Inside the CIA’s Extreme Technology Makeover, Part 3
The CIA's big IT revamp required a resetting of relationships among IT and operations leaders, getting the mission side of the agency involved in data-sharing discussions and project management. And the CIA's CIO found himself navigating a tense line between making data visible and keeping secrets.
By Thomas Wailgum
The CIA is undergoing a major transformation, and IT is playing a leading role. In Part 3 of our inside look at the agency, we examine how CIO Al Tarasiuk got both high-level and low-level CIA employees to think about critical intelligence-sharing processes and showed that IT can be a valued partner. (See “Inside the CIA’s Extreme Technology Makeover, Part 1” and Part 2, to read the first and second parts in our series.)
“You will sit at the table”
Al Tarasiuk’s appointment as the CIA’s CIO took place on Oct. 1, 2005 (former Director Porter Goss appointed Tarasiuk). In his first year, however, Tarasiuk was seemingly handcuffed. “I had ideas [about transforming IT] when I first became CIO,” he says, “but the environment wasn’t aligned in a way where I could launch on these ideas.”
Since CIA Director Gen. Michael Hayden took over in May 2006, the “transformation” theme of the Tarasiuk era has not been subtle or kept quiet inside IT on a mission statement: Cut the bureaucracy and be more businesslike via stronger IT governance, more disciplined project management, greater data sharing and more openness to try new technologies. Hayden has demanded as much.
“What we had prior to that was some configurations of corporate [IT structure], but we didn’t have the business side—what we call the mission side—really fully engaged in big decisions about how we spent our money on IT, how we deal with information policies and things like that,” says Tarasiuk, whom Hayden realigned to a direct report when he took over. “My role was to do that.”
Tarasiuk created and chairs an Information Governance Board, which meets quarterly or as needed to make the strategic IT decisions for the agency. Hayden “demanded that because of the problems we’ve had in the past, because of who actually participated [in making IT decisions], he said to the business leaders, the mission managers, ‘You will sit at the table,'” Tarasiuk says. “So the support of the top leadership has been very important in making sure that board is effective.”
The four divisions inside the CIA are: Directorate of Intelligence (the analysis arm); the National Clandestine Service (the spies); Directorate of Science & Technology (which develops technologies to support the mission—think “Q” from James Bond movies); and the Directorate of Support (HR, finance, logistics, legal and other functions). For the most part, these CIA leaders appreciate being involved in the IT decision-making processes, Tarasiuk claims, even though “not all of the decisions go their way.”
For example, Tarasiuk forged what he calls an enterprise data layer strategy that enables those who have need and permission to access CIA data can do so. One part of the strategy is IT-related: Tarasiuk notes that service-oriented architecture (SOA) technology has been one key piece.
The other, and much more difficult, part has been process change. “We’re making corporate policies on how data is going to be managed, and we’re not going to allow little fiefdoms anymore,” he says, “where data is managed and protected and policy and regulations are set by some local manager at the lowest levels of the organization.”
It’s not surprising that there’s been resistance. “A lot of things are related to turf and how much you own and control,” Tarasiuk says. “What we’re doing, in effect, is we’re taking some of that control away. And that always hurts, and that’s why it makes it difficult because you are pushing out a culture that existed for many years.”
One result of the enterprise data layer strategy is Trident, a new research and analysis application for CIA analysts that links a set of a dozen or so (Tarasiuk won’t be specific) logical data repositories and has tiered access (depending on a user’s need to access the data) and single access control to all the databases.
Trident debuted in 2007, and it manages the voluminous amount of information flowing into the CIA and allows analysts to organize and comb through the intelligence most critical to their specialty. Trident provides a multitude of capabilities for them: tools for search, foldering, knowledge management, sharing, information extraction, link analysis, mapping and data visualization.
“Trident allows analysts to spend less time trying to find relevant information and more time analyzing,” Tarasiuk notes. He says that Trident has given many of the analysts an extra hour a day to perform more analysis.
“The number of people looking over your shoulder is staggering”
Next on Tarasiuk’s agenda has been to fix project management. Ken Westbrook, chief of business information strategy in the CIA’s intelligence directorate (the agency’s intelligence analysts), recalls that the past project management process had stifling “control gates” and placed too many cooks in the kitchen. “The problem with that is that it became so bureaucratic,” Westbrook says. “We were having projects, taking dozens of control gates, each of which could have hundreds of people in a room. It was not an efficient way of getting the job done.”
Ken Orr, principal researcher at The Ken Orr Institute and a former member of the National Research Council (NRC) committee who’s studied government IT project failures for years (though none at the CIA), says, “When it comes to managing big projects, the feds have this terrible oversight problem, and when anything goes wrong, they add another oversight layer.” “If you’ve got $100 million to $200 million project, the [number of] meetings and oversight and people looking over your shoulder is staggering.”
Since taking over, Tarasiuk has moved the CIA’s enterprise IT operations completely to an agile project methodology, and, according to internal customer data, now maintains an 80 percent success rate in delivering applications, he says. IT has streamlined the “control gate” process to more easily meet deadlines, Westbrook says, and now tracks deliverables, deadlines and whether they were met. “That’s revolutionized things,” Westbrook adds.
