DIA's Michael Mestrovich: IT Innovator-in-Chief

We talk with the senior technology officer for innovation at the Defense Intelligence Agency about the agency's IT operations.

Cutting-edge technology is in Michael Mestrovich’s title. As the senior technology officer for solutions at the Defense Intelligence Agency’s CIO office, he leads the effort to find the next-generation IT tools to help fulfill the agency’s mission. If that were not enough of a challenge, shrinking military budgets and evolving cyberthreats greatly increase the degree of difficulty.

Before joining DIA, Mestrovich worked for more than a decade as a systems engineer for Cisco Systems and contributed to DOD IT projects around the globe.

Mestrovich spoke with FedTech managing editor Matt McLaughlin about the projects currently on his plate.

FEDTECH: You are DIA's senior technology officer for solutions. In what ways is DIA innovating in its use of IT? What kinds of innovations do you see coming in the future?

MESTROVICH: It's a continuous cycle. We are making significant progress on our newest thin client and virtual desktop deployment. We can talk more specifics about that, but that’s obviously one of our efforts. We had a situation where probably 20 percent of our computer inventory was thin clients previously, and obviously the other 80 percent was traditional PCs. And with our new thin client and virtual desktop technology, we are hoping to push that to 35 percent, maybe even 50 percent here.

So, virtual desktop technology is certainly one of the high-tech issues that we are pushing along down the pike, and we have had great success with that thus far. We are also doing substantial work with application virtualization. I think to date we have virtualized more than 300 applications that we have in our inventory, so that’s also something that’s been wildly successful for us.

Outside of the mission space — that is, outside of our top-secret network — we are investigating, if you will, “bring your own device” for the unclassified network. So, for example, we have 300 or 400 BlackBerrys that we provide to folks around the community for services. So that’s your access to unclassified e-mail, and it's a phone, obviously, as well. But we can't reach out to the larger community, the larger population of DIA, and really make them feel included. I mean, they can check e-mail with their own computer. That’s not a problem. But the younger people like their phones — they live on their phones. So the question is, “How do you allow people to bring their own mobile device, attach it to the unclassified network for communications, traffic, so on and so forth, and still make the network safe?”

So we are investigating a couple of companies that have a nice mechanism by which we can partition individual phones. You can run all of your business applications on one side, and you can do all of your personal stuff on the other, so we don’t have to lock it down. You can download new apps, and we as an agency can actually publish apps. One of the apps might be a workforce locator-type thing or a recall roster-type thing. There are some opportunities there that we are kind of excited about, and it goes a long way toward making the workforce a little bit more connected and involved.

We are also getting ready to do a Windows 7 deployment. I wouldn’t say there is anything amazing about Windows 7 architecturally, although it does allow for more memory. But the way that we intend to roll it out has certainly been a game-changer for us and I think for the larger intelligence community. We are looking at a totally automated way of pushing out a new operating system to our 20,000-odd computers that we have on our top-secret network. So that looks to reduce hundreds of thousands of man-hours.

FEDTECH: How are you doing that?

MESTROVICH: We have a management product that we brought online from Microsoft about three years ago, and that’s the way that we manage our current desktops. As that product has evolved, we now have the capability to re-image machines from that centralized platform. We can re-image hundreds of machines per night.

Our customer service representatives don’t necessarily need to be in a workspace anymore. We don’t need to have access if it's a facility that we don’t own. For example, the Pentagon: We may need to get into rooms in the Pentagon we don’t have access to after hours. Well, this gives the ability to do that in an automated fashion. We don’t need to have the workforce running around doing that. And it certainly corrects any errors. Obviously, removing repetitive tasks that are prone to error in this automated fashion has proved quite helpful to us so far.

FEDTECH: Budgets continue to tighten throughout the federal government. How is DIA dealing with this challenge?

MESTROVICH: We have had a process in place for the past two years. That whole process was focused on how we, as the IT component of DIA, do business more efficiently and also more effectively. It is about controlling costs, but it also is about controlling the resources and making sure that you have the right resources applied to the right tasks at the right time.

We have had the centralized desktop management system, which has really helped in the way that we manage our computer systems, and it’s really reduced the number of people that we have had to send around to touch individual devices, so that’s dramatically helped.

We have consolidated our data centers. So the number of centers where we host systems has decreased from 14 to — we’re around five right now. We will continue to push to move applications and data services to those major data centers. And in doing that, again, since we are now focused on protecting and securing and providing high availability and power and cooling to fewer facilities, that allows our dollars to go significantly further.

