DRAFT
A Strategic Plan
for the
Development and Application
of
SAVANT
Version 4.0
Mar08
Dave Lush, CTO
GlobeTech Exchange
1
DRAFT
DRAFT
1.PURPOSE:
2.BACKGROUND:
a.Serious Problems with Threat Knowledge Management:
b.Model Driven Threat Assessment and SAVANT:
c.The Genesis of SAVANT:
1)AIPSS and Precursor Efforts:
2)AVIPSS and KPS, VPS, and VIPS:
d.Advent of the SAVANT Program:
e.SAVANT and Predecessor Accomplishments Thus Far:
1)Ground Breaking Info Model Driven Threat Database Capabilities
2)Next Generation EWIR System (NGES):
3)VPS IOC and Enterprise-wide Deployment of VPS:
4)Re-engineering of the AIPSS Knowledge Editor to Achieve JADE:
5)Development of IOC for VIPRE:
6)Establishment of an Information Model Development Environment (KILN):
7)Threat Domain Specific Applications of SAVANT:
f.SAVANT Problems/Issues:
1)Inadequate Operational Architecture and Requirements Baseline:
2)Aging Technical and System Architecture:
3)Fielding of Knowledge Bases and Associated Dynamic Products Takes Too Long:
4)Inadequate Conceptual Modeling Capabilities:
5)Threat Knowledge Authoring Tool Is Not Considered Easy to Use:
6)Limited VPS Virtual/Dynamic Product Features:
7)Lack of a Comprehensive Ad Hoc Query Tool:
8)Lack of Robust Intelligence Discovery/Delivery Capability:
g.Advent of a SAVANT Funding Program Line:
3.SOME VISION CIRCA 2013:
a.World Chaos:
b.Imperative for Information Sharing and Improved Threat Knowledge Management:
c.Net-centric Operations and Warfare:
d.NASIC Paradigm Shift:
d.Conceptual Model of the Threat:
e.Structured Threat Assessment:
f.Conceptual Models Are Facilitating Analysis and Threat Knowledge Capture:
g.Structured Threat Assessments Are Facilitating Completeness & Re-use:
h.Threat Knowledge Baseline:
i.Some Specific Scenarios:
j.Repetition Is One of the Principles of Learning:
k.State of NASIC Capabilities/Performance in 2013:
4.THREAT KNOWLEDGE MANAGEMENT IMPERATIVES:
5.TOP LEVEL REQUIREMENTS:
a.The Core Functional Requirement:
b.Derived Requirements:
6.THE PRIMARY SAVANT GOAL:
a.Complete Externalization/Capture/Management of NASIC Threat Knowledge:
b.Flexible and Agile Capability for Dynamic Product Development/Deployment:
c.Robust Intelligence Notification/Discovery/Delivery Services:
7.Major SAVANT OBJECTIVES:
a.Robust SAVANT Program at NASIC:
b.Improved, Enhanced, Re-engineered, Base-lined SAVANT System:
c.Establishment of a NASIC Threat Knowledge Baseline:
d.Acquisition/Development of a Conceptual Modeling Tool with Requisite Features:
e.Enhanced, More Integrated KILN Capability:
f.Enhanced, More Richly Featured Knowledge Authoring Tool (JADE):
g.Enhanced, Semantically Aided Intelligence Product Development/Management:
h.Generalized, Semantically Aided Query Tool:
i.Enhanced, Semantically Aided Discovery/Mash-up/Delivery Capabilities:
j.Robust Organizational Capability for SAVANT Applications:
8.REVIEW OF CORE CONCEPTS/TECHNOLOGIES/ARCHITECTURE:
a.The Basic Knowledge Management CONOPS and Core Ideas:
b.Some Building Block Technologies:
1)The Oracle Platform/Suite:
2)Service Oriented Architecture (SOA), Web Services, and BPM:
3)MS Office Related Capabilities:
4)Structured Authoring Capabilities:
5)Conceptual Modeling Methodologies/Tools:
6)Semantic Technologies:
c.Architecture:
1)Operational Architecture:
2)System Architecture:
3)Technical Architecture:
9.PROPOSED APPROACH:
a.Re-establish, Execute, Sustain an Explicit Formal SAVANT Program:
1)Vetted, Approved Program Charter and Program Plan:
2)Program Governance Structure:
b.Establish and Control a SAVANT System Baseline:
1)Functional and System Requirements:
2)Operational/Info, Technical, System Architectures:
c.Establish, Execute, Manage Portfolios of SAVANT Related Projects:
1)Two Kinds of SAVANT Project Portfolios:
2)Proposed SAVANT Capabilities Portfolio:
3)Proposed SAVANT Results Portfolio:
4)Portfolio/Project Management/Oversight:
d.Investigate and Leverage Selected Hot-Off-The-Shelf Technologies:
1)Possibly Obscure But Powerful Features of the Oracle Suite:
2)MS Office/Sharepoint:
3)SOA/ESB and Web Services:
4)Java Community Process (JCP) and Java Spec Request Driven Capabilities:
5)SysML Conceptual/System Modeling Tools:
6)Structured Authoring Tools (e.g. In.Vision Xpress Author):
7)Semantic Mash-up Technologies/Tools:
8)Semantic Query Capabilities:
e.Achieve Organizational Competencies/Capabilities to Rapidly Apply SAVANT:
10.Final Words:
1
DRAFT
DRAFT
1.PURPOSE:
- The purpose of this document is to communicate a strategic plan and a foundation for program planning for the continuing development, application, and maintenance of the NASIC SAVANT capability.
