Learning to share

A dramatic shift is taking place in the federal intelligence community. Historically, those agencies thought that keeping investigative information and systems hidden from sight, even from one another, was the most effective way to fight crime or keep an eye on the nation's enemies. Various legal and technical barriers contributed to the long-standing divide, not to mention the occasional turf battle.

Now, with unprecedented security threats making coordinated intelligence and law enforcement operations more important than ever, those departments are working with one another, as well as with state and local agencies, to improve the flow of security-related data.

Four initiatives are under way to open up government agencies' internal networks so data can move more freely from employee to employee (see "Web of intelligence data expands"). The CIA is responsible for Intelink, the FBI for Law Enforcement Online (LEO), the State Department for OpenNet and the Justice Department for the Regional Information Sharing Systems (RISS) network.

While these networks now enable hundreds of thousands of government users to access classified and unclassified information, a great deal of work remains to be done before all of the data needed during an investigation is available via a few keystrokes.

The remaining tasks have less to do with daunting technical challenges and more to do with getting greater interagency coordination, amendments to current laws, new agency procedures and changes in employees' outlooks.

The ultimate goal is to connect different intelligence networks and outfit users with Web-based interfaces so they can easily find and examine pertinent information.

The easy flow of information should cut the time officers need to piece together snippets of data and locate criminals. Ideally, a police officer would know a person apprehended in a theft had had his visa revoked. Also, any changes would be available to all users immediately so that, for example, a state trooper would know that a motorist stopped for a speeding ticket one afternoon was wanted by the FBI for a murder committed that morning.

The desire for better integration among law agencies' systems is not new and these networks have been in place for years — for decades, in a few cases. However, a number of factors have made integration efforts more noticeable.

Changes Made, More Needed

The evolution of technology and the acceptance of standard protocols, such as IP and virtual private networks, have made it simpler for agencies to exchange information securely using widely available networks. But more importantly, there has been a growing recognition that different government groups need to share information. Historically, officers in one jurisdiction often did not know that data that could assist them in an investigation was available in another department's system.

Recent events forced government agencies to look at ways of easing information transfers. "We knew that information sharing was necessary for years, but the events on [Sept. 11, 2001] drove the point home emphatically," said Angelo Fiumara, deputy director, RISS Office of Information Technology.

In the aftermath of the terrorist attacks, it became clear that better information exchanges were needed not only among federal government agencies — such as the FBI and the former Immigration and Naturalization Service (now the Bureau of Citizen and Immigration Services) — but also at the state and municipal levels at which police, firefighters and EMTs responded to the attacks.

Although the four network integration initiatives had been under way before Sept. 11, 2001, they had been having some problems attracting attention and funding. The terrorist attacks changed that.

"Since [Sept. 11], Congress and the administration have made funding the different integration projects a top priority," said James Holmes, director of the office of eDiplomacy at the State Department.

With the attention and funding have come the nitty-gritty logistics, such as how to connect the different groups.

First, the intelligence groups have classified information with very specific limits on access: Top Secret is data limited to select officials in agencies such as the CIA and FBI; Sensitive is information of a military nature and is handled by the Defense Department; Policy designates data intended for people who develop the policies that outline who should have access to what; and then there is unclassified data. These classifications can be programmed into agency systems to control user access to records.

The agencies must define the network and system interfaces to move data from place to place. There had been some talk initially about setting up a grandiose set of proprietary interfaces that would link systems in a one-to-one style of connections, but that was shelved because such connections would have been too complex and too expensive to develop and maintain.

Instead, the government is focusing on using existing industry standards such as Secure Sockets Layer, X.509 digital certificates, public-key infrastructures, Standard Generalized Markup Language and Web browsers. The idea is to provide pointers to data locations rather than extracts of the data itself.

That means that individual agencies would be responsible for providing authorized users with access to specific data on their systems, rather than supplying their data, or exporting it, to a system maintained elsewhere.

Sharing Private Information

A big challenge stems from designing policies about what personal information should be shared and which users can access it.

The U.S. Constitution affords citizens with basic protections, such as a right to privacy, so agencies have to be extremely careful about safeguarding information. Who should be granted access to sensitive data — from police chiefs or patrol officers at the local level to FBI agents or regional directors at the federal — is an ongoing debate in the law enforcement field.

For instance, the State Department is now struggling with how much information can be shared about immigrants in the United States. "The current statute [221.F of the Immigration and Naturalization Act] is written so visa data is confidential unless a person is already subject to a criminal or visa violation," said a spokesperson for the agency.

Some of the issues have already been addressed. For example, the government is now collecting potentially sensitive information from private organizations, such as electric companies, airlines and chemical factories.

"Corporations were concerned that if they made their vulnerabilities known, someone could use the Freedom of Information Act to gain that data and damage their public image," said Ron Dick, director of information assurance strategic initiatives at Computer Sciences Corp., based in El Segundo, Calif.

In response to this concern, Congress included a provision in the USA Patriot Act that exempts critical infrastructure information from FOIA requests.

Although law enforcement communications face many challenges, most observers think a great deal of progress has been made. "The communications among different law enforcement groups have been rapidly improving," said State's Holmes. "It's not perfect yet, but it is much better than it was a few years ago."

Korzeniowski is a freelance writer in Sudbury, Mass., who specializes in IT issues. He can be reached at paulkorzen@aol.com.

***

Secure access to information

Participating agencies: The agencies with the primary responsibility for designing and maintaining the links are the CIA, the FBI, and the State and Justice departments. A large number of other federal agencies, including elements of the departments of Agriculture, Commerce, Defense, Homeland Security and Treasury, as well as agencies such as the National Security Council and the Peace Corps, make some of their information available to others. In addition, approximately 35,000 state and municipal law enforcement agencies can view the information.

Nature of information exchange: The various agencies have put a wide range of data about law enforcement matters on file. The information includes unclassified data, such as the contact information for a city's police department, to highly sensitive data, such as an organized crime boss' complete profile.

IT solution: The network connections are based largely on a series of standard IP protocols, such as Secure Sockets Layer, X.509 digital certificates, public-key infrastructure and Standard Generalized Markup Language. The federal government has added to these standards where necessary to ensure that the proper level of security is given to confidential and public documents.

Cost: The costs are spread across the participating agencies.