General Meyerrose Addreses the AFCEA Washington Chapter

General Meyerrose: Good afternoon. It's my pleasure to be here.

I know probably about half the room personally, and you still showed up -- great! [Laughter].

I'm always glad after the introduction when the audience doesn't get up and leave. In fact three years ago I was a guest speaker at Harvard's JFK School for Government Affairs and this was where I was going to speak to this gathering. So I show up and they were all excited. You can't believe the crowd that's there. It's a huge crowd gathered to hear your speech. I said what did you say I was going to talk about? They said no, no, they're truly interested in what you have to say. So I said okay, this should be good.

So I'm up there on stage and they start introducing me, and literally three-fourths of the crowd gets up and walks out. [Laughter]. True story. What had happened was, David Gergin was speaking next door and they'd put the wrong sign out in the foyer and people were there to hear David Gergin rather than me, and they were not shy in leaving. [Laughter].

Again, it's good to be with you all. It is indeed a pleasure to talk to people that I've spoken to numerous times before which means I can't use any of my old jokes, I can't use my stories, I had to dig up a new history, all those kinds of things just to make sure that somebody didn't call me on it.

As always, I think it's important that we ought to acknowledge and remember those of our countrymen who are in harm's way on the other side of the world. We're in a lot of places. Obviously in a crowd like this we immediately think of all those folks in uniform. But there are a lot of patriots in this room and we all come from organizations and are very patriotic and there are a lot of US government civil servants that are over there in harm's way as well who are just as patriotic. I know that many of your corporations have had your employees over there and I applaud their patriotism and we should always be mindful of that, so thank you very much.

I want to spend a little bit of time and use as the outline of my speech the process of me going through confirmation. The reason I'm doing that is because it raises subjects that I think you all are interested in.

As some of you may know, the Intelligence Reform Terrorist Prevention Act of 2004 is what created the Directorate for National Intelligence.

A lot of folks shorten that title to be the Intelligence Reform Act and forget that Terrorist Prevention was a significant part of that legislation and it forms the basis for a lot of what we do. I think that's very important to be mindful of that, particularly in the course of current public discussions.

In fact the responsibilities of my particular position were outlined in the authorization bill which implemented that Act.

I'll go through very quickly what those responsibilities are because they represent a departure from what the intelligence community is used to having. And in that departure you'll also notice some of the other responsibilities that the Office of the Director of National Intelligence has as a part of the Intelligence Reform Terrorist Prevention Act.

First of all, it formally established the position of the intelligence community CIO. While we had an intelligence community CIO named by the former Director of Central Intelligence, there was actually never a provision for an office or a function in the legislation until 2004.

It lays out four principle responsibilities.

The first principle responsibility was manage activities relating to the information technology infrastructure and enterprise architecture of the entire intelligence community.

Second, have procurement approval authority over information technology for the intelligence community.

Third, direct and manage all information technology procurement for the intelligence community.

Fourth, direct the information technology research and development activities for the intelligence communities.

As I've told people what those responsibilities are, the first reaction is usually, are you nuts for even taking that job? [Laughter]. In fact I'm honored. I'm so honored I'm not sure whether I'm nuts or not. Those are truly some monumental responsibilities, particularly since they've not been responsibilities that we've vested in organizations before.

A lot of us use the term intelligence community. Most of us who have been around the business for some time know that is sort of a colloquialism for a loose federation in cooperation. In fact the elements of our intelligence community are the finest in the world at what they do. They are all centers of excellence and without peer in the world. We should not forget that.

But the reason why this particular legislation was passed was because our expectations of performance and our expectations of our government have increased. There's a need for all of those centers of excellence, of organizations without peer in the world to work better together. And while that may be a daunting task, I'm humbled and honored that someone thought I could help with that and I consider it a work of significance.

Again, it doesn't take one long to realize that this is a huge undertaking and takes a huge amount of teamwork. It takes a lot of folks. It's interesting how I find the new friends that I've gotten by getting this job and it's also interesting the advice these new friends give me all the time.

But if you parse out those four responsibilities you'll find that there's a governance piece, there's an approval piece, there's a procurement piece and then there's a management oversight piece. Those are all roles we have to grow into. We cannot do those by edict. Just because you have the authority to do something does not necessarily equate to being able to do it.

So there are many folks who have been doing things for years that have to help us grown into a new set of processes with the desire precipitating a different set of outcomes.

