General Meyerrose Addreses the AFCEA Washington Chapter
General Meyerrose: Good afternoon. It's my pleasure
to be here.
I know probably about half the room personally, and you
still showed up -- great! [Laughter].
I'm always glad after the introduction when the audience
doesn't get up and leave. In fact three years ago I was a guest speaker at
Harvard's JFK School for Government Affairs and this was where I was going to
speak to this gathering. So I show up and they were all excited. You can't
believe the crowd that's there. It's a huge crowd gathered to hear your speech.
I said what did you say I was going to talk about? They said no, no, they're
truly interested in what you have to say. So I said okay, this should be
good.
So I'm up there on stage and they start introducing me,
and literally three-fourths of the crowd gets up and walks out. [Laughter]. True
story. What had happened was, David Gergin was speaking next door and they'd put
the wrong sign out in the foyer and people were there to hear David Gergin
rather than me, and they were not shy in leaving. [Laughter].
Again, it's good to be with you all. It is indeed a
pleasure to talk to people that I've spoken to numerous times before which means
I can't use any of my old jokes, I can't use my stories, I had to dig up a new
history, all those kinds of things just to make sure that somebody didn't call
me on it.
As always, I think it's important that we ought to
acknowledge and remember those of our countrymen who are in harm's way on the
other side of the world. We're in a lot of places. Obviously in a crowd like
this we immediately think of all those folks in uniform. But there are a lot of
patriots in this room and we all come from organizations and are very patriotic
and there are a lot of US government civil servants that are over there in
harm's way as well who are just as patriotic. I know that many of your
corporations have had your employees over there and I applaud their patriotism
and we should always be mindful of that, so thank you very much.
I want to spend a little bit of time and use as the
outline of my speech the process of me going through confirmation. The reason
I'm doing that is because it raises subjects that I think you all are interested
in.
As some of you may know, the Intelligence Reform Terrorist
Prevention Act of 2004 is what created the Directorate for National
Intelligence.
A lot of folks shorten that title to be the Intelligence
Reform Act and forget that Terrorist Prevention was a significant part of that
legislation and it forms the basis for a lot of what we do. I think that's very
important to be mindful of that, particularly in the course of current public
discussions.
In fact the responsibilities of my particular position
were outlined in the authorization bill which implemented that Act.
I'll go through very quickly what those responsibilities
are because they represent a departure from what the intelligence community is
used to having. And in that departure you'll also notice some of the other
responsibilities that the Office of the Director of National Intelligence has as
a part of the Intelligence Reform Terrorist Prevention Act.
First of all, it formally established the position of the
intelligence community CIO. While we had an intelligence community CIO named by
the former Director of Central Intelligence, there was actually never a
provision for an office or a function in the legislation until 2004.
It lays out four principle responsibilities.
The first principle responsibility was manage activities
relating to the information technology infrastructure and enterprise
architecture of the entire intelligence community.
Second, have procurement approval authority over
information technology for the intelligence community.
Third, direct and manage all information technology
procurement for the intelligence community.
Fourth, direct the information technology research and
development activities for the intelligence communities.
As I've told people what those responsibilities are, the
first reaction is usually, are you nuts for even taking that job? [Laughter]. In
fact I'm honored. I'm so honored I'm not sure whether I'm nuts or not. Those are
truly some monumental responsibilities, particularly since they've not been
responsibilities that we've vested in organizations before.
A lot of us use the term intelligence community. Most of
us who have been around the business for some time know that is sort of a
colloquialism for a loose federation in cooperation. In fact the elements of our
intelligence community are the finest in the world at what they do. They are all
centers of excellence and without peer in the world. We should not forget
that.
But the reason why this particular legislation was passed
was because our expectations of performance and our expectations of our
government have increased. There's a need for all of those centers of
excellence, of organizations without peer in the world to work better together.
And while that may be a daunting task, I'm humbled and honored that someone
thought I could help with that and I consider it a work of
significance.
Again, it doesn't take one long to realize that this is a
huge undertaking and takes a huge amount of teamwork. It takes a lot of folks.
It's interesting how I find the new friends that I've gotten by getting this job
and it's also interesting the advice these new friends give me all the
time.
But if you parse out those four responsibilities you'll
find that there's a governance piece, there's an approval piece, there's a
procurement piece and then there's a management oversight piece. Those are all
roles we have to grow into. We cannot do those by edict. Just because you have
the authority to do something does not necessarily equate to being able to do
it.
So there are many folks who have been doing things for
years that have to help us grown into a new set of processes with the desire
precipitating a different set of outcomes.
