[ISN] Mission Possible

From: InfoSec News (isnat_private)
Date: Mon Jan 14 2002 - 01:12:18 PST

  • Next message: InfoSec News: "[ISN] Re: SANS Top 20 Vulnerability List Updated"

    By Justin Hibbard 
    January 18, 2002 
    It took just 90 minutes from the moment the first jetliner ripped
    through the north tower of the World Trade Center on September 11
    before a TV anchorperson uttered the words "failure of intelligence."  
    In the hours that followed, the phrase shot through the media,
    eventually finding its target: the U.S. intelligence community and its
    lack of technological prowess.
    "For many years, our intelligence technical capabilities were the
    standard of the world," U.S. Senator Bob Graham (D: Florida), chairman
    of the Senate Select Committee on Intelligence, told reporters on the
    day of the attacks. "We have fallen behind, and we need to close the
    gap and reassert our leadership."
    The sound bite had a familiar ring to anyone who had hung around the
    Central Intelligence Agency in 1999. That year, nearly the same words
    were spoken by supporters of a plan to start a CIA-funded
    systems-integration firm called Peleus. Proponents argued that the
    agency was failing to keep up with new technologies like sophisticated
    Internet search tools being developed by small, innovative companies.  
    In February 1999, Peleus was founded, given an annual budget of $30
    million, and ordered to seek risky startups that could keep the agency
    stocked with futuristic, James Bond-like gear.
    The following year, Peleus evolved into a nonprofit
    technology-procurement shop--one that not only hired contractors, but
    also made equity investments in small companies, much like a venture
    capital firm. Moreover, it changed its name to In-Q-Tel in homage to
    Mr. Bond's gadget-happy colleague, Q.
    To date, the experiment has received high marks from its overseers in
    Congress. In just two and a half years, In-Q-Tel has reviewed over 900
    business plans, funded 23 companies and research and development
    projects, and introduced five technologies into the CIA for testing.  
    In a report presented to Congress on September 14, Mr. Graham singled
    out the firm for praise.
    But since September 11, even In-Q-Tel has had to field the question
    that has pestered the entire U.S. intelligence community: why didn't
    we know? After all, if this taxpayer-funded venture firm provides the
    CIA with such powerful technologies, shouldn't the agency have been
    equipped to anticipate the attacks?
    Probably not. By traditional VC standards, two years isn't long enough
    for In-Q-Tel's portfolio companies to perfect their products, much
    less transform the CIA's information systems. Even more important,
    it's uncertain if any technology could have helped predict the
    hijackings anyway. September 11 was a failure of "human intelligence,"  
    counterintelligence, and analysis.
    Still, the tragedies underscored the need for the CIA to act on the
    recommendations made by an independent panel just weeks before--in
    particular, to speed the pace at which the agency integrates the
    products of In-Q-Tel companies into its operations. The CIA's adoption
    of advanced technologies isn't only necessary to stay ahead of new
    enemies, it's also vital to In-Q-Tel's success, which will be measured
    by the CIA's technological supremacy, not by IPOs.
    Panel Discussion
    For Gilman Louie, In-Q-Tel's 40-year-old president and CEO, any doubts
    about the firm's viability disappeared on September 11. Before the
    attacks, he had endured debates with members of the CIA about the
    importance of technology and trade-offs the agency would have to make
    to adopt new tools immediately. "There's no more question," he says.  
    "Today, everyone's saying, 'We have to have it.' Speed is everything
    Speed was a major theme of a 78-page report on In-Q-Tel released by
    Congress just five weeks before the attacks. Lawmakers had requested
    the study from a panel led by Business Executives for National
    Security (BENS), a nonprofit, nonpartisan research group. A 30-person
    team of private-sector VCs, lawyers, bankers, and executives studied
    the firm from January to June and came away applauding its progress in
    funding new technologies--and booing the CIA's sluggishness in
    adopting them.