- More specifically this document (1) cites relevant background; (2) expresses vision regarding NASIC’s situation, ops scenarios, and capabilities circa the year 2013; (3) states associated goals/objectives and top level functional requirements; (4) reviews the core CONOPS/concepts, technologies, and architecture; (5) specifies the general approach; and (6) identifies key projects to be accomplished in order to realize the vision for NASIC’s threat assessment and knowledge management capabilities in the year 2013.
2.BACKGROUND:
a.Serious Problems with Threat Knowledge Management:
The IC, DOD, and DHS have had and still have serious problems with how they capture and manage our nation’s hard earned knowledge of the threat. The major facets of this problem are identified and discussed very briefly in the following.
1)Official Finished Threat Knowledge Is Not Baselined:
It would appear that our so called “finished” or “approved” threat knowledge is not baselined and managed as a baseline would be managed. This means that we don’t know for sure what the official assessment of the threat is, how it is updated, or how to acquire it rapidly. The implications of this are obvious and very serious.
2)Official Finished Threat Knowledge Does Not Support the Single Source Multi-purpose Paradigm:
Our threat knowledge is not single sourced and multi-purposed which means that there are multiple instances of possibly disparate knowledge about the same threat and that the knowledge on hand cannot be readily re-constituted to serve multiple purposes. Once again the implications are obvious and serious.
3)Official Finished Threat Knowledge Is Not Properly Structured, Detailed, Labeled (Tagged):
Our threat knowledge is not properly structured, detailed, and labeled so as to provide for the discovery and acquisition of the specific, precise knowledge required. This has serious implications for re-purposing, preparedness, and responsiveness in general and for net-centric operations in particular.
b.Model Driven Threat Assessment and SAVANT:
NASIC is responding to the threat knowledge management problem with a model driven threat assessment paradigm and a powerful capability for (1) the capture/management of threat knowledge; (2) the development/management of dynamic intelligence products; and (3) the discovery and delivery of those products. The capability is called SAVANT.
c.The Genesis of SAVANT:
1)AIPSS and Precursor Efforts:
Starting in the 70s under the leadership of Mr. Don Quigley and Ms. Suzi Barber, NASIC began to develop unique threat database capabilities which featured an information model driven approach which was ahead of its time. This approach was successfully applied to a number of threat database requirements with the most noteworthy being the requirements for the Electronic Warfare Integrated Reprogramming (EWIR) capability, the NASIC DIODE product, and the NASIC SCACS product. These applications of early info model driven capability had profound implications and all that has transpired since traces back to this work and the vision and efforts of folks like Don Quigley and Suzi Barber.
2)AVIPSS and KPS, VPS, and VIPS:
In 1999, NASIC initiated an official program managed by NASIC/SC to develop a new intelligence paradigm and comprehensive capability for the ontology driven capture/management of threat knowledge (KPS), the subsequent development/capture of dynamic intelligence product components (VPS), and the discovery and dissemination of products and threat knowledge that draw from the underlying knowledge and product component bases to meet client requirements (VIPS).
d.Advent of the SAVANT Program:
In 2004 the KPS/VPS/VIPS program was transferred to the newly created Advanced Programs Directorate (AP) and was renamed SAVANT. This was an important event because the program was now viewed as a truly “corporate” venture at NASIC as opposed to just an IT thing.
