Protecting and sharing data

As counterterrorism information-sharing projects increasingly gain traction within the Pentagon and the intelligence community via fundamental standards reforms, Government Computer News brought together several federal technologists for a roundtable on the technology's status and future.

In a wide-ranging discussion that plumbed the technical underpinnings of an evolving ethos calling for a 'responsibility to provide' intelligence to its end users, the federal technologists discussed how emerging tools will transform information-sharing systems.

Joining the discussion were:

  • Michael Payne, the Coast Guard's chief of the Office of Intelligence, Surveillance, and Reconnaissance Systems and Technology, and assistant commandant for the Intelligence and Criminal Investigations Directorate.
  • Richard Russell, deputy associate director for National Intelligence, Information Sharing Customer Outreach, in the Office of the Director of National Intelligence.
  • Mark Morrison, chief information assurance officer, Defense Intelligence Agency.
  • Edward Hammersla, chief operating officer, Trusted Computer Solutions of Herndon, Va.

Zaid Hamid

TALKING INTEL: From top, the Coast Guard's Michael Payne, DIA's Mark Morrison, ODNI's Richard Russell and TCS' Edward Hammersla.

GCN: How do you define secure information sharing?

Hammersla:

We're not sure exactly what secure information sharing means, but it seems better than the two alternatives: unsecure information sharing, or secure information hoarding.

Morrison:

I think you hit on a fundamental disconnect that we have. We do have sliding definitions of both of those terms. Secure is actually a sliding term; under the DNI CIO certification and accreditation revitalization effort, we're trying to standardize across the intelligence community and the DOD what the controls are for achieving a level of security. Some of those multiple definitions and those multiple controls, recessive controls, should be minimized to a standard set.

I would [define] secure as the fact that you're providing the information only to those people who are authorized to see it. That's the best working definition, because it's vague enough that you can apply it to almost anything, but it still covers the bases of what our biggest constraint is, and that's eating up the three areas of assurance, confidentiality.

GCN: There's a push on to vastly reduce the number of filters or high-assurance guards or cross-domain solutions lying between the various classification levels of databases. What is your viewpoint of the worthiness of that approach, and its likely benefits?

Morrison:

Historically, ... when we had a bunch of stovepipe systems ... they all built and maintained their own cross-domain interfaces. I think you need to standardize on a term. We've kind of gone away from the term 'guard,' and they are either a control interface or, actually, it's a cross-domain solution now.

There's a reason for that, because a guard by implication is a specific one-processor device that has an [unclassified-network interface card] on one side and a secret NIC card on the other side of it. It's got some sort of filtering in it to manage information. ... It's a tally of that process of getting that information from one security domain to a cross-domain solution. We're trying to get away from the term 'guard.'

GCN: In this progression toward secure information sharing, what are you doing about risk assessment of the different security measures you're putting in place, and who's going to be responsible for taking on that risk? Everything's about risk assessment these days.

Morrison:

Sure, and we define that in order to do that correctly. One of the reasons we've gone to that broader definition is in order to establish that the risk boundary or accreditation boundary is no longer just that single box. It extends to the point of presence [at which] the data is being labeled, or a producer is writing it for release. That's where the integrity of the process stops, and it usually goes back to a client. So if you're doing the risk assessment of assurance exchange, you cross security boundaries, and of course you want to look at the actual process of taking the bits and re-labeling them. But you also want to look at it holistically, [reviewing] the entire process.

So what we're doing is adjusting the risk process, and this is going to actually get even trickier. ... I would like to say we know what we're doing in that; as technology and implementation are evolving, the certification and accreditation and risk assessment process to effectively address that is evolving. We have an idea of how we're going to do that.

GCN: One of the, perhaps, five things that [the Director of National Intelligence CIO Dale Meyerrose and Pentagon CIO John Grimes] are going to have in their pending release on the C&A (See page 7) remake is this harmonization of the protection levels (PLs). If you could, comment on how that will make everyone happy. How would you go about defining these protection rules anyway?

Morrison:

To characterize it in one sentence: We're going to use a single set of controls that we haven't had before. One of the ideas is to maybe use the NIST controls as a basis and augment them with the DOD and [intelligence community] controls. I think the concept of the existing PLs, 1 through 5, is probably going to be refined into a wider, more encompassing set of controls that we can define based on a more operational environment, versus trying to force-fit all the technologies into meeting all of these arbitrary protection levels.

GCN: Is there a time frame for when that will happen?

Morrison:

We're trying to have the first set out by the summer. There's a good team working to try to [unify] and put that together.

GCN: Can you realistically get down to a single portal, or does that concentrate the risk so much that, since you can never get risk down to zero, you wouldn't want to take a chance on your single portal being disabled?

Morrison:

No, it would be a family; the idea of it is to be an enterprise service. So the way that you would look at it is, if you want to exchange information from [sensitive compartmented information] down to secret, and you're out in the Pacific theater, you stage it up as part of an enterprise service. Whether it goes through a cross-domain solution in the Pacific theater or it goes through one of the ones in Washington or Europe, you don't care, as long as the information shows up on the low side within your time frame. And that's the way that we're moving with cross-domain as a service, not to point-to-point solutions, other than those areas like tactical arenas where point-to-point is necessary because you've got to put it out where the information is actually needed. ...

When you're talking about reducing the number [of cross-domain interfaces], you're talking about reducing the types as well. So in theory there could be as many in number, but there won't be as many solutions, because we have varying degrees of perfection in how we do cross-domain solutions that have been built up over the years.

GCN: How about the whole idea of using embedded metadata, to have a document that can decide whether it wants to open up to a specific user, or on a specific computer, or cross a specific cross-domain solution?

Morrison:

I think it's interesting that the biggest advancement in recent times with information security and information sharing has not been with the security products themselves; it's the fact that we now have the ability to persistently and accurately mark information, and keep that marking with the information. Now the multilevel technology can take advantage of that. Before, we never had that ability at the lower file level, and it was rudimentary at best. ... That's going to facilitate a better, more robust, quicker, faster information exchange that we hadn't had up to a few years ago.

GCN: When you get into a shared environment, you're changing that definition into ownership, and the definition of validity. How do you do that in a secure environment?

Morrison:

The paradigm has shifted: it's no longer data owners, it's data stewards. Nobody, other than the president, owns the data. ... I think it's a key difference, because stewardship means you protect it, you control it, but you disseminate it to the right people. I think the fact that you collect it doesn't necessarily mean that you own it.

Russell:

Remember, we're not just dealing with one piece of data. ... Even when we do specific reports ... we're not just using that one piece of data, but we're using multiple other databases with that same string. The definition of actionable intelligence is that it is accurate, it is timely. It gives you the ability to take some definitive action or to change an outcome. It has to be confidence building.

The Department of State is working with the Department of Homeland Security and us on many of these issues with sharing with foreign partners. We don't have the same laws in every country around the sphere. So respecting the laws of other governments that are sovereign, and the rights of their citizens, is a complex issue. I think we've made a lot of strides forward, because we have learned ways to respect restrictions that they have, yet make the information available to the right people across the federal enterprise that need to have it. There's a lot of work to be done, but a lot of strides have been made.

Morrison:

We're trying to work up a method with allies to use public-key certificates. DOD uses hard tokens; in the intelligence community, we use soft tokens. As far as the certificate, there's your unique identifying information. Trying to bring the allies in with that, they all have laws on what type of information can be put forth in their computer systems. What we have is our unique identifier, our unique address. We're trying to integrate those disparate identification control mechanisms in theater, in Iraq, Afghanistan, where we're supporting multiple allies. It has been a challenge on that level.

GCN: On integrating open-source or public-source information into classified information, how do you make better use of publicly available information, how does that get filtered in, and what happens when it does?

Russell:

We as a nation, just like what we do in our private lives, are very much information consumers. Governmental agencies are no different, particularly in the intelligence world, making use of publicly available information from across the globe in the historical context: that would be press releases, reporting from around the world. The difficulty that we often find in the intelligence business is that, once you associate the publicly available information with the highly classified information, as we get better and better at metadata tagging, you will see us able to separate and let the information flow in and out.

Payne:

Let me touch on cross-domain. We can look across different security levels. We all talked about how the information's going to be tagged and collaboratively stored all in the same box, and go and get it, and the number of guards we have to use to move that data back and forth, like we use with the Coast Guard right now. We go back to our guard for our DOD counterparts; we go back to your guards for the boxes they have built in DIA. The crawl-walk-run approach comes full circle. Imagine the transformation of the world: In 1990, when I arrived at the Pentagon to work for DIA, it was the first time in my life I heard the word LAN. It never even existed in my environment. In 17 short years. Remember the stage when there were three separate computers on your desk, and nobody let you have any of that stuff touch each other? [We've had] a transformation of technology.

Russell:

The key is [that] we have created the capacity to go down. The bigger step is how we are going to create the capacity to go up. If I enter a search at the unclassified level, for instance, will it come back and tell me if there's some information or some place I can go to find information that's more than just unclassified? From a policy and a technology perspective, we're going to get there. It's moving very fast.
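The two technical threads running through the roundtable, persistent and accurate marking of information and a cross-domain solution that releases it only to a domain authorized to receive it, come down to a label-dominance check. The block below is an added illustration of that check; it is not code from the roundtable participants or from any government or vendor cross-domain product. The level ordering, the `LEVEL//COMPARTMENT/COMPARTMENT` marking syntax, the `Label`, `parse_marking`, `high_water` and `may_release` names and the sample documents are all assumptions constructed for this example. It also shows the integrity point Morrison raises about the labeling process: a document whose overall marking is lower than the high-water mark of its own portion markings is rejected rather than trusted.

```python
"""Label-dominance check for a cross-domain release decision.

Added illustration only: not code from the roundtable participants or from any
government or vendor cross-domain product. The level ordering, the
'LEVEL//COMPARTMENT/COMPARTMENT' marking syntax and the sample documents are
assumptions constructed for this example.
"""
from dataclasses import dataclass

# Assumed strict ordering of sensitivity levels (higher number = more sensitive).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A security label: a hierarchical level plus a set of compartments."""
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other: "Label") -> bool:
        # Bell-LaPadula dominance: at least as high a level and a superset
        # of the other label's compartments.
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.compartments >= other.compartments)


def parse_marking(marking: str) -> Label:
    """Parse an assumed banner-style marking such as 'SECRET//ALPHA/BRAVO'."""
    parts = marking.strip().upper().split("//", 1)
    level = parts[0].strip()
    if level not in LEVELS:
        # Fail closed: an unrecognised level must never be treated as low.
        raise ValueError(f"unknown classification level: {level!r}")
    comps: frozenset = frozenset()
    if len(parts) == 2:
        comps = frozenset(c.strip() for c in parts[1].split("/") if c.strip())
    return Label(level, comps)


def high_water(labels: list) -> Label:
    """Least upper bound of a set of portion markings."""
    if not labels:
        raise ValueError("no portion markings")
    top = max(labels, key=lambda lab: LEVELS[lab.level]).level
    comps = frozenset().union(*(lab.compartments for lab in labels))
    return Label(top, comps)


def may_release(overall: str, portions: list, destination: Label):
    """Decide whether a document may flow to a destination domain.

    Returns (allowed, reason). Release requires that
    (1) the overall marking dominate the high-water mark of the portion
        markings, so a mislabelled document is rejected, not trusted; and
    (2) the destination label dominate the overall marking: no write-down
        to a lower level, and no compartment the destination lacks.
    """
    doc = parse_marking(overall)
    hw = high_water([parse_marking(p) for p in portions])
    if not doc.dominates(hw):
        hw_text = hw.level + "//" + "/".join(sorted(hw.compartments))
        return False, f"overall marking {overall!r} is below portion high-water {hw_text}"
    if destination.dominates(doc):
        return True, "destination label dominates document label"
    if LEVELS[destination.level] < LEVELS[doc.level]:
        return False, f"write-down from {doc.level} to {destination.level}"
    missing = sorted(doc.compartments - destination.compartments)
    return False, f"destination lacks compartments {missing}"


# Constructed sample: a report whose body carries mixed portion markings,
# and two hypothetical receiving enclaves.
SAMPLE_PORTIONS = ["UNCLASSIFIED", "SECRET//ALPHA", "CONFIDENTIAL"]
SECRET_ALPHA_ENCLAVE = Label("SECRET", frozenset({"ALPHA"}))
SECRET_ENCLAVE = Label("SECRET")

if __name__ == "__main__":
    for overall, dest in [("SECRET//ALPHA", SECRET_ALPHA_ENCLAVE),
                          ("SECRET//ALPHA", SECRET_ENCLAVE),
                          ("CONFIDENTIAL", SECRET_ALPHA_ENCLAVE)]:
        print(overall, "->", dest, may_release(overall, SAMPLE_PORTIONS, dest))
```

The check is deliberately fail-closed: an unknown level raises rather than defaulting to unclassified, and a document whose banner understates its contents is refused even when the destination could legally hold the higher label, because the labeling process itself, not just the filter, is inside the accreditation boundary Morrison describes. A real cross-domain solution adds content inspection and dirty-word filtering on top of this; dominance is only the first gate.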