Going through Senate confirmation and presidential appointment is not something I would wish on anybody in this room. I was continually surprised. I'd only been in uniform in the service of our country for 34 years. This was just amazing. But again, I had a lot of help getting through it.

One of the things I just found amazing was when I walked out of the Senate hearing room, I had a closed hearing by the way. I was just as happy it wasn't on C-SPAN. [Laughter]. The person who was accompanying me immediately said sir, you fielded a total of 115 questions. They had these questions all parsed out. How many were oral, how many were written, what my responses were, and I thought why would anybody sit around and count the number of questions that I got asked, but they did.

I found that useful as a guide about what concerns were and thought possibly how to approach some things.

So let me share the unclassified version of some of the things that folks talked to me about.

Probably the thing that most of the questions centered on, and I'll phrase this the way in which we characterized the questions. Information technology procurement failures. Think about that for a minute. We're not talking about information technology procurement, we're talking about information technology procurement failures and what are you going to be able to do differently that's going to help avert some of those.

Again, somebody analyzed all the answers I put together so that I could make speeches like this during lunch. [Laughter].

The way I approached that is I think key to some of the things that we hope to establish through the DNI. Many of us are familiar with traditional acquisition approaches, with Milestone A, Milestone B, Milestone C authority. Much of our system is set up so that we can codify those requirements, put money against it, and then track its progress. If you sorted out what that traditional acquisition approach is, I submit to you it sounds something like this. Someone has the grand design. We create a program to address the need. To select a technology, we led with requirements, someone designs to those requirements. We fully deploy and we plan for success.

On the surface that sounds like a good approach, but I submit that it is not. I submit that it is not how successful information technology is brought on board in today's world.

Instead I believe that information technology needs to design to opportunities. We need to start with a concept, understanding what the desired outcome is. Deploy early and often. Think big, start small, scale fast.

Grow into a capability through spirals. Some of you have heard me speak before and have talked with me numerous times know that I see spirals in terms of 16 week intervals, not months and years. Plan on failure and learn from it.

Integrate all elements of governance, architecture, senior leadership participation, operator participation in every aspect of process reengineering and every spiral. That's the approach that we're looking to take in the business of bringing new information technology projects and programs, big and small, into the intelligence community.

The next series of questions that I fielded had to do with balancing risk, security and privacy. I'll say right out, privacy is of supreme important to us as a country and it's one that we take very very seriously. I believe that we need to design privacy into those parts of our information gathering networks just like we design security into those parts of our information handling networks.

I'm not exactly sure how to do that, but we've already got a lot of people a lot smarter than me starting to think in terms of that, that the privacy elements are part of the entire process, not something you add on in the human interface of handling paper as a product.

As most of us can imagine, we would provide a characterization of risk as it's handled in the intelligence community as being risk averse. I think most of us understand that because of the scope and the consequences of not having good security in the intelligence business. We as a country and a nation cannot afford to compromise those elements that are essential to our security and well-being.

On the other hand, not every single piece of information has to be authenticated and secured to the Nth degree. And I do not find it constructive to talk about things in the extreme in order to set the mainstream. So in the element of our processes we will try and implement things that truly balance risk and security, not be risk averse. We need to go through the process of learning what risk management is, and I know there are many folks who represent entities in this room that can help us learn those kinds of things.

As a result, you'll see us redo all of the intelligence community written policies over the course of the next very few months.

The thing that we're going to try and remember is the purpose of information is not to protect it, but to use it. To make it effective, protection is an indispensable piece but the purpose is to use it.

I fielded several questions about enterprise architecture. We can have lots of discussion about what architectures are or are not, but let me boil it down to some practical elements. Those of you who have dealt with the intelligence community over the years know that we have had an intelligence community enterprise architecture structure for the past four or five years. Those of you who are intimately familiar with that would also probably agree that that enterprise architecture is almost solely centered around infrastructure. Those of us who have worked enterprise architectures for a period of time know that enterprise architectures go beyond infrastructure. The axiom that I use is the I in CIO does not stand for infrastructure, but stands for information. So that's the mindset that we're approaching that, and we're looking to expand the enterprise architecture to all mission and functional parts of the intelligence community. In fact we have some early efforts, one associated with collections architecture and the other associated with human resource systems integration that we're working and we'll be folding into the unified architecture business.

As you can imagine, I got asked several questions about information sharing. That is pretty much a buzz word around town. Everybody talks about information sharing.