Going through Senate confirmation and presidential
appointment is not something I would wish on anybody in this room. I was
continually surprised. I'd only been in uniform in the service of our country
for 34 years. This was just amazing. But again, I had a lot of help getting
through it.
One of the things I just found amazing was when I walked
out of the Senate hearing room, I had a closed hearing by the way. I was just as
happy it wasn't on C-SPAN. [Laughter]. The person who was accompanying me
immediately said sir, you fielded a total of 115 questions. They had these
questions all parsed out. How many were oral, how many were written, what my
responses were, and I thought why would anybody sit around and count the number
of questions that I got asked, but they did.
I found that useful as a guide about what concerns were
and thought possibly how to approach some things.
So let me share the unclassified version of some of the
things that folks talked to me about.
Probably the thing that most of the questions centered on,
and I'll phrase this the way in which we characterized the questions.
Information technology procurement failures. Think about that for a minute.
We're not talking about information technology procurement, we're talking about
information technology procurement failures and what are you going to be able to
do differently that's going to help avert some of those.
Again, somebody analyzed all the answers I put together so
that I could make speeches like this during lunch. [Laughter].
The way I approached that is I think key to some of the
things that we hope to establish through the DNI. Many of us are familiar with
traditional acquisition approaches, with Milestone A, Milestone B, Milestone C
authority. Much of our system is set up so that we can codify those
requirements, put money against it, and then track its progress. If you sorted
out what that traditional acquisition approach is, I submit to you it sounds
something like this. Someone has the grand design. We create a program to
address the need. To select a technology, we led with requirements, someone
designs to those requirements. We fully deploy and we plan for
success.
On the surface that sounds like a good approach, but I
submit that it is not. I submit that it is not how successful information
technology is brought on board in today's world.
Instead I believe that information technology needs to
design to opportunities. We need to start with a concept, understanding what the
desired outcome is. Deploy early and often. Think big, start small, scale
fast.
Grow into a capability through spirals. Some of you have
heard me speak before and have talked with me numerous times know that I see
spirals in terms of 16 week intervals, not months and years. Plan on failure and
learn from it.
Integrate all elements of governance, architecture, senior
leadership participation, operator participation in every aspect of process
reengineering and every spiral. That's the approach that we're looking to take
in the business of bringing new information technology projects and programs,
big and small, into the intelligence community.
The next series of questions that I fielded had to do with
balancing risk, security and privacy. I'll say right out, privacy is of supreme
important to us as a country and it's one that we take very very seriously. I
believe that we need to design privacy into those parts of our information
gathering networks just like we design security into those parts of our
information handling networks.
I'm not exactly sure how to do that, but we've already got
a lot of people a lot smarter than me starting to think in terms of that, that
the privacy elements are part of the entire process, not something you add on in
the human interface of handling paper as a product.
As most of us can imagine, we would provide a
characterization of risk as it's handled in the intelligence community as being
risk averse. I think most of us understand that because of the scope and the
consequences of not having good security in the intelligence business. We as a
country and a nation cannot afford to compromise those elements that are
essential to our security and well-being.
On the other hand, not every single piece of information
has to be authenticated and secured to the Nth degree. And I do not find it
constructive to talk about things in the extreme in order to set the mainstream.
So in the element of our processes we will try and implement things that truly
balance risk and security, not be risk averse. We need to go through the process
of learning what risk management is, and I know there are many folks who
represent entities in this room that can help us learn those kinds of
things.
As a result, you'll see us redo all of the intelligence
community written policies over the course of the next very few
months.
The thing that we're going to try and remember is the
purpose of information is not to protect it, but to use it. To make it
effective, protection is an indispensable piece but the purpose is to use
it.
I fielded several questions about enterprise architecture.
We can have lots of discussion about what architectures are or are not, but let
me boil it down to some practical elements. Those of you who have dealt with the
intelligence community over the years know that we have had an intelligence
community enterprise architecture structure for the past four or five years.
Those of you who are intimately familiar with that would also probably agree
that that enterprise architecture is almost solely centered around
infrastructure. Those of us who have worked enterprise architectures for a
period of time know that enterprise architectures go beyond infrastructure. The
axiom that I use is the I in CIO does not stand for infrastructure, but stands
for information. So that's the mindset that we're approaching that, and we're
looking to expand the enterprise architecture to all mission and functional
parts of the intelligence community. In fact we have some early efforts, one
associated with collections architecture and the other associated with human
resource systems integration that we're working and we'll be folding into the
unified architecture business.
As you can imagine, I got asked several questions about
information sharing. That is pretty much a buzz word around town. Everybody
talks about information sharing.
