Extreme makeover: The CIA edition

Extreme makeover: The CIA edition

The US Central Intelligence Agency’s CIO, Al Tarasiuk, provides a rare, exclusive look at how ICT operates in a business with a unique customer set, sensitive data and security requirements.

Nearly three years into his term as the CIO of the CIA, one of Al Tarasiuk’s most critical duties has been to infuse more corporate-like thinking into the CIA’s IT operations and staff. “My boss,” Tarasiuk says of CIA Director General Michael Hayden, “asked me to establish ‘corporate everything’ for IT — to the [fullest] extent possible”. But then, just as easily as Tarasiuk discusses agile development and SOA and IT governance — typical CIO stuff — he solemnly switches to the harsh realities of his particular line of business. When asked about information-sharing failures surrounding 9/11, he chafes a little. “I won’t comment on how we got to 9/11,” he says, “but I can comment on how we’ve improved since that.”

He’s well aware of what’s contained in documents such as the “9/11 Commission Report,” the “The Intelligence Reform and Terrorism Prevention Act of 2004” and the “Commission on the Intelligence Capabilities of the United States Regarding Weapons of Mass Destruction”: Namely, that all point to a dire need for the 16 government intelligence agencies to cease long-standing turf wars and tear down internal and external information silos — all in an effort to share critical intelligence more openly and avoid the costly and deadly mistakes of the past.

A mission enabler

Since he took over the CIO reins in 2005, Tarasiuk’s mission has focused on the corporatisation of CIA IT — which is no small feat. Severe security requirements, national security concerns and a culture where spying and deception are just part of the business add a whole other layer of complexity to attaining true business-IT alignment.

For many years, IT was not seen as a strategic enabler to the CIA’s success, say CIA employees. Spies in the field didn’t think they needed IT, and the analysts trying to make sense of the spies’ intelligence had to get by with antiquated data-management systems. Technology was “a threat, not a benefit,” noted one CIA researcher in 2002. And “cylinders of excellence” — meaning data silos — were ever-present.

Tarasiuk has, so far, opened up the 61-year-old insular spy agency to the concept of more efficient and effective information sharing by using Web 2.0 technologies, such as the CIA’s Wikipedia-like Intellipedia that’s used across the US intelligence community. Another sign of change is a grassroots, web-based collaboration among Russian intelligence experts at several US agencies, which enables analysts to securely share their insights, analysis and information on breaking news on Russia.

Tarasiuk has instituted a new IT governance team that has — for the first time — the highest level of management support at the agency. His team has also moved completely too agile project management methodologies, virtualised 1000 servers and empowered frontline CIA employees to ask for, decide on and employ new IT tools.

In 2007, Tarasiuk’s team was finally able to replace the CIA’s main information-handling system, which was severely outdated and lacked the basic functionalities found in 1990s era email systems, with a more modern and user-friendly system called Trident.

Technology iron walls

Tarasiuk has driven change inside the CIA’s IT operations and won notice for his efforts. But that is not to say everything now is perfect — or close to finished. After all, demand for all this change — more information sharing between and inside agencies that frees previously firewalled intelligence from fragmented silos and thousands of databases — was forced on the CIA and other agencies by the creation of the Office of the Director of National Intelligence (DNI) in 2004, to oversee all 16 government intelligence organisations.

The current director, J.M. “Mike” McConnell, is taking great pains to replace the “Need to know” culture with “Responsibility to provide” among the organisations. (The shift is significant because it replaces knowledge hoarding with knowledge sharing.)

Technology is a vital piece of the CIA’s overall change, and Tarasiuk knows this. “IT is the lifeblood of this organisation,” he says. “I’m trying to eliminate the technology iron walls that have existed in the past” inside the agency.

‘We were not on the right path’

Established in 1947, the CIA’s mission has been to conduct clandestine operations on foreign nations, collecting critical national security information, then analyse and synthesise the data points, and deliver intelligence to the president, military leaders and other policy makers. For most of its existence, the CIA focused on spying on the former Soviet Union and combating communism — with varying degrees of success.

