IT at the CIA

neocon writes "The current issue of the CIA's Studies in Intelligence (unclassified edition, natch) has an article on the state of IT within the CIA, titled 'Failing to Keep Up With the Information Revolution', which looks at how the agency has fared in staying up to date both with information security needs and with promising new technologies."

Interesting recommendations

[TopShelf]

Looking at the recommendations, what seems to pop out is that there is more a need for information organization than new-fangled gee-whiz technotoys. Analyst websites available via intranet, and the ability to search and join together information from various analyst accounts seem to be the major needs.

Made for OSS..

[i_want_you_to_throw_]

One reason is that DI offices cannot easily get funding for new software packages. The funding required for the development and testing of such tools--typically, tens of thousands of dollars per year--is small in comparison to the CIA's total budget. But it is enormous in the context of the discretionary funds that an individual office has--let alone an individual analyst.

Another reason for open source. I'm the lone OSS outpost in my military operation and when the budget cuts came, the OSS got rolled out!

Previously it was tough as hell but I am bringing in more and more OSS packages all the time that give some great functionality like Post-Nuke, phpESP, etc.

Now I can damn near get away with murder because I am still bringing some great functionality in with no additional cost.

This mantra has sold Linux more than anything else: "Services, not platforms".

Repeat

Re:Made for OSS..

[StandardDeviant]

Yeah, as I was reading that article, I was struck by how handy something like a secure version of LiveJournal would be to an intelligence organization. Each analyst could post things up, works in progress, tidbits of interest, or formal product, which could then be syndicated by other analysts and consumers of analytic content in a fluid manner (NB: obviously would need some additional access, authentication, and authorization infrastructure to regulate who can syndicate what). Further, the LJ codebase would allow feedback on each entry in the analyst's "text stream", or I should say "media stream". And as a bonus, clients exist to talk to LJ servers from pretty much any platform, and most don't require any knowledge of HTML or similar technologies by the end user. The source code for the LJ server system as well as most of the clients is available here but as usual for any outside product, it'd probably be wise to commission a source review of it before putting it into production in a secure environment. (This may be one way to help fund the projects, if possible, by commissioning project developers to contribute to the security process, and allowing the non-agency-specific security changes to be rolled back into the public sphere, analogous to the NSA's SELinux.)

Re:firewall? we don't need no stinkin' firewall!

[SirWhoopass]

The US uses the same thing with SIPRNET. It is physically separate from the internet. Script kiddies like to gloat about how insecure military networks are and how they hacked into classified information. Not true. They may certainly have seen some "private" web sites with telephone or social security numbers, but not actual classified information. They'd need to dig a hole and splice fiber first.

It reads like a help desk...

[gamgee5273]

This is a similar tact, though not exact, to the help desk structures that are successful. The DI analyst's job sounds quite a bit like the job my staff has to handle, and many of the suggestions like the ones I am regularly making.

I would suggest they actually look at those models. ITIL (the IT Infrastructure Library, brought to you by the British government) is an excellent set of guidelines to start off with...

Then they can hire me. :)

I worked for the navy at the pentagon.

THe two networks are completely separate. Most people had a classified, and unclassified machine at their desk, completely separate. Once a disk had gone into a classified machine, it could never be used in an unclassified machineagain(In theory) same for hard drives and memory, including printer memory.

TEh only time i have ever heard of the two networks being connected was a seinor chief plugged two lan cards into one computer, just messing around. Caught unholy hell for it, luckily he was the sharpest guy with the most experience in the office(Never fuck with a chief, they run EVERYTHING) and just got a verbal ass kicking, off the record. At least thats how i heard the story.

Re:I worked for the navy at the pentagon.

[out180]

I didn't work at the Pentagon but I was the lead IT on a ship and also an engineer (post-eaos) for the the NIPR/SIPR shipboard ISNS provider.

The CIA isn't the only government agency that is behind the times. Lets talk about intelligence handling with the Navy. It wasn't until 4 years ago that an official standard, project if you will, was implemented on a broad scale to handle the class/unclass infosys traffic. Now I'm not saying that it didn't exist, because it did exist, but what I am hitting on here is that the Navy, in this example, didn't provide a clear cut method for shipboard units to maintain data via a computer network. Now, the standards existed, but on a broad scale it was left up to specific commands to implement a computer system within the regulations for INFOSEC without outside assistance. So lets get into how it was done, pre-ISNS days.

