Tuesday, August 9, 2011
Protecting the systems and processes Federal, State, and local entities use to exchange information may seem to be a trade-off in terms of effective sharing, in which more security and privacy would appear to restrict the free flow of information; yet in
Protecting the systems and processes Federal, State, and local entities use to exchange information may seem to be a trade-off in terms of effective sharing, in which more security and privacy would appear to restrict the free flow of information; yet in the long term, data protection is a key enabler for the ISE.

The ability of Federal agencies to share information on effective practices, as well as issues of concern, has become a central mission goal for law enforcement, homeland security, intelligence, and computer security.  The Information Sharing Environment (ISE) (www.ise.gov) – a US Government office -- promotes and coordinates activities to improve and increase the transfer of data among Federal, State, local, international, and private sector stakeholders.  The Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA), Section 1016 (http://www.nctc.gov/docs/irtpa.pdf), authorizes the ISE to achieve this mission for information related to terrorism and homeland security, but ISE partners span a across broad spectrum of information that impacts citizens, businesses and governments each day. The ISE is led by Program Manager Kshemendra Paul, and supported by a strong staff and governance network that includes leaders at all levels of government.

Clearly, getting the right information to the right place at the right time can help to prevent incidents before they occur, respond more quickly when they occur, and develop a proactive posture among government and industry.  At the same time, much of this information is personally identifiable, and thus needs protection to respect law and norms around privacy.  Moreover, the systems that carry information from agency to agency and from Washington to the States need a level of security that inhibits the ability of harmful actors to do damage. 

A conventional view of privacy, security, and information sharing might hold that the three goals involve a trade-off, where more of one means less of the others.  However, the long term success of the ISE depends critically on an integrating privacy and security into the fabric of sharing – not as an afterthought but as a foundational element, a principle reinforced in Guideline  5 of the President’s memorandum implementing IRTPA, “Protect the Information Privacy Rights and Other Legal Rights of Americans”  (http://www.ise.gov/sites/default/files/Memo_on_Guidelines_and_Rqmts_in_Support_of_the_ISE.pdf).

I recently moderated a panel at the Integrated Justice Information System (IJIS) (www.ijis.org) Summer Industry Briefing (http://www.ijis.org/_newsroom/briefing_2011_summer.html) that addressed this question.  The panel, which included Director of the Nationwide Suspicious Activity Reporting (SAR) Office (http://nsi.ncirc.gov) Thomas O’Reilly and IJIS Vice-President Mary Ellen Condon, discussed a number of factors that support the integration of privacy and security into information sharing. These factors include:

  • Make security and privacy part of the basic architecture for information sharing.  When identifying data, systems, processes, analytics, and other elements of a strategy to exchange data, address how the information will be protected as part of the initial design – rather than establishing flow first and worrying about protection later.
  • Conversely, point to sharing as part of the agency’s security and privacy programs.  Many data protection programs focus on the inner workings of security and privacy, as well as compliance with law and policy – better to frame the programs to start as enabling key mission goals, like the ISE.
  • As information sharing programs mature, raise the level of data protection.  With more players who send and receive information, and with greater sensitivity of that information – especially PII – comes the need for strengthening policy, process, and technology used to safeguard the data.

By taking steps like those above, government and industry can build stronger sharing regimes that leverage security and privacy to strengthen outcomes at the strategic, operational, and tactical levels.  Rather than simply asking “how should we secure”, this approach encourages questions like “what is the best way to secure while still getting the information to the right place at the right time”. 

This approach is especially important as key ISE stakeholders look to the Internet, social media, and other open sources as ways to identify and exchange information.  Traditional systems that are locked from public view present traditional challenges for security and privacy.   Open systems require increased attention to fair information privacy principles like minimizing the amount of data collected, as well as internet-based security protections like careful and continuous monitoring of the interfaces between government and public databases.

The ISE represents a major step forward in terms of cross-government and industry collaboration to make the nation safer.  Its goals and principles are being picked up in other settings that involve multiple parties that exchange high-stakes information, like health care.  In all of these areas, an increased focus on security and privacy will both improve the functioning of the system as a whole, and build public confidence and trust that their sensitive personal information is being treated with proper care.

Stay tuned to this space for more on this critical issue.