Изображения страниц

proposed DHS. State and local governments and the private sector also have critical roles to play - as do significant portions of the international community. Information is already being shared between and among numerous government and private sector organizations and more can be done to facilitate even greater sharing, analyzing, integrating, and disseminating of information.

We have observed fragmentation of information analysis and sharing functions potentially requiring better coordination in many homeland security areas. For example, in a recent report on critical infrastructure protection (CIP), we indicated that some 14 different agencies or components had responsibility for analysis and warning activities for cyber CIP. Our recent testimony on aviation security indicated that the Immigration and Naturalization Service (INS), FBI and the Department of State all need the capacity to identify aliens in the United States who are in violation of their visa status, have broken U.S. laws, or are under investigation for criminal activity, including terrorism. GAO has also noted that information sharing coordination difficulties can occur within single departments, such as those addressed in our July 2001 review of FBI intelligence investigations and coordination within the Department of Justice. Procedures established by the Attorney General in 1995 required, in part, that the FBI notify the Criminal Division and the Office of Intelligence Policy and Review whenever a foreign counterintelligence investigation utilizing authorized surveillance and searches develops "...facts or circumstances...that reasonably indicate that a significant federal crime has been, is being, or may be committed...." However, according to Criminal Division officials, required notifications did not always occur and often, when they did, were not timely. The Attorney General and the FBI issued additional procedures to address the coordination concerns and ensure compliance, but these efforts have not been institutionalized.

*U.S. General Accounting Office, Critical Infrastructure Protection: Federal Efforts Require a More Coordinated and Comprehensive Approach for Protecting Information Systems, GAO-02-474 (Washington, D.C.: July 15, 2002).

*U.S. General Accounting Office, Aviation Security: Transportation Security Administration Faces Immediate and Long-Term Challenges, GAO-02-971T (Washington, D.C.: July 25, 2002).

*U.S. General Accounting Office, FBI Intelligence Investigations: Coordination Within Justice on Counterintelligence Criminal Matters Is Limited, GAO-01-780 (Washington, D.C.: July 2001).

Technological Impediments This country has tremendous resources at its disposal, including leading

edge technologies, a superior research and development base, extensive
expertise, and significant human capital resources. However, there are
substantial challenges in leveraging these tools and using them effectively
to ensure that timely, useful information is appropriately disseminated to
prevent or minimize terrorist attacks. One challenge is determining and
implementing the right format and standards for collecting data so that
disparate agencies can aggregate and integrate data sets. For example,
Extensible Markup Language (XML) standards are one option for
exchanging information among disparate systems. Further, guidelines and
procedures need to be specified to establish effective data collection
processes, and mechanisms need to be put in place to make sure that this
happens – again, a difficult task, given the large number of government,
private, and other organizations that will be involved in data collection.
Mechanisms will be needed to disseminate data, making sure that it gets
into the hands of the right people at the right time. It will be equally
important to disaggregate information in order to build baselines
(normative models) of activity for detecting anomalies that would indicate
the nature and seriousness of particular vulnerabilities. Additionally, there
is a lack of connectivity between databases and technologies important to
the homeland security effort. Databases belonging to federal law
enforcements agencies, for example, are frequently not connected, nor are
the databases of the federal, state, and local governments. In fact, we have
reported for years on federal information systems that are duplicative and
not well integrated."

'U.S. General Accounting Office, National Preparedness: Integrating New and Existing Technology and Information Sharing into an Effective Homeland Security Strategy, GAO02-811T (Washington, D.C.. June 7, 2002).

*XML is the universal format for structured documents and data on the Web that makes it easy for a computer to generate data, read data, and ensure that the data structure is unambiguous. XML avoids common pitfalls in language design: It is extensible, platformindependent, and supports internationalization and localization. XML is a flexible, nonproprietary set of standards for annotating or "tagging" information so that it can be transmitted over a network and readily interpreted by disparate systems. For more information on its potential use for electronic government initiatives, see U.S. General Accounting Office, Electronic Government. Challenges to Effective Adoption of the Extensible Markup Language, GAO-02-327 (Washington, D.C. April 2002).

"U.S. General Accounting Office, Information Technology: Enterprise Architecture Use Across the Federal Government Can Be Improved, GAO-02-6 (Washington, D.C.: February 2002).

Ineffective Collaboration

Ineffective collaboration among homeland security stakeholders remains one of the principal impediments to integrating and sharing information in order to prevent and minimize terrorist attacks. The committees' joint inquiry staff's initial report detailing numerous examples of strategic information known by the intelligence community prior to September 11th highlights the need to better ensure effective integration, collaboration, and dissemination of critical material." The joint inquiry staff's report focuses on the national intelligence community, but its implications are clearly evident for all homeland security stakeholders – government at all levels, as well as the private sector, must work closely together to analyze, integrate, and appropriately disseminate all useful information to the relevant stakeholders in order to combat terrorism and make the nation more secure.