In candor, most of the conversations I hear about information sharing I don't feel are constructive for moving us forward. The reason is because we don't have the consistent set of frames of reference about which we use those words. We often talk past one another. We're often talking about different levels, someone talking about sharing information at a strategic or a national level versus someone sharing information at a tactical or local responder [level].

So I think over the course of the next few months we're looking to add a little structure to help bring those discussions and move them forward because it's absolutely essential for a country to do so.

We need to define an information sharing cycle and while I have one I won't bore you with it, I'm going to talk about the first two elements of information sharing that if we could boil many of our discussions on information sharing down to these two aspects, I think we can start moving to the next level of complexity and effectiveness.

I think the most important thing about information sharing is discovery. How do I discover information that I might need? How do I discover partners that I might need to communicate with? How do they discover me? I don't think it does us much good to talk about information sharing unless we talk about that discovery piece. And there are all kinds of ways to think about discovery. You can think about it in a network sense of what browsers and web enabled and things like that, but I'm also talking about in a process sense, relationships of organizations to one another because that leads into what I consider the second element of an information sharing cycle and that's access.

Once you've made a discovery, how do you grant access? Again, we need to think of that in broad terms, in terms of process, in terms of organizational, and then finally in terms of technical. How do you grant technical access? So I tried to make that point and I think I have found a good bit of traction not only going through the confirmation process but the folks that I've talked with afterwards.

I fielded a series of questions on synchronizing with the Department of Defense. Most of you know Mr. John Grimes, the Honorable John Grimes who is the CIO for Department of Defense, the Assistant Secretary for NII. He and I have been friends for three decades and we intend to make sure that there is no daylight between us on major issues. He and I have pledged to work together.

I believe that the more joint instructions we can come up between the Department of Defense and the intelligence community, the more effective we will be. That doesn't mean that everything may necessarily become a joint instruction, but most things that we do with one another, I think it behooves us to be more joint. Not separate, but equal. So we're working towards that end.

Obviously there's going to be a lot of resistance on both sides of the house that says if we do something joint our interests will not be hurt and so the business about inclusion and making sure we have the right vetting process and those kinds of things are hugely important.

I would also submit to you that with the intelligence community it's not just the Department of Defense as the only part of the government that we need to have joint documents with. Virtually every part of the United States government uses some product out of the intelligence community. Whether it's a homeland security related issue with the Department of Homeland Security or a state of foreign affairs issues related the Department of State, or pick any one of the other parts of the Cabinet.

So we in fact, when we reorganized the office of the DNI, I don't know how you reorganize something that you didn't have before, but we did anyway. [Laughter]. We in fact have a Senior Executive whose title is the Deputy Associate Director of National Intelligence for Information Sharing and Customer Outreach. And notice that it doesn't say anything about the intelligence community because we have customer outreach and information sharing responsibilities across the entire government, and that's an important thing to realize.

We may not have as many joint ventures as we do with the Department of Defense and that's probably understandable, but we will have joint ventures, nonetheless.

Then I fielded several questions about priorities, investment priorities and all those kinds of things. I basically answered those questions with the following line of reasoning. I will have no priorities as the ODNI Chief Information Officer. But in fact the only priorities I will have will be the priorities of the intelligence community as a whole. And our responsibilities will be to align all of our activities, to align everything we do with the priorities of the entire intelligence community.

As you can imagine, the volume of work that's staring us in the face is quite large. So there will be instances in which there will be something that ought to be in our lane but because it doesn't align directly with those priorities of the intelligence community we will elect to either postpone doing it or not do it at all. That is the only way we believe we can see forward in attacking this tremendous challenge.

Now one other thing that those of you that know me can pretty much figure out that this is one of the first things I said. That is we're going to tell some people no, but nobody in this organization is authorized to tell anybody no but me. So the outlook of our organization is to try and shoulder all the responsibilities we need to and if for some reason there's a reason why we need to pare it back, that decision will be made at an executive level and it will not be made at the working level.

Because I think many of you would agree if you've been students of chief information officers, there are two principle reasons why chief information officers fall short. The first reason is that they lack the authority and the direct access to senior leadership. Fortunately for me the United States Congress took care of that.

The second principle reason why chief information officers fail is the inability to align information technology related activities with business processes, business outcomes, mission goals, missions, or the tasks at hand.