“I came in the mid-80s, during a period of time when the agency was very focused on big, covert actions,” recalls Tarasiuk, who spent time overseas in Africa.

The fall of the Soviet Union and the tearing down of the Berlin Wall were cataclysmic events for the CIA: The enemy suddenly was not there anymore. The inevitable downsizing and budget cuts soon followed. “Being in the IT world that was a part of the larger support element here, we got hit really, really hard,” he says, “down to the point where our global infrastructure was very fragile.”

Do all we can, with whatever we have on the shelves

The CIA wasn’t alone in data sharing and technology woes in the ‘90s, even as new threats began emerging. But all that changed at 8:46am on September 11, 2001.

The terrorist attacks on the United States and resultant global war on terror changed everything at the CIA, especially IT, which is called Global Communications Services. “It renewed focus in a mission,” says Tarasiuk, who was a senior manager in the IT infrastructure organisation at the time of the attacks. “The global war on terror, all of a sudden, became the agenda for the agency. The sense of mission came back, and the idea of being part of the tip of the sword in the fight against all this.”

For IT, the pressure was intense. “Immediately it was: Do all we can, with whatever we have on the shelves, get our systems together, extend the infrastructure to the best we can, and find creative ways of partnering with others, just to make the mission happen until we could get enough money in here to start rebuilding,” Tarasiuk says.

Infrastructure, storage, bandwidth, server, application and staffing requirements skyrocketed: Instantly, demands in those areas doubled, tripled and quadrupled. Tarasiuk contends that, due to the underfunding and downsizing, “we didn’t really have a well-organised plan” to deal with the new demand. For example, he says there simply wasn’t time to determine the best enterprise architecture strategy for the CIA’s new systems.

During 2001 and into 2002, a former CIA officer Bruce Berkowitz studied how the analysts in the CIA’s Directorate of Intelligence (DI) used information technology and how they might use IT more effectively. What he found was troubling: The analysts lacked awareness of and access to new IT services that could be of critical value to their work; the CIA did not put a high priority on analysts using IT easily or creatively; and, worst of all, wrote Berkowitz, “that data outside the CIA’s own network are secondary to the intelligence mission”.

Due to information-sharing security threats and a pervasive message that “technology is potentially dangerous,” technology became a “bogey-man rather than an ally” to the analysts, Berkowitz noted. The end result: “DI analysts know far less about new information technology and services than do their counterparts in the private sector and other government organisations. On average, they seem about five years or more behind.”

A seat at the table

Tarasiuk‘s appointment as the CIO at the CIA took place in October, 2005 (former Director Porter Goss appointed Tarasiuk). In his first year, however, Tarasiuk was seemingly handcuffed. “I had ideas [about transforming IT] when I first became CIO,” he says, “but the environment wasn’t aligned in a way where I could launch on these ideas.”

Since CIA Director Michael Hayden took over in May 2006, the “transformation” theme of the Tarasiuk era has not been subtle or kept quiet inside IT on a mission statement: Cut the bureaucracy and be more businesslike via stronger IT governance, more disciplined project management, greater data sharing and more openness to try new technologies. Hayden has demanded as much.

Tarasiuk created and chairs an Information Governance Board, which meets quarterly or as needed to make the strategic IT decisions for the agency. Hayden “demanded that because of the problems we’ve had in the past, because of who actually participated [in making IT decisions], he said to the business leaders, the mission managers, ‘You will sit at the table’,” Tarasiuk says. “So the support of the top leadership has been very important in making sure that board is effective.”

The four divisions inside the CIA are: Directorate of Intelligence (the analysis arm); the National Clandestine Service (the spies); Directorate of Science & Technology (which develops technologies to support the mission — think “Q” from James Bond movies); and the Directorate of Support (HR, finance, logistics, legal and other functions). For the most part, these CIA leaders appreciate being involved in the IT decision-making processes, Tarasiuk says, even though “not all of the decisions go their way.” For example, Tarasiuk forged what he calls an enterprise data layer strategy that enables those who have the need and the security clearance to access CIA data can do so.

