Information Secures New Homeland Department
Knowing what the enemy is up to is just as vital as keeping diverse organizational components in the loop.
The new Department of Homeland Security is assembling an information infrastructure that must encompass internal and external organizations, must process and disseminate key data among the appropriate customers, and must incorporate innovative new technologies and approaches to stay ahead of the enemy—all without missing a critical piece of intelligence or running afoul of the law. In effect, the department is constructing a complex information architecture that must serve its crucial immediate needs well before it is completed.
Not only is information the linchpin for the newly assembled department, it also may hold the key to securing the homeland and winning the war on terrorism. The department faces the unique challenge of networking a collection of newly consolidated agencies and organizations as well as developing an advanced information system architecture to combat an elusive enemy at home and abroad.
Most of the Department of Homeland Security’s information system requirements differ little from those of other federal departments. The biggest difference between this department and its federal cabinet-level counterparts is the role it plays, suggests Steven I. Cooper, chief information officer (CIO) at the Department of Homeland Security. Its responsibilities for securing the homeland and combating terrorism give the Homeland Security Department a different role from the bulk of the federal government. Accordingly, information needs particular to its mission will differ from those of the other departments.
Cooper allows that the department faces several major information technology challenges. Internally, the highest priority is to create a single information technology function across the department. This must be achieved rapidly and with quality, and it must not hinder the delivery of department mission capability, he states.
“We need the ability to create a flexible platform from which we can not only support all the capability that we deliver today, but also rapidly and effectively deliver new business capability that we might need to further secure the homeland or that might be directed by Congress or the executive branch,” Cooper declares.
Information sharing is another challenge. Its issues include sharing among and between federal agencies and departments, but it also involves sharing among state, local and tribal governments as well as appropriate authorities such as big-city mayors and emergency response officials. Additionally, elements of the private sector that own national critical infrastructure elements must be brought into this loop.
Cooper cites a third challenge: how the department can quickly identify opportunities for leveraging existing solutions and then build on them and deploy them across the department. This includes identifying and using newer information technology solutions coming from academia and industry.
To ensure that the right customer receives the right information at the right time, the department is taking a two-level approach. Cooper notes that all of the component organizational elements that the new department inherited with its formation had processes in place to carry out their missions. Teams are in place to refine and improve those processes continually, he says. Particular areas of interest include ways of identifying people entering the country, identifying risks and vulnerabilities in the United States and remedying shortcomings in these areas.
While many such processes existed before the department was created, the biggest change is that the department now must share this information with other organizations—internally and externally. So, the department must integrate not only the information but also the 15 applications brought aboard by existing government organizations. This is necessary to ensure that the information moves seamlessly from any source to any authorized individual among the different groups, Cooper imparts. “In many cases, we don’t have that seamless horizontal flow in place yet,” he allows.
To solve this problem, the department has identified several families or categories of business processes where this type of aggregation or integration must be achieved. One example, Cooper relates, is targeting and its related applications. Another is identity credentialing to identify people with assured documentation. The department also must integrate intelligence information as well as its processes for handling classified data. Much of the department’s tasking involves investigatory work leading to prosecution or adjudication, which requires integrated case management. And, above all, collaboration among the 200,000 employees of the department must be addressed.
The department has formed interagency working teams comprising representative, subject matter and technology experts drawn from all of the components involved in these business processes, Cooper says. These teams have been tasked with streamlining and identifying recommendations and changes that can ensure correct and timely information flow, he emphasizes.
With collaboration comes a host of issues. One of these is security. Cooper relates that the department has put in place a process by which it accredits all information systems. However, he emphasizes, “We are not there yet.” The department has begun this effort by basing it on priorities established with the business community. These priorities focused on which applications and environments need to be addressed first, and one of the earliest priorities rests in the department’s information analysis and infrastructure protection directorate. This directorate, in effect, is the brain center for most of the department’s information gathering and aggregation related to intelligence.
Teams are working through a formal process to review, test, certify and accredit all of the information system applications and environments, including the infrastructure and network, Cooper maintains. He expects this program to continue over the next 13 months to address all of the major programs that have been identified. Bob West, the department’s chief information security officer, has created a governance structure and has assembled information security officers and information system security managers from every organizational element within the department, Cooper notes. These experts form an information security advisory board that also deals with security processes and monitoring.
