Server-based technology folds multiple secure networks into single architecture.
The Department of Defense Intelligence Information Systems Trusted Workstation (DTW) program is designed to improve intelligence analysts' workflow by allowing them to access multiple secure networks from their desktops.
An advanced thin-client station allows U.S. intelligence analysts to work more effectively by enabling them to share information efficiently on the same network. Data that once resided on multiple networks is now stored on a secure server providing material to individual desktop units. The equipment creates a smaller hardware footprint while improving workflow and reducing security risks.
Information sharing has become a vital component of intelligence analysis. While data was once stored in discrete, secure networks that never mingled, the war on terrorism requires the rapid dissemination of intelligence material to track and counter an elusive and adaptive enemy. By adopting technologies to streamline information exchange, the U.S. intelligence community is becoming more agile in dealing with 21st century threats.
The goal of the Department of Defense Intelligence Information Systems (DoDIIS) Trusted Workstation (DTW) program is to allow analysts with different security clearances to share data on the same network. According to Dr. Ryan Durante, DTW program manager, U.S. Air Force Research Laboratory (AFRL), Rome, New York, the DTW consists of a Sun Microsystems Trusted Solaris Server running Sun Ray Session Server software connected to Sun Ray thin-client desktop systems. The workstations allow users to access and post information simultaneously across many different security domains.
Durante believes that the most important advantage the DTW provides is that it reduces the number of individual computers and monitors on analysts’ desks. “If I’m an analyst and I need access to unclassified JWICS [joint worldwide intelligence communications system], SIPRNET [secret Internet protocol router network] and maybe a few other networks like Stone Ghost, I need to have a different box for each one under my desk. Not only am I going to have different boxes, but I also will have to pay for the software licenses in each box. If I have six boxes, that’s six copies of Windows, six copies of Microsoft Office and so on,” he says.
Each of these individual computers also must operate on a separate network. This arrangement creates infrastructure problems because each network requires its own set of routers, switches and other equipment. Durante notes that this architecture needs several teams of administrators to maintain it.
Operating multiple networks poses other problems. The initial impetus for the DTW program originated from severe space restrictions encountered by the U.S. Pacific Command. “They were running 13 networks, and they needed to add another. But there was no more room in the wire trays. They needed to do something because this was a show stopper,” Durante says.
The Pacific Command’s dilemma was solved by a firm called Trusted Computer Solutions, Herndon, Virginia, that installed the Sun systems. However, the firm had never installed the thin clients on a network larger than 10 computers. “While they had a very elegant solution for multidomain windowing and cross-domain connectivity, if you wanted to scale it to hundreds or thousands of users, it wasn’t going to happen,” he explains.
To resolve this problem, the Pacific Command’s Joint Intelligence Center (JICPAC) began a project with Trusted Solutions and the AFRL to scale the workstations to an enterprise-level solution. The U.S. Defense Information Agency (DIA) soon realized the value of this technology and expanded it to all of the commands under its jurisdiction. The DIA funds, and the U.S. Air Force through AFRL Rome executes, the DTW program.
Durante notes that the Sun Ray client servers are very effective for thin-client applications because they are capable and relatively inexpensive. When purchased in quantity, each unit costs less than $300, he says. The workstations are solid-state and have no moving parts, greatly reducing maintenance requirements. He adds that the DTW stations have an inherent security advantage because they do not contain memory. “If someone shoved it under a jacket and walked out of the SCIF [sensitive compartmented information facility] with it, you have lost nothing other than the hardware,” he maintains.
Besides the administrative benefits of requiring only two networks—one for secure information and one for nonsecure data—the system is very robust, Durante explains. Noting that the Solaris operating system is highly secure, he adds that the network is designed for redundancy to prevent a single-point failure.
Each DTW can run any Windows and Unix Solaris application simultaneously at different classification levels. Analysts can call up these different documents as individual windows on their desktops. The units are typically equipped with a 24-inch flat-screen monitor, which helps to conserve desk space. Because of the reduction in equipment, wiring and space, the Solaris system also provides savings through reduced air conditioning and power requirements. Durante maintains that money also is saved because organizations no longer need multiple computers at every analyst’s desk.
The reduced equipment footprint requires less maintenance. For example, because all data is stored on the server, individual desktop repairs are not needed. “No one will ever, ever, come to your desk again. Because there’s nothing there—there’s no computer to fix. Everything is running on the back-end server,” he says.
The Sun Ray stations are configured to perform a function called “hot desking.” Each workstation thin-client device has a slot for a user’s smart identification card. By inserting the card, users can call up documents and work on the system. This feature allows analysts to go to any other workstation in the same facility, insert their cards and immediately call up their session. Two analysts can share a workstation or information by calling up their individual desktops.
Part of the system’s ability to switch between networks is possible because of a software function called a trusted relabeler. Users can move data between different security levels in a controlled, secure and audited manner. Durante explains that there are multiple ways to set up trusted relabelers based on DIA and site-specific policy. Usually, a two-person review is necessary before any data is moved. He claims that trusted relabelers can move data far more quickly than can other methods. “If there is a piece of secret e-mail that I need to mail out to the top secret network, I can move it with a few mouse clicks,” he says.
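The two-person, audited relabeling described above can be modelled as a small policy check; the example below is added here as an illustration and is not DTW's or Trusted Computer Solutions' code. The classification lattice, the `RelabelRequest` and `Relabeler` names, and the audit-record layout are all assumptions.

```python
from dataclasses import dataclass, field

# Constructed ordering of the domains the article mentions (assumption, not DTW policy).
LEVELS = {"UNCLASSIFIED": 0, "SECRET": 1, "TOP SECRET": 2}


@dataclass
class RelabelRequest:
    item: str                       # identifier of the object being moved (constructed)
    src: str                        # current classification label
    dst: str                        # requested classification label
    requester: str                  # analyst who asked for the move
    reviewers: set = field(default_factory=set)


@dataclass
class Relabeler:
    required_reviews: int = 2       # the article's two-person review
    audit: list = field(default_factory=list)

    def review(self, req: RelabelRequest, reviewer: str) -> bool:
        """Record one review; the requester may not review their own request."""
        if reviewer == req.requester:
            self.audit.append(("REJECTED-SELF-REVIEW", req.item, reviewer))
            return False
        req.reviewers.add(reviewer)
        self.audit.append(("REVIEWED", req.item, reviewer))
        return True

    def move(self, req: RelabelRequest) -> bool:
        """Perform the relabel only with enough distinct reviewers; every outcome is audited."""
        if req.src not in LEVELS or req.dst not in LEVELS:
            self.audit.append(("DENIED-UNKNOWN-LABEL", req.item, req.src, req.dst))
            return False
        direction = "UPGRADE" if LEVELS[req.dst] >= LEVELS[req.src] else "DOWNGRADE"
        if len(req.reviewers) < self.required_reviews:
            self.audit.append(("DENIED", req.item, direction, f"{len(req.reviewers)} reviews"))
            return False
        self.audit.append(("MOVED", req.item, req.src, req.dst, direction, sorted(req.reviewers)))
        return True


if __name__ == "__main__":
    r = Relabeler()
    req = RelabelRequest("email-42", "SECRET", "TOP SECRET", "alice")
    r.review(req, "bob"); r.review(req, "carol")
    print(r.move(req), r.audit[-1])
```

The direction tag in the audit record lets a reviewer distinguish a secret-to-top-secret move, like the one Durante describes, from a downgrade, which site policy may treat more strictly.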
Durante adds that currently analysts can access everything but unclassified networks. This shortfall is a policy and not a technical issue. “They are not comfortable with hooking up unclassified systems just yet. There are some ideas on how we could do that. But as far as having a certified and accredited solution today, it’s not quite there yet,” he says.
But sharing intelligence information is now more vital than keeping it isolated, he notes. Historically, government agencies always chose security over sharing data, but the DTW opens new possibilities. “Defense intelligence is starting to come around to the idea that not sharing information is now a bigger threat than the people we’re trying to protect it from,” Durante says.
Impressed by the results of the pilot program at Pacific Command, the DIA director mandated that 80 percent of all analysts’ desktops have DTW systems by the end of the 2007 fiscal year. The remaining 20 percent of the workstations represent highly specialized equipment that is not compatible with the Solaris equipment. Durante is sanguine about the final results because he believes that the analysis process will be greatly improved by the new workstations. “It’s not just a matter of working well. It’s going to be better, faster and more secure,” he says.
DTW systems recently have been installed at U.S. Joint Forces Command’s Joint Forces Intelligence Command, Norfolk, Virginia. The workstations and servers also are deployed at facilities in Hawaii, Korea and Japan, and pilot sites are operating at U.S. Central Command, MacDill Air Force Base, Florida, and U.S. Strategic Command, Offutt Air Force Base, Nebraska. Durante adds that a site survey is underway at the Joint Analysis Center at Molesworth, England; U.S. European Command headquarters in Stuttgart, Germany; and facilities in Darmstadt, Germany.
Other facilities include U.S. Army Forces Command at Goodfellow Air Force Base, Texas; the Joint Interagency Task Force against terrorism in Hawaii; and the National Air and Space Intelligence Center at Wright-Patterson Air Force Base, Ohio. Durante explains that some of these sites are undergoing full installations, while others will have only a few seats installed. He adds that much of the new equipment will be installed in the fall because the spring and summer months were occupied with site surveys.
DoDIIS Trusted Workstation: www.rl.af.mil/tech/programs/afdi/
Trusted Computer Solutions: www.tcs-sec.com
Sun Microsystems: www.sun.com/sunray1/index.html