Managing Open Source Data in Cross-Domain Environments
The war in Ukraine has highlighted the importance of open-source intelligence (OSINT) data to military operations. While OSINT’s utility has been recognized by the U.S. military and intelligence communities for years, its ability to provide valuable and timely information in the form of video, social media posts, mobile device data and commercial satellite imagery has proven invaluable to Ukraine and the nations supporting it in the conflict.
OSINT’s ubiquity and its advantages for timely analysis of quickly shifting situations have prompted the tech industry to launch cloud-based data-as-a-service platforms that fuse open-source data from the public internet and curate it with machine learning tools. The Department of Defense is taking advantage of these capabilities through the U.S. Army Cyber Command’s partnership with its innovation hub, the Cyber Fusion Innovation Center, which issued a request for information calling for industry input on the capabilities that data-as-a-service can offer.
Congress is also taking steps to support OSINT with the 2022 Intelligence Authorization Act directing agencies to build more open-source capabilities to help manage geopolitical competition from China.
“The intelligence community must reorient to engage in a strategic competition with the PRC [People’s Republic of China] while countering China’s malign activities globally,” the Senate report on the Intelligence Authorization Act stated. “To do so, it must continue to build open source intelligence capabilities and augment capacity; enhance sharing of intelligence capabilities; and strengthen the analytical and collection capabilities relating to non-military threats including technology competition,” the report added.
But while OSINT has great promise, its very open nature presents security threats and challenges for classified networks. When open-source data is brought onto classified (high-side) networks, three risks arise: connecting to the source, which is usually a High Threat Network (HTN); ingesting malicious content (malware); and having secrets exfiltrated. The techniques adopted to address these risks typically limit access to the sources, resulting in a loss of interactivity, a loss of operational tempo and a potential loss of integrity.
Part of these losses can be attributed to infrastructure: allowing analysts to reach the public internet from classified environments has required agencies either to create separate infrastructures and workflows or to make personnel leave those classified environments to use personal devices. The increasing speed and volume of incoming data and the need for quick turnarounds mean that “swivel-chair” integration methods, where analysts must physically move from high-side networks to unclassified ones, no longer meet the government’s needs.
This integration issue has been mitigated somewhat by the adoption of Cross-Domain Transfer (CDS Transfer) solutions, which allow information to be moved between two or more networks with different classification levels. While they are useful, they present their own security concerns, such as the potential to be hacked or compromised by adversaries, said David Wallick, a security consultant with Garrison Technology. He notes that a drawback of such systems is that organizations must accept the potential for compromise through unknown vulnerabilities in the software running on the guard servers.
A further challenge is that much of this data exists in formats that can’t be filtered by current transfer guards, Wallick explained. This inability to effectively filter can be mitigated by using sandboxing techniques—but this approach still requires an open channel through the CDS Transfer solution. “So even if we stick it in a sandbox on the high side, we are still punching a hole through the software vulnerable guards, with lots of data that could contain malicious code in it,” Wallick said.
Hardware-Based, Cross-Domain Access Solutions
One way to greatly mitigate the cross-domain transfer security concerns around OSINT is to shift to a cross-domain access paradigm, which reduces the need to transfer all the data. The risk of connecting to an HTN is addressed by using robust, hardware-based solutions, such as the one offered by Garrison. In contrast to software-based CDS, Garrison’s hardware-based offering provides a very low-risk environment that completely isolates the classified system from the high-threat network.
Garrison avoids these security issues by using a Cross-Domain Access model. Because the solution is hardware-based, it avoids the vulnerabilities of software-based systems, allowing analysts to get at OSINT data quickly and safely. The data can be accessed and viewed without putting the high-side environment at risk. If data is determined to be needed in the high-side environment, it can be transferred using a transfer CDS that has been evaluated as able to handle that data format. If the data type is not filterable, transfer becomes a risk decision, and the data can possibly be moved using a one-way diode.
“The key takeaway is that we’ve just moved from transferring all the data to only portions that are absolutely necessary, and there is a human review process that provides some assurance the data is benign. You can open and look at the data that you want to access without the need to ingest. We’re not just going to suck all that data in because we have no other options,” Wallick explained, adding that organizations can use a combination of third-party transfer CDSs and one-way data diodes in parallel with CDS Access for when data must be moved.
“We’re basically providing a better approach, a much less risky approach for accessing that data, manipulating and adjusting it,” Wallick said.
Don’t Get Burnt by Your Own Tools
While secure, simple and therefore ubiquitous access to HTNs is becoming easier for analysts to use, it presents a danger to the unwary, said David Flanagan, vice president for secure consulting at Garrison Technology. The threat is that as open-source intelligence tools become easier to work with, they attract more users who might not be as highly trained as DoD or intelligence analysts, or as versed in tradecraft.
Flanagan cites the hypothetical example of an analyst with a new tool that allows them to browse safely from their secure environment into the open internet. That analyst opens Facebook to view a subject of interest’s profile. Then in the very same window, the analyst opens Google and asks for restaurant times for an establishment immediately outside their facility. This creates a potential series of breadcrumbs for hostile operators to trace.
“That’s what we mean by getting burned,” Flanagan said. “It’s an element of tradecraft and there are a whole bunch of people who absolutely understand this, and they know what to do. One of the things making it easier to do this stuff is that there will be a whole bunch of other people who will now need to learn how to do that again, and themselves become expert in asking sensible questions in sensible spaces.”
Managing the Fire Hose
Another challenge is managing massive incoming flows of data. Collecting terabytes to then process and analyze for perhaps a few minutes or seconds of information is time consuming and inefficient, especially in time-sensitive operations. The DoD and intelligence communities get around this issue by using edge computing—having the device or platform collecting the data do the rough analysis and filtering to only send back what is needed.
The use of edge-based devices supported by artificial intelligence is critical to enabling the DoD’s Joint All-Domain Command and Control program and other modernization efforts, Lisa Costa, chief technology and innovation officer for the U.S. Space Force, said at a recent industry event. Costa added that one of the service’s goals is to use edge-based devices on satellites and other space platforms to do most of the computation.
“You only move the data when you have to,” Flanagan said. “You deal with it in situ [original place] when you can. Deploying analytics to the edge allows high-volume data to be filtered at source, extracting information/value from the data noise.” He also noted that it’s up to organizations to moderate and mitigate whether that tool is classified or not.
One example of this might be collecting data from highway cameras. Twenty-four hours’ worth of camera footage might only provide a few minutes of images involving certain vehicles. Asking for a type of truck rather than a license plate number can avoid a question that might be classified or alert adversaries, Flanagan said. “But if I can eliminate all of the nontruck footage, then I’m down to a smaller amount of data to ingest into my sensitive environment, and then look for a truck with this given number plate.”
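The highway-camera split Flanagan describes can be written down as a small pipeline: a coarse, non-sensitive selector (object class) runs at the edge and the sensitive selector (the specific number plate) is applied only inside the high-side environment, so the sensitive question never travels to the collection point and only the matching fraction of frames is ingested. The following is an added example, not Garrison code or any tool the page describes; the frame metadata is constructed, the edge "detections" stand in for whatever an edge model would produce, and the plate field stands in for what high-side processing would read from the retained frames.

```python
"""Toy model of edge pre-filtering with a split selector.

Added example (not from the original page or from Garrison). All data below
is constructed. The edge side sees only a coarse object class; the number
plate is applied on the high side to the frames that survived the edge
filter.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Detection:
    label: str              # coarse object class produced at the edge
    plate: Optional[str]    # plate text read on the high side (None = unreadable)


@dataclass(frozen=True)
class Frame:
    frame_id: int
    detections: Tuple[Detection, ...] = ()


# Constructed sample: ten frames of "camera footage". Only three contain a
# truck, and only one of those carries the plate the analyst is looking for.
SAMPLE_FRAMES: Tuple[Frame, ...] = (
    Frame(0, (Detection("car", "JKL-444"),)),
    Frame(1, ()),
    Frame(2, (Detection("truck", None),)),              # truck, plate unreadable
    Frame(3, (Detection("car", "MNO-555"), Detection("bus", None))),
    Frame(4, (Detection("car", "PQR-666"),)),
    Frame(5, (Detection("truck", "ABC-123"),)),         # the truck of interest
    Frame(6, ()),
    Frame(7, (Detection("truck", "XYZ-999"),)),         # a different truck
    Frame(8, (Detection("car", "STU-777"),)),
    Frame(9, (Detection("car", "ABC-123"),)),           # same plate, wrong class
)


def edge_request(label: str) -> Dict[str, str]:
    """The only thing sent toward the edge: a coarse object class, nothing else."""
    return {"label": label}


def edge_filter(frames: Tuple[Frame, ...], request: Dict[str, str]) -> Tuple[Frame, ...]:
    """Runs at the collection point. Keeps frames containing the requested class.

    Deliberately never consults Detection.plate: in this model the edge has no
    plate selector to apply, which is the point of the split.
    """
    label = request["label"]
    return tuple(f for f in frames if any(d.label == label for d in f.detections))


def high_side_match(frames: Tuple[Frame, ...], plate: str) -> Tuple[int, ...]:
    """Runs inside the sensitive environment on the ingested subset only."""
    return tuple(
        f.frame_id for f in frames for d in f.detections if d.plate == plate
    )


def run(frames: Tuple[Frame, ...], coarse_label: str, sensitive_plate: str) -> Dict[str, object]:
    """Edge filter on the coarse selector, then high-side match on the plate."""
    request = edge_request(coarse_label)
    # Guard the design invariant: the sensitive selector must not leave the high side.
    if sensitive_plate in str(request):
        raise ValueError("sensitive selector leaked into the edge request")
    ingested = edge_filter(frames, request)
    hits = high_side_match(ingested, sensitive_plate)
    return {
        "total_frames": len(frames),
        "ingested_frames": len(ingested),
        "hits": hits,
    }


if __name__ == "__main__":
    result = run(SAMPLE_FRAMES, "truck", "ABC-123")
    print(f"ingested {result['ingested_frames']} of {result['total_frames']} frames")
    print(f"frames matching the plate on the high side: {result['hits']}")
```

Running this on the constructed sample ingests 3 of 10 frames and finds the plate in frame 5 only; frame 9 carries the same plate on a car and is never transferred, because the edge filter discarded it before the high side ever saw it. The guard in `run` is a cheap check worth keeping in any real implementation: the moment a sensitive selector appears in an outbound edge query, the data reduction has also become a disclosure.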
A confluence of novel technologies provides the means for this to happen, Flanagan said, adding that these advanced systems also work in conjunction with necessary commercial technologies such as edge computing and distributed machine learning systems to help with the analysis. But expanding the volume of incoming data and being able to look at it doesn’t necessarily mean having to ingest more data. “It’s about extracting content, extracting value at the point where the data exists.”
Safe, Efficient Cross-Domain Access
Switching from CDS Transfer to CDS Access offers an efficient way to realize the potential of OSINT for gaining competitive advantage. Following executive office direction to employ hardware-based cross-domain solutions allows this to be done safely and widely.
There are a huge number of tools and services emerging at the edge that can be used alongside the existing and evolving classified tools and techniques. This is a previously unachievable level of access, and it brings with it some behavioral and procedural risks. There is ample expertise available on how to use OSINT securely, Flanagan said. By bringing this know-how together with these new tools, users can make the most of the groundbreaking capabilities available on today’s market.
The next article will examine combining CDS Transfer and Access to enable missions and analysis.
For more information: https://www.garrison.com/en/cross-domain