Defense in a wiki world

Information sharing, the drumbeat phrase of national defense for seven years, is being matched these days with technologies capable of elevating it from a bumper-sticker slogan to a tool of great power ' and commensurate risk.In their pursuit of those technologies, military and intelligence leaders have been trying to balance their efforts with caution, looking to improve information sharing while keeping a hold on security.Dale Meyerrose, chief information officer at the Office of the Director of National Intelligence, said one key is to develop consistent data standards across the military agencies to help eliminate barriers caused by incompatible data.The process calls for harmonizing the dozens of standards and protocols military and intelligence agencies use, in a process partially described in periodic reports.One such harmonization agreement between the intelligence agencies and the Defense Department sets out rules for semantic data interoperability, which involves merging varying approaches to metadata tags.'It is one of the 37 major initiatives [DOD and the DNI] have undertaken' to reform military and intelligence technologies, Meyerrose said in a recent interview. 'We have 12 or 14 of them done, and we will probably have twice that many done before the end of this administration.'The risks in adopting new information-sharing technology are partially caused by the added power that system users get with Web 2.0 applications such as social-networking mashups and wikis. To maintain information security in the new environment, military leaders are building safeguards into enterprise architecture.'I think the answer to the security issues is in the platform,' Defense Information Systems Agency CIO John Garing said at the recent AFCEA Defense 2.0 conference in Arlington, Va. 'If we don't secure the platforms, the young people will run right past us.''If we have a platform that is inherently secure, that is the way to go,' Garing said.At the same conference, Navy CIO Robert Carey pointed out the risk barrier inherent in the transition to Web 2.0 technologies. 'The question is how do you bring these [Web 2.0] technologies inside the secure environment,' Carey said.Some Web 2.0 technologies pose such severe security risks that they won't make the cut for inclusion in DOD's architecture. For one, Carey said, 'we don't like peer-to-peer file sharing.'For technologies the military will use, Carey said, support will be important. 'It's like many things in the IT world. It's not generally about the technology, it's about the culture and reducing people's fear levels and getting them to change. They have to have the confidence to move into some unknown territory.'Even as the military services and agencies stake claims to some technologies in the Web 2.0 information-sharing terrain, they emphasize the need for specific technology safeguards that often take the form of governance features.For example, service-oriented architectures (SOA) shatter the chains between data and the systems in which they reside, allowing authenticated users with the correct clearances to access and potentially copy, store and change data in various systems. The key is making data system agnostic, or indifferent to the networks and computers through which it travels, Meyerrose said.'But when you make the data system agnostic, it doesn't mean you make the data accessible' to all the people who use each network or computer, he added.'The thing that makes this go, the fundamental underpinning, is that we will work with a common identification and authentication management construct,' Meyerrose said.That construct will rely on role-based access to the data flowing through the networks. Once that security risk is controlled, authenticated users can gain the benefits of collaboration.Andre Etherly, vice president of federal solutions at Keane, cited the importance of defining user roles. 'In an SOA system, it is increasingly important to have governance and security around the data, as well as governance on the system,' Etherly said.Chris Daly, technical competency lead for security at IBM Federal, cited the potential for new types of malicious exploits that Web 2.0 technologies can introduce into military networks. 'At least with Web 1.0 you had a single security architecture,' Daly said during the AFCEA conference. He singled out the risks that result from social networks.Those networks, along with similar mashup technologies, introduce security risks partly because they pull information from various sources, such as Web sites, enterprise databases and e-mail.IBM has conducted research into a technology known as Secure Mashup, or Smash, Daly said. Smash allows information from different sources to communicate with one another while keeping the respective sources separate to prevent the transfer of malicious code.IBM has contributed Smash to the Open- Ajax Alliance, which promotes Asynchronous Javascript and Extensible Markup Language interoperability, a feature known as Ajax.The Ajax open-source organization included Smash in the OpenAjax Hub 1.1 release this summer. That specification helps software developers take advantage of Java and XML functions.A fundamental characteristic of the Smash technology is that it keeps the application code separate from the data that flows through it.In recent months, Meyerrose has been spreading the message to the contractor community that the era of massive, multiyear systems integration projects that feature many milestones is drawing to a close. 'We are going to do less integration of systems end-to-end,' Meyerrose said. 'So we are going to have technologies that protect data and data streams' as information is shared across agencies and systems.DOD and the intelligence community have been building up their expertise in operating secure Web 2.0 information-sharing systems along those lines for more than a decade. One of the largest such networks is Army Knowledge Online (AKO), which went live in 2001. It has served as the foundation for Defense Knowledge Online.AKO's scale, its plans for growth across the military and intelligence arena, and its role as an information-sharing template have profoundly influenced its users among the uniformed services, federal and contractor civilian employees, and the retirees and families who use it.Col. Earl Noble, AKO project manager, said younger military officers and enlisted troops quickly adapt the tools that the network provides for creating their own applications. He cited a group of West Point cadets who had worked in the AKO office who focused on building applications for sharing information.Noble said one of the biggest barriers to achieving the appropriate level of information sharing is many users' desire to hoard their knowledge.The AKO architecture relies on role-based access and authentication to assure the integrity and availability of the right information to the appropriate users, Noble said.When a user accesses AKO, via a single sign-on function that provides access to many systems, the system affords information in accord with the person's role. For example, Noble said, 'I have a Web page for people who are in AKO. Within that page, I have information that can be accessed or changed only by people who are in the military.'The AKO information-sharing framework has generated an evolving information-sharing governance model in seven years of operation that now is ready for implementation across other DOD systems, Noble said. AKO has more than 2 million users and spawned thousands of user communities.Noble cited DOD's massive Future Combat Systems program as a major AKO user. Participants in that program work at sites nationwide, he said. 'The only way they can get their jobs done is to collaborate via a virtual office and to get the information via AKO,' Noble said.Project members collaborate via virtual meetings, file sharing, community pages and Web pages dedicated to their parts of the program, Noble said.'We already have video, blogging and threaded discussions, and we are going to add other features like wikis,' Noble said.One of the most influential Web 2.0 information-sharing projects in the military and intelligence communities has been the Intellipedia project, which uses wiki technology as the basis of intelligence information sharing. Intellipedia encountered initial resistance, followed immediately by efforts to use it to foil information sharing rather than promote it across the intelligence community.Now, Intellipedia has about 75,000 contributors and about 250,000 users, said John Hale of Meyerrose's office. Hale worked with the team that brought the wiki to life in the intelligence community, as part of a group of analysts who adopted the sobriquet 'Intellipedians.'Hale, whose title is chief of solutions delivery for the Intelligence Community Enterprise Solutions arm, said one method for speeding approval of information- sharing projects has been to embed certification and accreditation teams into developer groups from the beginning.In that fashion, certification and accreditation can go forward quickly.The ultimate motives and imperatives for finessing the information-sharing problems arise from the shifting array of national security threats the country faces now and will face in the future.'The people who want to do this nation harm are really good at manipulating data and using the Internet as their command-and-control system,' the Navy's Carey said. Using Web 2.0 technologies to promote information sharing as a means to improve decision-making is critical, he added.Reflecting the caution that many defense IT leaders show when evaluating the security risks of Web 2.0 technology, Carey said, 'We are tapping into this. We are not embedded into this, but we are dipping into it.'