While the push forward for better collaboration and information-sharing capabilities will require technical advances, the experts at today’s NATO workshop in Brussels, Belgium, are struggling with an even bigger challenge than connecting the bits and bytes.

The complex policy, governance and legal issues that a single interoperability level creates must be resolved because, as workshop moderator Dag Wilhelmsen emphasized, real lives are involved. Wilhelmsen, the technical director of the NATO Communication and Information Systems Service Agency, opened the workshop by saying the aim is to establish a common language, vision and standards for identity management in a federated environment.

The banking industry, historically a broker of trust between transaction parties, had a prominent presence in the workshop. Perhaps the most widely recognized example of federated identity management is the ATMs that can be accessed from most bank terminals across the world. The closer you get to money, the higher the identity management level must be. It is about risk management too, not just technology, Hilary Ward, who heads the managed identity services, global transaction services for Citigroup, suggested to the participants.

Standards and accreditation organizations as well as NATO representatives and other industry thought leaders talked about various products and case studies. Clearly, one size does not fit all, yet there have to be mechanisms in place so that information can be shared and identities can be verified. The appropriate level of access can change in different scenarios–and the role of individuals can change as well.

Many questions and answers punctuated each presentation, with audience members offering insight and often adding to the conversation with their own expertise and recommendations. The AFCEA Europe office will be posting presentations on its Web site the first week of November so that the collaboration opportunity can continue.

This is my take on the AFCEA, Northcom and George Mason University conference on “Inter-agency, Allied and Coalition Information Sharing,” which was covered on SIGNAL Scape last week.

No, we still can’t connect the dots as well as hoped and never will, but conferees agreed that what matters most is the thoughtful and trusting use that humans could make of what information manages to flow through IT systems, however improperly they may be connected. Technology is neither the roadblock nor the solution to building an information sharing network.

Warfighters in conventional wars knew their expectations for information never would be fulfilled and that no plan survives first contact with the enemy. So they accepted the “fog of war,” switched to Plan B, realistically assessed residual risk and accepted the 80% solution.

Practitioners of this new form of warfare—be it unconventional, irregular, unrestricted, asymmetric, COIN, counter terrorism, whatever—who seek also to better serve the warfighter, should accept the inevitable fog (inadequate IA, lack of trust, et al.) and differentiate between desires of the warfighter—about which much was said in this conference—and their actual needs—about which little was said.

Technology didn’t connect the dots in 9/11—or Pearl Harbor either—nor is it likely to predict the next national emergency. The greatest challenge to  providing predictive, exploitable information in this new type of war will be coping with existential culture and the human behavior that it nurtures. And the new architectures will vary widely by mission.

To that end the label “national security” is not helpful. National security is not an enterprise. It is goal to be reached only through embracing a host of the dissimilar enterprises of agencies, allies and non-traditional partners. All of these enterprises are driven by unique cultures, processes and norms, and enforced by instincts of institutional survival.

The term “command and control” (C²) is not helpful when applied to the search for this new national security apparatus. The study reported by Dr. David Alberts (and reported on here) reveals a fundamental disconnect between how we organize for and practice management today and the new “complex endeavor challenges of the 21st Century.

What passes as acceptable practice in conventional war—where unity of command and centralized control is given—differs dramatically when allies are involved. C² rarely applies to coalition operations and becomes an oxymoron in humanitarian efforts, stabilization and national-building—all of which now fill the platter labeled national security. Perhaps, said one senior participant in the closing Town Hall session, it is time to face reality, accept a bottom-up approach and let user needs drive information sharing policy.

If today’s Internet is beyond technical repair —and not all conferees agreed that it is—does Web 2.0 promise relief? Will social software (informal, inter-personal, ad-hoc networks) be allowed to play? The digital natives from the 20-something generation are coming aboard with soaring expectations of unlimited collaboration and sharing, but their employers don’t necessarily share these views and will resist. It is one thing to preach the need to share rather than shield information, but information is power and that source of power will be zealously protected. Also, the Facebook generation may find their expectations tempered by organizational dictates for reward and promotion.

Finally, if the individual is the ultimate solution, is this not the same cohort who’s insensitivity to information security has put national security at risk? But, that’s the theme of the another SOLUTIONS series event, later this year.

