Data sharing and security

Like the Bauer character, who himself is the fictional successor to an earlier superagent who liked his tipple 'shaken, not stirred,' federal IT users frequently will have to share information quickly if they hope to prevail or even survive in 2007.

The information-sharing conundrum is one of several that promise to stay on the desks of CIOs and other tech leaders, who already have their own 'day job' agency missions.

To frame this special report on federal IT in 2007, GCN reporters and editors met with a range of technology leaders and pooled their impressions of the most important agenda items shaping the year.

We chose, in honor of 2007, seven people, seven policies and seven programs that we believe will drive the pivotal issues in federal IT. Each of these 21 items will affect agencies differently, but surely will leave their mark before 2007 is in the books.

Against the background of the technical and policy issues that agencies will either seek to promote themselves or have forced onto their IT agendas, another overarching theme will continue to shade the arena: shaping appropriate information sharing.

So many official reports, speeches and commentators have soberly intoned the mantra of information sharing as the silver bullet for counterterrorism that a backlash has started.

One senior intelligence community official recently characterized the words information sharing as a 'bumper sticker' signaling lip service to the goal.

But at the technology level, CIOs and their strategic advisers have been weaving together systems that create data vines, so to speak, across which data can swing from one agency 'tree' to another.

They have laid the groundwork for common standards'from intelligence to medical to financial-management information'that will help agencies share data by standardizing various forms of metadata.

The intelligence community soon will release a group of seven IT security rule reforms designed to help agencies share data, partly by standardizing methods for defining the 'protection levels' that shield data from hijacking [GCN, Nov. 20, 2006, Page 17].

The related privacy protection issues also will garner heavy attention from Capitol Hill and private-sector advocates.

But there are a number of troublesome issues that must be corrected while dealing with privacy and security concerns.

'The privacy issue is going to be increasingly challenging,' said Ray Bjorklund, vice president for market intelligence and chief knowledge officer at Federal Sources Inc. of McLean, Va. 'The really gross instances of data being compromised, like the one at the Veterans' Affairs Department, have put that issue front and center for CIOs.'

In response to the VA data breach scandal, House Veterans' Affairs Committee chairman Steve Buyer (R-Ind.) pushed for IT centralization because of the agency's record of failed IT projects costing hundreds of millions of dollars.

Reforming VA technology put secretary Jim Nicholson in the role of challenging the 'centurions of status quo,' as Buyer calls them.

In late 2006, Nicholson signed a directive to fully centralize VA IT, including applications development, under CIO Robert Howard. Buyer calls VA's decision a model for other decentralized agencies to follow.

Consolidation Driver

James Carafano, senior fellow at the Heritage Foundation, calls that centralization trend, which is helping to drive data center consolidation, a move toward data-centricity similar to the Pentagon's drive to net-centricity.

Other agencies are moving toward centralization as a means of fostering information sharing and gaining control over information fiefdoms.

In the Homeland Security Department, G. Guy Thomas, the Coast Guard's science and technology adviser for the maritime domain awareness project, said the question of permission to access data lies at the core of the information-sharing issue.

'Technology is the easy part,' Thomas said. 'The problem is changing the policies so people understand that they have permission to share information, while at the same time making sure that they don't give away the store.'

Thomas said agencies' outlook on information sharing typically has been, 'What's mine is mine and what's yours is negotiable.' However, he cited two presidential documents, National Security Presidential Directive 21 and National Security Presidential Directive 41, that require agencies to improve information sharing.

Common and Collaborative

The ultimate goal that technologists and policy-makers should strive for is user-definable interfaces, which would provide a 'common operational picture that serves as an interface to a collaborative information environment,' Thomas said.

'I think the technology is there to build the system today,' Thomas said, 'but you clearly need the oversight as to who sees what information.'

The Coast Guard has worked with Johns Hopkins University and the Navy's Space and Naval Warfare Systems Command on the collaborative environment, Thomas said.

'Right now, we are trying to develop the investment strategy to develop the maritime domain awareness strategy,' Thomas said, foreshadowing 2007 as a pivotal year for decisions involving spending on the technology.

One of the most critical technology aspects of the information-sharing reform will be the gradual creation of standards for using 'High Assurance Guards [HAGs],' which are microchips that allow the transfer of information across various levels of classification.

And the Coast Guard is not alone in trying to improve their information-sharing abilities.

Departing director of national intelligence John Negroponte has been working through his CIO, retired Air Force Lt. Gen. Dale Meyerrose, to reshape the use of HAGs so police patrol officers, for example, can have access to certain classified information.

