Originally published in Geospatial Intelligence Forum
The application of cross-domain security technologies to the world of GEOINT is not new. High-priority missions, innovative system designers and forward-leaning security officials have from time to time created the opportunity to apply these specialized and highly restricted technologies to the flow of particular kinds of data between particular networks for particular purposes.
For far too long, however, information sharing in this manner was considered an exception, not a rule. As such, this class of technologies was thought of, and even engineered, as point solutions without broader and more extensible application.
Those days must now come to an end. It is time for the era of cross-domain GEOINT to begin.
Achieving geospatial situational awareness across the extended national security community demands that data from many networks of differing classifications comes together seamlessly. While the average citizen assumes that such seamless geospatial situational awareness is provided to national security leaders, military commanders, operators and analysts as a matter of course, everyone in the business understands that this is simply not the case.
Despite a host of commercially available cross-domain technologies, the establishment of the Unified Cross Domain Management Office (UCDMO), and executive orders that give the highest priority to solutions for sharing national security information, the lack of cross-domain security has left geospatial situational awareness inexcusably thin. As GEOINT matures as a discipline and cross-cutting framework for intelligence and national security integration, it is time for it to become inherently cross-domain.
The president of the United States should be able to draw a bounding box on a map, declare a slice of time, and discover, browse, access and exploit everything that the extended national security enterprise knows about a topic of interest over that location, at that moment in time. The president should be able to do this, at the click of a button, despite the fact that the source data resides on servers hidden behind a blinding array of unconnected/balkanized networks of different classifications.
While the commander in chief has many other demands on his time, it should be possible when crises hit to demand instantaneous access to everything on the situation room map. Sadly, he and his staff cannot—and it’s not even close. Perhaps worse, the president’s national security team, military commanders, warfighters/operators and intelligence analysts suffer from the same challenge.
Technology, Law, Policy and Culture
Many in Washington love to explain how the problems we experience with information sharing are due not to a lack of technology, but rather to culturally induced legal and policy limitations. It is said that since various agencies and their personnel are rewarded for hoarding information and breaking new intelligence, there is no incentive to reform the micro- and macro-level legal and policy frameworks that could improve information sharing, and in the world of GEOINT, geospatial situational awareness.
For the past decade or more, those voicing this worldview have often given short shrift to the major technology challenges that have plagued the sharing of information across security domains. Point solutions have wrongly been touted as being wildly extensible to every possible cross-domain challenge. Innovation in the field has too often been neglected, and it certainly has not been the focus of widespread acquisition.
Despite this lack of attention to the technology challenges, a new class of cross-domain solutions has emerged that makes it possible to deploy bi-directional ICD 503 PL4/PL5 cross-domain solutions that are agnostic as to the data source, and capable of real-time streams of big data. That is, despite the system, technology pioneers have succeeded at rendering the technology issues moot. It is now time for leaders to demand the enterprise-wide adoption of their innovations.
Paralysis by Jargon
One of the reasons for the slow adoption of cross-domain security solutions across the National System for GEOINT, and the national security community more broadly, has been the arcane technical and policy jargon one must master for the successful deployment of these solutions. In the course of crossing security domains, it is not enough just to master the nuances of Director of Central Intelligence Directive 6/3 (DCID 6/3) PL4/PL5 (or is it now Intelligence Community Directive 503 PL4/PL5?) documentation, configuration and mitigations.
One must also master the DoD Information Technology Security Certification and Accreditation Process/DoD Information Assurance Certification and Accreditation Process criteria; DoD Intelligence Information System accreditation process support and documentation; DoD Directive 8570.1 compliant training and support; and Secret and Below Interoperability and Top Secret and Below Interoperability, as well as the current state of thinking at any moment in time within the UCDMO.
Even worse, one must master the distinctions between Multiple Independent Levels of Security (MILS), Multiple Levels of Security (MLS) for the purposes of data access, and MLS for the purposes of transfer.
Each has been a valuable step in the evolution of information sharing. MILS desktops have enabled organizations and users to conserve on the hardware required to access data on different networks, with a MILS workstation that could be rebooted to access networks of different classifications. MLS desktops have enabled users to have views into data (“access”) from different security domains on the same desktop at the same time, requiring no reboot or switching.
Even so, neither technology path enables the necessary transfer of data across security domains in order to enable actual processing and exploitation. What is missing in the MLS desktop is the ability to transfer information, data and images from one application/security level to another (“transfer”).
Now that analysts are experiencing the benefits of access, their desire to transfer has become manifest. And, when operators and analysts discover that they can see and think in MLS, they immediately want to transfer in MLS. But this requires an enterprise that is cross domain at its very core.
An implementer not only must understand these disparate languages, but also must master the complex kabuki dance of dealing with multiple accrediting authorities, each with a different jargon and process. This even holds true when the domains being crossed are unclassified in nature (for example, NIPRnet to the World Wide Web), as everything is considered a “national security system,” leading to costly and crippling processes. For many years, it has been unrealistic to think that any such cross-domain solution could be deployed generically across the enterprise when plagued by all of this technical and policy jargon.
Point to Point Misses the Point
While the executive orders demanding information sharing are clear in their mandate, the difficulties of achieving a multilevel secure enterprise that provides near-ubiquitous access and is operationally seamless to the user between disparate environments are significantly more complex than current point-to-point cross-domain security solutions can handle. The history of ICD 503 PL4 and PL5 controlled interfaces is not one of agility.
Historically, such controlled interfaces have been designed as single purpose devices deployed to secure the flow of particular data types for a single application between particular networks, and so have not been engineered to support the dynamism required by today’s time-dominant information sharing challenges. There are presently commercially available controlled interfaces, however, that can be used as the keystone of an agile enterprise security infrastructure deployed on elastic cloud computing infrastructures.
It will not be enough to simply use more of the point-to-point PL4 and PL5 cross-domain solutions that we have used in the past. We must move to a new generation of cross-domain controlled interfaces, and the architectural concepts that underpin the future agile enterprise.
Enabled in All Directions
In order to achieve an agile enterprise, cross-domain data flows have to be enabled in every direction. It must be possible for applications/users on a high-side network to transparently request data from a low-side resource (reach down). It must be possible for an application/user on a high-side network to transact data from the high-side via a low-side web service into a low-side database (transact down).
It also must be possible for applications/users on a low-side network to request data via a low-side web service into a high-side, label-aware database (reach up), and for client applications/users on a low-side network to transact data via a low-side web service into a high-side, label-aware database (transact up).
Obviously, only data of the appropriate classification should be able to move in any of these directions. In addition, no data spillage downward or insertion of malicious code upwards can be tolerated. Particularly since Army Private First Class Bradley Manning’s alleged disclosure of classified data to WikiLeaks, it is critical that data be label secured, and that such PL5 controlled interfaces be in place as gateways to any data movement. Cross-domain controlled interfaces should be considered a key part of the strategy for mitigating the “Manning effect,” rather than an enabler for future intentional or unintentional spills/leaks.
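The four flows above reduce to two directions of data movement, each with its own check. The following toy guard is an added illustration, not code from the article or from any fielded controlled interface; the linear label ordering, the upward field schema and all names in it are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed, simplified linear ordering; real labels also carry compartments and caveats.
LEVELS = {"UNCLASSIFIED": 0, "SECRET": 1, "TOP SECRET": 2}

# Which way the data itself crosses the boundary for each of the four flows.
DATA_DIRECTION = {
    "reach_down": "up",       # high-side request; low-side data is returned upward
    "transact_up": "up",      # low-side client writes into the high-side database
    "transact_down": "down",  # high-side client writes into the low-side database
    "reach_up": "down",       # low-side request; high-side data is returned downward
}

# Hypothetical allowlist schema for anything moving upward (field name -> type).
UPWARD_SCHEMA = {"lat": float, "lon": float, "time": str, "note": str}

@dataclass(frozen=True)
class Record:
    label: str
    payload: dict

def payload_is_clean(payload):
    """Upward filter: non-empty, allowlisted fields only, each of the expected type."""
    return bool(payload) and all(
        k in UPWARD_SCHEMA and isinstance(v, UPWARD_SCHEMA[k]) for k, v in payload.items()
    )

def guard(flow, low_level, records):
    """Return (released, blocked) for one flow across a boundary whose low side is low_level."""
    direction = DATA_DIRECTION[flow]   # unknown flow raises KeyError: fail closed
    ceiling = LEVELS[low_level]
    released, blocked = [], []
    for rec in records:
        if rec.label not in LEVELS:
            blocked.append((rec, "unknown label"))
        elif LEVELS[rec.label] > ceiling:
            # Downward this would be a spill; upward it means the low side holds mislabeled data.
            blocked.append((rec, "label exceeds low-side level"))
        elif direction == "up" and not payload_is_clean(rec.payload):
            blocked.append((rec, "payload failed upward filter"))
        else:
            released.append(rec)
    return released, blocked

# Constructed sample data.
HIGH_DB = [Record("UNCLASSIFIED", {"lat": 34.5, "lon": 69.2, "note": "bridge out"}),
           Record("SECRET", {"lat": 34.6, "lon": 69.1, "note": "source report"})]
FIELD_REPORTS = [Record("UNCLASSIFIED", {"lat": 34.5, "lon": 69.2, "time": "2012-01-01T00:00Z"}),
                 Record("UNCLASSIFIED", {"lat": 34.5, "macro": "AutoOpen"})]
```

A reach up from an unclassified network against `HIGH_DB` releases only the unclassified record, and a transact up of `FIELD_REPORTS` rejects the record carrying a field outside the schema.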
Legitimate, high-mission-value GEOINT workflows demand that each of these flows be enabled at the core of the enterprise. At the most basic level, data would ideally exist only once across the enterprise—albeit with appropriate redundancy—on the network of the data’s classification, and accessible to all users on higher classification networks.
Analysts need to be able to dynamically and seamlessly bring low-side, time-dominant GEOINT resources into their high-side exploitation environments. Operators need to be able to dynamically and seamlessly release appropriately classified data resources from high-side environments to low-side users when crises occur.
In the case that data of different classifications reside in high-side repositories, there will be occasions when operators without clearances require the ability to reach up into that repository and access the data appropriate to their needs. Operators with no clearances, or operating from exposed environments, also must be able to contribute data into high-side exploitation environments by transacting data upward.
What is needed is to deploy an agile enterprise cross-domain architecture that can flexibly enable any such flow without developing an entirely new System Security Plan and the continual deployment of additional engineering resources. The GEOINT enterprise must be cross-domain down to its very core.