We are also looking at all of our internal policies and procedures. If we have processes that have 17 steps, we’re examining every single step along the way and asking, “Do we really need 17 steps anymore? Has technology removed the need for those types of steps or those policies and procedures?” We are doing a scrub of our governance, if you will, and we are looking at all the governing principles that we have internally and deciding which ones need to be updated.

So, we do have a strategy; we recognize that we are in an era of ever-increasing efficiencies. I came from the commercial world, and it was a relentless pursuit of efficiencies every single week. You are trying to drive down cost and increase profitability and productivity. Nothing new to me particularly. It’s something that this organization is now engaging in and has been doing for two years, and we will just continue to be ever more efficient in everything that we do.

FEDTECH: What’s DIA doing in the cloud, if anything?

MESTROVICH: There are a number of different cloud efforts underway throughout DOD and the intelligence community as well. DIA is unique in the intelligence products that we provide. I mean, we do have a specific area where we are subject matter experts in a particular intelligence realm. But for the large part, our analysts gather intelligence, pull intelligence from other organizations to produce a comprehensive product. And so, they work with the CIA or National Security Agency or National Reconnaissance Office or National Geospatial Intelligence Agency to glean bits of information from them to produce a comprehensive product.

That being said, our cloud efforts really revolve around how do we enable our analysts to search, through a federated model, various clouds that other agencies have set up. For example, NSA and CIA and other agencies all have their own cloud projects to help them process and manage the data that they collect. Our cloud effort, in conjunction with them, is how to make that data exposable and discoverable to other members of the community so that those members can pull that data in and use it for their own purposes in their own products.

So, we have engaged in this concept of a widget framework; that is, “I know that a particular member may have a bit of data that I am interested in. How do I extract that data and tie that together with something else from some other agency without building a new application that does that?” And so, we have this concept of widgets that are very specific — like apps for a phone — very specifically tuned to a specific purpose. Our widget framework — our Ozone Widget Framework — allows us to take these widgets and combine them dynamically to produce a new product without having to develop a new application.

FEDTECH: You have already discussed a little bit about the DIA’s Next Generation Desktop. What’s going on with that?

MESTROVICH: We have about 13,000 thin clients out in the inventory today that are due for replacement. We have just finished the deployment of Next Generation Desktop at the Northern Command, the Strategic Command, the Central Command and throughout Europe, so right now we have about 4,500 systems online.

We are in the middle of our deployment in the Pacific and have just begun our deployment in the National Capital Region.

Like I said, we have virtualized more than 300 applications, and we have about 2,500 systems out there running today. We really haven’t seen any major flaws in the technology. It’s hit the market, and it’s actually, I think, exceeded a lot of people’s expectations, and certainly given our customers access to tools and capabilities that they never had access to before.

The big killer for us in the previous thin client environment was Google Earth. Everybody wanted Google Earth. They all wanted to see things geospatially, and in the old thin client environment, we were never able to deliver that. So that kind of limited our population set. Well, now we are able to deliver that: Multimedia streaming video, Predator UAV feeds, all of that stuff can be enabled on a thin client. So now our audience, our potential audience for customers, has really expanded, and they are quite happy with this so far.

FEDTECH: Do you use commercial software?

MESTROVICH: We do. We use a number of commercial products in that architecture. For virtualization, we are using XenDesktop, which is a desktop virtualization tool. On the application side, we are using both XenApp and ThinApp, and also App-V, so we are using three different application virtualization tools. There are some reasons for that, and we have actually partnered in that sense with the National Geospatial-Intelligence Agency, which has done significant work on application virtualization as well. We were able to basically take a number of applications that NGA had already virtualized and just import them into our library, if you will, and deliver them. So that’s been a great cost savings for us, and it’s certainly been a significant advance moving the process down the path. We are using VMware for our server virtualization products.

FEDTECH: Is there a lot of that kind of collaboration going on with other agencies?

MESTROVICH: Certainly. There are ever-increasing degrees of collaboration, and we are doing it on many fronts. We have talked about the application virtualization component, in which we partnered with NSA, NGA and NRO. We have shared experiences, lessons learned; we have done technology exchanges with regard to that. We are partnering on cloud efforts. We are partnering on data center hosting activities. So there is much more collaboration, and it seems ever-increasing among the agencies.

FEDTECH: How does the sharing take place? Do you have informal meetings or formal seminars?

MESTROVICH: It depends. There are some ways in which we do formally get together on a regular basis and talk about opportunities for collaboration. For example, there are a number of different committees and meetings that talk about network collaboration — how do we operate and maintain networks or provide visibility into networks in a more seamless fashion? Those are kind of ongoing activities.