    "The CIA's technology-introduction process is way too bureaucratic and
    complicated," says C. Lawrence Meador, a technology executive who
    chaired the panel. For instance, at the time, new hardware or software
    required a 136-step review process by six different boards before it
    could be installed on the agency's networks, the panel found.
    The panel recommended that In-Q-Tel measure its performance by the
    speed with which it inserts new technologies into the CIA. But it
    added that responsibility for inserting the technologies should be
    shared by In-Q-Tel, the CIA, and a liaison between the two, the
    In-Q-Tel Interface Center (QIC), which is a department within the CIA.
    Some of the panel's harshest criticism was aimed at QIC. "QIC had
    focused too much on overseeing the functions of In-Q-Tel when its
    better role would have been the intermediary for getting technology
    into the CIA," says Paul Taibl, a BENS analyst who contributed to the
    After searching six months for a description of the CIA's technology
    strategy, the panel came up empty-handed. "We were unable to find any
    alignment of the agency's technology and business strategies," Mr.  
    Meador says. That misalignment could make it hard for In-Q-Tel to
    match its companies' products with the agency's needs, the reviewers
    By the time the panel completed its study in late spring, the CIA had
    addressed many criticisms through a reorganization led by its newly
    appointed executive director, A.B. "Buzzy" Krongard. The agency filled
    the vacant post of chief information officer, named a new director of
    QIC, and streamlined the process by which technologies are added to
    its information systems. "The report's recommendations have been fully
    implemented," says Mr. Louie. "[Director of central intelligence]
    George Tenet and Buzzy Krongard said information technology is a
    priority for this agency."
    Spy Culture
    But permanent improvements may require more than a management
    shake-up. Resistance to ventures like In-Q-Tel is ingrained in the
    CIA's culture. Though the agency has a history of embracing innovative
    technologies, its secretive ways lead some employees to reflexively
    distrust ideas from outside.
    "The agency has an established culture that has grown up around a
    security model and a way of doing business that are less appropriate
    to some of the threats we face today," says Ruth David, former deputy
    director of science and technology at the CIA. While developing the
    original concept for In-Q-Tel in the late '90s, Ms. David struggled to
    win acceptance for working with nontraditional intelligence
    contractors. "I ran up against a lot of brick walls and had limited
    success," she says.
    Her sentiments echo a now-infamous farewell memo circulated inside the
    CIA in January by the agency's outgoing inspector general, L. Britt
    Snider. "The world of information technology does not relate very well
    to the world of intelligence," he wrote. "It thrives on transparency;  
    we thrive on secrecy. It does not want to be tied up by government
    contracts and classification stamps; we know nothing else." The memo
    went on to implore support for In-Q-Tel: "Agency managers and
    overseers must find a way to make it work."
    The U.S. intelligence community's culture is still based largely on
    the cold war-era notion of "stovepipes," in which each organization
    shares information internally but not with the others. Connecting
    organizations is risky, since an intruder might glean secrets from
    multiple spy outfits by penetrating just one of them. But the
    technology revolution of the past decade has demanded that
    intelligence agencies and foreign governments increasingly co÷perate,
    since no single entity can process the world's daily output of data.
    In the weeks leading up to September 11, the U.S. intelligence
    community's 14 organizations--which span the departments of defense,
    energy, justice, transportation, and treasury, as well as the CIA--may
    have gathered fragmented clues that together might have hinted at what
    was to come. Though it's unlikely any combination would have suggested
    the exact plan of attack, the need for increased communication and
    data analysis is clear. "One of the post-September 11 themes is
    collaboration and information sharing," says Alan Wade, the CIA's
    chief information officer. "We're looking at tools that facilitate
    communication in ways that we don't have today."
    The CIA and In-Q-Tel were already looking at those tools; the attacks
    haven't drastically altered their interests. "If you compare what we
    were looking at before September 11 and what we're looking at now,
    they're identical," Mr. Louie says. Along with collaboration, In-Q-Tel
    has consistently invested in companies like Intelliseek, MediaSnap,
    Mohomine, and SafeWeb, whose security software and search applications
    are capable of analyzing data from a wide variety of sources. The
    firm's other investment themes have included mapping, visualization,
    and sensors.