One result of the enterprise data layer strategy is Trident, a new research and analysis application for CIA analysts that links a set of a dozen or so (Tarasiuk won’t be specific) logical data repositories and has tiered access (depending on a user’s need to access the data) and single access control to all the databases.

Trident debuted in 2007 and currently manages the voluminous amount of information flowing into the CIA, allowing analysts to organise and comb through the intelligence most critical to their specialty. Trident provides a multitude of capabilities for them: tools for search, knowledge management, sharing, information extraction, link analysis, mapping and data visualisation.

Project management

Tarasiuk’s agenda also includes a fix on project management. Ken Westbrook, chief of business information strategy in the CIA’s intelligence directorate (the agency’s intelligence analysts), recalls that the past project management process had stifling “control gates” and placed too many cooks in the kitchen. “The problem with that is that it became so bureaucratic,” Westbrook says. “We were having projects taking dozens of control gates, each of which could have hundreds of people in a room. It was not an efficient way of getting the job done.”

Since taking over, Tarasiuk has moved the CIA’s enterprise IT operations to an agile project methodology and, according to internal customer data, now maintains an 80 percent success rate in delivering applications, he says. IT has streamlined the “control gate” process to more easily meet deadlines, Westbrook says, and now tracks deliverables, deadlines and whether they were met. “That’s revolutionised things,” Westbrook adds.

If information leaks, people die

Tarasiuk says, matter-of-factly, “You know, one of the things we do here is we commit espionage. That’s the business we’re in.” The blandness of his delivery belies the statement’s heft: At the end of the day, his business is so atypical, his customer set unique, his data so sensitive, and his security requirements so exceptional that his job stands apart — way apart — from that of other CIOs.

His day-to-day work is one big balancing act: Weighing the need to protect the CIA’s information — “absolutely protect that data”, he implores — and the need to share that information. “Because information that sits here and no one uses is worthless,” he says.

Technology can only go so far

A CIA clandestine officer who works closely with Tarasiuk describes the CIO role as one that has to satisfy typical CIO obligations (delivering appropriate applications to users to make them more efficient) with one big catch. “Here’s the rub: He can bring all the efficiencies here, but [it’s difficult] because of our unique security requirements,” says the senior national clandestine service officer, who declined to be identified, citing his active duty status at the agency. “I care about: Security, functionality and efficiency.”

He says CIA officers like him realise technology applications have the ability to free up ops people to do more of the personal work — but only to a certain level. “Technology can only get you so far,” the officer says. “Information sharing is critical, but at the same time, we need to have some ‘cylinders of excellence’.”

While Tarasiuk has been working to get the CIA to experiment with new IT–related, data-sharing processes and applications, he worries about missing something when the consequences of failure are great. There are critical decisions that need to be made with all the data accumulated during the past 60 years, Tarasiuk says, like what to keep, what to make public and what to discard. There are also thousands of databases across the intelligence community whose contents may or may not need to be connected.

All of which weighs heavily on Tarasiuk. “The thing that worries me the most,” he says, “is that we have buried somewhere, in some database, some piece of information that a person that might need access to it doesn’t have the access.”

How to entice people to play

Prior to 2004 the CIA was the de facto lead intelligence agency — the CIA director briefed the president every day. The CIA fiercely opposed the creation of the Directorate of National Intelligence (DNI) in 2004 with the CIA becoming just another one of the 16 agencies reporting into DNI. Other organisations that are a part of the DNI and are now required to share intelligence among the community include: the FBI, the Pentagon’s Defense Intelligence Agency, the National Security Agency, the National Reconnaissance Office and the National Geospatial Intelligence Agency.

Tarasiuk says that he meets with the CIOs of those five agencies regularly to talk about building out the “connectivity tissue” to each other, as well as share ideas on how to “entice people to play” and share more information. One of the more notable successes that the CIA has delivered to the intel community is the Intellipedia product, which was introduced in 2006. Based on wiki software, Intellipedia allows analysts in all 16 organisations in the intelligence community to share web-based information on critical topics and search for intel expertise on a wide range of subjects. Unlike Wikipedia, there is no anonymity: Everyone is authenticated onto the system and quality control is high, reports the CIA’s Ken Westbrook.

