Data sharing is the core of protection

Air Force Maj. Gen. Dale W. Meyerrose is a two-hatter. He's both the director of command control systems for the North American Aerospace Defense Command and director of architectures and integration for the Northern Command at Peterson Air Force Base, Colo. He is CIO for the two commands as well.NORAD, formed during the Cold War, protects U.S. airspace from enemy attack, while the Northern Command, formed in the wake of the Sept. 11, 2001, terrorist attacks, helps both military and civilian agencies during domestic disasters.An Air Force Academy graduate, Meyerrose joined the service in 1975. He has held several air and communications commands. He earned the master communications and master parachutist badges.GCN executive editor Thomas R. Temin interviewed Meyerrose during a visit to Maxwell Air Force Base, Ala.MEYERROSE: NORAD is a 45-year-old command, established by treaty between the United States and Canada.Northern Command is a new combatant command set up to deter, prevent and defeat acts of aggression, not limited to air or space, but in all domains.Northern Command has one other mission: upon direction of the president, and approval of the secretary of Defense, provide support to other lead federal agencies in terms of military assistance to civil authorities. That could be the Homeland Security Department, the FBI or a state government.Most of the staff, myself included, have a position as a NORAD official as well as a NORTHCOM hat.MEYERROSE: If you mean infrastructure such as fiber in the ground, servers, routers, those kinds of things, NORAD and NORTHCOM are largely outsourced to our components. Both have mission applications that ride those infrastructures.We share many applications as they relate to air [activities]. But NORTHCOM has a set of collaborative and information exchange environment tools that ride the same infrastructure but are a different set of mission applications to take into account ground, Coast Guard and other federal agencies.MEYERROSE: We were the integrator, and many of them were existing programs, such as the Combatant Commanders Information Command and Control System. It started out in NORAD. It provides several air feeds and things like that into our baseline.MEYERROSE: In the Defense Department, much of our information sharing is based on a need-to-know and security classification basis. Many of our command and control systems are not exposed to the Internet.So we've adopted a mantra of 'need to share.' We talk about that a lot. We're very, very serious about need to share and how to protect information in the sense of only the people who need it, get it.We share information on a minute-by-minute, hourly and daily basis with many agencies within Homeland Security. Many of these relationships were established a long time ago, before the creation of Northern Command and before DHS inherited many of its agencies.MEYERROSE: The first thing we did'and most folks may not identify it as pure architecture work'was to develop a concept of operations for the command. It doesn't do you any good to develop an operations architecture if you don't have a conops.The second thing we did was build the joint essential mission task list of all responsibilities that take place within the command, the JEMTL. We mapped all the mission-essential tasks to all of our mission sets.So you've got the conops, which outlines the why, the JEMTL, which outlines the what. Then, the architecture ends up being the how.MEYERROSE: As a matter of fact, our first test came two days after we were formed. On Feb. 2, Hurricane Lilly hit the Texas and Louisiana coasts, creating a situation where within 48 hours of standing up, we needed to orchestrate military assistance to civil authorities.MEYERROSE: Correct. When the space shuttle crashed on Feb. 1, we helped both the investigative part as well as the recovery part. There were many military actions.MEYERROSE: It is a Web-enabled environment that rides on two elements. One is the Global Command and Control System, the classified side, and the other resides on a geographic information system, which other parts of the government use for putting maps and location items in a common picture.We've provided the venue for that information exchange. We've not integrated them in a great way, but we have brought them together in such a way that we can procedurally resolve and pass information from the DOD command and control environment to non-DOD environments.We can import information about forest fires. From the weather service, storms and tornadoes and hurricanes'all of that information available to them, we can portray in our environment.At some point, we'll get it to where machine talks to the machine. That's part of our architecture.MEYERROSE: Our first detection happened to be on the cyber side of the house because we noticed servers and routers losing power and turning red. That was our first indication. Of course, we had no idea what it was. It could have been a virus or a worm.Our first questions were: What military facilities does it affect? Does it affect any of our defense capabilities? We do a lot of what-if drills for virtually everything you see that happens of newsworthy importance.MEYERROSE: We will leverage other agency and service acquisition contracts.I've got two axioms besides the fact that I don't acquire systems per se. The first is that we tend to focus on the commonality that already exists.The second axiom is that, in every action we do with respect to creating the information exchange environment, we think big, start small and scale fast. We will do things on 16-week turnarounds. We call them spirals, a narrowly-focused problem in which we capture it and resolve how we're going to take care of it all within 16 weeks. And then we change the baseline.MEYERROSE: The most difficult thing is how do you provide the motivation for an external agency or organization to share information and for them to feel that they can trust you with whatever they share with you.MEYERROSE: To some extent, the American people will judge us by how secure they feel, and, when situations arise, how well we respond to them and take care of them.We have a trained, proficient staff capable of commanding and controlling chaos, if you will. How well we play as a team with other agencies is also how we'll be measured.If we're able to dynamically create that information exchange environment and have it operate in the full spectrum of the operation or the crisis, and we save a single life, or we mitigate damage to American property, that's how we'll be measured.