    Deployment Agency
    The ultimate goal of In-Q-Tel's investments is that its ventures
    introduce valuable technologies into the CIA, not return cash or
    high-priced stock. Along with every investment it makes, the firm
    requires a portfolio company to sign a contract promising delivery of
    a product to the agency.
    For startups, working with In-Q-Tel is like working with a corporate
    customer that is also an investor. During product development,
    In-Q-Tel portfolio companies work closely with CIA employees to learn
    the agency's requirements. "It pays off because you build what people
    need and want," says Kathy DeMartini, president and CEO of MediaSnap,
    a security software company that took a $1.3 million investment from
    In-Q-Tel in June 2000.
    But In-Q-Tel's pre-investment screening process (also known as due
    diligence) is more rigorous than that of most corporate customers,
    which some companies appreciate. "In-Q-Tel's core value is due
    diligence on the technology," says Mahendra Vora, chairman and CEO of
    Intelliseek, an advanced search-engine developer that took a $1.4
    million investment from In-Q-Tel in May. "They're not just doing it
    for government purposes. They want to make sure it works for corporate
    customers, too."
    Another benefit of In-Q-Tel's demanding technical testing is the
    potential for additional sales. If the CIA buys a product, agencies
    like the Federal Bureau of Investigation and the National Security
    Agency may follow suit. "Naturally, there's an appeal to other
    government agencies if one agency is already using the technology,"  
    says Ms. DeMartini.
    Some startups might be wary about taking an investment from a firm
    that could pressure it to develop technology that is useful to only
    one customer--the CIA. But In-Q-Tel insists it has an incentive to
    help its portfolio companies widely commercialize their products
    because commercial products are cheaper to upgrade and support than
    custom ones.
    To find deals, In-Q-Tel informally shares leads with about 80 VC
    firms, as well as investment banks, universities, and research labs.  
    Some VCs have asked what business the government has competing with
    private-sector investors for deals. "With a $30-million-a-year budget,
    you're not in competition with anything in venture capital," says Mr.  
    Louie. In-Q-Tel tends to invest much smaller amounts than its
    private-sector co-investors, some of which like investing with
    In-Q-Tel because of its thorough due diligence.
    The U.S. government has a history of so-called public VC programs
    dating back to the Small Business Investment Company program started
    in 1958. The results have been mixed. The programs often fail when
    they try to stimulate growth in geographic regions where there is
    little private-sector investment. But they sometimes succeed when they
    focus on an under-funded industry that is independent of a region.
    "In-Q-Tel is quite different from typical public venture capital
    programs," says Josh Lerner, a professor at Harvard Business School.  
    "It's largely stimulating technologies in industries where it feels
    there is insufficient private development taking place."
    The In-Q-Tel model could eventually be extended to other U.S. defense
    and intelligence agencies. The BENS panel recommended that In-Q-Tel
    remain focused on the CIA until it has had time to mature. But Mr.  
    Meador envisions the firm eventually spawning 14 divisions, each
    supporting an intelligence agency.
    That vision isn't likely to come true on an annual budget of only $30
    million. But substantial budget increases are on the way for U.S.  
    defense and intelligence agencies, including the Department of
    Defense's R&D budget (total expenditures are classified), which is
    likely to gain $20 billion over the next five years. In addition, the
    Senate Select Committee on Intelligence has called for revitalizing
    the NSA's technology and rebuilding a strong R&D program for the
    entire intelligence community. An organization like In-Q-Tel could
    channel a portion of these funds to innovative startups.
    But first, In-Q-Tel must master the CIA--a mission that has become
    imperative since September 11. "From that point on, there was no
    question why we're here and what our role is," says Mr. Louie. From
    his office window in Arlington, Virginia, he can see the hole in the
    Pentagon left by the hijacked airplane. "If I ever forget what's
    important, I just look out the window," he says.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Mon Jan 14 2002 - 06:53:40 PST