While the U.S. federal government is developing and adopting new technologies at an unprecedented pace, it’s still challenging to capitalize on commercial innovation without loosening critical security and compliance controls.
In part 1 of this two-part series, we first look at how the intelligence community can embrace emerging technologies from the commercial sector and build trust while protecting classified data. In part 2, we’ll examine approaches our national security agencies and commercial technology innovators can take to work together effectively.
We asked three former senior officials from the intelligence community about their thoughts on this topic:
- Jack Gumtow, a member of the Babel Street Board of Advisors and former CIO of the Defense Intelligence Agency;
- Farid Moussa, senior strategist with Babel Street and former executive at the NSA; and
- Pat Butler, the Executive Vice President of Product at Babel Street, and a former CIA targeting officer.
Pat Butler provided some background on the profound change over the last 10-20 years in the government's use of commercial innovation, particularly in the use and perception of open-source intelligence (OSINT). OSINT used to be predominantly foreign media: newspapers, TV, and transcriptions. Everything else was classified, and intelligence analysts spent most of their time in classified systems.
The rise of social media, the emergence of the dark web, and the explosion in the volumes of available data changed the nature of OSINT. Data that was once considered classified, such as location and signals, is now being used in commercial applications. Essentially, there’s a commercial equivalent for many systems that were once exclusive to the government. This raises the question: if the commercial sector is already developing these applications, does the government also need to?
According to Farid Moussa, “During my years of experience in the federal government, it never made sense to me that we’d hire all these bright people and then direct them to ‘reinvent the wheel’ by building something that the private sector had already created.” Instead, Farid recommends focusing those resources on the really difficult problems that only the government can solve.
Furthermore, if the government develops all these systems, it also takes on the associated maintenance, security, and overhead. Rather than owning the whole thing, the public sector could get 80% of the solution from commercial vendors and then fine-tune it from there. And finally, there’s the time factor. An in-house developed solution could take well over a year to complete, but if a similar solution is available commercially, it can go into production quickly to benefit the mission.
While it might be desirable to implement commercial innovation, agencies still face several challenges, especially when dealing with classified environments. Jack Gumtow identified several issues here:
- All the services required for applications to run may not be available in high-side environments because of security controls.
- The process of moving data from unclassified to classified systems can become costly, while also exposing an attack surface.
- While many applications operate in the cloud, the cloud is not available everywhere, especially in locations where communications may be spotty at best.
- Agencies must be assured that the technology is actually secure – with the vendor providing a software bill of materials and proof that the development environment wasn’t compromised.
All three experts agree that the most important factor for adopting commercial technology in the public sector is a relationship built on trust that is nurtured by both sides.
Farid spoke to the prevailing attitude of distrust, such as between government field personnel and headquarters, and how it spills over into relationships with the commercial sector. But the reality is that HQ and field, public and private, are all trying to fulfill the same mission.
One of the biggest areas of distrust that must be overcome on both sides involves the concept of a “black box” — the need for visibility into how a piece of software works to ensure it will meet mission parameters. The customer (the government) needs proof that the code is secure and will work as promised. Gaining that assurance often means taking a deep look at the underlying logic and intellectual property that the vendor has developed. At the same time, the provider also needs assurance that the government won’t just use this information to reverse engineer the code.
Understanding the needs of each side is a big step toward a productive partnership where each side respects the other. But there are significant obstacles to overcome. Jack spoke of the strong sense he had, during his 30+ years in public service, that the vendor community was just trying to take advantage of the government. It wasn’t until he started working in the commercial sector that he realized this wasn’t true. Rather, the public and private sectors are trying to accomplish the same mission, but with different incentives for doing so.
What are some ways the public and private sectors can increase trust and work more effectively to speed adoption of commercial innovation? We'll explore that topic more in part 2 of this series.