Last Tuesday, March 10, The Markle Foundation Task Force on National Security in the Information Age released a report titled: Nation At Risk: Policy Makers Need Better Information to Protect the Country. (PDF here)
Members of the Task Force who prepared this report included: William Crowell, Bryan Cunningham, Jim Dempsey, John Gordon, Slade Gorton, Jeff Jonas (me!), Judith Miller, Jeffrey Smith, Abraham Sofaer, Rick White, and Richard Wilhelm.
We made the following five recommendations, calling for the accelerated creation of an information sharing framework:
1. Reaffirm Information Sharing as a Top Priority
2. Make Government Information Discoverable and Accessible to Authorized Users by Increasing the Use of Commercially Available Off-the-Shelf Technology
3. Enhance Security and Privacy Protections to Match the Increased Power of Shared Information
4. Transform the Information Sharing Culture with Metrics and Incentives
5. Empower Users to Drive Information Sharing by Forming Communities of Interest
The report is relatively short and to the point, just 27 pages long. It includes a handy four-page appendix summarizing all of the recommendations (pages 22-25).
Here are a few elements I would like to bring to the attention of my readers:
Recommendation 2 speaks to "Discoverability." Our Task Force built on our earlier recommendations (in prior reports) to use data indices – much like the card catalog at the library. Using indices, users can locate data in the enterprise and, if qualified for authorized use, access only the records of relevance. Notably, this model means less data is transferred around, and therefore less data must be kept in sync. The risk of unintended disclosure is mitigated to a degree because fewer copies of data are made. In short, indices allow users to locate just what they need and no more.
In recommendation 3, the Task Force makes a number of specific security and privacy recommendations. One of my favorite examples is:
"… including implementation of real-time audits of user compliance and behavior and immutable audit logs that record how a system has been used …"
These Immutable Audit Logs are clever little inventions that allow oversight and accountability groups to see exactly how a system has been used. Even a system administrator cannot secretly change the past by altering the log. Imagine that every time someone peeks into the card catalog, whether they find something or not, this is recorded in an indelible manner. What cards they saw, what books they looked at, and so on … all accounted for with no way to hide the facts.
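An added example, not from the report or the original post: a minimal hash-chained audit log for card catalog searches, showing how an edit, a truncation, or a full re-hash by an administrator is detected when oversight keeps the latest hash off-system. The class, function and field names and the sample entries are assumptions; hash chaining is one common way to build such a log, not necessarily what the Task Force had in mind.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # fixed anchor that the first entry chains to
FIELDS = ("seq", "user", "query", "cards")

def entry_digest(prev_hash, body):
    # Canonical JSON, so the same entry always produces the same hash.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()

class AuditLog:
    """Append-only log; every entry commits to the hash of the one before it."""

    def __init__(self):
        self.entries = []

    def head(self):
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def record_search(self, user, query, cards):
        # A search that finds nothing (empty cards) is recorded as well.
        body = {"seq": len(self.entries), "user": user,
                "query": query, "cards": list(cards)}
        prev = self.head()
        self.entries.append(dict(body, prev=prev, hash=entry_digest(prev, body)))
        return self.head()  # overseers store this outside the admin's reach

def verify(entries, trusted_head):
    """Return None if intact, else the index where the chain first breaks."""
    prev = GENESIS
    for i, e in enumerate(entries):
        body = {k: e[k] for k in FIELDS}
        ok = (e["seq"] == i and e["prev"] == prev
              and hmac.compare_digest(e["hash"], entry_digest(prev, body)))
        if not ok:
            return i
        prev = e["hash"]
    # A fully re-hashed or truncated log is caught by the head held off-system.
    return None if hmac.compare_digest(prev, trusted_head) else len(entries)

def sample_log():
    # Constructed sample searches, not real data.
    log = AuditLog()
    log.record_search("analyst7", "author:smith", ["card-101", "card-245"])
    log.record_search("analyst7", "title:nonexistent", [])
    log.record_search("admin1", "subject:watchlist", ["card-900"])
    return log
```

The chain only makes the log tamper-evident; the guarantee against an administrator rests on `trusted_head` being held by a party the administrator cannot write to.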
The use of the term "metrics" in recommendation 4 is also worth special mention. One such metric the Task Force would like to see is reporting what percent of a system’s information is discoverable, i.e., the percentage of records that have corresponding cards in the card catalog. Case in point: what is the value of a book on the shelf at the library if there is no related card in the catalog?
Finally, as indices are going to be the way information sharing gets accomplished … in my opinion, the essential policy debate must immediately begin considering the following:
1. How many indices? There are benefits for fewer. And there are different benefits for more. One index for law enforcement and one for intelligence? Or, one index for foreign collections and another for open source? One index, 20 indices, or 100?
2. Where will these indices physically reside? At Google? (Note: Google is an index already used for open source).
3. Which key attributes will be placed in the index? While the library uses subject, title and author … maybe one index will need to contain who, what, where, when.
4. How much latency between data changes in source systems and their corresponding change in the index? For example, if a watch list record is deleted in a source system, what is the maximum amount of time one would want to wait until the same record is redacted from the card catalog?
5. When a user searches the card catalog, who do you notify when an index card is found?
a. Only the inquirer?
b. Only the owner?
c. Both?
d. Neither, only a third party is notified?
e. No one can be told?
6. When there is any notification, what information is revealed about the index card to the inquirer and/or data owner?
a. All the attributes related to the index card?
b. Some of the other attributes on the card (e.g., search author and see title)?
c. No other attributes are revealed?
d. The custodian organization of the data record?
e. The custodian source system of the record?
f. The actual record number used to identify this piece of data in the source system?
g. The user, if any, associated with this record, e.g., the analyst’s name and phone number?
7. When there is a notification to a data owner, what information is revealed about the inquirer?
a. All the attributes related to the search?
b. Some of the other attributes on the search?
c. No other attributes are revealed?
d. The inquirer’s organization?
e. The inquirer’s source system?
f. The actual session number used to initiate the inquirer’s search?
g. The inquirer’s name and phone number?
8. What user audit standards and processes will be required to ensure the system is being used in accordance with law and policy?
9. What metrics will be kept and who can see which metrics?
RELATED POSTS:
Discoverability: The First Information Sharing Principle
Information Sharing: Got Directory?
No Need to "Over Share" – Thoughts on Information Sharing
It’s All About the Librarian! New Paradigms in Enterprise Discovery and Awareness
Federated Discovery vs. Persistent Context – Enterprise Intelligence Requires the Later
Full Attribution, Don’t Leave Home Without It
Out-bound Record-level Accountability in Information Sharing Systems
Hi Jeff,
With sincere apologies to Sean Connery, I am dismayed that people are still bringing a knife to an information sharing gun fight—the importance of information sharing, data discoverability, security protections, metrics and incentives, and empowerment have been documented many times over since I became involved in information sharing in 1999 and have proved to be of little value to making information sharing happen.
I believe a significant reason for this is that information sharing has been seen as the "main thing." Information sharing should NEVER be seen as the main thing; it is simply a means to an end. I have never forgotten what Scott McNealy of Sun Microsystems said—“The main thing is to keep the main thing the main thing.” And, the main thing for government is safe streets, clean air and water, a strong economy, etc…NOT information sharing.
The "guns" that we need to bring to the information sharing table are simply engaged executive leadership and accountability for mission results.
Of the many significant information sharing projects around the country that I have been a part of, I can tell you that the most important ingredient for successful information sharing is: “An agency executive who actively communicates an operational imperative for mission success and then holds their managers accountable for using information sharing as a critical enabler for achieving desired mission results.” [I have a few blog posts on the subject at http://www/nowheretohide.org/wordpress]
While I agree that good security, good technology, good project management, good metrics and the like are necessary, none of this will matter if the need for information sharing is relegated two or three levels down the organization chart or is just seen as an edict from above—federal, state, and municipal agencies are already choking on multiple (and often conflicting and unfunded) mandates.
With my apologies to our President, the PM-ISE, and the Markle Foundation there is nothing more they can print on a sheet of paper to make information sharing happen—hundreds of executive orders, national strategies, task force reports, and security policies have been published—what more could they possibly say?
I believe it now comes down to the individual will of executive leadership in those federal, state and municipal agencies who hold the information that should be made shareable and their capacity to make it happen within their respective agencies. And that Jeff is the one area where I do believe that President Obama and our Congress can help—by simply ensuring that the people they choose to lead those agencies a) truly embody the will, character, and leadership qualities to achieve the mission and b) understand the value that information sharing brings to help make that happen.
r/Chuck Georgo
www.nowheretohide.org
Posted by: Chuck Georgo | March 17, 2009 at 06:43 AM
Jeff and Chuck--
As a Member of the Markle Foundation Task force on National Security in the Information Age, former Deputy Legal Adviser to the National Security Council, career CIA officer and federal prosecutor, and information security and privacy lawyer, I couldn't agree more with the priority you place on leadership and holding people accountable. Though I'm speaking only for myself here, I strongly believe that this understanding is why the VERY FIRST recommendation in the latest Markle report is for the President and Congress to exert precisely that type of leadership.
That said, I know from personal experience two additional things:
First, it was not until quite recently that the COTS technology was easily and affordably available to fully enable our vital national interests -- protecting against another terrorist attack, systemic risk analysis to protect the economy, enabling the President's vision of fully electronicized (word creation alert) health care records -- that also fully protect our privacy and civil liberties. So, it's worth informing/reminding folks of that fact.
Second, having weathered the bureaucracies of three Administrations of both political parties, I can say with certainty that:
-- the need to inform new (or returning after eight years of technology and world change) policymakers at all levels of the key lessons cited in the Markle report is real and vital; and
-- unfortunately, the constant requirement to push back (like Sisyphus up the rock) the tireless arguments of the legion of recalcitrant bureaucrats, like "technology's not there," "privacy laws prevent it," etc., etc., etc., is, unfortunately, still a reality.
I think a careful read of the report Jonas cites will show that, in most ways, Chuck's note and the Markle report are in violent agreement.
Cheers.
Bryan Cunningham
www.morgancunningham.net
Posted by: BC | March 17, 2009 at 06:13 PM
Being able to locate, share and use information can make a difference only if information is "available" in the first place. Poorly conceived classification practices, and the proliferation of even more poorly conceived pseudo classification devices have grown to epidemic proportions since 2001. Until this is fixed, policies, technologies and metrics that miss this sad fact also will miss the mark.
Posted by: Chuck Brownstein | March 18, 2009 at 10:49 AM
An essential component of this national challenge can indeed be found in the technological and systems acquisition arenas. Leadership, accountability, strong cultural underpinnings and relevant processes and measures for sharing and collaboration are all important, of course - and should receive continual focus, as the Markle report outlines.
But, over the last decade or more we've architected ourselves into IP network and governance stovepipes across the fabric of USG organizations and these islands of IT capability conspire to thwart the best intentions of even the most enlightened senior leaders and mid-tier supervisors who might otherwise be inclined to open their organizational kimono and start building a culture of horizontal, community-of-interest-based sharing and collaboration. Part of the problem is the onerous regulatory environment that Congress has created -- essentially driving federal program planning, budgeting, systems architecture, systems engineering and technology acquisition processes into organizationally-bounded vertical structures. From stovepiped CIO and Senior Acquisition Executive (SAE) structures come stovepiped IP-based systems. No surprise.
A commenter above said the USG really can not put much more to paper that would move us in the direction of solving some of these intractable challenges. I'm not sure I agree. I think the next Markle study on this set of challenges should be about acquisition reform and taking a critical look at Clinger-Cohen (ITMRA) and the various OMB Circulars that drive these onerous, bureaucratic and "born-stovepiped" technology procurement models. It has been my sense for years, having watched these dynamics from the inside, that regulatory reform and acquisition reform are essential first steps to solving this.
Posted by: Dave McDonald | March 22, 2009 at 02:39 PM
Jeff, I am trying to contact you regarding a possible speaking engagement. Please call me at 1-800-308-9034 ASAP.
Jeff Tobe
President
Infinite Speakers Agency
Posted by: Jeff Tobe | July 16, 2009 at 07:09 AM