There are activities within DOD. For example, DOD has a process whereby they get people to collaborate on, say, Windows 7. DISA wants to go ahead and put together a security model for Windows 7. It's a collaborative process. People are all brought together at quarterly meetings, they publish what they are going to do, they ask for comments, so on and so forth. So, there are formal mechanisms like that.

Once you establish a community of interest and people say, “Hey, this is great, but I am doing something specific,” then those kind of take on a life of their own, and we have spawned activities like that. They are not formal committees, if you will, but they are informal working groups among the agencies.

FEDTECH: You mentioned data center consolidation a little earlier. Can you go into more detail?

MESTROVICH: From DIA’s perspective, this started with something called the DoDIIS [Department of Defense Intelligence Information System] Way Ahead, which was established around 2005–2006. In the past, each individual combatant command had a data center and provided data services and application services for that local community that they had there.

As part of the DoDIIS Way Ahead, the concept was that we were going to focus on providing an enterprise construct for those applications and services. For example, the Special Operations Command may have had a digital production tool for delivering content and products, and that tool might have been totally different than the one the Pacific Command had. The concept was, why don’t we have one tool that is effective for all of the combatant commands, and let’s host that from a central or multiple central locations so that we can scale it up to the needs of the larger community.

That’s really where we have gone with these data center consolidation activities — moving applications and services from multiple smaller data centers into larger enterprise-class data centers. It doesn’t preclude us from needing to offer services closer to the customer — certainly that opportunity exists — but now that we have a virtual environment in our data centers, we can seamlessly move VMs from, say, St. Louis to Tampa, and it doesn’t really matter. The customer doesn’t know the difference.

FEDTECH: DIA started that before OMB mandated that agencies reduce hundreds and hundreds of data centers. Has the OMB mandate affected your efforts at all?

MESTROVICH: I think it certainly gave credence to what we were discussing. It certainly hasn’t hurt our activities in any way, shape or form. As you know, we started the process long before that ever came out, recognizing there was a critical need to go ahead and do that, and so we have been on that path. I can't say it has necessarily harmed the effort in any way. I think it certainly validated the concept.

FEDTECH: How has DIA advanced its use of unified communications?

MESTROVICH: In the past, that video teleconference system and that Voice over IP phone, both on the same network, didn’t have the ability to “talk” to one another, so I couldn’t call one from the other. We are at the final phases of upgrading our Voice over IP infrastructure. The last area is the National Capital Region, and once those upgrades are done, we will have the ability to link these two systems together, so that they can call one another. The nice part about that is now I will only have to have one device on a desktop. I don’t have to have two. And my phone can call a Tandberg, and that communication can happen at the voice-only level, because, obviously, the phone doesn’t have a video screen.

The second piece of that is going to be trying to integrate those video teleconferencing systems and Voice over IP systems into our computer desktops, whether they are thick clients or thin clients. Once we kind of finish our rollout of the thin clients, we will delve more deeply into making that integration possible.

FEDTECH: Have you started planning that yet?

MESTROVICH: Well, I don’t know that we have a planned deployment necessarily, but we have certainly gone through some reviews of the architecture. There are multiple different systems out there, and part of this is also trying to stay compliant or in sync with what some of our other mission partners are doing. For example, we find our customers are more and more on SIPRNet as opposed to top-secret networks, and there the tool of choice for collaboration is DISA’s offering of Defense Connect Online, which is Adobe Connect, if I am not mistaken. Part of our thought process is, Do we have the same requirements on the top-secret side that we have on the SIPR side, and should we maintain a sense of integration with the products and services that we are offering on the SIPRNet side?

We have gone through racking and stacking requirements, understanding the different products that are out there, and we are going through a value judgment of where we want to be in that space. We have done a lot of research on what the capabilities of the products are. We really haven’t done an implementation plan per se. We are waiting on this final stage of the upgrade to move forward with that.

FEDTECH: We haven't discussed security much yet. One of the things you mentioned earlier was mobility, which definitely increases the degree of difficulty on security. What are you doing in that arena?

MESTROVICH: I will reiterate that, from the mobility perspective, if we focus on “bringing your own device” to the unclassified side, we are obviously focused on all the DISA STIGs and the FIPS requirements for attaching to a network. There are FIPS 140 compliance standards that we are obviously looking to maintain in that regard. We will certainly hold true to all those specifications.

