Challenges to Effective
Information Sharing

homeland security issues. Our ongoing work includes evaluations of information sharing activities in homeland security, including reviews of airport and transportation security, seaport security and law enforcement agencies. However, as the committees are aware, GAO's work in evaluating the activities of the intelligence community historically has been limited, due in part to limitations imposed by the intelligence agencies and the small number of requests made by Congress. My statement today reflects this limitation on evaluations of the intelligence community and focuses more broadly on information sharing among various homeland security stakeholders.

In my testimony today, I will discuss (1) some of the challenges to effective
information sharing, including the fragmentation of information analysis
responsibilities, and technology and collaboration challenges, and
(2) GAO's views on addressing these challenges through transformational
strategies, including strengthening the risk management framework;
refining the national strategy, policy, and guidance structures to emphasize
collaboration and integration among homeland security stakeholders to
achieve common goals; and bolstering the fundamental management
foundation integral to effective public sector performance and
accountability. The statement also includes an appendix that lists GAO's
recommendations on combating terrorism and the status of their
implementation, as well as a list of related products.

The success of a homeland security strategy relies on the ability of all levels

of government and the private sector to communicate and cooperate effectively with one another. Activities that are hampered by organizational fragmentation, technological impediments, or ineffective collaboration blunt the nation's collective efforts to prevent or minimize terrorist acts.

Information Sharing
Fragmentation

GAO and other observers of the federal government's organization, performance, and accountability for combating terrorism and homeland security functions have long recognized the prevalence of gaps, duplication, and overlaps driven in large part by the absence of a central policy focal point, fragmented missions, ineffective information sharing, human capital needs, institutional rivalries, and cultural challenges. In recent years, GAO has made numerous recommendations related to changes necessary for improving the government's response to combating terrorism.' Prior to the establishment of the Office of Homeland Security (OHS), GAO found that the federal government lacked overall homeland security leadership and management accountable to both the President and Congress. GAO has also stated that fragmentation exists in both coordination of domestic preparedness programs and in efforts to develop a national strategy."

GAO believes that the consolidation of some homeland security functions makes sense and will, if properly organized and implemented, over time lead to more efficient, effective, and coordinated programs, better information sharing, and a more robust protection of our people, borders, and critical infrastructure. At the same time, even the proposed Department of Homeland Security (DHS), will still be just one of many players with important roles and responsibilities for ensuring homeland security. In addition, the creation of DHS will not be a panacea. It will create certain new costs and risks, which must be addressed.

As it is with so many other homeland security areas, it is also the case for intelligence and information sharing that there are many stakeholders who must work together to achieve common goals. Effective analysis, integration, and dissemination of intelligence and other information critical to homeland security requires the involvement of the Central Intelligence Agency (CIA), Federal Bureau of Investigation (FBI), the National Security Council (NSC), the National Security Agency (NSA), the Department of Defense (DOD), and a myriad of other agencies, and will also include the

'U.S. General Accounting Office, Combating Terrorism: Selected Challenges and Related Recommendations, GAO-01-822 (Washington, D.C.: September 2001).

U.S. General Accounting Office, Combating Terrorism: Comments on Counterterrorism
Leadership and National Strategy, GAO-01-556T (Washington, D.C.: March 27, 2001).

"U.S. General Accounting Office, Homeland Security: Critical Design and Implementation Issues, GAO 0-957T (Washington, D.C.: July 17, 2002).

proposed DHS. State and local governments and the private sector also have critical roles to play - as do significant portions of the international community. Information is already being shared between and among numerous government and private sector organizations and more can be done to facilitate even greater sharing, analyzing, integrating, and disseminating of information.

We have observed fragmentation of information analysis and sharing functions potentially requiring better coordination in many homeland security areas. For example, in a recent report on critical infrastructure protection (CIP), we indicated that some 14 different agencies or components had responsibility for analysis and warning activities for cyber CIP. Our recent testimony on aviation security indicated that the Immigration and Naturalization Service (INS), FBI and the Department of State all need the capacity to identify aliens in the United States who are in violation of their visa status, have broken U.S. laws, or are under investigation for criminal activity, including terrorism. GAO has also noted that information sharing coordination difficulties can occur within single departments, such as those addressed in our July 2001 review of FBI intelligence investigations and coordination within the Department of Justice. Procedures established by the Attorney General in 1995 required, in part, that the FBI notify the Criminal Division and the Office of Intelligence Policy and Review whenever a foreign counterintelligence investigation utilizing authorized surveillance and searches develops "...facts or circumstances...that reasonably indicate that a significant federal crime has been, is being, or may be committed...." However, according to Criminal Division officials, required notifications did not always occur and often, when they did, were not timely. The Attorney General and the FBI issued additional procedures to address the coordination concerns and ensure compliance, but these efforts have not been institutionalized.

