Imagine you’re part of an international military campaign to defeat a violent quasi-state, and it takes as long as six hours for coalition partners to share a single piece of data. That was the situation during Operation Inherent Resolve, a combined task force led by the U.S. and joined by more than 10 nations to fight the terrorist group ISIS.
It’s that kind of mission-undermining problem that led the U.S. Department of Defense to launch its Mission Partner Environment initiative as part of its connect-everything effort, Joint All-Domain Command and Control, or JADC2. MPE is intended to allow joint forces to share data – quickly and persistently.
In military campaigns, information also needs to be shared securely. In the past, such security was achieved through a network-centric approach focused on hardening the periphery against attack. Not all networks are compatible, and not all connected devices are secure. And as coalitions form, evolve and dissolve, the periphery never remains stable. So a network-centric approach is no longer adequate.
‘Never trust, always verify’
What MPE requires is a data-centric cybersecurity model. As long as the data itself is ironclad, information assets remain protected – even if enemy actors steal devices or hack into the network. In fact, data-level security is central to the DoD’s Zero Trust Reference Architecture, built around the precept “never trust, always verify.”
Given the disparate nature of coalition networks, for data-centric security to work, it needs to be built on open standards that function across various technology environments. Fortunately for MPE, there’s a proven and achievable solution: Trusted Data Format, or TDF.
Created at the National Security Agency, TDF is an open standard for protecting data with military-grade encryption. It’s approved by the Office of the Director of National Intelligence and is already used extensively by the U.S. military and intelligence communities.
TDF offers several compelling features. For starters, it’s an open standard, so it doesn’t lock the DoD or coalition partners into proprietary technology. Think of it as a secure envelope for sensitive data. The address, return address, stamp and seal all go in standard places, so all participants can use it the same way.
What’s more, TDF uses a single approach to encrypting multiple types of data, including Microsoft documents, PDFs, email, images and video. In the past, each type of data would require its own specialized encryption. But with TDF, coalition partners can wrap all these data types (and more) in the same protection.
In addition, TDF is available in a lightweight variant (under 100 bytes) called NanoTDF. NanoTDF encrypts sensor data traveling over low-bandwidth networks, such as 5G or SATCOM, without slowing transfer rates. That’s vital as coalition partners share more and more sensor-generated information.
Finally, TDF lets data creators specify attributes for who need access to the data. Those attributes might be nation, coalition member, program member, clearance level and so on. If a coalition partner meets all those criteria, it can access the data. But if the partner is no longer a member of a specific program, say, it automatically loses access to that specific data. The access control persists no matter where the data is shared, for as long as the data exists. And the data creator can revoke that access at any time.
How can data be shared securely with Ukraine?
Think about where these features could be vital to the DoD and our allies. One recent example is supporting Ukraine in defending itself against Russia. The DoD might want to securely share data with Ukraine, but without allowing Ukraine onto its networks. TDF offers a solution. Another example is Finland and Sweden seeking to join NATO. If approved, the process of enabling those nations to access sensitive NATO data will be lengthy and cumbersome. TDF can automate many of those steps, in a more secure manner and with fewer manual errors.
Achieving data-centric security for MPE won’t be without its challenges. One is enabling coalition users to tag pieces of data with appropriate access controls at scale. But TDF has an attribute-based approach that enables solutions to this problem, as well. A simple example is that a TDF-based email interface can allow users to manually check a box to apply access controls before the email is sent. A more sophisticated example is using artificial intelligence to automatically tag sensor data in fine-grained detail.
The DoD will increasingly need to share data with foreign militaries, intelligence communities, and other federal and municipal agencies. MPE is an ambitious and tangible mechanism for enabling that collaboration. But data-centric cybersecurity will be crucial. TDF provides the ironclad safeguards to make MPE secure at the data level, with the openness and flexibility to ensure those protections as DoD coalitions evolve with changing demands.
Will Ackerly is the Chief Technology Officer and Co-Founder of Virtru, a provider of data protection services. Prior to founding Virtru in 2012, he spent eight years at the National Security Agency where he specialized in cross-agency cloud analytics and security architecture.
Have an Opinion?
This article is an Op-Ed and the opinions expressed are those of the author. If you would like to respond, or have an editorial of your own you would like to submit, please email C4ISRNET Senior Managing Editor Cary O’Reilly.