Developing Technology to Keep the Bad Guys Out
Federal officials work to create a National Vetting Center to stop terrorists.
The Trump administration is moving to expand the information-sharing apparatus built to stop terrorists entering the U.S. to cover foreign hackers, weapons proliferators, international organized criminals and other kinds of threat actors — and extending it to aliens already in the country who apply for citizenship or other immigration benefits.
The move, in a pair of presidential memoranda signed over the past year, has created a host of policy and technical challenges for the agencies involved, officials told AFCEA’s Federal ID Summit in Tampa on Tuesday.
“[National Security Presidential Memorandum, or] NSPM 7 basically said we do a really good job within the whole of government with respect to counterterrorism and [sharing] our [data] holdings there,” the FBI’s Carter Keeton said. “But what about these other threat actor categories? … What about foreign intelligence? What about transnational organized crime? What about cyber? What about military threat actors?”
NSPM 7, signed last October, ordered U.S. agencies to step up their information-sharing about these five categories of threat actors — including with foreign allies.
NSPM 9, issued in February, ordered the creation of a National Vetting Center, which will leverage the information shared under NSPM 7 to keep threat actors out of the U.S. and to deny those already in the country immigration benefits.
To fulfill the mandates of the two orders, officials said they were building an “identity enterprise” within the U.S. government — a set of processes and technologies that bring together everything that was known by different agencies about a particular individual.
“It’s like a classified Google for immigration officials,” integrating biometric, biographic and contextual information to create a complete picture, said one person briefed on the center who asked for anonymity because they were not authorized to speak to the media.
One of the challenges agencies faced, explained Jerry Reimers, an official with the Defense Forensics and Biometrics Agency, or DFBA, was that the immigration adjudicators and other front-line officials who needed to make decisions based on the identity data often didn’t have sufficiently high-level clearances to access it.
“The people who are doing the arresting, the people who are doing the targeting, the people who are doing the border management, they’re not operating at the classified level, they’re operating at the unclassified level,” he said. “So there needs to be [releasable] information that can come down to the beat cop.”
The Department of Homeland Security had already created such a system in microcosm, added Amir Dastouri, the department’s identity, credentialing and access management architect.
DHS’ Trusted Identity Exchange allows different components of the department to access a constantly updated central repository of identity data about employees, contractors and others requiring physical or logical access to DHS facilities and networks, he explained.
Policies are built for specific datasets, defining who they can be shared with and for which purposes, he said. For example, classified data can only be shared with people who have appropriate clearances. Then each piece of data in that set is “tagged” with those policies, which define who can have access to it.
The whole system is overseen through regular weekly and biweekly meetings bringing together the data owners with the department’s Office of General Counsel and its privacy and civil liberties officials. The oversight meetings make sure there is constant monitoring of what datasets are put into these systems, what is being shared and who it is being shared with.
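As an added illustration of the dataset-policy tagging just described, the following is example code written for this article, not DHS code and not a description of how the Trusted Identity Exchange is actually built. It assumes a simple model in which each dataset's policy names the clearance required, the permitted purposes and the permitted recipient components, every record carries that tag, and each sharing decision is logged for oversight; the subject id, component names and purpose strings are constructed.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    UNCLASSIFIED = 0
    SECRET = 1

@dataclass(frozen=True)
class Policy:  # dataset-level rule: clearance required, permitted purposes, permitted recipients
    classification: Level
    purposes: frozenset
    components: frozenset
@dataclass(frozen=True)
class Record:  # each piece of data carries the policy tag of the dataset it came from
    subject: str
    field: str
    policy: Policy
@dataclass(frozen=True)
class Request:  # who asks, from which component, at what clearance, for what purpose
    requester: str
    component: str
    clearance: Level
    purpose: str

AUDIT_LOG = []  # one entry per decision, so oversight can see what was shared and with whom

def releasable(rec, req):
    # Deny by default: clearance, purpose and recipient must all satisfy the tag.
    p = rec.policy
    return (req.clearance >= p.classification and req.purpose in p.purposes
            and req.component in p.components)

def query(records, subject, req):
    # Return only the tagged fields this requester may see; log released fields and withheld count.
    hits = [r for r in records if r.subject == subject]
    out = [r for r in hits if releasable(r, req)]
    AUDIT_LOG.append((req.requester, req.component, req.purpose, subject,
                      sorted(r.field for r in out), len(hits) - len(out)))
    return out

# Constructed sample data: hypothetical subject id, component names and purpose strings.
IMM, BORDER = "immigration-benefit-adjudication", "border-management"
BIO = Policy(Level.UNCLASSIFIED, frozenset({IMM, BORDER}), frozenset({"USCIS", "CBP", "FBI"}))
LEAD = Policy(Level.SECRET, frozenset({IMM}), frozenset({"USCIS", "FBI"}))
TEARLINE = Policy(Level.UNCLASSIFIED, frozenset({IMM, BORDER}), frozenset({"USCIS", "CBP"}))
RECORDS = [Record("SUBJ-0001", "biographic", BIO), Record("SUBJ-0001", "derogatory_lead", LEAD),
           Record("SUBJ-0001", "releasable_summary", TEARLINE)]

def fields_for(req):
    return sorted(r.field for r in query(RECORDS, "SUBJ-0001", req))
```

An uncleared adjudicator sees only the unclassified biographic data and the releasable summary, while a requester whose purpose is outside the tagged policy receives nothing, and both outcomes land in the audit log.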
The orders had also created policy and legal challenges for the FBI, Keeton explained. “There’s an inherent tension there: Being an active enthusiastic player in both these initiatives, realizing their value … but at the same time realizing that we can’t share with all the agencies out there [and] we can’t share everything — there are certain legal restrictions and policy restrictions.”
The mandate from the NSPMs was “to share as much as possible,” said Keeton. “We get it, we understand it and that’s what we’re going to do.”
But he added that the restrictions on what information could be shared, and with whom, couldn’t be ignored to fulfill the mandate of the NSPMs. “With respect to the National Vetting Center, we’re able to share a wide array of law enforcement and counterterrorism information with those agencies that are going to make decisions about individuals who may have applied for immigration benefits,” Keeton said.
But the exceptions in the Privacy Act and the Judicial Redress Act that enable that sharing don’t apply to “other agency partners in the interagency who don’t have that as their mission,” he said.
The key, he said, was “figuring out how to achieve the objectives of both [NSPMs] but at the same time maintain the security of certain information that must remain secure and at the same time making sure that we always protect privacy interests, constitutional rights and individual civil liberties … that’s difficult at times and that creates some challenges.”
In particular, sharing data internationally is “where a lot of the privacy issues pop into play,” explained Reimers. “One of the biggest challenges was just getting past that paradigm of ‘It’s private information, I can’t share it,’” he said.
Reimers, a former naval officer and judge advocate, said working with EU and NATO allies had been eased by United Nations Security Council Resolution 2396, passed last December. The resolution, binding in international law, required all UN member states to collect biometric information in order to prevent travel by foreign terrorist fighters — especially those leaving the enclaves previously held by Islamic State. It also urged member states to share such data with each other.
In the midst of the heavy diplomatic lifting required to get NATO’s political body, the North Atlantic Council, on board with an information-sharing framework, “it was very helpful” that the resolution passed unanimously, he said.
NSPM 7 specifically called for the use of cloud computing architecture, and Reimers said it was essential to break down data stovepipes and create a central repository of data about threat actors.
“We also need ... cloud computing to bring all that identity information back and run big data analytics on some of that stuff because doing it the old-fashioned way of reaching out to multiple disparate databases requires a very highly trained workforce, a very highly specialized workforce of intelligence analysts to be able to go shop at different databases,” he said.
Rather than sending analysts from pillar to post to find the information they needed, “We really need a central grocery store, so to speak, that has all the data handling requirements and access controls and security in place to allow for mining that data to get the best optic on an individual to discover whether he’s good or he’s bad,” Reimers said.
“It’s all about denying the enemy anonymity,” he said.