'U.S. General Accounting Office, Critical Infrastructure Protection: Federal Efforts Require a More Coordinated and Comprehensive Approach for Protecting Information Systems, GAO-02-474 (Washington, D.C.: July 15, 2002).

'U.S. General Accounting Office, Aviation Security: Transportation Security Administration Faces Immediate and Long-Term Challenges, GAO-02-971T (Washington, D.C.: July 25, 2002).

*U.S. General Accounting Office, FBI Intelligence Investigations: Coordination Within Justice on Counterintelligence Criminal Matters Is Limited, GAO-01-780 (Washington, D.C.: July 2001).

Technological Impediments

This country has tremendous resources at its disposal, including leading
edge technologies, a superior research and development base, extensive
expertise, and significant human capital resources. However, there are
substantial challenges in leveraging these tools and using them effectively
to ensure that timely, useful information is appropriately disseminated to
prevent or minimize terrorist attacks. One challenge is determining and
implementing the right format and standards for collecting data so that
disparate agencies can aggregate and integrate data sets. For example,
Extensible Markup Language (XML) standards are one option for
exchanging information among disparate systems. Further, guidelines and
procedures need to be specified to establish effective data collection
processes, and mechanisms need to be put in place to make sure that this
happens – again, a difficult task, given the large number of government,
private, and other organizations that will be involved in data collection.
Mechanisms will be needed to disseminate data, making sure that it gets
into the hands of the right people at the right time. It will be equally
important to disaggregate information in order to build baselines
(normative models) of activity for detecting anomalies that would indicate
the nature and seriousness of particular vulnerabilities. Additionally, there
is a lack of connectivity between databases and technologies important to
the homeland security effort. Databases belonging to federal law
enforcements agencies, for example, are frequently not connected, nor are
the databases of the federal, state, and local governments. In fact, we have
reported for years on federal information systems that are duplicative and
not well integrated."

'U.S. General Accounting Office, National Preparedness: Integrating New and Existing Technology and Information Sharing into an Effective Homeland Security Strategy, GAO02-811T (Washington, D.C.. June 7, 2002).

*XML is the universal format for structured documents and data on the Web that makes it easy for a computer to generate data, read data, and ensure that the data structure is unambiguous. XML avoids common pitfalls in language design: It is extensible, platformindependent, and supports internationalization and localization. XML is a flexible, nonproprietary set of standards for annotating or "tagging" information so that it can be transmitted over a network and readily interpreted by disparate systems. For more information on its potential use for electronic government initiatives, see U.S. General Accounting Office, Electronic Government. Challenges to Effective Adoption of the Extensible Markup Language, GAO-02-327 (Washington, D.C.: April 2002).

"U.S. General Accounting Office, Information Technology: Enterprise Architecture Use Across the Federal Government Can Be Improved, GAO-02-6 (Washington, D.C.: February 2002).

Ineffective Collaboration

Ineffective collaboration among homeland security stakeholders remains one of the principal impediments to integrating and sharing information in order to prevent and minimize terrorist attacks. The committees' joint inquiry staff's initial report detailing numerous examples of strategic information known by the intelligence community prior to September 11th highlights the need to better ensure effective integration, collaboration, and dissemination of critical material." The joint inquiry staff's report focuses on the national intelligence community, but its implications are clearly evident for all homeland security stakeholders – government at all levels, as well as the private sector, must work closely together to analyze, integrate, and appropriately disseminate all useful information to the relevant stakeholders in order to combat terrorism and make the nation more secure.

GAO recognizes that this goal is easier to articulate than achieve and that some long-standing obstacles to improving information sharing between and among stakeholders at all levels will require significant changes in organizational cultures, shifts in patterns of access to and limitations on information, and improved processes to facilitate communication and interaction.

GAO's ongoing work illuminates some of the issues. For instance, officials
from the Department of Justice, FBI, and the Office of the Secretary of
Defense indicated that the vast majority of information—about 90
percent-is already publicly available, and that only about 10 percent of the
information is classified, sensitive, or otherwise restricted. The officials
said that the expectation for all homeland security participants to obtain
actionable information (actionable intelligence is information that is
specific enough to tell who, what, where, and when an attack will take
place) is unrealistic because, in most cases, the data do not exist or cannot
be recognized as actionable. These officials also said that they do share
actionable information with appropriate entities, but must also balance the
release of the information against the possibility of disclosures that may
reveal the sources and methods used to collect the information.

Non federal officials tend to echo these concerns. Since September 11th,
GAO has met with representatives of various state and local organizations

U.S. Congress, House and Senate Select Intelligence Committees, Joint Inquiry Staff
Statement, Part 1, (Washington, D.C.: September 18, 2002).