Information sharing: Are we safer?
A decade after the 9/11 Commission identified agencies' reluctance to share information as a dangerous shortcoming, the government is moving in the right direction.
After the Sept. 11 disaster, the lack of appropriate information sharing within the federal government community was highlighted as a key weakness by the 9/11 Commission. Its final report states that "agencies uphold a 'need-to-know' culture of information protection rather than promoting a 'need-to-share' culture of integration."
Since then, there have been many changes, with the establishment of the Department of Homeland Security and the Office of the Director of National Intelligence being most significant and visible. But other changes have been implemented that have sought to help, including the Patriot Act's removal of some barriers that once restricted the sharing of information between the law enforcement and intelligence communities.
In addition, the Intelligence Reform and Terrorism Prevention Act (IRTPA) of 2004 established the multi-agency National Counterterrorism Center to analyze and integrate all intelligence pertaining to terrorism, including threats to U.S. interests at home and abroad.
And a collection of 78 fusion centers have been established throughout the U.S. to physically bring together federal, state and local law enforcement and first responders to deal with threats and disaster conditions.
In terms of information sharing, IRTPA also mandated that the president establish an Information Sharing Environment (ISE) as "a decentralized, distributed, and coordinated environment [that] to the greatest extent practicable...connects existing systems,...builds upon existing systems' capabilities currently in use across the government,...facilitates the sharing of information at and across all levels of security,...and incorporates protections for individuals' privacy and civil liberties."
Many federal agencies participate in and contribute to ISE, but the law further mandates that a program manager be designated to oversee it and that an Information Sharing Council be formed to advise the president and the program manager on the development of ISE policies, procedures, guidelines and standards, and to ensure proper coordination among federal departments and agencies participating in ISE.
A decade later, how has ISE fared? Can we effectively rate the government's improvements to intelligence, law enforcement and counterterrorism information sharing, and have they been made in a way that protects privacy and our civil liberties?
Or the more basic question: Are we safer now than before Sept. 11, 2001?
From a structural perspective, the program manager for ISE, Kshemendra Paul, and his organization report to the director of national intelligence but carry out the mission of ISE by coordinating across federal, state, local and tribal government organizations. The Information Sharing Council has been recast as the Information Sharing and Access Interagency Policy Committee (ISA IPC), which still carries out the primary coordination role.
In 2007, then-President George W. Bush issued the first National Strategy for Information Sharing. President Barack Obama issued the updated National Strategy for Information Sharing and Safeguarding in December 2012.
In the 2013 edition of PM-ISE's annual report, Paul reports on the organization's progress in implementing the objectives of the national strategy. Below are a few important highlights:
- One positive accomplishment has been the establishment and success of the Suspicious Activity Reporting program, which enables federal, state and local jurisdictions to readily and rapidly share information regarding suspicious activity. Nevertheless, a report published last year outlines ongoing issues and recommends improvements to the SAR program. The ISA IPC is overseeing the implementation of the recommendations.
- To support improved information discovery and access through common standards, the FBI's Criminal Justice Information Services Division expanded the capabilities of law enforcement's National Data Exchange to accommodate more records and users, and officials began sharing investigative reports in near-real time with criminal justice partners. Furthermore, the Defense Department took a major step forward in promoting common standards with the decision to adopt the National Information Exchange Model (NIEM) for standards-based data exchange.
- In light of the WikiLeaks and Edward Snowden incidents, sharing and safeguarding information requires enforcing the controls that are necessary to protect sensitive and classified information, as well as the privacy, civil rights and civil liberties of individuals. But it is also necessary to provide efficient access to mission-critical information so that analysts, operators and investigators can effectively perform their jobs. Striking the correct balance will continue to be a challenge for the members of ISE.
- As cybersecurity threats have grown, PM-ISE is playing a more direct role in government by working with DHS and critical infrastructure companies to help define governance and technical standards by which sensitive information regarding cybersecurity threats can be shared. DHS has expanded its Enhanced Cybersecurity Services program in accordance with Executive Order 13636 (Improving Critical Infrastructure Cybersecurity) to better assist critical infrastructure owners and operators with protecting their systems.
When I was DHS CIO from 2009 to 2013, I worked closely on information-sharing issues with PM-ISE; across the federal, state, local, tribal and territorial governments; and with groups such as the IJIS Institute and the International Association of Chiefs of Police. During that time, I saw tremendous improvements to information sharing and a deep concern for addressing privacy and civil liberties issues.
I found the dedication of people at all levels of government inspiring, especially given that trying to achieve consensus among multiple government bureaucracies can be truly daunting.
The highlights from PM-ISE's 2013 annual report give a sense of that progress and the maturation of our efforts to share and safeguard information. In particular, I would note that PM-ISE has helped spread the idea that innovation prospers when it is based on standards for sharing information. I can state emphatically that we are safer today because of efforts of many individuals at many departments and agencies in the federal government, along with partners at state and local governments and even in the private sector.
Yet there is still much that can and should be done. For example, there are significant gaps in information sharing. Some of them are cultural, but many could be addressed through the proper use of emerging technologies that help ensure that information is being properly shared with the proper partners, in the proper context and with the appropriate privacy protections in place.
In particular, we need:
- Greater support for programs that rely on federated identity, credential and access management. Those programs are crucial if we are to move to a higher level of information sharing, particularly as we wish to make information discoverable across the boundaries of government. ICAM systems must be interoperable and part of a larger ecosystem to enable cross-organizational identity management. We need a vibrant identity ecosystem that is privacy-enhancing, secure, resilient, interoperable, cost-effective and easy to use, as outlined in the National Strategy for Trusted Identities in Cyberspace.
- Further support for the maturation of community-driven XML data standards developed under NIEM to help overcome technical barriers to sharing information.
- Widespread adoption of the efforts of DHS and other agencies to set data-tagging standards to enable specific protections and limitations on data use or to handle special cases governed by law or regulation.
- Aggressive implementation of new technologies and the upgrade, consolidation and retirement of older systems to enable enhanced information sharing. The continued stovepiped nature of many government systems and the lack of unified IT infrastructure are the greatest inhibitors to properly sharing information.
In July, the former commission members issued "Reflections on the Tenth Anniversary of the 9/11 Commission Report." Regarding the threat of terrorism, the report states, "The 'generational struggle' against terrorism described in 'The 9/11 Commission Report' is far from over. Rather, it is entering a new and dangerous phase, and America cannot afford to let down its guard."
The report makes two recommendations with regard to information sharing:
- The director of national intelligence should focus on advancing interagency information sharing, unified IT capabilities and other communitywide initiatives.
- Congress should enact legislation to enable companies to collaborate with the government to counter cybersecurity threats. "Companies should be able to share cyber threat information with the government without fear of liability," the report states.
Let us hope the Obama administration and Congress heed the continued advice of the 9/11 Commission.