In candor, most of the conversations I hear about
information sharing I don't feel are constructive for moving us forward. The
reason is because we don't have the consistent set of frames of reference about
which we use those words. We often talk past one another. We're often talking
about different levels, someone talking about sharing information at a strategic
or a national level versus someone sharing information at a tactical or local
responder [level].
So I think over the course of the next few months we're
looking to add a little structure to help bring those discussions and move them
forward because it's absolutely essential for a country to do so.
We need to define an information sharing cycle and while I
have one I won't bore you with it, I'm going to talk about the first two
elements of information sharing that if we could boil many of our discussions on
information sharing down to these two aspects, I think we can start moving to
the next level of complexity and effectiveness.
I think the most important thing about information sharing
is discovery. How do I discover information that I might need? How do I discover
partners that I might need to communicate with? How do they discover me? I don't
think it does us much good to talk about information sharing unless we talk
about that discovery piece. And there are all kinds of ways to think about
discovery. You can think about it in a network sense of what browsers and web
enabled and things like that, but I'm also talking about in a process sense,
relationships of organizations to one another because that leads into what I
consider the second element of an information sharing cycle and that's
access.
Once you've made a discovery, how do you grant access?
Again, we need to think of that in broad terms, in terms of process, in terms of
organizational, and then finally in terms of technical. How do you grant
technical access? So I tried to make that point and I think I have found a good
bit of traction not only going through the confirmation process but the folks
that I've talked with afterwards.
I fielded a series of questions on synchronizing with the
Department of Defense. Most of you know Mr. John Grimes, the Honorable John
Grimes who is the CIO for Department of Defense, the Assistant Secretary for
NII. He and I have been friends for three decades and we intend to make sure
that there is no daylight between us on major issues. He and I have pledged to
work together.
I believe that the more joint instructions we can come up
between the Department of Defense and the intelligence community, the more
effective we will be. That doesn't mean that everything may necessarily become a
joint instruction, but most things that we do with one another, I think it
behooves us to be more joint. Not separate, but equal. So we're working towards
that end.
Obviously there's going to be a lot of resistance on both
sides of the house that says if we do something joint our interests will not be
hurt and so the business about inclusion and making sure we have the right
vetting process and those kinds of things are hugely important.
I would also submit to you that with the intelligence
community it's not just the Department of Defense as the only part of the
government that we need to have joint documents with. Virtually every part of
the United States government uses some product out of the intelligence
community. Whether it's a homeland security related issue with the Department of
Homeland Security or a state of foreign affairs issues related the Department of
State, or pick any one of the other parts of the Cabinet.
So we in fact, when we reorganized the office of the DNI,
I don't know how you reorganize something that you didn't have before, but we
did anyway. [Laughter]. We in fact have a Senior Executive whose title is the
Deputy Associate Director of National Intelligence for Information Sharing and
Customer Outreach. And notice that it doesn't say anything about the
intelligence community because we have customer outreach and information sharing
responsibilities across the entire government, and that's an important thing to
realize.
We may not have as many joint ventures as we do with the
Department of Defense and that's probably understandable, but we will have joint
ventures, nonetheless.
Then I fielded several questions about priorities,
investment priorities and all those kinds of things. I basically answered those
questions with the following line of reasoning. I will have no priorities as the
ODNI Chief Information Officer. But in fact the only priorities I will have will
be the priorities of the intelligence community as a whole. And our
responsibilities will be to align all of our activities, to align everything we
do with the priorities of the entire intelligence community.
As you can imagine, the volume of work that's staring us
in the face is quite large. So there will be instances in which there will be
something that ought to be in our lane but because it doesn't align directly
with those priorities of the intelligence community we will elect to either
postpone doing it or not do it at all. That is the only way we believe we can
see forward in attacking this tremendous challenge.
Now one other thing that those of you that know me can
pretty much figure out that this is one of the first things I said. That is
we're going to tell some people no, but nobody in this organization is
authorized to tell anybody no but me. So the outlook of our organization is to
try and shoulder all the responsibilities we need to and if for some reason
there's a reason why we need to pare it back, that decision will be made at an
executive level and it will not be made at the working level.
Because I think many of you would agree if you've been
students of chief information officers, there are two principle reasons why
chief information officers fall short. The first reason is that they lack the
authority and the direct access to senior leadership. Fortunately for me the
United States Congress took care of that.
The second principle reason why chief information officers
fail is the inability to align information technology related activities with
business processes, business outcomes, mission goals, missions, or the tasks at
hand.
So when you deal with our organization you will not see a
commodity organized organization. In my direct reports you won't see things like
information sharing, you won't see things like infrastructure. You won't see
things that are distinctly information technology related because we've
organized ourselves around the authorities given to us by the Congress, endorsed
by the administration and the desired outcomes and our customers.
