DOD works to protect essential collaboration technology

Across the Defense Department, videoconferencing is now widely used to facilitate real-time decision making for command and control applications, as well as to improve combat effectiveness all the way up to the tactical edge.

As videoconferencing—video-teleconferencing (VTC) in DOD-speak—assumes its place as a routine and essential collaboration technology, protecting sessions from unauthorized access and attacks becomes increasingly vital. DOD views IP network security as a holistic wrapper that envelops all types of data transport and the applications running on terrestrial and wireless mediums. The agency has adopted a wide range of policies, procedures, guidelines, security tests and mandates related to maintaining videoconferencing security.

When securing videoconferencing sessions, the DOD needs to carefully balance protection and interoperability requirements to ensure that content will be both safe and compatible with end-user devices, said Brad Curran, an aerospace and defense industry analyst at research firm Frost & Sullivan in San Antonio, Texas. "The technology has to be industry standards-based so that it will be able to interoperate with existing systems," he explained.

Requirements and Standards

“The military uses the same basic VTC [technologies] as commercial, civilian or enterprise organizations for interoperability and use of commercial off the shelf (COTS) products," said Charles Crawford, senior vice president of strategy and technology for Ultra Electronics Criticom, a military-grade secure videoconferencing systems and service provider located in Lanham, Maryland. "However, DOD has four unique requirements which are typical for classified communications."

Military-grade encryption (Type 1) is aimed at securing network traffic between VTC systems and is external to the VTC system itself. "Built-in VTC encryption does not meet Type 1 standards, so external devices are used to secure the videoconference network transmission," Crawford said.

Tactical packaging, meanwhile, is required for forward deployed uses. "Unique packaging may be needed to support tactical requirements for harsh or extreme environments or portability for transport and use in mobile command centers," Crawford explained.

A third requirement is an ability to support multiple security classifications. "Each VTC call may require using a different unique security classification and network to communicate to the remote system," Crawford said. "To facilitate using a single VTC with different levels of secure networks, an Information Assurance (IA) process needs to be performed to clear the VTC system before using another classification level network."

For highly secure videoconference sessions, Tempet requirements must be met. Tempest is a technology for shielding devices that emit electromagnetic radiation in a manner that can be used to reconstruct intelligible data. "There are operational areas where communication emanations are still a concern," Crawford said. "VTC systems used in areas where network encryption is not sufficient security may require Tempest packaging upgrades to eliminate RF radiation for electronic scanning."

To ensure interoperability, the military uses accepted industry videoconferencing standards, such as H.320 for ISDN, H.323 for IP, and Session Initiation Protocol (SIP) or AS-SIP (Assured Services SIP) for video. "Newer video-compression standards (H.264 SVC) are of interest to the military, since they support higher resolution, better motion handling, support lower-data-rate networks, and have improved techniques for data packet loss recovery to optimize running over congested or low-speed networks," Crawford said.

Security Guidelines

The most important security document for military videoconferencing users is DOD's Video Tele-Conference Security Technical Implementation Guide (STIG), which includes guidelines for preventing unauthorized access to videoconference endpoints and the disclosure of sensitive or classified information when using data sharing capabilities. The STIG also describes how to secure point-to-point, multipoint and ad-hoc communication sessions and presents methods for maintaining network security, including LAN service segregation, wireless LAN access and IP-based boundary crossing issues.

Since DOD views videoconferencing as an element within a unified communications (UC) environment, rather than a standalone application, the technology is subject to the terms, conditions, requirements and recommendations specified within the Unified Capabilities Requirements (UCRs). The UCRs expand on the recommendations provided within the STIGs, focusing on products, services and systems that offer videoconferencing (point-to-point and multipoint), as well as webconferencing/collaboration, instant messaging and chat, e-mail/calendaring, unified messaging and mobility.

The UCRs also outline the testing and validation steps a videoconferencing product must be put through in order to be approved for use in secure environments and added to the appropriate DOD Approved Product List.