MoD plans secure email system based on TSCP specification

The Ministry of Defence is hoping a new, secure email system will improve its supply chain communication, but rollout is proving slow.

The Ministry of Defence is working on implementing a secure email system that it hopes will free its supply chain from byzantine controls meant to keep government secrets secret. But delays to the MoD's £5 billion Defence Information Infrastructure (DII) programme could make rollout of the secure email system difficult.

Behind the secure email specification is the Transglobal Secure Collaboration Programme (TSCP), a group that includes the U.S. Department of Defense (DoD), U.K. Ministry of Defence (MoD), BAE Systems, Boeing, EADS, Lockheed Martin, Northrop Grumman, Raytheon and Rolls-Royce. It published the technical specifications for the DII system in December after five years of development. This small mark of progress illustrates how challenging the project has been and how far it has yet to go.

 We are still waiting for the MOD to implement it
Vijay Takanti
Design lead for TSCP and policy chair at Certipath

Experts say the trend for large defence contracts to be given to international consortia, like TSCP, with long supply chains that consist of thousands of small firms has created a communications problem that is costing money. A firm making land mines in Texas can't very well send its specifications to a firm making land mine widgets way down the supply chain in Cumbria without making sure they aren't going to go missing in transit.

TSCP's new system proposes to tighten up the links in the supply chain using a public key infrastructure. One of the first things the association did was create Certipath, a commercial public key bridge that quickly got a US federal certification. Certipath acts in turn as a certifying authority for large defence firms who then act as certifying authorities for small companies in the supply chain, who act as certifying authorities for those employees who are given access to the secure email system.

Vijay Takanti, design lead for TSCP and policy chair at Certipath, says he is still waiting to give the MOD its certification, a six to twelve month process the Minsitry has started but appears to have put to one side while it catches up with its DII schedule. Takanti expects the MOD to get its certification "some time in 2008". Its policy has been checked off, "but we are still waiting for the MOD to implement it".

Boeing, meanwhile, has part implemented the system as lead contractor on the US Department of Defence's $340 billion Future Combat System (FCS), according to Michael Daly, corporate director of information security at Raytheon, a TSCP and FCS consortium member. But when supply chain partners want to unlock one another's TSCP-encrypted email, they have to do it manually. The whole process is supposed to be automated - that's another aspect TSCP is looking to complete this year.

TSCP has been able to establish an authentication process it reckons can be trusted up and down the supply chains of participating countries. The certifying authorities have to satisfy 160 measures that TSCP thinks everyone has in common.

Nevertheless, the system has to work with existing email systems and, says Wayne Grundy, TSCP director, Microsoft is the only vendor to have made its email system compatible.

Then TSCP has to persuade small firms down the supply chain that it is worth their while participating.

Other countries too must sign up to TSCPS's system. US and UK backing is certain and Grundy says the Netherlands has joined as well. France is rumoured to have joined and Grundy is courting Australia and Japan. But Germany, Spain, Italy and China are also needed if the effort is to succeed..

If these countries do sign up, they need to adopt treaties to allow the system to operate, says Grundy. Even the recent transatlantic update, the Defence Co-operation Treaty, only goes so far, he says. It all helps put the DII's problems in perspective.

The MOD is due to begin adoption of the secure email system in August, "as long as DII doesn't slip anymore," Grundy says.


Read more on Application security and coding requirements