We are not a front line support organization. The
components of the intelligence community are the front line O&M
organizations.
So we're working very hard to ensure that we don't fall
into those traps.
Again, if you go back, and I pretty much quoted word for
word everything in the legislation about my position. It's pretty clear, except
for one thing. What is information technology related? Good question,
huh?
Every door in a hotel that has a security card, that's an
information technology related thing, isn't it?
Every projectile that ends up with a sensor on it, that's
information technology related, isn't it?
You can be real expansive and you can say that almost 100
percent of the intelligence budget is information technology related. I don't
believe that it's constructive to do that.
So with the help of the community at the corporate level,
at the senior leadership level within the intelligence community we will outline
what the baseline is for information technology related things and then that's
what we will be held accountable for. We'll go back to the Congress and say this
is what we believe the baseline to be and this is how we'll be held accountable
for it.
You'll also see us do several other things. The business
of not only doing the governance documents but also the structure by which we
interface amidst all the intelligence agencies.
I did my own bean count as I was going through the
process. I came up with over 100 working groups, oversight committees, ITTs,
tiger teams, councils, council of colonels, council of [inaudible] colonels, all
of those kinds of things associated with oversight of intelligence technologies.
So we're going to eliminate almost all of those and streamline that down to
something that somebody can list on a single sheet of paper, count on fingers of
both your hands.
Why? Because in the past the business about putting
together a committee and trying to get consensus was the only mechanism that the
intelligence community had for solving its problems. Those authorities have now
changed. We have some authorities to work things at a more definitive level. So
the past mechanism of having the committee approach to solving problems is no
longer needed. Not that there wasn't good, positive, constructive work done
during those mechanisms, but when you have new turf you need to work new
authorities.
In working those new authorities the very first thing that
people balk at is the word authority. That means that you're going to tell me
what to do. As you might imagine, that obviously has some implications to
it.
Again, I don't think it's productive to approach it from
that perspective. Instead I think it's more important to approach it from the
perspective of we worked it from the same mission space and there is now a
structure by which we will all interface in that mission space and we need to
become advocates of each other's center of excellence. We need to reduce
complexity. We need to make things easier to happen from one organization to the
other, and that may come down at some point in time to somebody making a
decision that is not popular with everybody else, and again, that's implied in
the authorities. But that's not how we'd like to approach it. The business of
being inclusive. But being insistent that says that because we can't reach a
consensus doesn't mean that we're stalled. It doesn't mean that we can't reach a
solution. It doesn't mean that we can't move on to the next level without an
extraordinary amount of time involved. So that's how we're approaching the
business of trying to exercise those new authorities.
If we do it right, the business about putting out an edict
will be a rarity indeed. If we do it right we'll be seen as the advocates for
lots of things in the community.
For instance, I know I've talked with many in this room
about the business of the certification and accreditation processes that many of
us had to go through in order to either bring innovation to information systems,
processing classified information, or in fact certifying information
systems.
We're going to reengineer that process. Again, that's a
joint venture between us and the Department of Defense and it's one I think we
can work and work rather quickly. Because we need to dispense with the element
of taking many months to bring innovation in and a lot of times the months it
takes to bring innovation in means it's two years old by the time it gets put
in. It also cuts out smaller businesses and the innovation of smaller
companies.
So we need to figure out how to give everybody a little
bit of a stake in the game. So we'll be trying to figure out how to get this
input into what are the right kinds of things to look at when we go through the
certification/accreditation process.
In fact we're going to become, hopefully very quickly,
unified within the intelligence community that says that we will have centers of
excellence that will speak with the intelligence community, and a center of
excellence in Agency A certification will carry the same weight as the
certification from Agency B.
These are all fine-sounding things to do, aren't they? If
anybody thinks I can get them done by the second Tuesday of next week, raise
your hand. [Laughter]. Indeed, it's tough. Indeed, it's a very daunting
challenge and one that will be harder to do than to say, and we fully realize
that.
I don't sell short one minute how tough this is to do.
Because there are a lot of good, smart Americans who using a different set of
values may come to different conclusions and we have to work through that.
That's why the Director of National Intelligence was created, and I pledge to do
that.
Thank you for your kind attention, and those of you that
heard me speak Wednesday, I tried not to give the same speech that I gave on
Wednesday. It's always good to come back to the Washington Chapter of which I
was a member 20 years ago. So it's again, my pleasure and my honor. It's so good
to see so many friends. I wish you all a great day, and God bless
America.
[Applause].
(END)