Other efforts rolled out or revamped within the past year show that the CIA is, at the very least, opening up the network connections to other agencies and offering more CIA “product”, as Tarasiuk terms it.

One of these efforts is called CIA Wire. The CIA Wire is a communications conduit the agency uses to disseminate its intelligence (through private networks) to the Joint Worldwide Intelligence Communications System, and the Department of Defense’s secret-level network, the Secret Internet Protocol Router Network.

At the CIA, the technology expectations from the influx of staff under 30 have not always synced to the stringent security requirements. In some cases, they expect IT to be “very much what they see on the outside before they drive through the gate,” Tarasiuk says, “and some have been disappointed.”

According to government watchers, the CIA and other intelligence agencies with strict security policies are going to only hear more about the necessity of Web 2.0 and Google-like features in their applications, as government collaboration is linked even more to information-sharing successes.

Resilient to change

Inside the CIA’s IT department, the one constant has been the frequency of change. Enemy. No enemy. New enemy. Funding. No funding. New funding. Staff. No staff. New staff. (Much like the CIA overall, almost half of the IT workforce is new since 9/11, and many are under 30.) “We don’t reorganise every other month,” Tarasiuk says, “but we have had some significant ones.” He says there was a period of time after 2001 when IT was centralised, decentralised, split into various groups with different CIOs, and then all consolidated under his direction in 2005. Tarasiuk says that IT staffers go through “a lot of scrutiny” to join the CIA. “And by the way, once you’re in here, we continue to scrutinise them, particularly those that have additional privileges,” he says.

“It’s not unusual for some of those people to go through an annual investigation and polygraph, when you’re talking about sensitive data.” (Tarasiuk also gets polygraphed.) He describes his IT staffers as “agile, adaptive and able to move with the organisation no matter where the mission goes.

“Our people are very good about focusing on the mission and not worrying about all that stuff,” he says. “When they’re here, they’re focused on getting the job done because the mission is priority to them.”

Tarasiuk also has to deal with the intense public and media scrutiny that comes with working at an agency that is covered in media reports related to the alleged torturing of detainees in the war on terror. He defends his agency and watches over his staff closely, instructing them to focus on their mission. “We’re a secretive intelligence service, so we know things here that we can’t talk about, and a lot of it is very, very positive,” he adds.

Extracting specifics about the IT workforce he manages is difficult. He can’t talk about the number of staff, the size of his budget, or specifics of networks and most applications. “I can’t get into specific details about what we use,” Tarasiuk says, though he does offer that his is a Microsoft shop, and they use Sun systems and other Linux-based platforms.

Future focus

Tarasiuk will continue to build on his successes and the standing of IT inside the CIA, knowing full well that more change is inevitable.

A looming budget downturn for the CIA is expected, Tarasiuk says, and he’s concerned about maintaining the same level of service and delivery that everyone has become accustomed to. Lastly, there is still a war going on and a terrorist threat that has been weakened but is still, as described by the 9/11 Commission, “sophisticated, patient, disciplined and lethal”.

In his office, splayed out in front of Tarasiuk on a conference table, is a mix of glossy, government-issued strategic road maps. He touches all of the booklets: “National Strategy for Information Sharing”, courtesy of the president in October 2007; “United States Intelligence Community Information Sharing Strategy”, from the director of national intelligence’s office in February 2008; and “Strategic Intent: 2007-2011”, the CIA’s road map for the next five years.

Last is Tarasiuk’s own contribution to the road maps: “CIA Enterprise IT Strategic Plan: 2007-2011.”

“All this means change. This is huge change for us. OK?” Tarasiuk says. “But we’re doing a lot of things as a government to make sure that we don’t have another incident, at least one that’s not attributable to a lack of sharing data.”

Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags securityCIO rolechange managementproject managementsocial networkingWeb 2.0

Show Comments