such a war is unlikely in the near future. Yet the Pentagon has placed comparatively too much emphasis on developing high-technology weapon systems aimed at potential state adversaries such as China or Russia that take years to develop, he said, noting that the 2009 budget contains more than $180 billion for such conventional systems.

You’re probably not going to get the two of us to agree on much, but the thrust of this series of articles drives home a critical point: If you track these issues and anyone on either candidate’s roster of intel advisers is a stranger to you probably haven’t been doing this for very long.

The fact of the matter is that when it comes to the IC and intel reform, in 30-odd days we’re in for more of the same-old, and probably a turn for the worst. I can’t speak for any other campaign since the starter’s gun for this election went off, but to the best of my knowledge “America’s Mayor” is the only one who happened to bring on board a bunch of no-name punks who were anxious to inject some originality and vigor into the future of the IC and actually took, read and used their input.

Nothing against either candidate’s advisers, but if the rhetoric means anything then both might want to consider rounding out the roster with one or two people who have actually demonstrated the capacity to think, act and succeed in implementing various (and practical) reforms.

$.02

Someone at Bolling who understands, oh, intelligence and military support reach out to DS and explain why decisions about what analysts can and cannot reach via NIPR should be left to the hands of, maybe, analysts.

… than Big Brother. Remember that next time someone goes off on how evil our Uncle is. 99 times out of 100 its the curious and the stupid you have to worry about, and our Uncle doesn’t have a corner on that market.

As I have argued previously, absent a proponent of some sort, “information” or “cyber” based activities and disciplines will never gain the traction of more established disciplines. Looks like we might be on the road to such a construct shortly.

My copy of The John Boyd Roundtable is now in hand, along with a copy of Dan’s Revolutionary Strategies in Early Christianity, courtesy of Nimble Books LLC. For those with bad memories, the former was spawned post-blog-symposium at Chicago Boys.

• Virtual discussion (Time? Distance? Ha!)
• Serious discussants (So much for online not being ‘legit’ or ‘real’)
• Digital delivery (for the digerati)
• Dead-tree format (for those who like it like that)

Despite my optimistic outlook, even in February I knew that the world is not quite ready for a full-on 2.0 approach:

… We should all have Kindles or eBook readers and tens of gigs of text in our pockets for perusing anywhere … but we don’t. If you’re an aspiring xGW student in BFE who doesn’t have their Negroponte-issued laptop-ette, a dog-eared library copy of the symposium-and-related-works-as-primer might be your only option.

Congrats to Zenpundit. Toujours en Avant!

Bob is right: If this does half of what it says it does with nominal overhead on the part of users, this deserves to be in the paper.

Presuming the following happens sooner rather than later:

1. What primary loyalty will you fall back on?
2. Assume you are the head of a PL entity; what’s your primary source of intel going to be?

Despite being re-assured again and again that the government has largely fixed its information sharing problems, some people who are in a position to know beg to differ:

U.S. intelligence agencies are unable to share information about foreign cyber attacks against companies for fear of jeopardizing intelligence-gathering sources and methods, cyber security expert [and former NSC official] Paul B. Kurtz told lawmakers yesterday… .There is no coordinated strategy or mechanism for sharing intelligence about intrusions with companies, nor is there a systematic way for companies to share information with the government …

Naturally the government disagrees:

Them: Morons

Those: Whores

There are probably a hundred little victories we’ve never heard about, but the fact of the matter is, if you think this is not par for the course:

Something to think about:

• Career soldiers, expert warfighters, in the midst of rising casualties and escalating violence say “winning” means leaving and a COIN strategy is a waste of time.
• Bankers and financiers, expert money men, in the midst of economic collapse, think more scrutiny and regulation is not the answer.
• Career intelligence officers, expert spooks and specialists, in the midst of trying to keep dysfunctional agencies and a community together claim the best thing would be to leave them alone

The commonalities are obvious and the response those who ostensibly know better are laughable. I’m not unsympathetic – I didn’t log two decades in this business with the intention of coming out looking like a retard – but there is sticking to your guns and then there is stubbornness. And in the spectrum of stubbornosity there is harmless Crazy Uncle Joe stubborn and then there is the stubbornness of people who refuse to leave their homes in the face of a hurricane. Everyone is smarter than the authorities and tougher than mother nature … until they need the Coast Guard.

This is operating in the right domain in an effective manner.

