Implications of White House Review Group on Intel and Communications Tech
Published: January 08, 2014
In the wake of the Edward Snowden data breach the White House appointed a committee to review government intelligence gathering and security policies and make recommendations for improvements. Just before the holidays the President’s Review Group on Intelligence and Communications Technologies released their report and several of the recommendations could have contractor implications, if adopted.
The 300-plus page report, Liberty and Security in a Changing World, focused on reviewing and rebalancing how the U.S. Government conducts its intelligence information gathering while protecting security and privacy. It covers a broad range of areas from organizational, legal, and diplomatic issues to technical and policy concerns.
Recommendations with Contracting Implications
Most of the 46 recommendations address many of the concerns that have been raised in light of information in the Snowden leaks, although the White House has downplayed the connection. Below is a non-comprehensive list of recommendations from the report that, if adopted, could have significant contractor implications within the federal IT world and beyond.
- Rec. 24 – Split NSA and US CYBERCOM leadership, i.e. no more dual-hatted leadership
- Rec. 25 – Move NSA’s Information Assurance Directorate to the DoD under a cyber policy element
- Rec. 32 – Create an Assistant Secretary of State to lead diplomacy of international information technology issues
- Rec. 29 – NSA should support, not undermine encryption standards, nor undermine commercial encryption software. Further the government should increase its use of encryption to protect data at rest, in-transit, in the cloud, and on storage and encourage firms to do so as well.
- Rec. 30 – The National Security Council should manage an interagency process to review government activity in responding to zero-day attacks and press policies to quickly block and patch them.
- Rec. 42 – The National Security Advisor and OMB Director should report annually on the implementation of the best available cyber security hardware, software and procedural protections to protect networks carrying Secret and higher classification information against both internal and external threats. All networks carrying Secret and higher classification information should use a National Continuous Monitoring Program like EINSTEIN and TUTELAGE.
- Rec. 45 – Fund development or procure improved Information Rights Management software to control the dissemination of classified data
- Rec. 46 – Support use of cost benefit analysis and risk management approaches for personnel and network security measures
Personnel Security Clearances
- Rec. 37 – Restrict the vetting process to the US Government or a non-profit, i.e. no more outsourcing this function to contractors
- Rec. 38 – Shift to ongoing vs. periodic vetting by adopting Personnel Continuous Monitoring that note changes in credit ratings, arrests, court proceedings, etc.
- Rec. 39 – Create more differentiated security clearances like "administrative access" for IT support people who don't need access to policy or intel information.
- Rec. 20 – Create new software to allow the NSA to conduct targeted acquisition rather than bulk-data collection
- Rec. 30 – The panel allowed for the use of Zero Day attacks for high priority intelligence collection when approved through a senior interagency review
Like so many waves or pendulum swings (depending on your preferred metaphor) that come in response to current events, some resulting changes that have a constricting effect in one area could have an expanding impact in others. The in-sourcing of the personnel security clearance process could reduce or shift contract opportunities while the creation of more granular “administrative” clearance levels could open up more opportunities for contractor support within certain agencies. Reductions in bulk-data collection that could reduce data management and storage demands could be off-set by increased spending in commercial security-related hardware, software and software development services.
The White House has not yet indicated which of recommendations they will consider adopting, although it seems pretty clear that the joint leadership of the NSA and CYBERCOM is here to stay, for now. Ultimately, which of these recommendations are implemented will determine the depth and breadth of impact to the market.