Protecting and sharing data
Experts discuss cross-domain intelligence swapping
- By Wilson P. Dizard III, Patience Wait
- Mar 30, 2007
TALKING INTEL: From top, the Coast Guard's Michael Payne, DIA's Mark Morrison, ODNI's Richard Russell and TCS' Edward Hammersla.
As counterterrorism information-sharing projects increasingly gain traction within the Pentagon and the intelligence community via fundamental standards reforms, Government Computer News brought together several federal technologists for a roundtable on the technology's status and future.
In a wide-ranging discussion that plumbed the technical underpinnings of an evolving ethos calling for 'responsibility to provide' intelligence to its end users, the federal technologists discussed how emerging tools will transform information-sharing systems.
Joining the discussion were:
GCN: How do you define secure information sharing?Hammersla:
- Michael Payne, the Coast Guard's chief of the Office of Intelligence, Surveillance, and Reconnaissance Systems and Technology, and assistant commandant for the Intelligence and Criminal Investigations Directorate.
- Richard Russell, deputy associate director for National Intelligence, Information Sharing Customer Outreach, in the Office of the Director of National Intelligence.
- Mark Morrison, chief information assurance officer, Defense Intelligence Agency.
- Edward Hammersla, chief operating officer, Trusted Computer Solutions of Herndon,
We're not sure exactly what secure information sharing means, but it seems better than the two alternatives'unsecure information sharing, or secure information hoarding.Morrison:
I think you hit on a fundamental disconnect that we have. We do have sliding definitions of both of those terms. Secure is actually a sliding term, under the DNI CIO certification and accreditation revitalization effort, we're trying to standardize across the intelligence community in the DOD what the controls are for achieving a level of security. Some of those multiple definitions and those multiple controls, recessive controls, should be minimized to a standard set.
I would [define] secure as the fact that you're providing the information only to those people who are authorized to see it. That's the best working definition because it's vague enough that you can apply it to almost anything, but it still covers the bases of what our biggest constraint is, and that's eating up the three areas of assurance confidentiality.GCN: There's a push on to vastly reduce the number of filters or high-assurance guards or cross-domain solutions lying between the various classification levels of databases. What is your viewpoint of the worthiness of that approach, and its likely benefits? Morrison:
Historically, ... when we had a bunch of stovepipe systems ... they all built and maintained their own cross-domain interfaces. I think you need to standardize on a term.
We've kind of gone away from the term 'guard,' and they are either control interface or, actually, it's a cross-domain solution now. There's a reason for that, because a guard by implication is a specific one-processor device that has an [unclassified-network interface card] on one side and a secret NIC card on the other side of it. It's got some sort of filtering in it to manage information. ...
It's a tally of that process of getting that information from one security domain to a cross-domain solution. We're trying to get away from the term 'guard.'GCN: In this progression toward secure information sharing, what are you doing about risk assessment of the different security measures you're putting in place, and who's going to be responsible for taking on that risk? Everything's about risk assessment these days. Morrison:
Sure, and we define that in order to do that correctly. One of the reasons we've gone to that broader definition is in order to establish that the risk boundary or accreditation boundary is no longer just that single box. It extends to where the point of presence [at which] the data is being labeled, or a producer is writing it for a lease. ' That's where the integrity of the process stops and it usually goes back to a client. So if you're doing the risk assessment of assurance exchange, you cross security boundaries, and of course you want to look at the actual process of taking the bits, and re-labeling them. But you also want to look at it holistically, [reviewing] the entire process.
So what we're doing is adjusting the risk process, and this is going to actually get even trickier. ... I would like to say we know what we're doing in that, as technology and implementation are evolving, the certification and accreditation and risk assessment process to effectively address that is evolving.GCN: One of the, perhaps, five things that [the Director of National Intelligence CIO Dale Meyerrose and Pentagon CIO John Grimes] are going to have in their pending release on the C&A (See page 7) remake is this harmonization of the protection levels (PLs). If you could, comment on how that will make everyone happy. How would you go about defining these protection rules anyway?Morrison:
We have an idea of how we're going to do that. To characterize it in one sentence: We're going to use a single set of controls that we haven't had before, one of the ideas is to maybe use the NIST controls as a basis and augment them with the DOD and [intelligence community] controls.
I think the concept of the existing PLs, 1 through 5, is probably going to be refined into a wider, more encompassing set of controls that we can define based on a more operational environment, versus trying to force-fit all the technologies into meeting all of these arbitrary protection levels.GCN: Is there a time frame for when that will happen?Morrison:
We're trying to have the first set out by the summer. There's a good team working to try to [unify] and put that together.GCN: Can you realistically get down to a single portal, or does that concentrate the risk so much that, since you can never get risk down to zero, you wouldn't want to take a chance on your single portal being disabled.Morrison:
No, it would be a family; the idea of it is to be an enterprise service. So the way that you would look at it, is if you want to exchange information from [sensitive, compartmented information] down to secret, and you're out in Pacific theater, you stage it up as part of an enterprise service.
