Search AFCEA Site

Enable breadcrumbs token at /includes/pageheader.html.twig

The Barriers to Information Sharing

The dramatic culture shift that needs to happen for government agencies to embrace change kept coming up at the SOLUTIONS conference like the refrain of a popular song: agencies must move from an emphasis on risk avoidance to a focus on risk management. Without that shift, the quest to achieve 100 percent risk avoidance is quixotic at best; more realistically, it hampers agencies' ability to share information.
By H. Mosher
The dramatic culture shift that needs to happen for government agencies to embrace change kept coming up at the SOLUTIONS conference like the refrain of a popular song: agencies must move from an emphasis on risk avoidance to a focus on risk management. Without that shift, the quest to achieve 100 percent risk avoidance is quixotic at best; more realistically, it hampers agencies' ability to share information. Addressing "Best Practices and Case Studies: The Framework for Allied/Coalition Information Sharing," panelists at yesterday afternoon's second track session weren't able to come up with best practices in action so much as they made recommendations for what needs to happen to facilitate best practices. Among those points:
  • "We have this mentality that we can control or eliminate risk with technology, but we can't," said Maj. Robert Castillo, USA, Branch Chief, US Southern Command. "We need to change culture and policy, and start with the individual operator first."
  • Elwood "Bud" Jones, Program Manager, MNIS, US Central Command, framed lawyers' usual response to the question of permission a little differently. "They'll tell me that we can't do something. Their job is not to tell me what I can't do-tell me how I can do it," he said.
  • Malcolm Green, Chief CAT 9, NATO C3 Agency, participated via distance technology, but even being on a video screen, he jumped right in with a perspective on how to manage security through identity assurance. "Our long-term goal is that information will have a security wrapper around it, then anyone with the right credentials will be able to unwrap the information," he said.
  • Bobbie Stempfley, CIO of DISA, said that there needed to be some streamlining of standards so that enterprise solutions will work for multiple agencies. That, she added, can't happen, unless the agencies can "agree what the problem is with enough specificity that it will work" for all of them.
One of the biggest barriers of all, the panelists agreed, was the lethargic attitude toward the changes that need to happen. "We are hearing the cry for better answers technologically and procedurally, but it's a painful and long process," said Stempfley. "Operators come to us with a good idea. Vendors come to us with good solutions. But we always run into the policy barrier that slows us down," Jones added. "It's always a six to 12 to 24 month process. If [the agency] was truly embracing information sharing, that policy would have been changed." Ultimately, they decided to weigh in with the biggest challenge in information sharing that is making little to no progress. Simply put, "Cultural changes and policy changes," said Jones. "Embrace these changes to provide a common network for the warfighter so he can get the information he needs, when he needs it, to achive the mission."

Comment

Even in areas where the Federal government has tried to embrage culture change, we still have problems with implementation. Take PKI for example. Many Federal agencies have embraced it in the last few years since it helps us to manage risk; PKI gives us authentication, integrity, and confidentiality. The only PKI program I have experience with is DoD's, which works fairly well within certain enclaves. It seems that different commands implement DoD PKI in different ways, however, so even though we all have DoD Common Access Cards (CACs) and access to DISA's "DoD 411" global directory service, we still can't always send encrypted emails to each other. But that's just the first level of the problem. We also need to be able to implement inter-agency PKI. There are apparently a number of Federal agencies that have PKI programs, and there's a program called the Federal Bridge that's supposed allow them to be interoperable. (My GovLoop blog about this subject is at http://www.govloop.com/profiles/blogs/federal-bridge-or-federal.) The concept seems sound, but I have yet to hear about a single operational implementation that takes advantage of the Federal Bridge. If we can't even implement assured info sharing that leverages the Federal Bridge, how will we ever get to the point of an "International Bridge?" This will be imperative if our PKI program is going to be interoperable with those of our allies (e.g., http://www.infosec.nato.int/pki.html) and coalition partners. Apparently there has been experimentation with PKI at exercises like Combined Endeavor, but instead of continually exercising it, we need to find a way to operationalize it.

Comments

The content of this field is kept private and will not be shown publicly.
About text formats

Plain text

  • No HTML tags allowed.
  • Lines and paragraphs break automatically.
  • Web page addresses and email addresses turn into links automatically.
Enjoying SIGNAL?
SIGNAL Magazine is available through subscription or as part of your membership in AFCEA.
SUBSCRIBE NOW
LEARN MORE
JOIN AFCEA