
1 SACMAT02-1 Information Sharing and Security in Dynamic Coalitions
Profs. T.C. Ting and Steven A. Demurjian
Computer Science & Engineering Department, 191 Auditorium Road, Box U-155, The University of Connecticut, Storrs, Connecticut 06269-3155
http://www.engr.uconn.edu/~steve
steve@engr.uconn.edu
Charles E. Phillips, Jr.
Computer Science & Engineering Department, 191 Auditorium Road, Box U-155, The University of Connecticut, Storrs, Connecticut 06269-3155
charlesp@engr.uconn.edu

2 SACMAT02-2 Overview of Presentation
- Introduction
- The Dynamic Coalition Problem
  - Civilian Organizations
  - Military Involvement/GCCS
- Information Sharing and Security
  - Federating Resources
  - Data Integrity
  - Access Control (DAC and MAC)
  - Other Critical Security Issues
- Candidate Security Approach
- Conclusions and Future Work

3 SACMAT02-3 Introduction: Crisis and Coalitions
- A Crisis is Any Situation Requiring National or International Attention as Determined by the President of the United States or UN
- A Coalition is an Alliance of Organizations: Military, Civilian, International or any Combination
- A Dynamic Coalition is Formed in a Crisis and Changes as Crisis Develops, with the Key Concern Being the Most Effective way to Solve the Crisis
- Dynamic Coalition Problem (DCP) is the Inherent Security, Resource, and/or Information Sharing Risks that Occur as a Result of the Coalition Being Formed Quickly

4 SACMAT02-4 Introduction: Near Simultaneous Crises
[Figure labels: Crisis Point; NATO Hq; Ship Wreck (UK, SP); Olympic Games; Bosnia (NATO); Kosovo (US, UK); Earthquake (United Nations)]

5 SACMAT02-5 Evaluation vs. DCP: Emergent Need for Coalitions
- “Coalitions must be flexible and no one coalition is or has the answer to all situations.”
  » Secretary of Defense, Donald Rumsfeld
- “Whenever possible we must seek to operate alongside alliance or coalition forces, integrating their capabilities and capitalizing on their strengths.”
  » U.S. National Security Strategy
- “Currently, there is no automated capability for passing command and control information and situational awareness information between nations except by liaison officer, fax, telephone, or loaning equipment.”
  » Undersecretary of Defense for Advanced Technology

6 SACMAT02-6 The Dynamic Coalition Problem
- Dynamic Coalition Problem (DCP) is the Inherent Security, Resource, and/or Information Sharing Risks that Occur as a Result of the Coalition Being Formed Quickly
- Private Organizations (PVO)
  - Doctors Without Borders
  - Red Cross
- Non-Government Organizations (NGO)
  - NYPD
- Government Agencies
  - FBI
  - CIA
  - Military

7 SACMAT02-7 Supporting Advanced Applications: DCP Objectives for Crisis
- Federate Users Quickly and Dynamically
- Bring Together Resources (Legacy, COTS, GOTS, DBs, etc.) Without Modification
- Dynamically Realize/Manage Simultaneous Crises
- Identify Users by Roles to Finely Tune Access
- Authorize, Authenticate, and Enforce a Scalable Security Policy that is Flexible in Response to Coalition Needs
- Provide a Security Solution that is Portable, Extensible, and Redundant for Survivability
- Include Management/Introspection Capabilities to Track and Monitor System Behavior

8 SACMAT02-8 The Dynamic Coalition Problem: Coalition Architecture
[Figure labels]
- Clients Using Services: French Air Force Client; U.S. Navy Client; U.S. Army Client; German COTS Client; NATO Database Client; Federal Agencies (FEMA, FBI, CIA, etc.) Client; NGO/PVO (Red Cross, NYPD, etc.) Client
- Resources Provide Services: U.S. Legacy System; COTS; GCCS (US); NGO/PVO Resource; LFCS (Canada); SICF (France); HEROS (Germany); SIACCON (Italy); NATO SYS

9 SACMAT02-9 The Dynamic Coalition Problem: Joint and Combined Information Flow
[Figure labels: Common Operating Environment; GCCS; GCCS-A; GCCS-N; GCCS-AF; GCCS-M; JMCIS; TBMCS; TCO; ABCS; MCS; ASAS; CSSCS; FAADC2I; AFATDS; FBCB2; BSATOC; CORPS, DIV, BDE, BN, CO; Adjacent Joint Task Force; NATO Systems; Coalition Systems; Army; Marines; Navy; Air Force; Coalition Partners]
- Joint: Marines, Navy, Air Force, Army
- Combined: Many Countries

10 SACMAT02-10 The Dynamic Coalition Problem: Combined Information Flow
[Figure labels: Logistics; Air Defense/Air Operations; Fire Support; Network and Resource Management; Intelligence; GCCS - Joint/Coalition - Maneuver; Combined Database]

11 SACMAT02-11 The Dynamic Coalition Problem: Coalition Artifacts and Information Flow
GOAL: Leverage information in a fluid, dynamic environment
[Figure labels: Dynamic Coalition; U.N.; U.S.A; NGO/PVO; NATO; U.S. Global C2 Systems; Army C2; Marine Corps; Navy; Air Force; Army; GCCS; GCCS-A; FADD; AFATDS; MCS; ASAS; CSSCS; ABCS; Other; Battle Management System; Joint Command System; Army Battle Command System; Combat Operations System]

12 SACMAT02-12 The Dynamic Coalition Problem: Global Command and Control System
GCCS Provides:
- Horizontal and Vertical Integration of Information to Produce a Common Picture of the Battlefield
- 20 separate automated systems
- 625 locations worldwide
- private network
[Figure labels: Global C2 Systems; Battlefield C2 System; Embedded Battle Command; FBCB2/EBC; Tactical Internet; Client/Server; Situational Awareness; Maneuver Control; Air Defence; Intel; Intel Support; Mission Planning; Topo; Topo Support; Arty; Arty Support; Air Defence Arty; MET; Mobile Subscriber Equipment; Data Radio; SATCOM; Satellite; Company; Platoon; Squad]

13 SACMAT02-13 The Dynamic Coalition Problem: Global Command and Control System
Joint Services (a.k.a.):
- Weather: METOC
- Video Teleconference: TLCF
- Joint Operations Planning and Execution System: JOPES
- Common Operational Picture: COP
- Transportation Flow Analysis: JFAST
- Logistics Planning Tool: LOGSAFE
- Defense Message System: DMS
- NATO Message System: CRONOS
Component Services:
- Army Battle Command System: ABCS
- Air Force Battle Management System: TBMCS
- Marine Combat Operations System: TCO
- Navy Command System: JMCIS

14 SACMAT02-14 The Dynamic Coalition Problem: Global Command and Control System, Common Picture
[Figure: Common Operational Picture]

15 SACMAT02-15 The Dynamic Coalition Problem: GCCS Shortfalls: User Roles
- Currently, GCCS Users have Static Profile Based on Position/Supervisor/Clearance Level
  - Granularity Gives “Too Much Access”
  - Profile Changes are Difficult to Make - Changes Done by System Admin. Not Security Officer
- What Can User Roles Offer to GCCS?
  - User Roles are Valuable Since They Allow Privileges to be Based on Responsibilities
  - Security Officer Controls Requirements
  - Support for Dynamic Changes in Privileges
  - Towards Least Privilege

16 SACMAT02-16 The Dynamic Coalition Problem: GCCS Shortfalls: Time Controlled Access
- Currently, in GCCS, User Profiles are Indefinite with Respect to Time
  - Longer than a Single Crisis
  - Difficult to Distinguish in Multiple Crises
  - No Time Controllable Access on Users or GCCS Resources
- What can Time Constrained Access offer GCCS?
  - Junior Planners - Air Movements of Equipment Weeks before Deployment
  - Senior Planners - Adjustment in Air Movements Near and During Deployment
  - Similar Actions are Constrained by Time Based on Role

17 SACMAT02-17 The Dynamic Coalition Problem: GCCS Shortfalls: Value Based Access
- Currently, in GCCS, Controlled Access Based on Information Values Difficult to Achieve
  - Unlimited Viewing of Common Operational Picture (COP)
  - Unlimited Access to Movement Information
  - Attempts to Constrain would have to be Programmatic - which is Problematic!
- What can Value-Based Access Offer to GCCS?
  - In COP
    - Constrain Display of Friendly and Enemy Positions
    - Limit Map Coordinates Displayed
    - Limit Tier of Display (Deployment, Weather, etc.)

18 SACMAT02-18 The Dynamic Coalition Problem: GCCS Shortfalls: Federation Needs
- Currently, GCCS is Difficult to Use for DCP
  - Difficult to Federate Users and Resources
  - U.S. Only system
  - Incompatibility in Joint and Common Contexts
  - Private Network (Not Multi-Level Secure)
- What are Security/Federation Needs for GCCS?
  - Quick Admin. While Still Constraining US and Non-US Access
  - Employ Middleware for Flexibility/Robustness
  - Security Definition/Enforcement Framework
  - Extend GCCS for Coalition Compatibility that Respects Coalition and US Security Policies

19 SACMAT02-19 Information Sharing and Security: Federated Resources
[Figure labels: Resources; Common Picture; JSTARS; Unmanned Aerial Vehicle; Satellites; Bradley / EBC; Command & Control Vehicles; Army Airborne Command & Control System; Army Battle Command System (ABCS); Embedded Command System; Fwd Support Element; Ammo/Fuel Refit; Embedded Battle Command nodes for Air Defence, Intel Fusion, Maneuver Control, Personnel and Logistics, Field Artillery]

20 SACMAT02-20 Information Sharing and Security: Syntactic Considerations
- Syntax is Structure and Format of the Information That is Needed to Support a Coalition
- Incorrect Structure or Format Could Result in Simple Error Message to Catastrophic Event
- For Sharing, Strict Formats Need to be Maintained
- In US Military, Message Formats Include
  - Heading and Ending Section
  - United States Message Text Formats (USMTF)
  - 128 Different Message Formats
  - Text Body of Actual Message
- Problem: Formats Non-Standard Across Different Branches of Military and Countries

21 SACMAT02-21 Information Sharing and Security: Semantics Concerns
- Semantics (Meaning and Interpretation)
  - USMTF - Different Format, Different Meaning
  - Each of 128 Messages has Semantic Interpretation
  - Communicate Logistical, Intelligence, and Operational Information
- Semantic Problems
  - NATO and US - Different Message Formats
  - Different Interpretation of Values
    - Distances (Miles vs. Kilometers)
    - Grid Coordinates (Mils, Degrees)
    - Maps (Grid, True, and Magnetic North)

22 SACMAT02-22 Information Sharing and Security: Pragmatics Issues
- Pragmatics - The Way that Information is Utilized and Understood in its Specific Context
- For Example, in GCCS

23 SACMAT02-23 Information Sharing and Security: Pragmatics Issues
- Pragmatics in GCCS
[Figure: division communications laydown (DMAIN, DTAC, DIV REAR, DISCOM, DIVARTY, 1st through 4th BDE and subordinate units, linked by SINCGARS, EPLRS, GBS, BVTC and relay nodes). Note: 3rd BDE not part of 1DD in Sep 2000.]
- Node Estimate
  - Current FDD laydown has 53 autonomous Command Post/TOCs (i.e., nodes)
  - For a full Corps >200 nodes
- Basic Distribution Requirement
  - Distribution Policies
  - Automation & Notification
  - User Controls
  - Transport Mechanisms
  - System and Process Monitors
  - Security, Logs, and Archives
- Network Distribution Policy
  - What
  - When
  - Where
  - How - Prioritized - Encrypted

24 SACMAT02-24 Information Sharing and Security: Data Integrity
- Concerns: Consistency, Accuracy, Reliability
- Accidental Errors
  - Crashes, Concurrent Access, Logical Errors
  - Actions:
    - Integrity Constraints
    - GUIs
    - Redundancy
- Malicious Errors
  - Not Totally Preventable
  - Actions:
    - Authorization, Authentication, Enforcement Policy
    - Concurrent Updates to Backup DBs
    - Dual Homing

25 SACMAT02-25 Information Sharing and Security: Discretionary Access Control
- What is Discretionary Access Control (DAC)?
  - Restricts Access to Objects Based on the Identity of Group and/or Subject
  - Discretion with Access Permissions Supports the Ability to “Pass-on” Permissions
- DAC and DCP
  - Pass on from Subject to Subject is a Problem
  - Information Could be Passed from Subject (Owner) to Subject to Party Who Should be Restricted
  - For Example,
    - Local Commanders Can’t Release Information
    - Rely on Discretion by Foreign Disclosure Officer
- Pass on of DAC Must be Carefully Controlled!

26 SACMAT02-26 Information Sharing and Security: Role Based Access Control
- What is Role Based Access Control (RBAC)?
  - Roles Provide Means for Permissions to Objects, Resources, Based on Responsibilities
  - Users May have Multiple Roles Each with Different Set of Permissions
  - Role-Based Security Policy Flexible in both Management and Usage
- Issues for RBAC and DCP
  - Who Creates the Roles?
  - Who Determines Permissions (Access)?
  - Who Assigns Users to Roles?
  - Are there Constraints Placed on Users Within Those Roles?

27 SACMAT02-27 Information Sharing and Security: Mandatory Access Control
- What is Mandatory Access Control (MAC)?
  - Restrict Access to Information, Resources, Based on Sensitivity Level (Classification)
  - Classified Information - MAC Required
  - If Clearance (of User) Dominates Classification, Access is Allowed
- MAC and DCP
  - MAC will be Present in Coalition Assets
  - Need to Support MAC of US and Partners
  - Partners have Different Levels/Labels
  - Need to Reconcile Levels/Labels of Coalition Partners (which Include Past Adversaries!)

28 SACMAT02-28 Information Sharing and Security: Other Issues
- Intrusion Detection
  - Not Prevention
  - Intrusion Types:
    - Trojan Horse, Data Manipulation, Snooping
  - Defense:
    - Tracking and Accountability
- Survivability
  - Reliability and Accessibility
  - Defense:
    - Redundancy
- Cryptography
  - Fundamental to Security
  - Implementation Details (key distribution)

29 SACMAT02-29 Candidate Security Approach: Software Architecture
[Figure labels]
- Clients: Java Client; Legacy Client; Database Client; Software Agent; COTS Client
- Resources: Wrapped Resource for Legacy Application; Wrapped Resource for Database Application; Wrapped Resource for COTS Application; General Resource
- Lookup Service (shown twice)
- Security components: Security Authorization Client (SAC); Security Policy Client (SPC); Global Clock Resource (GCR); Unified Security Resource (USR); Security Registration Services; Security Policy Services; Security Authorization Services; Security Analysis and Tracking (SAT)

30 SACMAT02-30 Candidate Security Approach: Enforcement Framework
[Figure components: GCCS Client; Lookup Service; GCCS Resource; USR (Security Registration Services, Security Policy Services, Security Authorization Services); Tracking Tool; Global Clock]
Numbered messages in the figure:
1. Register_Client(DoRight,100.150.200.250, ArmyLogCR1)
2. Verify_UR(DoRight,ArmyLogCR1)
3. Client OK?
4. Return Result,Create_Token(DoRight,ArmyLogCR1,Token)
5. Discover/Lookup(GCCS,Joint,CrisisPicture) Returns Proxy to Course Client
6. CrisisPicture(Token,CR1, NA20, NC40)
7. IsClient_Registered(Token)
8. Return Result of IsClient_Registered(…)
9. Check_Privileges(Token, GCCS, Joint, CrisisPicture, [NA20,NC40])
10. Return Result of Check_Privileges(…)
11. Return Result,CrisisPicture(…)

31 SACMAT02-31 Candidate Security Approach: Security Assurance Checks
[Flowchart, branches labelled Yes/No]
- Start
- Required User-Authentication Check
  - Authentication Unsuccessful (to error handler)
  - Authentication Successful
- Constraint-Based Assurance Checks
  - Mandatory Access Control Check
  - Value Constraint Check
  - Time Constraint Check
- Authorization Unsuccessful (to error handler)
- Authorization Successful (continue process)
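
The chain on the Security Assurance Checks slide, written out as an added Python example (not code from the presentation or from the authors' system). It assumes the constraint checks run in the order the slide lists them; the role `ArmyLogCR1` and method `CrisisPicture` are names from the slides, while the tokens, the `NgoReliefCR1` role, the labels, coordinate bands and dates are constructed.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sensitivity ordering, lowest to highest.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}

@dataclass(frozen=True)
class Grant:
    """What one user role may do with one method (hypothetical fields)."""
    clearance: str   # MAC: clearance carried by the role
    lat: tuple       # value constraint: (min, max) latitude shown
    lon: tuple       # value constraint: (min, max) longitude shown
    window: tuple    # time constraint: (start, end) of the role's access

# Constructed policy. ArmyLogCR1 and CrisisPicture are names from the
# slides; tokens, NgoReliefCR1, labels, areas and dates are invented.
JUNE = (datetime(2002, 6, 1), datetime(2002, 6, 30))
TOKENS = {"tok-1": "ArmyLogCR1", "tok-2": "NgoReliefCR1"}
CLASSIFICATION = {"CrisisPicture": "SECRET"}
GRANTS = {
    ("ArmyLogCR1", "CrisisPicture"):
        Grant("SECRET", (40.0, 46.0), (13.0, 23.0), JUNE),
    ("NgoReliefCR1", "CrisisPicture"):
        Grant("UNCLASSIFIED", (40.0, 46.0), (13.0, 23.0), JUNE),
}

def check_privileges(token, method, lat, lon, at):
    """Run the checks in slide order; the first failure decides."""
    role = TOKENS.get(token)
    if role is None:
        return False, "authentication: token not registered"
    grant = GRANTS.get((role, method))
    if grant is None:
        return False, "authorization: role has no grant for method"
    if LEVELS[grant.clearance] < LEVELS[CLASSIFICATION[method]]:
        return False, "mac: clearance does not dominate classification"
    if not (grant.lat[0] <= lat <= grant.lat[1]
            and grant.lon[0] <= lon <= grant.lon[1]):
        return False, "value: coordinates outside permitted area"
    if not grant.window[0] <= at <= grant.window[1]:
        return False, "time: outside the role's access window"
    return True, "authorized"

if __name__ == "__main__":
    noon = datetime(2002, 6, 10, 12, 0)
    for tok, lat in (("tok-1", 43.8), ("tok-2", 43.8), ("tok-1", 50.0)):
        print(tok, lat, check_privileges(tok, "CrisisPicture", lat, 18.4, noon))
```

Returning the failing check by name gives the tracking component something specific to log for each denied call.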

32 SACMAT02-32 Conclusions and Ongoing Work
- Explored Information Sharing Issues
- Defined the Dynamic Coalition Problem
- Discussed Coalition Participants
- Examined GCCS and Needed Improvements
- Offered Candidate Security Approach
- Related/Ongoing Research Includes
  - Support for Mandatory Access Controls
  - Role Deconfliction and Mutual Exclusion
  - User Constraints
  - User Role Delegation Authority
- www.engr.uconn.edu/~steve/DSEC/dsec.html

