CIA CIO says Amazon Web Services is safe for spooks

By Stuart Lauchlan, June 24, 2014
There are some customers whose very presence at an event carries weight. The CIA is one of them. With that in mind, Amazon Web Services just delivered another bloody nose to private cloud rival IBM.

It’s been a big month for the CIA. Not only did the intelligence agency join Twitter and Facebook, but it’s now out and about and talking up the merits of Amazon Web Services (AWS).

As agency CIO Doug Wolfe told a Washington conference yesterday with quiet understatement:

This is not something in my 30 years that we have traditionally done.

The conference was the AWS Government, Education and Non-profits Symposium, and Wolfe’s presence in a 15-minute presentation was something of a triumph for AWS, given the bitter dispute between Amazon and IBM last year that led to the former ultimately picking up a $600 million deal with the agency.

AWS had won the original bid, beating IBM on all but one metric, even though it went in at a higher price.

IBM took umbrage and complained, leading to the Government Accountability Office ordering the CIA to re-open the bids. This in turn caused AWS to issue its own protest, finally securing the deal.

So having Wolfe present was not only a poke in the eye for IBM, but also a great tick-in-the-box for the benefit of the wider audience of public sector IT and security professionals, especially those who remain to be convinced that AWS is a safe option.

Old habits

Inevitably, Wolfe was relatively thin on specific detail in his talk. Maybe that’s because old habits die hard, but more likely it’s attributable to this being very much a work in progress.

What he did reveal is that since October last year, the CIA has worked with Amazon to build effectively a private cloud system that it hopes to have running by this summer.

He also name-checked AWS’s Kinesis and Redshift applications as offering the kind of capabilities that the CIA needs, while also highlighting AWS’s Marketplace storefront.

Wolfe said:

The ability to not only get the IT, but get the application [and] pay by the hour. That’s going to be incredibly useful to us.

If you’re a government customer who has been used to just ordering up however much IT you want, and over-ordering typically — which people do, they often order for their peak need — if you’re a government customer used to doing that, you’re going to start getting a bill.

You’re going to start seeing exactly what your consumption cost, and start understanding exactly how server storage processing etc was applied to the problem. So we see this as a tremendous opportunity to sharpen our focus and be very efficient.

He added that the agency wants to work with and:

take the best of the private sector, lift it, and . . . be able to operate that for the intelligence community.

I am determined that they will not only have the innovation on how do we spin up the servers and spin up the IT … but to start to bring the innovation from the commercial sector in terms of applications to the mission space.

Wolfe described a “pretty interesting clash of cultures” between the public and private sectors, picking out security as a case in point:

It’s been a pretty interesting clash of cultures here. We’ve had some interesting conversations and debates on security. We’re working through that.

I think that we’re going to end up with a very good and quality product and a very secure product to handle all kinds of different workloads at the classified level in the intelligence community.

For AWS, Stephen Schmidt, the firm’s chief information security officer and himself a former Federal Bureau of Investigation official, talked up the secure nature of Amazon’s offerings.

He told the audience that while employees knew which countries data centers were in, few knew their physical addresses and even those who did could only enter using specially encrypted ID:

Does our staff member need to know that information to do their job? If they don’t, they don’t get access to it.

Eliminate blast radius. If somebody were somehow to do something nefarious to our corporate badging system, it would not extend to the data centers.

My take

There are some customers whose very presence at an event carries weight. The CIA is one of them.

Wolfe may not have said anything particularly revelatory, but the very fact that the agency was prepared to let him stand on a public stage and endorse AWS simply by being there is PR and marketing gold dust for the firm.

Whether it convinces more public sector organizations and agencies to go down the Amazon route remains to be seen. Whatever else we know, it's clear that the CIA is getting a special private cloud implementation from a provider that theoretically only believes in public cloud.

Is this something that any public sector body can ask for and expect to receive? It seems highly unlikely.

But that said, the only people who will be unhappy with yesterday's performance will be working for IBM.