He took the short Metro bus to the DNI OS Conference. (H/T S&M)

Not clear to me why this very old-school approach was taken and the whole thing no streamed or at least released via YouTube, etc., etc.

As noted earlier, this could have been a dismal experience but it was not. Talk may be cheap, but what I heard on day one was very far from the normal ‘rah rah’ (or as Mark Lowenthal put it - dance around the totem pole, then head to the bar) you expect at an event where the thinking is unoriginal and the course of action pre-determined. There were some very significant people here who could make life for OSINT-ers miserable (some would say, ‘you mean more miserable?’) but they’re certainly not talking that way.

• Collaboration is good: check. Cognitive diversity is good: check. When it comes to OSINT the IC can be trumped: check. So how come non-commercial attendees didn’t all get demo OSC accounts? Vetting to date may have been nominal, but give people six months to demonstrate their ability to contribute and then welcome them into the fold. Hello? Am I taking crazy pills?
• How about the next OSC head doesn’t come from the IC? Nothing against Doug, but no matter how much everyone at the bottom may want the culture to change, nothing moves things along in a bureaucracy like an MFIC who doesn’t know ‘how its always been done.’
• The Open Source Challenge was great, but why make it a special thing that happens only once a year? Why not issue 3-5 challenges monthly (at least quarterly). Doesn’t cost anything, could prove highly useful, and it gets the best of the best what they really want: bragging rights (it can turn into revenue later).

For every true believer who graced a dias there was someone who was clearly in their position because of their mastery of programmatics and ‘the system.’ Not that there is anything wrong with that, but this is information-age practice and information technology; the industrial processes are the weak point and potential killer of all this community holds good and true. This is about functionality and less about form, or at least finding a form that is less rigid and allows function to lead and not the other way around. As several panelist pointed out, technology takes us only so far, we need to change the people part of this business as well.

It was great to see old buddy Eliot Jardines, the first ADDNI/OS at the conference. Frankly I wish he’d gotten some stage time to talk about the dark ages and how far things had come; where we’ve fallen short and where we’ve shined. Eliot had all the tickets; right age, right mindset, right beliefs and the fact that he got the job at all is another data point for supporters to cling to as they patiently await the day when all the toiling in the backwater and conversations with brick walls pays off.

Since I have neither the time nor inclination to highly refine my notes from day one at the Open Source Intelligence Conference, I’m going to throw them up more or less as they were typed with my thoughts/comments at the time in between “//”.

For those that don’t want to scroll through the ramblings, the bottom line is that this was not a cheer-leading session; players and haters were represented, and it was clear the latter are not long for this world. It is clear very serious people in this business are taking OS very seriously inasmuch as they didn’t spend a lot of time paying lip-service and spewing platitudes. They put some thought into this and it showed.

Summary post to follow. Suffice it to say that I have been to a lot of intel conferences and this could have been really lame: it is not.

I suspect the hosting issues of the last few weeks have hosed up the commenting system. I’ve killed and reset Typekey comments/authentication, so if you’ve been trying to comment and been getting errors, please log out of Typekey and try again. Thanks!

Honestly, this is, depending on how you want to look at it, the second or third iteration of the same program that has done very little for the community (such as it is). It is a testament to the power of someone’s creative writing skills (and/or the ignorance of the evaluating panel, and/or the low standards of the Kennedy School) that this retread of a program gets rewarded for its “innovation.”

In fact I’m pretty sure the aspiring gray beards in the IC who actively try to get into the Kennedy School program haven’t come up with anything truly innovative, period. Upstarts with new ideas and who display ingenuity don’t get picked up for such programs; they tend to get beat down or driven out.

I didn’t want to start the day out hating, but this really chaffs my forth point of contact.

… where medal inflation is rampant and awards are based more on rank than performance, this seems like a fantastic injustice.

Another reason why anything “cyber” and “info” gets short shrift; seniors can’t be bothered to follow the rules for actual sensitive data much less virtual (where things are far, far worse). Accountability? Don’t bet on it. If this were anyone but an AG they’d be walking an employment tightrope, but if it were virtual almost no one at any rank would sweat it.

Not to brag, but I could have been responsible for helping put away one of the earliest miscreants on a “non-public” system. The bureaucracy didn’t know what to do with such people then and they still don’t despite law, regulation and policy.