The Obama administration can take certain key steps to improve the ability to recognize and deal with national security threats, according to recommendations in “Nation at Risk,” a report issued by The Markle Foundation Task Force on National Security in the Information Age. Jeff Smith of Arnold & Porter LLP, a steering committee member for the report, presented it yesterday at the AFCEA SOLUTIONS conference on information sharing.

“We are still vulnerable because we cannot connect the dots,” Smith said. “The need-to-know principle is important, but it inhibits information sharing at a time when it’s needed. Information sharing practices are still a hodgepodge. We need stronger leadership and stronger direction.”

The task force had four recommendations to that end for the President and Congress: Recommit to information sharing, ensure information’s accessibility and discoverability, develop government-wide privacy policies, and find ways to overcome bureaucratic change.

Smith observed that the recommendations were straightforward enough but required a commitment from leadership to implement. Of significant concern, he continued, was that “the sense of urgency on information sharing has diminished in the last seven years.”

Download the report: “Nation at Risk” (pdf link)

The dramatic culture shift that needs to happen for government agencies to embrace change kept coming up at the SOLUTIONS conference like the refrain of a popular song: agencies must move from an emphasis on risk avoidance to a focus on risk management. Without that shift, the quest to achieve 100 percent risk avoidance is quixotic at best; more realistically, it hampers agencies’ ability to share information.

Addressing “Best Practices and Case Studies: The Framework for Allied/Coalition Information Sharing,” panelists at yesterday afternoon’s second track session weren’t able to come up with best practices in action so much as they made recommendations for what needs to happen to facilitate best practices. Among those points:

• “We have this mentality that we can control or eliminate risk with technology, but we can’t,” said Maj. Robert Castillo, USA, Branch Chief, US Southern Command. “We need to change culture and policy, and start with the individual operator first.”
• Elwood “Bud” Jones, Program Manager, MNIS, US Central Command, framed lawyers’ usual response to the question of permission a little differently. “They’ll tell me that we can’t do something. Their job is not to tell me what I can’t do—tell me how I can do it,” he said.
• Malcolm Green, Chief CAT 9, NATO C3 Agency, participated via distance technology, but even being on a video screen, he jumped right in with a perspective on how to manage security through identity assurance. “Our long-term goal is that information will have a security wrapper around it, then anyone with the right credentials will be able to unwrap the information,” he said.
• Bobbie Stempfley, CIO of DISA, said that there needed to be some streamlining of standards so that enterprise solutions will work for multiple agencies. That, she added, can’t happen, unless the agencies can “agree what the problem is with enough specificity that it will work” for all of them.

One of the biggest barriers of all, the panelists agreed, was the lethargic attitude toward the changes that need to happen. “We are hearing the cry for better answers technologically and procedurally, but it’s a painful and long process,” said Stempfley.

“Operators come to us with a good idea. Vendors come to us with good solutions. But we always run into the policy barrier that slows us down,” Jones added. “It’s always a six to 12 to 24 month process. If [the agency] was truly embracing information sharing, that policy would have been changed.”

Ultimately, they decided to weigh in with the biggest challenge in information sharing that is making little to no progress. Simply put, “Cultural changes and policy changes,” said Jones. “Embrace these changes to provide a common network for the warfighter so he can get the information he needs, when he needs it, to achive the mission.”

Chris Gunderson of the Naval Postgraduate School posited some interesting ideas during yesterday afternoon’s plenary sessions about why everyone keeps hearing the same things about changes that need to be made. Certain things, he suggested, we should just acknowledge and move past:

• Gunderson believes that we have all the policy we need; we don’t need to add more policy.
• He added that there is a federation issue. If you can’t federate systems, you can’t be netcentric.
• Considering the engineering and boundary perspectives, engineers just can’t bolt on security after the fact–have to make sure it’s in up front. David Minton of Raytheon, who partnered with Gunderson to create the World Wide Consortium for the Grid, explained this with a metaphor: Safety is built into commercial airplanes, because the models they are based on are built to high-end specifications. To make airplanes (or airlines) affordable for consumers, engineers have to consider what to take out, and it won’t be the safety features. Minton said this model can help us understand how to put security in the enterprise.
• Resonating with other panels at SOLUTIONS, Gunderson emphasized that there isn’t not a technology issue anymore. Service-oriented architecture, cloud technology, and open source communites can get us there.
• However, given facts of life with regard to scale, time and cost, there is no way to get there from here, as he put it, outside “Main Street.” Many times, the solutions we need are already on the shelf.
• Gunderson advocated for an integrated perspective in which the acquisition model is not segregated from the command and control it supports. “Continuing improvement of business is part of C²,” he said.