On the classified side, there have been a number of different activities, one of which is that the intelligence community as a whole got together and started off with a process by which we have the ability to collectively see the security posture of other agencies’ networks. For example, there is a central repository whereby we can see the patch compliance or information assurance vulnerability alert compliance of NSA versus NRO versus NGA versus DIA, so on. All of that data then can be rolled up to one central site. If there is a request from DNI to establish what the security posture looks like with regards to this particular threat or patch or something, we can now see that. There is a reporting mechanism that allows that to happen.

That being the case, we also recognize that we have to stay ahead of the security curve, and so we are implementing such things as host intrusion protection and device control. How do we manage the various different USB devices that show up, and how do we verify that they are the right USB devices that we want to have? Or if we need to lock down USB ports to make sure that they don’t have access when we don’t want them to have access? There is a whole suite of tools and technologies that we are employing with regard to that to increase the security posture of our networks, and that’s an ongoing process.

FEDTECH: The thin clients provide more control over USB.

MESTROVICH: They do significantly, as does our virtualization activity. In the virtual desktop environment, if there was a security concern with an operating system, I don’t have to physically touch 20,000 machines to patch that. I just touch my one gold image, people log out, log back in, and I am done. From a security perspective and from an effectiveness perspective, I have increased dramatically not only my effectiveness in patching desktops, but my customer’s effectiveness has also skyrocketed because I don’t have to have a human going around fixing a desktop if all of a sudden a patch breaks something. They can just simply log back out, log into the last known good copy, and they proceed on. So there is a whole massive productivity effect to all of these activities as well.

FEDTECH: What’s coming up in the next few years? How does DIA stay ahead of the technology curve?

MESTROVICH: That’s a tough one. As you know, technology changes all the time and we find ourselves from a product space really in a nine-month run cycle. I mean, there is always going to be something new every nine months. One of the challenges for us — it’s the same across the board in every industry, I am quite sure — is trying to understand the technology cycle and not getting caught up in this hype cycle or this leapfrog cycle. We can't be in a position where we are constantly swapping out technologies or products because the next thing is the best thing. So that takes a little bit of discipline, and it takes a little bit of business cognizance.

You want to make sure that the technologies and the products you are employing are going to be there for a time and you get your money’s worth out of them. There is going to be a natural break point by which you say, I have gotten my investment out of this, now this is my opportunity to look at the next possible thing, I will make an investment in that. That doesn’t necessarily speak to the products per se, but it kind of speaks to the business model that we find ourselves evolving to.

From a technology perspective, I think we are going to have to see ever-increasing improvements in virtualization. We have not, to date, done a lot with storage virtualization. I think there are some significant inroads to be made within the storage virtualization space.

Application and desktop virtualization are relatively new. I think that we will find ever-increasing benefits to those and improvements in those technologies. We have made a significant investment in WAN optimization and seen some incredible returns on investment with regard to that. I think that that will only improve over time, and I think those products and those technologies will morph over time. I can't say how, but I just see it on the horizon as those WAN optimization technologies move into different products — as they roll out as an embedded service. So we will have to watch how that transitions over time.

You could say that IPv6 from a networking perspective has some huge potential. There are significant enhancements with regard to mobility native to the protocol. That will be something that we have to watch and look for. I don’t think we will be one of the first out of the gate with an IPv6 construct, but we are certainly going to partner with DISA — and understand from our industry partners as well — what that looks like and what opportunities are afforded in that regard.

FEDTECH: Going back to cybersecurity: One of the things that you frequently hear is how information sharing among various federal agencies is essential to establishing an effective cybersecurity posture among all of them. How do you work with those other agencies in that regard?

MESTROVICH: We work really well. The common sentiment across the board is that all of us want to share products. No one is opposed to sharing. But much like when you are a small child, if I give you my toy car, I want to make sure that you are going to protect my toy car and give it back to me when I say I want it back.

It's no different in this space. We all have products that we produce, and we want to give them out. But we want the assurance that the people we give them to are going to treat them with the respect that we think they deserve. So that’s kind of the challenge. From a technological perspective, how do I guarantee that the people I’m giving the information to are going to treat it the way that I expect it to be treated? And, if I need to get it back, how do I make sure that they are going to give it back to me? And, that they are only going to give it to the people that we know and both agree need to have access to it? So there are some technological challenges in that.

Many of those issues have theoretically been solved. We get into this issue of how do you scale that up to an enterprise level to make sure there is an enterprise construct that follows that? So, we will continue to work through that. At least two meetings every single week are on that type of discussion. We have made significant progress thus far, and we will continue pushing the envelope on that for sure.

Drake Sorey
Feb 14 2012