GAO recognizes that this goal is easier to articulate than achieve and that some long-standing obstacles to improving information sharing between and among stakeholders at all levels will require significant changes in organizational cultures, shifts in patterns of access to and limitations on information, and improved processes to facilitate communication and interaction.

GAO's ongoing work illuminates some of the issues. For instance, officials
from the Department of Justice, FBI, and the Office of the Secretary of
Defense indicated that the vast majority of information—about 90
percent-is already publicly available, and that only about 10 percent of the
information is classified, sensitive, or otherwise restricted. The officials
said that the expectation for all homeland security participants to obtain
actionable information (actionable intelligence is information that is
specific enough to tell who, what, where, and when an attack will take
place) is unrealistic because, in most cases, the data do not exist or cannot
be recognized as actionable. These officials also said that they do share
actionable information with appropriate entities, but must also balance the
release of the information against the possibility of disclosures that may
reveal the sources and methods used to collect the information.

Non federal officials tend to echo these concerns. Since September 11th,
GAO has met with representatives of various state and local organizations

U.S. Congress, House and Senate Select Intelligence Committees, Joint Inquiry Staff
Statement, Part 1, (Washington, D.C.: September 18, 2002).

and conducted dozens of case studies of transit authorities, port authorities, and pipeline safety commissions and others entities, as well as testified before and heard testimonies from federal, state, and local officials at 11 congressional field hearings around the country. State and local officials continue to be frustrated by difficulties in the communication and sharing of threat information among all levels of government. Some of the problems they cited include: limited access to information because of security clearance issues, the absence of a systematic top-down and bottom-up information exchange, and uncertainties regarding the appropriate response to a heightened alert from the new homeland security advisory system. It is clear that sharing, analyzing, integrating, and disseminating information needs to occur both in and between all levels of government – and throughout organizations both vertically and horizontally.

A number of steps have been taken to address these issues, but clearly more needs to be done. Following the terrorist attacks of September 11a, a review by the Department of Justice found that America's ability to detect and prevent terrorism has been undermined significantly by restrictions that limit the intelligence and law enforcement communities' access to, and sharing of, information. The USA Patriot Act, enacted shortly after the terrorist attacks, was designed to address this problem through enhanced information sharing and updating information-gathering tools. The Patriot Act gives federal law enforcement agencies greater freedom to share information and to coordinate their efforts in the war on terrorism. Methods to use this authority are now being established and implemented, but the effectiveness of these changes will need to be evaluated.

Moreover, the private sector has a critical role in reducing our vulnerability from terrorists. The national strategy for homeland security states: "Government at the federal, state, and local level must actively collaborate and partner with the private sector, which controls 85 percent of America's infrastructure."" The strategy further states that the government at all levels must enable the private sector's ability to carry out its protection responsibilities through effective partnerships and designates the proposed DHS as the primary contact for coordination at the federal level.

"The White House, The National Strategy for Homeland Security (Washington, DC, July 16, 2002).

Recently, the President's Critical Infrastructure Protection Board issued a strategy recognizing that all Americans have a role to play in cyber security, and identifies the market mechanisms for stimulating sustained actions to secure cyberspace." The strategy recommends that the federal government identify and remove barriers to public-private information sharing and promote the timely two-way exchange of data to promote increased cyberspace security. Although industry groups already exchange security data, confidentiality concerns over the release of information may limit private sector participation. For example, the technology industry has said that any security information shared with the government should be exempt from disclosure under the Freedom of Information Act, which provides that any person has the right to request access to federal agency records or information.

GAO has also reported on how public-private information sharing practices can benefit CIP. In a report issued last October, GAO cited a number of important practices, including:

establishing trust relationships with a wide variety of federal and nonfederal entities that may be in a position to provide potentially useful information and advice on vulnerabilities and incidents,

• developing standards and agreements on how information will be used and protected;

⚫ establishing effective and appropriately secure communications mechanisms; and

⚫ taking steps to ensure that sensitive information is not inappropriately disseminated, which may require statutory change. 13

Clearly, these practices are applicable to intelligence and information sharing in the broadest sense-and for stakeholders. Effectively implementing these practices will require using the full range of management and policy tools.

The President's Critical Infrastructure Protection Board, The National Strategy to Secure Cyberspace, Draft (Washington, D.C.: September 2002).

"U.S. General Accounting Office, Information Sharing: Practices That Can Benefit Critical Infrastructure Protection GAO-02-24 (Washington, D.C.: Oct. 15, 2001).

« ПредыдущаяПродолжить »