If you're an IT administrator working for the NSA, you might want to brush off your résumé: Your boss, Gen. Keith Alexander, has announced he's planning to eliminate 90 percent of you and your co-workers thanks to some fancy new technology. The idea is to limit the organizational risk posed by Edward Snowden-type leakers. But what exactly will this sysadmin-vaporizing pixie dust look like?
Alexander was coy about it yesterday, speaking to an audience of information security professionals. He hinted at a "thin virtual cloud structure," but that was the extent of it.
So we know cloud computing is somehow involved. From that, we can infer that NSA is considering at least one, perhaps two systems. These aren't "new" in the sense that they've never been disclosed — in fact, the agency has been planning a shift to cloud computing since at least 2011. But to date, Alexander hasn't generally talked about cloud computing as a matter of internal security.
The first solution that could be considered is a program called ICITE — the Intelligence Community Information Technology Enterprise.
ICITE is designed to give analysts the ability to log onto a virtual desktop where they can call up data from a central server or multiple connected servers. What makes the system potentially powerful is that it's meant to be used across the whole intelligence community. This includes the so-called "big five" — the CIA, the Defense Intelligence Agency (DIA), the National Geospatial-Intelligence Agency (NGA), the National Reconnaissance Office (NRO) and the NSA. Each agency's technology currently exists in a silo, but if all goes according to plan, ICITE will consolidate everything.
"When we have that, it will enable us to rapidly scale our exploitation and processing capabilities and take advantage of all that is out there," said Letitia Long, director of the National Geospatial-Intelligence Agency, at a conference last year. "We don't have to each build it all ourselves."
ICITE was scheduled to launch this March. But it's also preceded by the NSA's other recent cloud computing initiative, known as Accumulo.
Accumulo is the name for an NSA database that was hacked together after the agency's engineers took notice of a similar Google product. What's special about Accumulo is that with any given set of data, the NSA can tag individual cells with different access rules. That means two people with different levels of security clearance can both look at the same sheet and only see what they're supposed to see.
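A sketch of how that cell-level tagging works, added here as an illustration and not taken from NSA or Accumulo source code. The label syntax (`&`, `|`, parentheses, an empty label meaning readable by everyone) follows Apache Accumulo's column visibility expressions in simplified form; the sample table, label names and function names are constructed, and hiding a cell whose label cannot be parsed is this example's own choice.

```python
import re
TOKEN = re.compile(r"[A-Za-z0-9_]+|[&|()]")

def visible(label, auths):  # may a reader holding the set `auths` see this cell?
    if not label:
        return True                      # untagged cells are readable by everyone
    tokens = TOKEN.findall(label)
    if "".join(tokens) != label:
        raise ValueError("illegal character in label")
    pos = 0
    def term():
        nonlocal pos
        tok = tokens[pos] if pos < len(tokens) else ")"
        pos += 1
        if tok == "(":
            val = group()
            if tokens[pos:pos + 1] != [")"]:
                raise ValueError("missing ')'")
            pos += 1
            return val
        if tok in ("&", "|", ")"):
            raise ValueError("expected an authorization name")
        return tok in auths
    def group():
        nonlocal pos
        val, op = term(), None
        while tokens[pos:pos + 1] in (["&"], ["|"]):
            if op not in (None, tokens[pos]):
                raise ValueError("mixing & and | requires parentheses")
            op, pos = tokens[pos], pos + 1
            rhs = term()                 # always parse the right side, then combine
            val = (val and rhs) if op == "&" else (val or rhs)
        return val
    allowed = group()
    if pos != len(tokens):
        raise ValueError("trailing input")
    return allowed

# Constructed sample "sheet": (column, label, value). Labels are hypothetical.
CELLS = [("title", "", "Weekly summary"), ("region", "SECRET", "north"),
         ("source", "TOPSECRET&(HUMINT|SIGINT)", "intercept"),
         ("notes", "SECRET&HUMINT|SIGINT", "draft")]  # malformed: mixed operators

def can_read(label, auths):
    try:
        return visible(label, auths)
    except ValueError:
        return False                     # fail closed: a bad label hides the cell

def scan(cells, auths):                  # the same sheet, filtered per reader
    return {col: val for col, label, val in cells if can_read(label, auths)}
```

Calling `scan(CELLS, {"SECRET"})` and `scan(CELLS, {"SECRET", "TOPSECRET", "SIGINT"})` returns two different views of the same rows, which is the behavior the paragraph above describes.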
The NSA made Accumulo an open-source project in hopes that other agencies would adopt the tool. But the Senate objected, accusing the NSA of violating a rule that requires federal agencies to buy commercial solutions off the shelf when available. The version of the defense authorization bill that would have codified the Senate's resistance never became law, however.
One possibility is that Accumulo could serve as the back-end database from which analysts, who are using ICITE, grab the data they need. But that would probably depend on whether other agencies would be allowed to use Accumulo as well. A call to the NSA Friday was not immediately returned.
Allan Friedman, a cybersecurity expert at the Brookings Institution, said cutting down on the number of technology silos in intelligence would naturally reduce the need for human sysadmins. Silos need to talk to one another, which means you need to hire a human to "get into the guts of the system" to make sure it happens. But with one universal system, everything is standardized.
"You make it so that even the sysadmins have to interact with it in a fashion that has authorization controls, access controls, audit logs," Friedman said. "You put all your eggs in one basket and you watch the hell out of that basket."
Despite the theoretical security advantages inherent to cloud-based systems, however, not everyone in the intelligence community is convinced the NSA can pull off such a maneuver. One former intelligence officer pointed out that the government has a mixed record on enterprise-level IT initiatives, and that nobody has figured out how to defend a cloud-based intelligence database in the real world.
Maybe those sysadmins won't be as expendable as Alexander thinks.