Seaman Smuckitelle is tasked with providing a half-ass computer network on the ship. Since during that time the DS's were still in existance it wasn't a hard task but the real fun came when everyone started messing around with it. The only "allowed" system shipboard was unclass due to the obvious INFOSEC requirements of a class network and the serious lack of personal that could accomplish such a task unassisted. Now, DS2 Smuck creates this network and connects all the major spaces together, this is UNCLASS mind you. Now, as you can probably tell what ended up on that unclass network, yep... classified material. In a matter of a week you have chief's writing CASREPS on it (a classified message). Then, someone has a bright idea. From a distant corner of the Wardroom comes a voice that says, lets put all of our message traffic on it through the exchange server. There was much celebrating from the wardroom that night and thus the unclass, insecure, half-ass, non-INFOSEC compliant network now magically becomes a secret network.

This isn't to scare anyone, its just to further extend the point of being "behind the times". In the case of the CIA we should hope that the outdated IT problem is due to hardware and lack of funding. In the case of the Navy it was due to a lack of training and organized leadership. The foresight of a tight, well designed INFOSYS infrastructure wasn't clear until well past its need. Once it was clear, they tried to do something about it. Now as of 2 years ago, when I last touched it, the times were changing... but there was still alot to be learned. Example being when the Navy decided to formalize their shipboard INFOSYS structure they downsized the DS rating (the only rating in the Navy that specialized in Data Systems specifically) and crossed all of the new IT responsibility to the RM's, or Radiomen. Now, who do you think could handle this task better, a Data Systems specialist trained in the use, support, and troubleshooting of computer systems (despite the obvious age of these system), or a RM who's only purpose in life was to push paper and transmit radio traffic? Well, I'll tell you this... any advance the Navy made by bringing a standard cross-ship platform for INFOSYS into the works was further slowed by allowing inexperienced people take charge of it. My exact point is made very clear in the above post where a Chief, a leader mind you, hooked an unclass and a class network together on the same system. Why might you ask? Well the real fact is clear, people as a whole are very concerned about Information Security, the single induhvidual (yes Dilbert) doesn't think before they act. Could it be innocent, yes but the information that is classified is made such for a reason and the gross mishandling of that information leads to serious problems. Do I believe that SIPR is secure, sure in theory, but the people behind it are not.

Its the government, they never choose wisely until its too late and then they always find a way to muck it up in the long run. You know how many times I went onboard a ship to fix a downed Exchange server and they hadn't backed up in 2 months....

Re:What the CIA needs:

[RobertNotBob]

One of the things I remember most clearly from the morning of 9-11 is the face of a former head of the CIA. He was going from one media outlet to another preaching from the mountaintop that this attack came because of a policy change preventing the CIA from paying known criminals. I don't remember his name off the top of my head, however I do remember he was on every channel saying the exact same thing over and over.

So there were at least SOME people who recognized the need for Human Intelligence, but it unfortunately seems that they were run out of the organization rather than listened to.

CIA Humint - Sigint - Remote Sensing

[Wyatt+Earp]

The CIA's problem isn't a lack of funding, a lack of agents in the field or a lack of IT.

The problem is that since 1980 it hasn't figured out anything in advance.

1983 Hezbollah attacks on France/US missed
1983 Marxist revolt in Granada missed
1989 Czech border reforms missed
1989 E. Germany fall missed
1990 Iraqi invasion of Kuwait missed
1991 Coup attempt in USSR missed
1992-94 Islamists in Somalia missed
1993 Bombing of WTC missed
1998 African Embassy bombings missed
1999 Attempt on DDG Sullivans missed
2000 Bombing of Cole missed
2001 WTC/Pentagon missed

Clancy has been a CIA supporter for a long-time even though they don't accomplish anything anymore.

I read the Hunt for Bin Laden which is about the Green Berets in Afghanistan which doesn't have anything nice to say about CIA either.

I just don't see how they are relavent anymore.

Re:CIA Humint - Sigint - Remote Sensing

[Jonny+Ringo]

Of course its also easy to not think about how many of these things they miss on purpose. Its the easiest way for the CIA to get more funding.

Re:CIA Humint - Sigint - Remote Sensing

[the_rev_matt]

I understand that they can't broadcast their successes, but seriously, missing pretty fundamental things NOT perpetrated by a shady loose network of terrorists (like the fall of E Germany, Czech border reforms, Iraqi invasion of Kuwait (esp. considering he ASKED PERMISSION), Coup attempt in USSR, hell they missed the fall of the Soviet Union even though Gorbachev had been broadcasting it for YEARS).