e.SAVANT and Predecessor Accomplishments Thus Far:
There have been a number of very significant initial accomplishments which were lead by NASIC folks like Sharon Cain, Dave Sanders, Dave Drake, and Chris Colliver. These include:
1)Ground Breaking Info Model Driven Threat Database Capabilities:
2)Next Generation EWIR System (NGES):
3)VPS IOC and Enterprise-wide Deployment of VPS:
4)Re-engineering of the AIPSS Knowledge Editor to Achieve JADE:
5)Development of IOC for VIPRE:
6)Establishment of an Information Model Development Environment (KILN):
7)Threat Domain Specific Applications of SAVANT:
f.SAVANT Problems/Issues:
We will cite major issues/problems with SAVANT in the following. Many of these are a result of the fact that SAVANT and its immediate predecessor program have been under funded since inception. As such obvious enhancements to the core capabilities could not be developed/implemented.
1)Inadequate Operational Architecture and Requirements Baseline:
2)Aging Technical and System Architecture:
3)Fielding of Knowledge Bases and Associated Dynamic Products Takes Too Long:
4)InadequateConceptual Modeling Capabilities:
5)Threat Knowledge Authoring Tool Is Not Considered Easy to Use:
6)Limited VPS Virtual/Dynamic Product Features:
7)Lack of a Comprehensive Ad Hoc Query Tool:
8)Lack of Robust Intelligence Discovery/Delivery Capability:
g.Advent of a SAVANT Funding Program Line:
Starting in FY09 a significant SAVANT funding line will be in place. This will enable a more concerted and systematic program of SAVANT development and implementation and ultimately our vision of a new model driven threat assessment and knowledge management paradigm.
3.SOME VISION CIRCA 2013:
In the following, a vision of sorts is presented regarding how NASIC would ideally operate in the context of a very complex intelligence picture and our nation’s paradigm for net-centric operations and warfare (NCOW). Please note that the concepts presented are not meant to constitute exact and precise direction regarding what NASIC should do and/or become. But we do believe that the core concepts of model driven threat assessment and knowledge management are fundamental.
a.World Chaos:
It is the year 2013. Afghanistan and Iraq are in chaos. Global terrorism is rapidly increasing with two attacks on the US homeland and several serious attacks in Europe, Asia, and Africa since 9-11. In the context of a struggling US economy and overextended military, China and Russia are flexing their economic and military muscle more than ever. There have been major cyber attacks on facets of the US cyber infrastructure both civilian and military. The threats to our national security are quite multi-faceted and complex. Demands on our intelligence apparatus are severe.
b.Imperative for Information Sharing and Improved Threat Knowledge Management:
1)Following 9-11 it became apparent that our nation’s will and capabilities for information sharing were suspect. As such initiatives for information sharing have been launched at multiple levels of our security and law enforcement apparatus.
2)A few years ago (circa 2008) NASIC had an epiphany when a critical masse of its leadership realized that proper knowledge management is a necessary condition for effective information sharing. In other words if the information to be shared has not been captured and managed properly then it will not be as readily re-purposed and shared and it will not be as valuable once it is shared.
3)Since 2008 NASIC has internalized and has applied some basic tenants regarding its threat knowledge as follows:
a)A Comprehensive Threat Knowledge Baseline Must Be Established and Maintained:
b)The Baseline Must Support a SingleSource, Multiple Purpose Paradigm:
c)The Baseline Must Provide Requisite Scope, Structure, Detail, and Labeling:
c.Net-centric Operations and Warfare:
Out of necessity, our Nation’s defense and homeland security apparatus is operating more and more in context of a net-centric operations and warfare (NCOW) paradigm and associated environments and infrastructures. Various communities of interest are executing their operational architectures in a net-centric fashion with each player having its prescribed roles, processes, and requisite data, info, and knowledge appropriately pre-positioned. Machine-to-machine flows of data, info, and knowledge are quite prevalent.
d.NASIC Paradigm Shift:
1)NASIC’s basic, top level operational architecture is portrayed in Figure 1.
2)Back in 2008, NASICrealized that demand for highly tailored, just-in-time intelligence would be increasing dramatically and that it would be increasingly “playing” in the context of net-centric operations and warfare (NCOW). So, as a result, NASIC instituted a new paradigm for threat assessment and threat knowledge management.
3)In this new approach, NASIC intelligence analysts execute a model driven analysis/assessment paradigm (see Figure 2) which produces “structured” threat assessments in accordance with the appropriate conceptual models of the threat (see Figures 3a, 3b).