^{Gunderson focused on the acquisition piece for the rest of his presentation, noting that there were ways of accelerating the process that included using more off-the-shelf solutions. “If the government aims at closing the gaps in technology for military missions … the competitive process will ensure that more off-the-shelf solutions are available,” he said.}

^{One of the problems Gunderson observed with the current acquisition process is that by the time an off-the-shelf solution is available, its already out of date. As a result, “After many years and  billions of dollars spent,  the promise of SOA in DoD is largely unfulfilled,” Gunderson said.}

^{What really needs to change is that perspectives must broaden, Gunderson said. It’s no longer enough to monitor quality and security, “It’s not just quality, but value, which is reliability and trusted significant content with continuous improvement. Information assurance is not just security, Assurance includes supportabilty and availability as well,” he said.}

Command and control (C²) still hasn’t evolved with the times, according to an afternoon plenary session at AFCEA SOLUTIONS today. Dr. David S. Alberts, director of research for the Office of the Assistant Secretary of Defense, networks and information integration, spoke on the maturity and agility of C². Alberts explained missions are increasingly complex, with implications on command and control:

• There will not be a unified chain of command.
• Each entity involved will have its own interest and intent.
• The situation will be in part unfamiliar to each entity.
• There will be multiple planning processes.
• Critical information and expertise necessary to understand the situation will be non-organic.
• To be effective, actions will require developing synergies between and among entities.

Addressing this complexity requires a spectrum of C² maturity, Alberts continued, that starts out with conflicted, progresses to deconflicted, then to cooperative, then to collaborative, and lastly, at the “top,” what he calls “Edge C². It isn’t so much that each level is better than the other so much as it is qualitatively different and more difficult to achieve. “There is no one-size-fits-all solution,” Alberts said. “There is a level of maturity that is appropriate to every situation.”

Moving on to agility, Alberts noted that agility is more than just flexibility–it also includes adaptability, responsiveness, robustness, resilience and innovativeness. “C² agility is the ability to maintain effective command and control as a function of changing circumstances and stresses,” he said.

This agility and understanding how to best apply it and the C² spectrum will help us better understand how to prevail in complex mission environments, and will help us shift from entity command and control to collective command and control, Alberts said, and ultimately help us improve our net-centricity.

Although there has been a great deal of progress in streamlining information sharing among allied forces over the past decade, many impediments remain. As the panelists at this morning’s session on the challenges surrounding information sharing in a coalition environment noted, the devil is in the details.

One point of discussion was how difficulties with coalition information sharing were mirrored by the lack of information assurance standards throughout the U.S. military services and intelligence agencies. History is a key factor behind this situation, said Steven Pitcher, chief of the Joint Staff’s information sharing branch. He explained that when the services set up information sharing arrangements, they focus on the joint or interoperability aspects first, but rarely manage the process to include coalition forces. A key challenge is a lack of uniform certifications across the Defense Department.

An area where some progress is being made is in federated identity and secure collaboration systems. Social networking tools can be very effective in unclassified networks for stability operations and humanitarian work, said Pitcher. Although there has been a lot of work done on the technology and policy aspects of information sharing, the challenge remains in properly merging the two aspects in ways that military personnel can use effectively.

Col. Mark Nickson, U.S. Africa Command’s (AFRICOM’s) Deputy Director for C4 systems, offered the example of his command where technology is vital for information sharing. A key part of his job, the colonel explained, is working through the tactics, procedures and process for sharing information with African nations. He noted that social networking sites such as Facebook and Twitter have great potential with AFRICOM and its partners, but policies must first be put in place to need to use them.

When asked if social networking at the personal level is even desirable, Theresa Ramsey, executive advisor to the Office of the Undersecretary of Defense Intelligence, replied that identification—who someone is and what their role is—remains a challenge in coalition environments. She added that there is currently no mechanism for role-based identification in government level international networks. A trusted coalition/multinational operating environment would have enormous potential, she said.

The operational and intelligence communities also have very different perspectives on network security and risk. Pitcher explained that strong authentication is a key because military users on the ground by the nature of their mission must take risks. He noted that the intelligence and operational groups often don’t understand each other very well and that both need to work together to better need their mutual needs. However, he said that trust and cultural differences will be the greatest hurdles to overcome.