Infighting

A little mouse once told me a story about two different IT groups in the CIA focusing a lot of effort on making the other group look bad. This infighting has led to a lot of missed opportunities.

recruiters told me this three years ago

I went to a job fair and talked with the CIA recruiters. They told me that if I was interested in cutting edge I should stay away. They had hardware and software that was older than dirt and had no budget for anything new and no forceable change in budget status.

I had them send me the employment forms anyway...

I then went to a dot.bomb - iCAST.com -
I should have gone with the CIA::

questions on the form ( in addition to listing all relatives, frinnds, neighbors, aquaintences, relatives neighbors aquaintences etc.)

Do you have any issue with being relocated during your tenure with the CIA

Do you understand that once hired you will remain an employee for a minimum of three years

Do you understand that at any time you may be relocated to wherever we need your services

e-mail vs. formal message traffic

[KD7JZ]

I worked for a large 3 Letter Agency during the late 80's through the mid-90s and one large issue we had was the transition from formal message traffic to e-mail. The military/intel community for years had a network for sending formal message traffic. These were written messages with formal accountability. They could be used to order actions, dispatch personnel, transfer money. When e-mail came along it was a big challenge to figure out if that same accountability could be built into e-mail or not.

This is not limited to the CIA

[nemaispuke]

Before I retired from the Navy, I worked in an Intelligence facility at the Top Secret level. The equipment that was available to me was several Macs (to produce PowerPoint slides), a Sun Sparc 10 used as a file and print server, a terminal to connect to PROFS (IBM OfficeVision) to read Top Secret e-mail, another Mac to access the Secret LAN and read Secret e-mail. There were no unclassified PC's, Macs, or Unix workstations to "surf the net" despite reading an article in the same command about "open source intelligence". Part of the problem is compartmenting the information which makes it difficult to search for information since not everyone can access all the information based on the compartments an individual is cleared for. This will not go away soon. And let's not get into the politics of it.

Re:What the CIA needs:

[dolbywan_kenobi]

Qualifications: How about the raid on Son_Tay in Vietnam? Perfectly executed in everyway except there were no prisoners there. Or to use a more modern example - Iraq. How many WMD have been found there? None. So either someone's lying to the American people or the CIA's intello is faulty.

Here's an anecdote I read a long while back, near the end of the Cold-War:

NATO wanted to know the bore of the gun of a Soviet tank. There was one in East Germany. The US used satellites at a cost of millions of dollars. The British used someone to break into the facility to measure the bore. The cost was to replace the lock but the person who did it risked his life. The French took a Russian officer out to dinner, after having plied him with good food and lots of alcohol and just asked the him what the bore was.

A bad case of falling behindism?

[swb]

"Falling Behindism" is a term that I and my old boss created for the creeping paranoia that says, no matter how hard you're working at it, you're falling behind technologically and are not keeping up. The corallary is that you can't ever catch up and are doomed to obsolensence.

I think everyone largely suffered from this during the late 90s, when, if you weren't paying attention for a week, you got two full revs behind on your applications and missed an OS rev entirely.

The reality is usually more nuanced and perceptions of technological sophistication are very skewed by trends. Having an advanced widget doesn't prevent falling behindism if the buzz is about using anti-widgets instead.

I think it's also a problem to look at the state of technology across broad fields (OS, systems, networks, applications) and see yourself behind on all of them. It's a false standard, since it's nearly impossible to get any decent sized organization current on everything (or anything) -- and even if you could, you'd garner some risk due to new problems not yet discovered.

Classifed networks difficult for a reason

they call it Sensitive Compartmentalized Information (SCI) for a reason...

its the easiest and most effective way to ensure that people like our friends at the (Karl Gruber from Die Hard)Efff....Beee.... Eyeeeee...(/Karl Gruber) who do end up selling out and spy against the US are prevented from getting all the secrets.

I've got a TS/SCI, worked on a few Special Access Requires (SAP) programs, and realize that not only for the programs' sake, but for mine as well, if i was ever caught or captured while on travel in a foreign country, SCI is there to ensure that not all the marbles get let out.

The deliniation between SCI programs, the "need to know", and the restricted access is not there because its assumed that _everyone_ is not trustworthy... on the contrary.

