Sharing: Easier said than done
When Cisco Systems Inc. found a flaw in its software that might have allowed hackers to shut down a substantial portion of the Internet, the company alerted customers and called on educational and research institutions, industry organizations and government agencies to help convey the urgency of the problem.
During the incident, which began July 17, the new National Cyber Security Division of the Homeland Security Department notified federal agencies and industry organizations of the vulnerability. A conference call that included representatives of 22 trade groups was one way the DHS unit communicated the need for fast workarounds and patches to head off denial-of-service attacks.
Andy Purdy, acting deputy director of the DHS division, cited the response to the July incident as an example of successful information sharing for homeland security in his remarks during the recent Government Security Expo and Conference in Washington, D.C.
It was a rare bright spot in an ongoing discussion of the difficulties of using information effectively in the war on terrorism. Few dispute that information sharing may strengthen defenses and improve efficiency. But July's reports, meetings, press conferences and hearings make it clear that progress in developing information-sharing relationships and mechanisms that cross organizational boundaries has been slow.
"We are leaders in technology, yet we seem unable to come to grips with how to share information," said Rep. Jim Turner (D-Texas), ranking member of the House Select Committee on Homeland Security, during a press conference in which the Bush administration's progress on homeland security came under fire.
A joint congressional committee reported that inadequate information sharing was a contributing factor in the terrorists' ability to catch the United States unprepared Sept. 11, 2001.
"Information was not sufficiently shared, not only between different intelligence community agencies but also within individual agencies and between the intelligence and the law enforcement agencies," according to the committee's report.
The tangle of rules that restrict the release of federal agencies' information got part of the blame from one expert at the GovSec conference, J. William Leonard.
Leonard, director of the Information Security Oversight Office in the National Archives and Records Administration, pointed to the creation of the "sensitive but unclassified" category in the 1987 Computer Security Act as a key example of layering new rules on top of old ones and failing to synchronize them.
Not only are there too many rules, but the definitions are unclear, Leonard said. "If you had 100 bureaucrats in a room, you'd get 101 definitions of 'sensitive but unclassified,' " he quipped.
"We have more varieties of classification in the federal government than Heinz's 57 varieties," Leonard said.
The government needs to share information and it needs to protect information, Leonard said, but it has yet to make clear to employees how to distinguish between what should be protected and what should be shared. Few are sure who is authorized to release information, and there should be an appeals mechanism for reviewing those decisions.
"The whole concept of need-to-know needs to be revisited," he said.
Aldona Valicenti, chief information officer for Kentucky, said it has been difficult to get security clearances for state officials who may need access to classified information.
Another barrier she cited is the lack of up-to-date technology in some local law enforcement and public health offices. For a sheriff's office in a small city, she said, "a fax machine is high technology."
Valicenti, former president of the National Association of State CIOs, said the association is developing an information-sharing center for states. She also held out hope that the enterprise architecture efforts under way in the states and the federal government will facilitate information sharing.
Information technology has a major role to play in homeland security, she said, but "it has not always been understood when the technology issues need to be at the table."
Valicenti also said information sharing among homeland security officials at the state and federal levels is improving, but the private sector is insufficiently involved in the information exchanges.
Purdy, Valicenti and others expressed hope that the information sharing and analysis centers being established in key industries with DHS' encouragement will prove to be useful vehicles for information sharing across the boundaries between government and the private sector.
Judi Hasson contributed to this story.