ODNI: Trade-off information security for good intel

The Office of the Director of National Intelligence issued a directive on Tuesday that recommends managers of information technology systems accept a lower level of security if it provides the United States with better intelligence.

Intelligence Community Directive 503, signed by Director of National Intelligence Mike McConnell on Sept. 15, said the principal goal for risk management of any intelligence agency such as the CIA or the National Security Agency should be to protect the agency's ability to perform its mission, "not just to protect its information assets."

"Because risk cannot be eliminated entirely, the risk management process must allow decision-makers to consider the operational economic costs of protective measures weighed against requirements for mission accomplishment," the directive stated. "For example, a very high level of security may reduce risk to a very low level, but can be extremely expensive and may unacceptably impede essential operations."

Intelligence agencies should consider information sharing and collaboration across the community and with foreign partners "as essential mission-sharing capabilities," the directive said.

The directive is part of the push among intelligence agencies to open up their systems with the aim of improving intelligence and stopping attacks on the United States like the ones conducted on Sept. 11, 2001. In its report, which delineated the intelligence failures that resulted in the attacks against the World Trade Center and the Pentagon, the 9/11 commission called for a cultural shift to encourage information sharing. The intelligence reform enshrined those recommendations into law.

The language in the new directive stands in stark contrast to the one it replaces, the Director of Central Intelligence Directive 6/3 issued in 1999, which emphasized security and said nothing about operational requirements. That directive said IT system risk assessments should "identify specific areas that require safeguards against deliberate or inadvertent unauthorized disclosure, modification or destruction of information; denial of service; and unauthorized use of the [IT systems]."

ODNI described the new directive, which codifies strategic goals agreed on with John Grimes, the Defense Department's chief information officer, in January 2007, as "a ground-breaking new policy [that] . . . changes how the intelligence community, and by inference, the entire federal government, will build, validate and approve information technology systems."

"This is an important step forward, but primarily only for ODNI itself," said Pat Howard, the chief information security officer for the Nuclear Regulatory Commission. "This changes ODNI policy on certification and accreditation of IT systems to closely align to that of the civilian agencies."

The policy tracks the National Institute of Standards and Technology Special Publication 800-37. "I do think this is a step in the right direction since it is a move toward a common certification and accreditation standard that is accepted by a large part of the government, by an important agency that has a substantial number of highly sensitive IT systems," Howard said. "Perhaps DoD should move in this direction, too."

The directive lays out broad parameters to simplify accreditation and certification of intelligence community IT systems and calls for reciprocal accreditation of systems operated by other government agencies, including those at the state and local levels, or nongovernmental agencies that meet standards established by ODNI or NIST. The intelligence community also should accept system accreditations conducted by foreign partners including Australia, Canada, New Zealand and the United Kingdom, the directive said.

Steven Aftergood, director of the Project on Government Secrecy for the Federation of American Scientists, called the new directive an "exercise in common sense: It says security is a means, not an end, and risk needs to be managed."

Aftergood said the directive also ties in with the recent intelligence community policy to share information, rather than closely hold on to it.

Philip Coyle, senior adviser with the Center for Defense Information, a security policy research organization in Washington, said the new directive was a way to "fudge" on security, and the government would do better to follow the practices of industry.

Coyle, who served as assistant secretary of Defense and director of its operational test and evaluation office from 1994 to 2001, said he was struck by the differences between private industry and the national security establishment when it comes to information technology development and deployment.

Private industry is innovative, developing applications and systems within small teams, and is cautious about security risks, he said. Defense and the intelligence community, by contrast, are not as cautious. They want to build "gigantic systems that are outdated before they can be deployed, developed by major defense contractors operating with very large teams, wanting to fudge on security to deploy faster, and wanting to bypass testing, which is seen as an obstacle not an opportunity for insight."