A core issues is data ownership, which is in the hands of the organizations that collect the data. Ramsey said that the a major inhibitor to coalition information sharing is the third agency rule—data must be approved by a third agency before it can be shared by two coalition partners. She added that the agencies and services are fighting this rule by developing their own workarounds. But workarounds break down trust because each party does not trust the other with its information.

One way to solve this issue is to take steps to mark and label data to ensure information sharing, said Pitcher. He observes that it took nearly 50 years of agency stove piping to get to this state of affairs. Coalitions allies will not share their data if its security is in doubt.  “A lot of the policies out there were written by people who never had to implement them. If they had to, they would change them,” he said.

Ongoing exercises at the national level are the key to improving inter-agency homeland security processes, according to panelists at Tuesday morning’s Defense Support of Civil Authorities (DSCA) panel at AFCEA SOLUTIONS. Such exercises contributed to the successful security implementation at the inauguration in January, said Col. Ken McNeill, ARNG, NGB/J-6.

Stumbling blocks can occur in technology and policy, but the obstacles tend not to be in technology, the colonel said. “With technology we can create whatever we need. More often [the roadblocks] are in policy and understanding different organizations.” He continued to explain another area where roadblocks commonly happen that is often overlooked. “National exercises and the exercises the states do, at local and parish level is the formula for improving a process. As we go through exercises and real-world events, we learn something each time. That’s a positive,” Col. McNeill said.

Edmon Begoli, Oak Ridge National Laboratory, described some of the scenarios that he had helped plan, and said no matter what we think the obstacles are, every technology should meet two requirements. “The first mission how easy is it get to the informoation, then how secure is it. These two missions should be in front of all the technologists. These are the trends for years to come,” Begoli said.

As the panel unfolded, with moderator Bob Melissinos, Vice President, Ezenia, bringing audience perspectives into the conversation, it became clear that identity assurance was another major concern for agencies on the ground. Ensuring that the people who needed the information would be the people accessing the information is one of the biggest challenges of coordinating multilevel cooperative efforts. And as one person posited via the web, how are we going to get to collaboration when we can’t agree on authentication?

Collecting requirements is another ongoing issue. As Begoli noted, it’s not enough to plan for a natural disaster or a terrorist attack—what if there are two simultaneous natural disasters or terrorist attacks? This kind of scenario planning is an art, Begoli said. “Trying to work with agencies to extract specifications requires an enthusiasm for not sitting and waiting for requirements.”

The panelists agreed that cooperation and collaboration between federal defense and civic agencies has come a long way since the days of Hurricane Katrina, but that there remains much to do.

(For an interesting look at the Joint CONUS Communications Support Environment with comments from Col. McNeill, see Henry Kenyon’s article in SIGNAL from last July, National Guard Looks to Connect Nationwide.)

General Victor E. Renuart Jr., USAF, commander, North American Aerospace Defense Command and U.S. Northern Command, opened the AFCEA Solutions conference on Inter-Agency, Allied and Coalition Information Sharing with a resounding endorsement of the need for continuing conversation about information sharing. But conversation isn’t enough, he continued. “Discussions don’t move to real solutions very rapidly. Discussion is wonderful, but action is what we need.”

Gen. Renuart discussed the nature of NORAD/NORTHCOM as two commands that are separate but integrated, with a mission to provide support in disaster relief and support of major special events in coordination with other homeland security and law enforcement agencies. Even since Katrina, the general noted, we’ve come a long way in being able to collaborate and coordinate efforts among disparate groups. He explained that the support they provide is like having a “village with 120 flags in it,” each associated with another command structure.

“Information sharing enables everything we do,” Gen. Renuart said. “It sounds a little trite, but everything of substance that occurs in our world revolves around our ability to move data around to allow a leader to make a decision about an operation.”

One example he cited was a Google Maps application that had been extended to allow disaster recovery workers to find the closest sources of relief supplies.

But one caveat Gen. Renuart offered was the ongoing need to address cyber security issues.”Security and access don’t compete with one another—they need to complement one another,” he said. “But we’ve grown up thinking of networks as convenient, as opposed to an essential way we do business. [Cyber security] is not just a defense issue; it’s not just a government issue; it’s not just one nation’s issue.”

And that, the general stated, is what the AFCEA SOLUTIONS conference is all about. “We need a collaborative way to defend our networks while preserving access,” he said. “Dot-mil, dot-net, dot-com and dot-gov all need to be able to talk together, so if any of you have a solution for that one, we would like that quickly.”