DOD and Intel also have taken small steps to better coordinate data, while civilian agencies, such as the Health and Human Services Department and the Office of Personnel Management are working on standards that will improve data sharing for medical and human resources data.

As the executive branch wrangles with its own issues, CIOs can expect much tougher scrutiny from a source that has been generally docile for six years: Congress, now controlled by the Democratic Party.

Leaders in Congress have signaled that they expect to increase oversight.
For example, Rep. Henry Waxman (D-Calif.), new chairman of the House Government Reform Committee, is working with his staff to arrange a series of oversight hearings on federal procurement and waste, fraud and abuse, sources said.

The House Homeland Security Committee, which has a history of relatively bipartisan oversight hearings, will hold federal IT accountable, according to its new chairman Bennie Thompson (D-La.).

As for actually passing laws, congressional Republicans have quickly found themselves in the same soundproof, locked room that they originally built for Democratic members.

Rep. Peter King (R-N.Y.) former chairman and now ranking member of the Homeland Security Committee, issued a letter to new speaker Nancy Pelosi (D-Calif.) citing her plans to move quickly on some homeland security legislation, especially that regarding the allocation of grant funds.

'Speaker-elect Nancy Pelosi has indicated that Democrats plan to bring legislation directly to the floor without first allowing subcommittees or committees to hold any hearings or markups,' King wrote. 'The legislation is expected to include several important and far-reaching homeland security measures, drafts of which we have not yet been allowed to view.'

Alongside lawmakers' competition for headlines, agencies' IT executives likely will have to approach Congress with their hats in hand to secure funding for a number of programs, including smart identification cards for federal employees and contractors under Homeland Security Presidential Directive-12 and
e-government, and Defense Department transformation projects as Future Combat Systems.

Dealing the Cards

HSPD-12 mandates the completion of background checks by next October for all employees and contractors with fewer than 15 years in their jobs. Since last October, agencies slowly have been issuing cards to employees and contractors and getting their infrastructure in place to use the cards.

Procurement policy and organizational changes, some of which could attract Hill scrutiny, also promise to complicate CIOs' business operations this year.

Interagency contracting will come into focus, and Office of Federal Procurement Policy administrator Paul Denett likely will review how agencies develop and implement multiple-award contracts and increase the oversight of these acquisition vehicles.

Along with Denett's attention to acquisition, industry experts say Waxman; Rep. Tom Davis (R-Va.), ranking member of the Government Reform Committee; and the House and Senate Armed Services committees will closely watch the Services Acquisition Reform Act panel's recommendations to improve service contracting.
The General Services Administration's ongoing reorganization promises to affect the ways federal agencies run acquisition projects. This could inspire agencies to use GSA's services again, by restoring trust in GSA's operations.

Amid the general concern about security, private companies finally got what they have been clamoring for over the past few years: a DHS assistant secretary for cybersecurity. Greg Garcia, who took over the position in September, will use his position to evangelize the importance of IT security as well as raising the expectations of federal agencies.

Meanwhile, OMB is approaching security via its Lines of Business approach. It likely will tap six agencies as centers of excellence'three to oversee Federal Information Security Management Act compliance and three in training.
On the military side, the Air Force's new Cyberspace Command will draw attention to the growing threat.

'The story that is really going to grow is this massive Chinese intrusion,' Carafano said, citing Chinese hacks at military service academies and other national security targets. 'At some point, somebody is really going to hold hearings on that.'

IT security also likely will focus on the spread of robust botnets or webs of zombie computers that are becoming increasingly difficult to crush.

As for the Chinese hacking threat and the possibility of Beijing or another foreign power mounting a similar attack linked with a physical attack, Uncle Sam will have to rely on the Jack Bauers of this world to quickly gather and share the information needed to finesse the threat.

'We are not the Pentagon,' said one federal homeland security official. 'I had 39 years with the Pentagon, and this is a different problem set that won't respond to the Pentagon approach of barging in and laying down the law. It has to be approached by a carefully built and orchestrated coalition of forces.'

A typical example of a coalition problem is the task of fielding technology to secure the borders, a task that calls for unprecedented data sharing.

'The more you merge and federate data, the more requirements you have for data security,' Carafano said. 'That means the different communities of interest each have to have their data secured without inhibiting the flow of information.'
FSI's Bjorkland noted that information sharing is not something CIOs can easily influence.

'I am not saying that CIOs are just technologists,' Bjorklund said. 'But the cultural barriers that have prevented information sharing have put the CIOs in the position of building tools so that federal officials can tap into one another's datasets.'