4)Development of the conceptual models of the threat is initiated at the start of the assessment process and the models are continuously vetted and refined throughout the threat assessment process.
5)When the threat assessment process is completed, the resulting conceptual models and the model instantiations (see Figure 4.) that result by incorporating into the model the INT data and assessment results are at hand. These then become a core part of the overall threat assessments (see Figures 5a, 5b) which are readily imparted to the SAVANT threat knowledge base.
6)In all of this (see Figure 6.) the conceptual model of the threat under study is at the heart of the matter.
d.Conceptual Model of the Threat:
More specifically, the conceptual models of the threat (see Figures 1a, 1b) are patterned after the OMG SysML meta-model for systems modeling and consist of specifications of:
- structure;
- behavior/signatures;
- parametrics; and
- summary of capabilities.
e.Structured Threat Assessment:
And, the structured threat assessments (See Figures 3a, 3b) are made up of :
- the intelligence requirements driving the assessment i.e. the questions that must be answered;
- the key assumptions and constraints;
- a summary/description of data sources;
- a conceptual model of the threat (as described above);
- the instantiated model of the threat (including key findings in terms of projected purposes, capabilities, and vulnerabilities);
- key findings, implications, predictions; and
- key arguments and rationales for the analysis and findings.
f.Conceptual Models Are Facilitating Analysis and Threat Knowledge Capture:
In this new model driven threat assessment paradigm, the development, vetting, and distillation of the threat assessments areguided by the concurrent development and iterative refinement of externalized conceptual models of the threat. These conceptual models serve to focus the analytic effort and facilitate the communication and vetting of the threat assessments and ultimately when the finalized models are “instantiated” with data, information, and threat analysis/assessment results, they become an invaluable characterization of the threat.
g.Structured Threat Assessments Are FacilitatingCompleteness & Re-use:
The resulting structured threat assessmentswhich include the finalized instantiated conceptual models as the core element also include other important facets of a threat assessment which are not often included in the typical intelligence product. These structured threat assessments because of their structure arereadily captured and managed in the NASIC SAVANT threat knowledge base via the SAVANT system’s powerful model driven knowledge authoring/editing tool. Capturing the threat knowledge in this fashion enables the rapid provisioning of the exact data, information, and knowledge that is required by a multiplicity of national security players.
h.Threat Knowledge Baseline:
So, in the context of the preceding, NASIC has established a robust intelligence baseline containing the structured threat assessments, threat models (ontologies), intelligence business rules, and instantiated threat models for the domains, countries, systems, and systems of systems that it is responsible for. As such NASIC is totally prepared to respond rapidly to ad hoc requests for data, information, and knowledge from virtually any client (including machines) operating in context of net-centric operations and warfare.
i.Some Specific Scenarios:
We envision some specific scenarios that exemplify how NASIC might be operating circa 2013 in the context of a robust fully fielded capability for threat knowledge management and digital production and an established current threat knowledge baseline.
1)First of all, NASIC analysts routinely and with greatly reduced effort develop and field “standing” or “scheduled” intelligence products which are continuously updated from appropriate facets of the overall KPS-based threat baseline which the analysts keep current as new information and assessment results are available. The analysts involved simply keep their facet of the threat baseline current and the derived products are therefore current by definition.
2)A very important acquisition customer requires comprehensive and appropriately structured threat knowledge on an entire class of threat systems. A few years ago a similar request was rejected because the knowledge, while contained in the heads of analysts, was not available in a form which could satisfy the requirement. Now given the existence of the threat baseline the appropriate queries and product style sheets are rapidly developed and the required product is readily produced. This happens in a very few days if not hours.
3)US cyber operations capabilities aregoverned by the cyber control system which includes a highly structured knowledge base which is patterned after a federated ontology of cyber space, the cyber threat, and cyber operations. The cyber operations knowledge base receives cyber threat knowledge from NASIC in a machine to machine manner from the NASIC knowledge base where it was posited in accordance with the appropriate conceptual threat models of the cyber threat. The cyber control system uses ontologies of the cyber threat developed by NASIC.
4)At the same time, NASIC’s IADS threat knowledge is delivered in machine to machine web services based fashion to the operational and warfighting environments to help achieve requisite situational awareness and formulate the common operating picture. Once again ontologies of IADS related concepts are also provided by NASIC and used to semantically aid net-centric operations and warfare.