Last Tuesday, March 10, The Markle Foundation Task Force on National Security in the Information Age released a report titled: Nation At Risk: Policy Makers Need Better Information to Protect the Country. (PDF here)
Members of the Task Force who prepared this report included: William Crowell, Bryan Cunningham, Jim Dempsey, John Gordon, Slade Gorton, Jeff Jonas (me!), Judith Miller, Jeffrey Smith, Abraham Sofaer, Rick White, and Richard Wilhelm.
We made the following five recommendations, calling for the accelerated creation of an information sharing framework:
1. Reaffirm Information Sharing as a Top Priority
2. Make Government Information Discoverable and Accessible to Authorized Users by Increasing the Use of Commercially Available Off-the-Shelf Technology
3. Enhance Security and Privacy Protections to Match the Increased Power of Shared Information
4. Transform the Information Sharing Culture with Metrics and Incentives
5. Empower Users to Drive Information Sharing by Forming Communities of Interest
The report is relatively short and to the point, just 27 pages long. It includes a handy four-page appendix summarizing all of the recommendations (pages 22-25).
Here are a few elements I would like to bring to the attention of my readers:
Recommendation 2 speaks to "Discoverability." Our Task Force built on our earlier recommendations (in prior reports) to use data indices – much like the card catalog at the library. Using indices, users can locate data in the enterprise and, if qualified for authorized use, limit their access to the relevant records. Notably, this model means less data is being transferred around, and therefore less data must be kept in sync. The risk of unintended disclosure is mitigated to a degree because fewer copies of data are being made. In short, indices allow users to locate just what they need and no more.
In recommendation 3, the Task Force makes a number of specific security and privacy recommendations. One of my favorite examples is:
"… including implementation of real-time audits of user compliance and behavior and immutable audit logs that record how a system has been used …"
These Immutable Audit Logs are clever little inventions that allow oversight and accountability groups to see exactly how a system has been used. Even a system administrator cannot secretly change the past by altering the log. Imagine: every time someone peeks into the card catalog, whether they find something or not, this is recorded in an indelible manner. What cards they saw, what books they looked at, and so on … all accounted for, with no way to hide the facts.
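To make the idea concrete, here is an added sketch (not from the report or from any system the Task Force describes) of one common way to get this property: a hash chain whose latest digest is handed to the oversight group as a checkpoint. The report does not specify a mechanism; the hash chain, the class and function names, and the sample queries are all assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed starting value for the chain


def _digest(prev_hash, record):
    # Canonical JSON so the same record always hashes to the same value.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only log of index queries; each entry commits to all prior ones."""

    def __init__(self):
        self.entries = []  # list of (record, entry_hash)

    def head(self):
        return self.entries[-1][1] if self.entries else GENESIS

    def record_query(self, user, terms, cards_found):
        # Misses are logged too: cards_found may be an empty list.
        record = {"seq": len(self.entries), "user": user,
                  "terms": terms, "cards_found": list(cards_found)}
        entry_hash = _digest(self.head(), record)
        self.entries.append((record, entry_hash))
        return entry_hash  # checkpoint to hand to the oversight group


def verify(entries, trusted_head):
    """Return the index of the first bad entry, or -1 if the log is intact."""
    prev = GENESIS
    for i, (record, entry_hash) in enumerate(entries):
        if record.get("seq") != i or _digest(prev, record) != entry_hash:
            return i
        prev = entry_hash
    # A fully rewritten or truncated chain is self-consistent but its head
    # no longer matches the checkpoint held outside the administrator's reach.
    return -1 if prev == trusted_head else len(entries)


if __name__ == "__main__":
    log = AuditLog()
    log.record_query("analyst_a", {"who": "J. Doe"}, ["card-17"])  # hit
    log.record_query("analyst_b", {"where": "Lisbon"}, [])         # miss
    print("intact:", verify(log.entries, log.head()) == -1)
```

The checkpoint is what defeats a privileged insider: an administrator can recompute every hash after editing an entry, but cannot change the digest the oversight group already holds.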
The use of the term "metrics" in recommendation 4 is also worth special mention. One such metric the Task Force would like to see is a report of what percent of a system’s information is discoverable, i.e., the percentage of records that have corresponding cards in the card catalog. Case in point: what is the value of a book on the shelf at the library if there is no related card in the catalog?
Finally, as indices are going to be the way information sharing gets accomplished … in my opinion, the essential policy debate must immediately begin considering the following:
1. How many indices? There are benefits for fewer. And there are different benefits for more. One index for law enforcement and one for intelligence? Or, one index for foreign collections and another for open source? One index, 20 indices, or 100?
2. Where will these indices physically reside? At Google? (Note: Google is an index already used for open source).
3. Which key attributes will be placed in the index? While the library uses subject, title and author … maybe one index will need to contain who, what, where, when.
4. How much latency between data changes in source systems and their corresponding change in the index? For example, if a watch list record is deleted in a source system, what is the maximum amount of time one would want to wait until the same record is redacted from the card catalog?
5. When a user searches the card catalog, who do you notify when an index card is found?
a. Only the inquirer?
b. Only the owner?
d. Neither, only a third party is notified?
e. No one can be told?
6. When there is any notification, what information is revealed about the index card to the inquirer and/or data owner?
a. All the attributes related to the index card?
b. Some of the other attributes on the card (e.g., search author and see title)?
c. No other attributes are revealed?
d. The custodian organization of the data record?
e. The custodian source system of the record?
f. The actual record number used to identify this piece of data in the source system?
g. The user, if any, associated with this record, e.g., the analyst’s name and phone number?
7. When there is a notification to a data owner, what information is revealed about the inquirer?
a. All the attributes related to the search?
b. Some of the other attributes on the search?
c. No other attributes are revealed?
d. The inquirer’s organization?
e. The inquirer’s source system?
f. The actual session number used to initiate the inquirer’s search?
g. The inquirer’s name and phone number?
8. What user audit standards and processes will be required to ensure the system is being used in accordance with law and policy?
9. What metrics will be kept and who can see which metrics?