Pages: pp. 8-11
The US government's executive and legislative branches have quickly heeded recommendations from the National Commission on Terrorist Attacks Upon the United States (the "9/11 Commission") to improve information-sharing capabilities between federal agencies and among federal, state, and local officials. Both the legislative and executive branches have for the first time established firm deadlines for agency heads to submit plans for architectures and procedures that will enhance data sharing.
The commission released its final report, which included its recommendations for a shared intelligence network, in late July 2004 ( www.9-11commission.gov/report/911Report_Ch13.pdf). On 27 August, President George W. Bush signed an executive order establishing a timetable in which agency heads must begin planning for such a network ( www.whitehouse.gov/news/releases/2004/08/20040827-4.html). Two weeks later, Senators John McCain (R-Ariz.) and Joseph Lieberman (D-Conn.) introduced a 281-page omnibus antiterrorism bill with 17 pages dedicated to establishing a new information-sharing network and stipulating deadlines for agency heads to report on their efforts to build it ( http://govt-aff.senate.gov/_files/090704bill911commission.pdf).
The executive order gives a newly formed Information Systems Council 120 days to submit a seven-step plan for building the network.
The proposed legislation, in turn, orders the president to submit a "system design and implementation plan" for the network to Congress within 270 days of the bill's passage.
The 9/11 Commission's report isn't the real impetus of the recent governmental action, however. The commission took much of its technology ideas from a report that the nonprofit and nonpartisan Markle Foundation wrote in December 2003. This report is acknowledged as the wellspring inspiring current consensus on enhancing information sharing ( www.markle.org/downloadable_assets/nstf_report2_part1_homepage.pdf).
"The commission was influenced to a fair degree by the foundation report," says James Lewis, director of the technology program at the Center for Strategic and International Studies. "There was a lot of overlap, most significant being that the executive director of the commission, Phil Zelikow, had been the first executive director of the Markle Foundation," says Lewis, who worked on the report. "I think Bush was responding to the commission, but the commission was responding to the foundation."
Lewis believes the commission report's timing—as the 2004 presidential campaign began in earnest—was also responsible for the quick action.
"Most of this is politics. There's a real problem, but the problem has been around for a few years, and the sudden attention and rush has more to do with worrying about outcomes in November. Neither side wants to hand the other guys a club they can be beaten over the head with. The Bush guys have tried to encourage information sharing. The Markle [report] had an effect even before the commission report. People knew it was a problem, and they've been working on it."
However, Lewis also says establishing a timetable for submitting plans is fine, but actually detailing the technological, procedural, and cultural attributes of data sharing that bridges multiple federal agencies as well as state and local entities will be extremely difficult.
"It's nice to get a Presidential Decision Directive or an executive order, but it doesn't count for much unless you put people in who are going to implement it and pursue it," Lewis says. "Right now, that would fall on the FBI director, the director of Central Intelligence, and a little bit on the secretary of defense. My question is, what are those guys going to do to make sure the order's carried out? To be fair, FBI Director Robert Mueller and former CIA Director George Tenet have made a strong push to get the two agencies to work together better. The question now is what more needs to be done? The Markle report notes that on the federal level, the FBI and CIA have been working together better, but pumping information down to state and local levels is still a problem. They haven't figured out how to do that."
Lewis says an overall lack of funding means it's likely that agencies will try to piggyback law enforcement communications onto state and regional high-speed networks already existing or under construction.
Even if street-level information can be bootstrapped onto existing networks, Lewis says technological integration would be just part of the problem.
"The issue we haven't resolved is how much of this is a law enforcement problem and how much is a traditional counterintelligence problem. Linking those two together has been the hard part."
Another obstacle to establishing better data sharing has been balancing civil liberties and the government's asserted need for information. Lara Flint, staff counsel for the Center for Democracy and Technology, says the new flood of emphasis on better data sharing might also help encourage wider debate about new technological capabilities' privacy implications.
"I think the public, as we get further away from 9/11, is becoming more concerned with the privacy implications of the fight against terrorism, and I think that's started to be reflected in government policy," Flint says.
Greg Goth is a freelance writer based in Connecticut.
The mission for vendors of real-time operating systems (RTOS), should they choose to accept it, is to increase safety and security while meeting government-imposed certification requirements and keeping costs down. Although this is a tall order, most vendors appear to be meeting it.
"We see [the security-cost conundrum] as more of a continuum rather than two mutually exclusive requirements," says Joe Wlad, certification manager for Wind River Systems in Alameda, Calif. "Our challenge is to create a foundation that supports both objectives, but if a common foundation is used along with some of the artifacts from previous certification activities, the process is simplified."
John Carbone, vice president of Express Logic in San Diego, Calif., says that keeping it simple also keeps it safer and cheaper. "By keeping solutions simple, cost can be contained and many of the largest problems facing developers can be solved," he says.
In demanding more security for less money while meeting more stringent certification standards, the military has made clear its desire for commercial off-the-shelf products. But rather than providing even more of a challenge, the insistence on COTS products has actually gone hand-in-hand with other considerations.
"From our vantage point, the COTS reusability question is answered by use of standard interfaces such as ARINC 653 and Posix," Wlad says. "These standards are the foundation for modularity and reusability."
Carbone agrees, saying that standards such as ARINC 653, MILS, and DO 178B combine to provide strong protection against hackers, viruses, and sabotage. This leads to certifiable versions of COTS products that successfully address the military's certification and security needs.
Carbone also says that while this issue is much less severe outside of military design, it exists to some extent in other government agencies—such as the FDA—and commercial groups, in the automotive sector in particular.
Kevin Nilsen, chief technology officer for Aonix, an international military vendor, says that with the war on terrorism and the Iraq war, military spending has increased, but not necessarily with respect to research and development.
Nilsen says that as products are used across different industries, their cost is born across them as well. This lets the military use security technology that commercial industries have already used and paid for.
Take Java use, for example. "There is a sense of the military catching up to the commercial space," Nilsen says.
In terms of security, different vendors cite different areas on which they're focusing.
For instance, Wind River Systems is building a version of VxWorks AE653 for the C130 program that requires a separation kernel to comply with Common Criteria EAL 7 requirements (see the related article on p. 28). Another military RTOS vendor, Weber Shandwick, is developing a separation kernel for which the operating system will have multiple partitions or virtual machines, where applications of different security levels can coexist on the same hardware and operating system.
But they all agree on the importance of partitioning with respect to developing RTOS security measures.
According to Roger Villareal, group manager at Weber Shandwick, "Hacking has not yet been a real problem, but with the battlefield becoming net-centric, there would be more opportunities for the red forces [hackers] to make an electronic attack. The military is making sure that does not happen through the use of partitioning to ensure separation."
Benjamin Alfonsi is a freelance writer based in New York.