Of course, verifying the CIA’s claims about virtually anything outside the purview of the CIA is tough to do. For example, the Government Accountability Office (GAO), the auditing watchdog of Congress, which investigates the performance of the federal government, including IT operations, has been severely limited in its oversight of the CIA and other intelligence agencies.
In testimony before Congress in February 2008, the GAO’s comptroller general of the United States, David Walker, testified that with Congress’s approval, the GAO “could evaluate some of the basic management functions that we now evaluate throughout other parts of the federal government, such as human capital, acquisition, information technology, strategic planning, organizational alignment, and financial and knowledge management” at intelligence agencies, like the CIA. However, Walker added that, at the time, “we foresee no major change in limits on our access” to those agencies.
As Orr sees it, outside inspection of the CIA isn’t likely to happen soon. “Secrecy makes it hard to really know what’s going on,” Orr says, “but you cannot remove the secrecy from the organization.”
“If the data and names get out, people die”
Back in his office, in June, Tarasiuk looks across the edge of a conference table and says, matter-of-factly, “You know, one of the things we do here is we commit espionage. That’s the business we’re in.” The blandness of his delivery belies the statement’s heft: At the end of the day, his business is so atypical, his customer set unique, his data so sensitive, and his security requirements so exceptional that his job stands apart—way apart—from that of most all CIOs.
His day-to-day existence is one big balancing act: weighing the need to protect the CIA’s information—”absolutely protect that data,” he implores—and the need to share that information. “Because information that sits here and no one uses is worthless,” Tarasiuk says.
So as he goes about serving his customers (Tarasiuk prefers “partners”), he deals with spies’, analysts’ and other departments’ sometimes conflicting infrastructural and application demands. He relies heavily on the Information Governance Board and the enterprise data layer process, but “it’s a hard place to be,” he says, “because you never make anybody happy.”
For example, there has long been tension between the collectors of information (the “ops” or clandestine personnel) and the analysts who try to make sense of it. “Despite decades of trying to reduce the barriers between the Directorate of Intelligence (DI) and the Directorate of Operations (DO), sharp divides still exist,” noted Bruce Berkowitz, a former CIA officer who, from 2001 to 2002, studied how CIA analysts used information technology. “The DI and the DO, for example, have separate databases and separate IT architectures. Several DI analysts even told me that they had a better working relationship with their counterparts at NSA than with their own CIA colleagues in the DO.”
“The CIA has never been able to get their ops guys to talk to the analytic guys, because the ops guys basically know that if the data and names get out, people die,” Orr says. “They guard their information very closely, and the analytic guys want to make everything public in the community. That tension is there across the board.”
All Tarasiuk will say about the tension is that “technology is not the barrier for making them work more effectively.”
“Technology can only get you so far”
A CIA clandestine officer who works closely with Tarasiuk describes the CIO role as one that has to satisfy typical CIO obligations (delivering appropriate applications to users to make them more efficient) with one big catch. “Here’s the rub: He can bring all the efficiencies here, but [it’s difficult] because of our unique security requirements,” says the senior national clandestine service officer, who declined to be identified, citing his active duty status at the agency. “I care about: 1. Security. 2. Functionality. 3. Efficiency.”
The senior officer describes the “very personal, very human” nature of the clandestine organization, which illustrates some of the IT disconnects that were inherent in the CIA’s history. People, personal relationships took precedence over business processes and technology. “Twenty years ago, if you didn’t want to use technology, you didn’t [have to],” he says. Now, “it’s nearly everything we do.”
He says the CIA officers like him realize that technology applications have the ability to free up ops people to do more of the personal work—but only to a certain level. “Technology can only get you so far,” he says. “Information sharing is critical, but at the same time, we need to have some ‘cylinders of excellence.'”
And that’s where the CIO is, always in the middle of the risk-reward quandary. “So there you have Al Tarasiuk, the CIO, trying to figure out, ‘All right, what do I balance here?'” Tarasiuk says. “It’s not a one-size-fits all, and it’s not one solution.”
Lena Trudeau, a program director at the National Academy of Public Administration (NAPA), an independent Washington, D.C., government advisory group, notes that the government organizations typically “create a culture that would rather avoid the risk and not fail, than try and fail and learn from the failure and succeed the next time around,” she says. Trudeau leads a group that is studying how collaborative technologies can help solve the U.S. government’s complex problems. She says: “The CIA is a really good example of an organization where there’s not a lot of tolerance for failure, but we have to be in the position where we’re willing to try new things and risk failure that we can learn from and help us get it right later.”
While Tarasiuk has been working to get the CIA to experiment with new IT-related data-sharing processes and applications, he worries about missing something when the consequences of failure are great. There are critical decisions that need to be made with all the data accumulated during the last 60 years, Tarasiuk says, like what to keep, what to make public and what to discard. There are also thousands of databases across the intelligence community whose contents may or may not need to be connected.
Which all weighs heavily on Tarasiuk. “The thing that worries me the most,” he says, “is that we have buried somewhere, in some database, some piece of information that a person that might need access to doesn’t have the access or the data is not available to them somehow.”