It's all cyber, everywhere and all the time.
By The CyberWire Staff
Sep 11, 2017

It's all cyber, everywhere and all the time.

The Intelligence and National Security Summit was held in Washington, DC, this week. Sponsored jointly by AFCEA and INSA, the annual two-day conference affords the US Intelligence Community an opportunity to exchange ideas in a public, unclassified forum.

Three clear themes emerged over the course of the two days.

It's all cyber.

First, the intelligence world's center of gravity has shifted decisively into cyberspace. Even such traditional disciplines as image intelligence and human intelligence are now fully entangled with the online world, and there is no way of untangling them. 

The IC feels it can't do without Section 702.

Second, the reauthorization of Section 702 authority was universally regarded by speakers as essential to the Intelligence Community's ability to carry out its mission. And this seemed to be the sense of their audience as well, which isn't surprising. Admiral Michael Rogers, Director of the National Security Agency said he knew of "no ability in NSA that could replace what it can get under Section 702." Rogers stressed that Section 702 authorized collection overseas against non-US persons, and he, like other speakers, was at pains to emphasize the protections in place to protect the privacy and civil liberties of US citizens. 

As explained by the US House of Representatives Permanent Select Committee on Intelligence, "Section 702 of the Foreign Intelligence Surveillance Act authorizes the Intelligence Community to target the communications of non-U.S. persons located outside the United States for foreign intelligence purposes. A key anti-terror tool that has helped to thwart numerous terror plots including the 2009 conspiracy to bomb the New York City subway, Section 702 operations are subject to multiple layers of oversight by all three branches of government."

Two members of Congress who spoke, (Representative Adam Schiff, D-California 28th, and Senator Mark Warner, D-Virginia, both serving on their House's Intelligence Committees) thought it likely that Section 702 would be reauthorized. 

Industrial-age talent management is obsolete.

Third, the Intelligence Community is concerned about its ability to develop and place workers with appropriate skills. The two skill sets most often mentioned lie in cybersecurity and linguistics. Interestingly, and this was most clearly articulated by the flag and general officers who spoke, recruiting people with these skills is less difficult than one might fear—Army and Marine Corps representatives were surprisingly upbeat on this point. Retention is more problematic, but still not proving as difficult as one might have thought.

The IC leaders who spoke generally shared a common perspective on the problem. Marine Corps Major General Michael Groen, currently Director of Intelligence, J2, characterized the problem as a set of artifacts from an industrial age approach to talent management. Suppose one brings in a cyber operator or someone with native proficiency in a highly valuable language. The ordinary military career patterns simply have no place for them to grow professionally. Customary job progression and the regular changes of station that punctuate a military career offer little scope for them to concentrate on using and developing the skills that made them so desirable in the first place. These issues are most clearly seen in the uniformed services, but civilian intelligence personnel aren't immune to their effects, either. 

So cybersecurity professionals working in the Intelligence Community would benefit from career paths that offered challenges and developmental opportunities that enhanced rather than detracted from their core competencies. Tom Bossert, Assistant to the President for Homeland Security and Counterterrorism, held up the Goldwater-Nichols Act as a model that might be usefully followed for the Intelligence Community. He thought the Act had shown over the years a very salutary effect on the quality of the officer corps in all the Services. 

Susan Gordon, Principal Deputy Director of National Intelligence, said in the closing plenary session, "You want people to move in and out, cross-fertilize, but not lose them too quickly either." Achieving such balance is the challenge whatever post-industrial-age system the Intelligence Community evolves will have to meet.

The security clearance process is broken.

And, of course, there was universal agreement that the security clearance process is effectively broken. This was perhaps the most common audience comment, and prompted more questions than any other topic. The process is regarded as insufficiently risk-based (the regular reinvestigation requirement attracted particular odium as being as pointless as it is resource hungry). Susan Gordon, who effectively took the Summit's last word on Thursday, was asked directly about how (and when) she intended to fix security clearances. She responded, "How many times have we looked at this? Almost everyone is begging us to clean this up. If we squander this moment, then you'll have a 6th Principal Deputy pretty quickly." 

In her view the fix will have to come from realistic appreciation and management of risk. Security rules aren't trivial, and they're not unmotivated: "No leaking, and no deciding what's secret what's really not." But risk can only be managed, not eliminated. "Zero-loss is the way I grew up. The reality is that zero loss isn't the thing we're achieving today."