So when you deal with our organization you will not see a commodity organized organization. In my direct reports you won't see things like information sharing, you won't see things like infrastructure. You won't see things that are distinctly information technology related because we've organized ourselves around the authorities given to us by the Congress, endorsed by the administration and the desired outcomes and our customers.

We are not a front line support organization. The components of the intelligence community are the front line O&M organizations.

So we're working very hard to ensure that we don't fall into those traps.

Again, if you go back, and I pretty much quoted word for word everything in the legislation about my position. It's pretty clear, except for one thing. What is information technology related? Good question, huh?

Every door in a hotel that has a security card, that's an information technology related thing, isn't it?

Every projectile that ends up with a sensor on it, that's information technology related, isn't it?

You can be real expansive and you can say that almost 100 percent of the intelligence budget is information technology related. I don't believe that it's constructive to do that.

So with the help of the community at the corporate level, at the senior leadership level within the intelligence community we will outline what the baseline is for information technology related things and then that's what we will be held accountable for. We'll go back to the Congress and say this is what we believe the baseline to be and this is how we'll be held accountable for it.

You'll also see us do several other things. The business of not only doing the governance documents but also the structure by which we interface amidst all the intelligence agencies.

I did my own bean count as I was going through the process. I came up with over 100 working groups, oversight committees, ITTs, tiger teams, councils, council of colonels, council of [inaudible] colonels, all of those kinds of things associated with oversight of intelligence technologies. So we're going to eliminate almost all of those and streamline that down to something that somebody can list on a single sheet of paper, count on fingers of both your hands.

Why? Because in the past the business about putting together a committee and trying to get consensus was the only mechanism that the intelligence community had for solving its problems. Those authorities have now changed. We have some authorities to work things at a more definitive level. So the past mechanism of having the committee approach to solving problems is no longer needed. Not that there wasn't good, positive, constructive work done during those mechanisms, but when you have new turf you need to work new authorities.

In working those new authorities the very first thing that people balk at is the word authority. That means that you're going to tell me what to do. As you might imagine, that obviously has some implications to it.

Again, I don't think it's productive to approach it from that perspective. Instead I think it's more important to approach it from the perspective of we worked it from the same mission space and there is now a structure by which we will all interface in that mission space and we need to become advocates of each other's center of excellence. We need to reduce complexity. We need to make things easier to happen from one organization to the other, and that may come down at some point in time to somebody making a decision that is not popular with everybody else, and again, that's implied in the authorities. But that's not how we'd like to approach it. The business of being inclusive. But being insistent that says that because we can't reach a consensus doesn't mean that we're stalled. It doesn't mean that we can't reach a solution. It doesn't mean that we can't move on to the next level without an extraordinary amount of time involved. So that's how we're approaching the business of trying to exercise those new authorities.

If we do it right, the business about putting out an edict will be a rarity indeed. If we do it right we'll be seen as the advocates for lots of things in the community.

For instance, I know I've talked with many in this room about the business of the certification and accreditation processes that many of us had to go through in order to either bring innovation to information systems, processing classified information, or in fact certifying information systems.

We're going to reengineer that process. Again, that's a joint venture between us and the Department of Defense and it's one I think we can work and work rather quickly. Because we need to dispense with the element of taking many months to bring innovation in and a lot of times the months it takes to bring innovation in means it's two years old by the time it gets put in. It also cuts out smaller businesses and the innovation of smaller companies.

So we need to figure out how to give everybody a little bit of a stake in the game. So we'll be trying to figure out how to get this input into what are the right kinds of things to look at when we go through the certification/accreditation process.

In fact we're going to become, hopefully very quickly, unified within the intelligence community that says that we will have centers of excellence that will speak with the intelligence community, and a center of excellence in Agency A certification will carry the same weight as the certification from Agency B.

These are all fine-sounding things to do, aren't they? If anybody thinks I can get them done by the second Tuesday of next week, raise your hand. [Laughter]. Indeed, it's tough. Indeed, it's a very daunting challenge and one that will be harder to do than to say, and we fully realize that.

I don't sell short one minute how tough this is to do. Because there are a lot of good, smart Americans who using a different set of values may come to different conclusions and we have to work through that. That's why the Director of National Intelligence was created, and I pledge to do that.

Thank you for your kind attention, and those of you that heard me speak Wednesday, I tried not to give the same speech that I gave on Wednesday. It's always good to come back to the Washington Chapter of which I was a member 20 years ago. So it's again, my pleasure and my honor. It's so good to see so many friends. I wish you all a great day, and God bless America.