Whether or not it goes through a cross-domain solution in the Pacific theater or it goes through one of the ones in Washington, or Europe, you don't care, as long as the information shows up on the low side within your time frame. And that's the way that we're moving with cross-domain as a service, not to point-to-point solutions, other than those areas like tactical arenas where point-to-point is necessary because you got to put it out where the information is actually needed. ...
When you're talking about reducing the number [of cross-domain interfaces], you're talking about reducing the types as well. So in theory there could be as many numbers, but there won't be as many solutions because we have varying degrees of perfection and how we do cross-domain solutions that are built up over the years.GCN: How about whole idea of using embedded metadata, to have a document that can decide whether it wants to open up, to a specific user, or on a specific computer, or cross a specific cross-domain solution? Morrison:
I think it's interesting that the biggest advancement in the recent times with information security and information sharing has not been with the security products itself, it's the fact that we now have ability to persistently and accurately mark information associated with that, and marking with that information.
Now, the multilevel technology can take advantage of that. Before, we never had that ability with the lower file level, and it was rudimentary at best. ... That's going to facilitate a better, more robust, a quicker, faster, information exchange that we hadn't had up to a few years ago.GCN: When you get into a shared environment, you're changing that definition into ownership, and the definition of validity. How do you do that in a secure environment?Morrison:
The paradigm has shifted to, it's no longer data owners, its data stewards. Nobody, other than the president, owns the data. ... I think it's a key difference, because stewardship means you protect it, you control it, but you disseminate it to the right people. I think the fact that you collect it doesn't necessarily mean that you own it.
Remember, we're not just dealing with one piece of data. ... Even when we do specific reports ... we're not just using that one piece of data, but we're using multiple other databases with that same string.Russell:
The definition of actionable intelligence is that it is accurate, it is timely. It gives you the ability to take some definitive action or to change an outcome. It has to be confidence building.
The Department of State is working with the Department of Homeland Security ' and us, and many of these issues with sharing with foreign partners. We don't have the same laws in every country around the sphere. So respecting the laws in other governments that are sovereign, and the rights of their citizens, is a complex issue.
I think we made a lot of strides forward, because we have learned ways to respect restrictions that they have, yet make the information available to the right people across the federal enterprise that need to have it. There's a lot of work to be done, but a lot of strides have been made.Morrison:
We're trying to work up a method with allies to use public-key certificates. DOD uses hard tokens in the intelligence community, and we use soft tokens. As far as the certificate, there's your unique identifying information. Trying to bring the allies in with that, they all have laws on what type of information can be put forth in their computer systems.
What we have is our unique identifier, our unique address ' We're trying to integrate those disparate identification control mechanisms, in theater'in Iraq, Afghanistan'where we're supporting multiple allies. It has been a challenge on that level.GCN: On integrating open-source or public-source information into classified information, how do you make better use of publicly available information and how that gets filtered in, and what happens when it does?Russell:
We as a nation, just like what we do in our private lives, we are very much information consumers. Governmental agencies are no different. Particularly in the intelligence world, making use of publicly available information from across the globe in the historical context'that would be press releases, reporting from around the world.
The difficulty that we often find in the intelligence business is that, once you associate the publicly available information with the highly classified information, as we get better and better at metadata tagging, you will see us able to separate and let the information flow in and out.Payne:
Let me touch on cross-domain. We can look across different secure levels. We all talked about how the information's going to be tagged and collaboratively stored all in the same box, and go and get it, and the number of guards we have to use to move that data back and forth, like we use with the Coast Guard right now. We go back to our guard for our DOD counterparts, we go back to your guards for the boxes they have built in DIA. The crawl-walk-run approach comes full circle.Russell:
Imagine the transformation of the world: In 1990, when I arrived at the Pentagon to work for DIA, it was the first time of my life where I heard the word LAN. It never even existed in my environment. In 17 short years'remember the stage when there were three separate computers on your desk? Nobody let you have any of that stuff touch each other? [We've had] a transformation of technology.
The key is [that] we have created the capacity to go down. The bigger step is how are we going to create the capacity to go up? If I enter a search at the unclassified level, for instance, will it come back and tell me if there's some information or some place I can go to find information that's more than just unclassified?
From a policy and a technology perspective, we're going to get there. It's moving very fast.