Sensitive information protection remains tough

The government’s ability to share sensitive but unclassified information data securely has become central to coordinating counterterrorism efforts, in part because many local officials don't have the security clearances needed to make use of classified information.

The information technology challenges to securing SBU networks are complex, especially for those that cross jurisidictional boundaries. Unlike classified networks that sit behind lock and key and are accessible only to users with security clearances, people who sign on to SBU networks come from a variety of different organizations with different missions, needs and security standards.

Last month, Federal Computer Week reported that someone hacked into the Homeland Security Information Network (HSIN), a Homeland Security Department platform for sharing SBU data with state and local authorities. Although a DHS official said the amount of compromised data was relatively minor, the incident underscores the complexities of securing SBU networks.

Even before the intrusion, DHS had been in the process of upgrading HSIN to better meet user needs and improve security. That upgrade is complicated by the myriad requirements that different users have for the system. Meanwhile, in addition to HSIN, state and local authorities also use platforms such as the FBI’s Law Enforcement Online network and the Justice Department-funded Regional Information Sharing System to share SBU data.

In coming months, the Office of the Director of National Intelligence’s Program Manager for the Information Sharing Environment (PM-ISE) plans to examine the different systems to ensure that the various SBU networks are interoperable and secure. Then the PM-ISE plans to publish a segment architecture for the interoperability of SBU systems that support the federal information sharing environment related to terrorism-related data.

“You’ve got these different systems, and they serve different communities of interest, groups — sometimes those groups overlap, but many times, they have their own purposes, their own needs, their own business processes,” said Clark Smith, PM-ISE’s executive for programs and technology.

Smith said PM-ISE is interested in determining how the systems interoperate securely. User authentication is one of the major security questions PM-ISE needs to resolve, he said.

“We would be looking at things like identity management and the levels of assurance you need on identity for those systems,” Smith added.

In addition to technology concerns, different systems use different languages to describe SBU data. Federal agencies have more than 100 unique identifiers for SBU data and more than 130 methods for handling SBU information.

“In the absence of a single, comprehensive framework that is fully implemented, the persistence of multiple categories of SBU, together with institutional and perceived technological obstacles to moving toward an information-sharing culture, continues to impede collaboration and the otherwise authorized sharing of SBU information among agencies, as well as between the federal government and its partners in state, local, and tribal governments and the private sector,” President Barack Obama said May 27 in a memo directing a review of the framework for categorizing SBU data.

“There’s two parts of this puzzle," said John Cohen, senior adviser to PM-ISE. "One is process and policy and the other is technology,”

Meanwhile, Stephen Serrao, a former high-ranking intelligence official at the New Jersey State Police and now Memex’s product manager for the Americas region, said the situation is also complicated by how multijurisdictional information-sharing centers across the country manage IT.

Memex provides data management, analysis, information-sharing and intelligence management solutions to several state and local intelligence fusion centers, which are the primary users of SBU networks. In his role with Memex, Serrao visited several fusion centers and other information-sharing centers. He found that the agencies involved in collaborative efforts often divide up responsibility for various IT functions, rather than designating one agency to coordinate all of it.

“I don’t think enough attention is being paid to infrastructure and the IT aspects of these fusion centers and these multijurisdictional task forces,” he said. “There’s no one dedicated overall to manage the network, to serve as the security officer, and to provide the type of cohesive strategy or security strategy that might be necessary.”

Serrao said assigning responsibility for various IT aspects to different agencies in a multijurisdictional task force or fusion center is a recipe for disaster.

“Full-time IT resources have to be part of any fusion center or any multijurisdictional task force,” he said.