Its there to keep you safe, limit your danger, ensure that you can't be squeezed for any more information than is necessary, AND to limit the damages inflicted by spys/sellouts/rat bastards.

I ensure you all - as part of "The Conspiracy" - we're just normal folks.. you probably even live or play or church with many that have these accesses... but this guy is a twit if he thinks that there is a SIMPLE approach to problems... there is not.

MLS networks are hard to do. They are very difficult to work with. They are not elegant and simple. Can this info go from this net to this one? What about someone with tickets x, y, and not z? Can he still get this info, but not that info? What is the classification of this jpg? Of this .zip file? Of this .sit file? (yeah, everyone's on a Winblowz box, right.)

The permutations are mindnumbing... and there is simply no really great way to do it other than physical network separation.... for now. Now, i challenge folks all the time to use VPNs, because there often is no need to use separate copper/fibre... but we simply need a content separation... that is not being adopted as fast as it should, i agree.

SIPRNET is a quagmire because of the low level of security is it/has/protects.. and the number of people jacked into it. Its a bitch for everyone, and usually, its not worth the trouble. Its a bitch because its at such a low level - SECRET - and often, people try to integrate UNCLASS onto it. DISA keeps it held so close because too many people get their SIPRNET account, and then want to jack in all kinds of things that may or may not munge the security of the network.

I don't have the solution to the SIPRNET problem. I'm not going to say i do... but running the Homeland Defense agency (or whatever the hell it is) isn't going to make matters better, i guarantee you that... how many freaking govt. wakners are going to want/need/get SECRET clearances just to email each other the latest "10 things To Make Someone Smile" spam via SPIRNET simply because their boss said they need SIPRNET.... unnecessary.

There is no easy fix to it other than simply building your own network, and going around the whole problem.

Yes, OSS is a great thing for the classifed world.. and it pisses me off that we don't use it more.. because we'd have the smegging code if we did... you morons.

(obvously, i'm not in charge around here).

sorry for this being all over the map.. i'm working. ;-)

Re:firewall? we don't need no stinkin' firewall!

[kruczkowski]

Funny thing is that ILUVYOU was released on SIPERNET. Becouse the militray has the secure mentality most (of those that do have) anti virus software were out of date.

Did I mention that the systems run Windows?

Re:Bah, just a front! -- I doubt it

You have to remember that the CIA has three divisions, DI, DO, and DS&T. The Operations and Sci/Tech boys get all the toys -- which I'm sure are amazingly advanced -- used for collecting data in the field. The poor Intelligence analysts that muck through documents and databases are the ones stuck behind.

It's common to think of the government as one big unified organization, but even one agency can be highly compartmentalized, with quite different resources and procedures.

Don't believe everything you hear

[Muttonhead]

Black Ops:

1. Downplay your capabilities.
2. Carry out a sophistacated op, like bombing yourself.
3. Blame somebody else.
4. Proclaim, "Oops, we goofed. Give us more money to fix the problem."
5. Get more money for computers, etc.

Example: Michael Hayden a year or two before 9/11/2001.

True? Who knows, but the moral of the story is don't believe everything you hear. It stands to reason that anything the CIA wants the public to know is made available for a reason. And likewise everything it doeosn't want people to know is not made available.

Re:What the CIA needs:

[garyrich]

"Or to use a more modern example - Iraq. How many WMD have been found there? None. So either someone's lying to the American people or the CIA's intello is faulty."

Actually the CIA had been telling the executive branch for a long time that Iraq didn't have any WMD, or at least not any significant weapons stockpile. They got so sick of hearing such "unpatriotic" talk in the white house that they stopped listening to the CIA a couple of years ago. Rumsfeld and Cheney run their own little "mini CIA" out of the DOD that tells them what they want to hear. CIA intel is largely ignored.

Could not disagree more strongly

[slashdotcassius]

For DI, to be breeched is to fail. As a phrase in the article adeptly hints, managing risk indicates, at best, incompetence, and at worst, treason. A policy of excluding risk, however, is acceptable. Where Bruce Berkowitz suggests, " . . . a 35-year-old DI analyst with ten years of experience ought to be able--routinely-- to take calls directly... noting where there is important uncertainty or disagreement", I could not disagree more strongly. Never should the opportunity for treasons of subterfuge of misdirection lie within a single human being. The current bureaucracy of peer review represents an excellent example of risk exclusion policy.