Which is why Cyber Command flail is more or less an illusion of knowledge and control; 99% of people want it because of the money. Its why the loss of Gen Cartwright was such a kick in the groin … or maybe not …

Vigilantism, while perhaps warranted in the largely lawless ether, is something that can quickly get out of hand. There is a middle ground between keeping a digital rope and tree handy for every misfit and would-be virtual-world-dominator that crosses your path, but then why follow a path of historical and legal precedent when you can appeal to more base instincts?

On the heels of the Garfinkel database post comes a particularly apropos story:

Retired Lt. Gen. Patrick Hughes, once the director of the Defense Intelligence Agency and a top Homeland Security Department intelligence official, said after he entered the private sector in 2005 he was denied boarding on a flight because his name was on the no-fly list. It has taken him ever since to clear up the confusion …

“It’s all about the name. I don’t see anything really subversive about Patrick …. Hughes, but it appears there’s an IRA guy out there who has the same name. Probably equally handsome,” he said.

Hughes’s was one of about 50,000 names on the no-fly list … Also snagged by similar name mix-ups have been Democratic Sen. Edward Kennedy of Massachusetts and 1960s civil rights leader Rep. John Lewis. Such problems show the watchlist is poorly managed, critics say, but authorities call it a useful tool and say they have tightened procedures against such problems.

As Dr. Garfinkel pointed out; garbage in, garbage out. And in an application where security is paramount, a cr@p database managed by bureaucrats is a particularly blunt instrument.

But, as pointed out in an non-security-related book I’m reading, it is amazing how smart and effective people get when you give them a little authority. There is, for example, no reason why a properly trained air or TSA security staffer could not be allowed to over-ride the cold, likely incorrect, yet otherwise definitive database finding. The kindly, older gentleman with the retired general officer ID card is clearly not the real-life rendition of Sean Bean from Patriot Games. Its not that “Patrick Hughes” should not be on the list; its that certain “Patrick Hughes’” do not need to be prevented from flying. Granted, it is probably easier for a retired General vice an ordinary citizen to demonstrate at the terminal that he is not a wanted IRA terrorist, but the point remains the same; it is not necessary to be obtuse to be secure.

Bob Baer hits the high notes and reiterates what I’ve been saying for some time (purge, pay, contracting); is the only fellow alum who also advocates relocation; and sings a new tune (leveraging hard-needed skills w/o risking the crown jewels). Good stuff.

A great series of articles (I’m only half-way through them) in the latest Scientific American on privacy, security and the ‘tubes. Of particular note is Simpson Garfinkel’s article on data fusion, which is one of the most well thought out and balanced pieces I’ve read to date. HoTS (and Weekly Standard) readers will recall my earlier mention of Dr. Garfinkel’s work on randomly collected and analyzed hard drives and the implications for DOMEX. If the IC’s struggle with digital media is a fever, then the only prescription, is more Garfinkel.

I’m not an expert in military strategy and planning, but articles like this seem to be somewhat sensationalist at a minimum, and unnecessarily confrontational at the far end of the spectrum.

We (and many others throughout history) have a lot of experience training masses of men to fight en masse, in conjunction with other weapons systems, against similarly configured foes. Insert your own memory of force-on-force battle scenes from The Patriot or Patton here. Getting lots of guys to move in a given direction and shoot everything in uniform that doesn’t look like them is pretty straight forward; its the “thinking war” that gets you.

I can understand if you were suddenly DIVARTY and now you’re a “Dragoon” that you’d have concerns about your ability to put big chunks of steel on target, but is that a sign that we’re not prepared to fight large-scale force-on-force battles or that someone got the force mix wrong for this particular shin dig?

There are more COIN and COIN-like fights going on in this world at any given moment and I’m willing to bet there always have been. Russia-Georgia is one data point; Afghanistan and Iraq are two, and we haven’t even left the (more-or-less) Middle East. Seems to me that if you’re going to err on the side of preparing for X type of fight, it should be the one most likely to occur and hardest to fight.

$.02

You could find-replace “Chinese” with “US” and this article would still hold up. The Twitter-fest in Congress the last couple of weeks notwithstanding, there are still too many Luddites in the halls of power; Executive, Legislative and Judicial. This is particularly important when you consider ‘graph seven of this summary. I mean its not like we haven’t had years of I&W slapping us in the face.

No, I’ve got no bandwidth to spare, but if you do, then you ought to give serious consideration to helping out the Mercyhurst gang.