Another collaboration issue is the sharing of privileged information. Cooper’s office works closely with the chief information security officer; the information security advisory board; the office of security, headed by Jack Johnson; and the department’s chief privacy officer, Nuala O’Connor Kelly. Cooper, Kelly and Johnson are responsible for conducting privacy impact assessments on all of the department’s major applications, including databases.
The guidance and the mechanisms for these privacy assessments have been established by Kelly. Teams in place are beginning to perform the privacy assessments. Cooper explains that these assessments serve two functions. First, they validate whether the information that is contained in any application or database can be collected.
The information is matched against the initial Federal Register filings that take place when an application collects information from people. Based on the privacy assessments, the team checks the information against the original collection purpose. This illuminates any occasions when the department may have strayed accidentally from the original collection purpose. If the department discovers data that does not seem to match its original reason for filing, then it will notify the appropriate government authorities and take the proper action, as directed. In some cases, Cooper offers, the department simply may need to file new listings in the Federal Register, but other cases may require that information be destroyed. Cooper hastens to add that the department has not yet found any information that required destruction.
Interoperability among federal, state and local government organizations remains a problem—as it has been for some time, Cooper allows. One of the biggest of these problems is wireless interoperability, especially for voice communications in the emergency responder community. The administration recently launched the SAFECOM program, which is guided by the Homeland Security Department’s science and technology directorate. This program’s goal is to ensure wireless interoperable voice communications among the emergency responder community as well as with federal and state authorities and entities.
Cooper notes that progress in SAFECOM is being made, albeit slowly. One of the challenges is that the department is dependent on industry to produce products for emergency responders. So, the department must work with vendors and suppliers, emergency responders and the federal government community to generate products that solve these interoperability problems. “Progress is challenging and slow,” Cooper declares. “It comes, in some cases, a baby step at a time.”
The government is addressing interoperability technical standards with an eye toward software programmable radios, as opposed to hardware interoperability. Some of the work that needs to be done cannot be dictated by the federal government, Cooper says—nor does the government want to.
This hands-off work involves processes and protocols about how multiple agency response is handled in a natural or manmade disaster. Describing this work as tough and complex, Cooper nonetheless offers that this effort is moving forward.
Industry plays a significant role in the department’s information technology activities. First, however, the government must change its relationship with industry as well as the way it procures goods and services. “I believe very strongly that the solutions to what we face in the information technology arena—and the challenges that we face in the Department of Homeland Security—lie in a very collaborative industry/government partnership,” Cooper declares. “We [in government] need to be very clear in defining the requirements—not the solution sets.”
He explains that these requirements should include the business requirements that the department faces as well as the constraints under which it must operate, such as rules and regulations. By providing clear requirements to industry, the private sector can suggest solutions in a true partnership.
For improving the acquisition process, government must offer flexibility that enables industry to deliver the best possible solutions and resources, Cooper imparts. Instead of releasing requests for proposals that are laden with technical specifications, the government should release procurement initiatives that are goal- and schedule-oriented. These initiatives also would describe the operational constraints. Cooper adds that this is the model on which the department’s CIOs are shaping the collaborative partnership with industry.
One challenge that remains unanswered is how to develop a mechanism for understanding what industry has to offer. This would be separate from just procurement actions, Cooper notes. In this approach, industry would share its relevant capabilities on a regular basis instead of only through specific procurements. The department would be able to view industry goods and services through the lens of its own homeland security needs. “We don’t have a good process for that right now,” Cooper admits. “The way we’re doing it now is labor-intensive. We’re trying to meet with as many companies as we can, but there are only so many hours in the day, and there are more companies out there than we have hours in the day to meet with.”
When the department has defined its technology requirements, then it can turn both to industry and to its own internal science and technology directorate. The department already knows that to carry out its missions, it will require new geospatial and wireless technologies, particularly in the interoperability arena. For some items, such as multilevel security, the department may be able to meet its needs through industry. The science and technology directorate may be called on to help provide guidance to industry on how to meet those requirements, especially in developing the next generation of vital technologies and systems.