and conducted dozens of case studies of transit authorities, port authorities, and pipeline safety commissions and others entities, as well as testified before and heard testimonies from federal, state, and local officials at 11 congressional field hearings around the country. State and local officials continue to be frustrated by difficulties in the communication and sharing of threat information among all levels of government. Some of the problems they cited include: limited access to information because of security clearance issues, the absence of a systematic top-down and bottom-up information exchange, and uncertainties regarding the appropriate response to a heightened alert from the new homeland security advisory system. It is clear that sharing, analyzing, integrating, and disseminating information needs to occur both in and between all levels of government - and throughout organizations both vertically and horizontally. A number of steps have been taken to address these issues, but clearly more needs to be done. Following the terrorist attacks of September 11", a review by the Department of Justice found that America's ability to detect and prevent terrorism has been undermined significantly by restrictions that limit the intelligence and law enforcement communities' access to, and sharing of, information. The USA Patriot Act, enacted shortly after the terrorist attacks, was designed to address this problem through enhanced information sharing and updating information-gathering tools. The Patriot Act gives federal law enforcement agencies greater freedom to share information and to coordinate their efforts in the war on terrorism. Methods to use this authority are now being established and implemented, but the effectiveness of these changes will need to be evaluated. Moreover, the private sector has a critical role in reducing our vulnerability from terrorists. The national strategy for homeland security states: "Government at the federal, state, and local level must actively collaborate and partner with the private sector, which controls 85 percent of America's infrastructure." The strategy further states that the government at all levels must enable the private sector's ability to carry out its protection responsibilities through effective partnerships and designates the proposed DHS as the primary contact for coordination at the federal level. "The White House, The National Strategy for Homeland Security (Washington, DC, July 16, 2002). Recently, the President's Critical Infrastructure Protection Board issued a strategy recognizing that all Americans have a role to play in cyber security, and identifies the market mechanisms for stimulating sustained actions to secure cyberspace." The strategy recommends that the federal government identify and remove barriers to public-private information sharing and promote the timely two-way exchange of data to promote increased cyberspace security. Although industry groups already exchange security data, confidentiality concerns over the release of information may limit private sector participation. For example, the technology industry has said that any security information shared with the government should be exempt from disclosure under the Freedom of Information Act, which provides that any person has the right to request access to federal agency records or information. GAO has also reported on how public-private information sharing practices can benefit CIP. In a report issued last October, GAO cited a number of important practices, including: • establishing trust relationships with a wide variety of federal and nonfederal entities that may be in a position to provide potentially useful information and advice on vulnerabilities and incidents, • developing standards and agreements on how information will be used and protected; ⚫ establishing effective and appropriately secure communications mechanisms; and ⚫ taking steps to ensure that sensitive information is not inappropriately disseminated, which may require statutory change.13 Clearly, these practices are applicable to intelligence and information sharing in the broadest sense-and for stakeholders. Effectively implementing these practices will require using the full range of management and policy tools. The President's Critical Infrastructure Protection Board, The National Strategy to Secure Cyberspace, Draft (Washington, D.C.: September 2002). PU.S. General Accounting Office, Information Sharing: Practices That Can Benefit Previously, GAO observed that the federal government has not effectively planned and implemented risk assessment and management efforts. We noted in testimony before Congress last October that individual federal agencies have efforts under way, but the results to date have been inconclusive." In the past, we have recommended that the FBI and the DOD enhance their efforts to complete threat and vulnerability assessments and to work with state and local governments in order to provide comprehensive approaches. Although some of this work was accomplished, delays resulting from the September 11th attacks have prevented their completion. Nevertheless, assessments can help in efforts to pinpoint risks and reallocate resources: For example, after September 11th the Coast Guard conducted initial risk assessments of the nation's ports. The Coast Guard identified high-risk infrastructure and facilities "U.S. General Accounting Office, Homeland Security: A Risk Management Approach Can Guide Preparedness Efforts, GAO-02-208T (Washington, D.C.: October 31, 2001). interagency information architecture to support efforts to find, track, and respond to terrorist threats. This effort is among the Administration's budget priorities for fiscal year 2004. • Integrate information sharing across state and local governments, private industry, and citizens. This initiative describes efforts to disseminate information from the federal government to state and local homeland security officials. One effort, to allow the exchange of information on federal and state government Web sites, has been completed. • Adopt common "meta-data" standards for electronic information relevant to homeland security. This initiative is intended to integrate terrorist-related information from government databases and allow the use of "data mining” tools for homeland security. This effort is under way. • Improve public safety emergency communications. This initiative is intended to develop comprehensive emergency communications systems that can disseminate information about vulnerabilities and protective measures and help manage incidents. State and local governments often report that there are deficiencies in their communications capabilities, including the lack of interoperable systems. Such systems are necessary between and among all levels of government. This effort is planned, but no timeline is indicated. • Ensure reliable public health information. The last initiative is intended to address reliable communication between medical, veterinary, and public health organizations. It is under way. |