ODNI: Trade-off information security for good intel

Director of National Intelligence issues security directive that could change how agencies build, validate and approve IT systems.

The Office of the Director of National Intelligence issued a directive on Tuesday that recommends managers of information technology systems accept a lower level of security if it provides the United States with better intelligence.

Intelligence Community Directive 503, signed by Director of National Intelligence Mike McConnell on Sept. 15, said the principal goal for risk management of any intelligence agency such as the CIA or the National Security Agency should be to protect the agency's ability to perform its mission, "not just to protect its information assets."

"Because risk cannot be eliminated entirely, the risk management process must allow decision-makers to consider the operational economic costs of protective measures weighed against requirements for mission accomplishment," the directive stated. "For example, a very high level of security may reduce risk to a very low level, but can be extremely expensive and may unacceptably impede essential operations."

Intelligence agencies should consider information sharing and collaboration across the community and with foreign partners "as essential mission-sharing capabilities," the directive said.

The directive is part of the push among intelligence agencies to open up their systems with the aim of improving intelligence and stopping attacks on the United States like the ones conducted on Sept. 11, 2001. In its report, which delineated the intelligence failures that preceded the attacks against the World Trade Center and the Pentagon, the 9/11 commission called for a cultural shift to encourage information sharing. The 2004 intelligence reform law enshrined those recommendations into statute.

The language in the new directive stands in stark contrast to the one it replaces, the Director of Central Intelligence Directive 6/3 issued in 1999, which emphasized security and said nothing about operational requirements. That directive said IT system risk assessments should "identify specific areas that require safeguards against deliberate or inadvertent unauthorized disclosure, modification or destruction of information; denial of service; and unauthorized use of the [IT systems]."

ODNI described the new directive, which codifies strategic goals agreed on with John Grimes, the Defense Department's chief information officer, in January 2007, as "a ground-breaking new policy [that] . . . changes how the intelligence community, and by inference, the entire federal government, will build, validate and approve information technology systems."

"This is an important step forward, but primarily only for ODNI itself," said Pat Howard, the chief information security officer for the Nuclear Regulatory Commission. "This changes ODNI policy on certification and accreditation of IT systems to closely align to that of the civilian agencies."

The policy tracks the National Institute of Standards and Technology Special Publication 800-37. "I do think this is a step in the right direction since it is a move toward a common certification and accreditation standard that is accepted by a large part of the government, by an important agency that has a substantial number of highly sensitive IT systems," Howard said. "Perhaps DoD should move in this direction, too."

The directive lays out broad parameters to simplify certification and accreditation of intelligence community IT systems and calls for reciprocal accreditation of systems operated by other government agencies, including those at the state and local levels, or by nongovernmental organizations, provided they meet standards established by ODNI or NIST. The intelligence community also should accept system accreditations conducted by foreign partners including Australia, Canada, New Zealand and the United Kingdom, the directive said.

Steven Aftergood, director of the Project on Government Secrecy for the Federation of American Scientists, called the new directive an "exercise in common sense: It says security is a means, not an end, and risk needs to be managed."

Aftergood said the directive also ties in with the recent intelligence community policy to share information, rather than closely hold on to it.

Philip Coyle, senior adviser with the Center for Defense Information, a security policy research organization in Washington, said the new directive was a way to "fudge" on security, and the government would do better to follow the practices of industry.

Coyle, who served as assistant secretary of Defense and director of its operational test and evaluation office from 1994 to 2001, said he was struck by the differences between private industry and the national security establishment when it comes to information technology development and deployment.

Private industry is innovative, developing applications and systems within small teams, and is cautious about security risks, he said. Defense and the intelligence community, by contrast, are not as cautious. They want to build "gigantic systems that are outdated before they can be deployed, developed by major defense contractors operating with very large teams, wanting to fudge on security to deploy faster, and wanting to bypass testing, which is seen as an obstacle not an opportunity for insight."