Figuring out what information should be classified and controlling access to it has been an eternal headache for defense and national security organizations—a headache that got a lot of attention during the investigation into former Secretary of State Hillary Clinton’s use of personal emails. Even people with a clearer understanding of sensitive data classification may have difficulty determining when information needs to be marked and restricted in circulation. So the Department of Defense is looking for some help from machine-learning systems.
The DOD has issued a request for information from industry in a quest for technology that will prevent the mislabeling and accidental (or deliberate) access and sharing of sensitive documents and data. In an announcement posted in May by the Defense Information Systems Agency (DISA), the Pentagon stated that the DOD CIO’s office—part of the Office of the Secretary of Defense—is “investigating the use of commercial solutions for labeling and controlling access to sensitive information.”
Defense IT officials are seeking software that “must be able to make real-time decisions about the classification level of the information and an individual’s ability to access, change, delete, receive, or forward the information based on the credentials of the sending and/or receiving individual, facility, and system.”
In other words, DOD is looking for a classification Clippy. In a response to questions regarding the RFI issued in late June, DOD officials said that the system should ideally be able to protect “any file type on a Microsoft operating system (OS) file system and active directory domain.”
Rather than an autonomous machine-learning system, the DOD is looking for an expert system that will advise humans and “prevent… marking mistakes and inadvertent disclosure/sharing” by offering suggestions. But the system would ultimately leave the classification decision to the user. Once a decision is made about classification, the tool “will perform all enforcement functions to prevent unauthorized access,” DOD officials wrote in response to a question from an industry source.
The DOD also wants the system to properly assign “security attributes” to non-human readable data formats—binary files, including image, video, and audio files—so that the system can properly determine whether a given user should be allowed access. And the whole system will need to provide an audit trail of user actions—including who initially marked the classification level, where, and when, as well as classification upgrades and downgrades. The audit data should be exportable into a Security Incident and Event Management (SIEM) system for tracking. And the classification markings for all types of files need to be readable by users “much like other file metadata (e.g., file name, file size, date modified, etc.),” DOD officials noted.
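The requirements above (a user-made marking decision, enforcement against the reader's or recipient's credentials, and an audit trail of markings, upgrades, downgrades and access attempts in a SIEM-ready form) can be sketched in a few dozen lines. The following is an added illustration written for this article, not code from DOD, DISA or any RFI respondent; the level ordering, the in-memory label store standing in for file metadata, and the JSON-lines audit format are assumptions.

```python
"""Toy model of the RFI's labeling, enforcement and audit functions (illustrative only)."""
import json
from datetime import datetime, timezone

# Assumed ordering of classification levels, lowest to highest.
LEVELS = ["UNCLASSIFIED", "CONFIDENTIAL", "SECRET", "TOP SECRET"]


class LabelStore:
    def __init__(self):
        self.labels = {}  # path -> level; stands in for per-file metadata on the file system
        self.audit = []   # audit events as plain dicts, exportable to a SIEM

    def _log(self, event, user, path, **extra):
        rec = {"ts": datetime.now(timezone.utc).isoformat(), "event": event,
               "user": user, "path": path, **extra}
        self.audit.append(rec)
        return rec

    def mark(self, path, level, user):
        """The user decides the level; the tool records who marked what, when,
        and whether the change was an upgrade or a downgrade."""
        if level not in LEVELS:
            raise ValueError(f"unknown classification level {level!r}")
        old = self.labels.get(path)
        if old is None:
            event = "mark"
        elif LEVELS.index(level) > LEVELS.index(old):
            event = "upgrade"
        elif LEVELS.index(level) < LEVELS.index(old):
            event = "downgrade"
        else:
            event = "remark"
        self.labels[path] = level
        return self._log(event, user, path, old=old, new=level)

    def check(self, path, user, clearance, action="read"):
        """Enforcement: allowed only if the acting (or receiving) party's clearance
        dominates the file's label. Unlabeled files are denied by default."""
        label = self.labels.get(path)
        allowed = label is not None and LEVELS.index(clearance) >= LEVELS.index(label)
        self._log("access_granted" if allowed else "access_denied",
                  user, path, action=action, label=label, clearance=clearance)
        return allowed

    def export_siem(self):
        """One JSON object per line, the usual shape for SIEM ingestion."""
        return "\n".join(json.dumps(r) for r in self.audit)
```

For a forward or share, `check()` is called with the recipient's clearance rather than the sender's, which is the "credentials of the sending and/or receiving individual" rule in the RFI text.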
The system need not be built directly into the operating system, however. Rather than being built into the OS or the network itself, DOD officials said, the system should integrate with “software collaboration tools” instead of sitting on the network and protecting specific points of access. “If the software protects files at the OS level, that information should automatically update any attachment of the files to the collaboration software,” the response to questions noted. “But, at a minimum, the software must work with Microsoft Office products, including Outlook/Exchange, SharePoint, and Lync.” DISA supplies Exchange email, SharePoint, and Lync as enterprise services to the DOD.