If you buy or rent a DVD and try to fast forward past the initial producer credits, technology built into the DVD will prevent it. It may just be annoying to you, but someday a variation of that technology may make it easier for government officials to share information on potential threats—and harder for it to fall into the wrong hands.

MITRE is exploring how to apply commercial Digital Rights Management (DRM) technology for controlled information sharing (CIS) to the government's evolving information sharing needs. The objective of the research is to develop a novel solution for "assured information sharing," that is, simultaneously sharing information while retaining responsible control over who sees it. The results of our work could have implications across the services, law enforcement agencies, and coalitions with other nations who may join with the U.S. to protect mutual interests in hot spots throughout the world.

"DRM could be a big piece of the information sharing puzzle," says Richard Games, chief engineer for MITRE's Center for Integrated Intelligence Systems (CIIS). "The promise of DRM is that it will allow a more spontaneous kind of information sharing. The protection of the information would be incorporated with the information itself. The threats we face today require more flexibility and agility in our information architectures. DRM may be more compatible with an architecture that has those qualities."

This and other information-sharing efforts come at a time when the military is learning to master a delicate balancing act. On the one hand, 9/11 and its aftermath have made clear that the U.S. needs to find a better way of sharing intelligence about potential threats with local law enforcement and public safety officials so that they and the intelligence community can work together more effectively to "connect the dots." On the other hand, the military wants to retain some safeguards on who sees sensitive information. Assured sharing marks an effort to achieve this balance.

"There's a globalization of communications going on," says Carlos Vera, division chief for network security services at Lackland Air Force Base in San Antonio, Texas. "We are in the process of essentially linking up the terrestrial, air, and space realms. The warfighter wants to be able to move data effectively among those three different domains, because we have folks all over the world."

But this has become harder to do because today's environment places new demands on existing means of controlling access to data. For example, multi-national coalitions are formed, often with member nations that vary depending on the specific conflict situation. The very meaning of key concepts—such as the definition of secret information—may differ among members.

"The fact that you've got groups that dynamically change themselves makes it hard to say, 'How do you really achieve information sharing among such groups?'" says Richard Pietravalle, principal investigator for the CIS project in CIIS. "This begs the question, 'So what are some new ways we can apply technology to help in that problem?'"

Giving Users Greater Control

This question led Pietravalle to propose researching DRM technology as a new approach to the assured-sharing problem. While DRM is used primarily in the media and entertainment industries, it's gradually spreading elsewhere in the private sector for commercial enterprise environments. Organizations as diverse as Microsoft and the Harvard Business School have used DRM to protect the rights to their products or control their information at the point of use—the function MITRE is researching.

"DRM is starting to hit in the commercial sector, but it's certainly in the early-adopter phase of the market life cycle," Pietravalle says. "But it hasn't been adapted from the point of view of information sharing. It's usually used for rights protection—hence the 'DRM' term itself."

Among the attributes MITRE researchers think may offer promise:

• Control at the point of use: In information sharing, the goal is to push some aspects of control and counterchecks right down to the point when a user tries to access information—similar to the limits on a consumer's ability to perform certain operations with the DVD. DRM carries with it the capability for computer auditing, which controls access to information to minimize the risk that it will be seen by a user who shouldn't have access to it. Moreover, these controlling mechanisms remain in effect whenever someone tries to access a file, not just the first time.
• Granularity of control: "Granularity" refers to the range of options someone has in using a file. MITRE researchers are looking into how DRM technology can help secure sensitive or classified information if an outsider somehow gained access to the host containing that information (which happened recently in Great Britain when a laptop containing sensitive information was left in a car and then stolen). With DRM, such information would be encrypted, and a user would have his or her credentials to view the information automatically rechecked—with access being denied at the point of use if the user isn't properly authorized.
• Scalability: As users gain the ability to perform more functions on their end, government networks would have much more traffic, and any attempt to run security checks from a central point would likely create bottlenecks on the network. In contrast, if users are making decisions about access, it becomes easier to make adjustments at the point of use than in a centralized location.

If successful, control at the point of use could give the military a major part of what it's looking for in the post-9/11 era—a means of sharing important information that allows for more flexibility within coalitions, especially because coalition members often change depending on the nature of the threat.

"I think everybody understands that there's this migration to a more joint coalition-type environment," Vera says. "There's also an issue of declining budgets. Part of what we gain as a function of being able to accelerate decisions and reduce the time for deploying munitions to targets is that you fight wars a lot better. You also reduce the costs involved as a function of reducing the time to fight wars."

How Big a Piece of the Puzzle?

Information sharing is "a Herculean task," in Vera's words, and determining the extent to which CIS can be part of the solution will likely take years. But MITRE is attempting to make a start on two levels: (1) picking possible short and long-term application scenarios, and (2) bringing together potential users to explore other ways DRM can be applied to their needs and determine how the information architecture can be changed to meet future needs.

In both the short and long term, benefits gained from DRM technology must conform to the requirements of an evolving IT infrastructure. In the short term, looking at one or more Air Force portal applications helped to arrive at approaches to achieve the right balance. Over the long term, DRM applications will be affected by the military's emerging Global Information Grid (GIG) architecture—which parts of the GIG can be used to support DRM concepts, and which parts of the infrastructure will need to be augmented for that support. "This context is not trivial," Pietravalle says. "You're trying to have some greater flexibility in information sharing and control. But there's a tradeoff: you've complicated how you've designed this application and client-side software that's going to open up the content. And of course, there's the consideration for the threat environment: Does the security of the resulting information match the threat model?"

In the short term, MITRE is discussing DRM technology applications with the Air Force and other customers, and also with a number of commercial vendors. That dialogue about requirements and commercially available products will be central to having DRM as a viable solution in the future. As Pietravalle points out, government agencies looking at new technology often have requirements that are different from those commercial products are designed to meet. But the only way commercial vendors will clearly understand those needs is to interact directly with potential government users to determine their requirements.

MITRE has also set up a Cross-Boundary Information Sharing Demonstration Facility on the McLean, Va. campus. We will host demonstrations of potential DRM and other technology applications as they emerge in a setting where our employees and sponsors can understand the various dimensions of this issue.

"The jury is still out; our work with CIS is still only at the research level," Games says. "But Rich has done a good job of looking at where things are going in the commercial sector, and also seeing areas where it can possibly be applied to our sponsors."

—by Russell Woolard

Related Information

Articles and News

• Need-To-Know vs. Need-To-Share

Websites

• The Center for Integrated Intelligence Systems (CIIS)

Solutions That Make a Difference.®
Copyright © 1997-2013, The MITRE Corporation. All rights reserved.
MITRE is a registered trademark of The MITRE Corporation.
Material on this site may be copied and distributed with permission only.

Privacy Policy | Contact Us