Synchronized Data Protects Borders
Intelligence agencies sharing identification information fills gaps.
The Department of Homeland Security interagency National Vetting Center has created an information clearinghouse that automatically checks the names of foreigners applying to come to the United States against highly classified databases in various intelligence agencies. The clearinghouse relies on a cloud architecture that agencies are building to share information and lays the foundation for powerful new tools that could leverage artificial intelligence and predictive analytics to help find foreign travelers who might be a threat to U.S. national security.
The National Vetting Center (NVC) is part of a drive in both the intelligence community and across the federal government to improve use of the latest genre of intelligence: identity intelligence (I2). The center currently only deals in biographical not biometric identities.
Trump administration National Security Presidential Memoranda (NSPM) 7 and 9 mandated the creation of the NVC. Both were designed to expand the post-9/11 information-sharing apparatus built to stop terrorists from entering the United States by adding five classes of threat actors: foreign hackers, weapons proliferators, international organized criminals, military officers and intelligence operatives of adversary powers.
To stop these potential threats, gathered information must reach agencies such as the U.S. State Department, which issues visas; Customs and Border Protection (CBP), which admits foreign visitors; and Citizenship and Immigration Services, which confers immigration benefits such as green cards and citizenship.
Monte Hawkins, director, NVC, says U.S. intelligence agencies have massive amounts of data, and they are “nowhere close to leveraging the data we should be for these bulk vetting exercises.”
The NVC will systematize and integrate a series of ad hoc arrangements with intelligence agencies that the adjudicating agencies have relied on to vet visa applicants and other potential entrants to the United States. Through intelligence community databases, these agencies then will be able to weed out possible threats, Hawkins explains.
In the past, these types of information-sharing arrangements were stovepiped, which made it difficult to scale, and often the assessment was not completed until an individual was admitted into the United States. “That’s what we fix when we bring that [vetting program] on board” into the NVC, he says, “[by] consolidating those [checks] into the center … and ensuring they’re completed before the adjudication takes place.”
Kathleen Lane, identity intelligence executive, Office of the Director of National Intelligence, leads the agencies’ efforts to create a National Vetting Enterprise. The enterprise will be a collection of agency databases against which the NVC can screen potential visitors and immigrants.
The intelligence community has agreed to create a central data repository, and a multi-agency governance board has been established to oversee it, Lane says. “We’ve all agreed there will be some kind of central repository … [of] basic identity information ... that everybody … will be [able to access] on a regular basis.” But to review the actual intelligence associated with that identity, officials will have to reach back to the agency that collected it.
“But when you talk about information about a specific threat actor category, that probably wouldn’t be in a centralized location,” she adds.
Stood up in December 2018, the NVC has been providing analytical support to CBP adjudication decisions under the Electronic System for Travel Authorization (ESTA), which takes online applications from people who want to come to the United States from ally nations under the Visa Waiver Program. In the coming year, the NVC plans to provide analytical support to one or two more programs, Hawkins says.
The Immigration and Nationality Act defines the criteria for denying someone a benefit such as entry to the country or naturalization. Since the 9/11 attacks, the United States has built a complex system to allow classified intelligence about suspected terrorists to be used in such denials through the terrorist watch list, Hawkins says.
“We’ve been nibbling at the edges of just the CT [counterterrorism] information for 18 years [since the 9/11 attacks],” he says. “We’ve gotten pretty far into knowing where the core data repositories are on the CT side that we’ve plugged into” for watch listing and vetting.
Watch lists are a way of maintaining a kind of cordon sanitaire between the classified realm of the intelligence agencies and the unclassified realms of law enforcement and immigration adjudication. Intelligence agencies can nominate people to the terrorist watch list, but they don’t have to disclose a reason.
Mechanisms to sanitize intelligence agencies’ data holdings or even disclose their existence for use outside the classified realm do not exist for the five other threat actor categories outlined in NSPM 7. “We don’t know what we don’t know” even about what databases or other information various agencies might have on these other classes of threat actor, Hawkins states.
That’s why the technical and policy architecture the two NSPMs create is so important, he adds. “Our construct is we aren’t ingesting the raw data and doing our own correlations. We rely on [the intelligence agencies supporting our work] to do that matching back home.”
The NVC is now leveraging that architecture to check the names of people who want to come to the United States against the actual databases intelligence agencies maintain, rather than against a sanitized watch list.
“The first phase is an automated check,” Hawkins explains. “The computer says, ‘This traveler matches this piece of intelligence [from this agency],’ and that kicks it out to an analyst at that agency” for an initial decision about whether the match is correct, whether the information is analytically significant and whether the intelligence reporting on which it is based can be disseminated—meaning it can be shared with other agencies.
“If it is,” Hawkins says, “they pass links to that intelligence back to the vetting center” in a vetting support response. The NVC doesn’t actually hold any of that intelligence information; the data remains with the agency that collected it. According to the center’s privacy impact assessment, the vetting support response contains only “links or pointers” to the underlying intelligence.
The customer agency adjudicating admission to the United States has analysts based at the NVC who use those links to review the information, “more of an adjudicative analytical determination, a threshold look,” Hawkins says, to determine if the data is relevant and significant to the decision to allow the individual into the country. “Looking at the whole picture, they’ll piece it together and say, ‘Yes, there’s something here,’ and then pass that on to the adjudicating agency.”
Both the analysts and the adjudicators remain in the chain of command and operating under their authorities at their respective agencies. This is one way to keep that sanitary cordon intact between the agencies who spy for America and rightly suspect everything and everyone and the agencies that confer admission and must operate under rules designed to eliminate discrimination, ensure equity and guarantee transparency.
In addition to the privacy impact assessment, the NVC has hired a privacy and civil liberties officer and has a special working group devoted to the issue. Travelers who are denied entry under ESTA can use the DHS’ Traveler Redress Inquiry Program, or TRIP, to find out what happened and try to correct any misinformation or misidentification.
Building the machinery to make the NVC work wasn’t easy, the center’s Technical Director Lori Vislocky says. Working under some very tight timelines, she notes, the team soon realized just how tough their challenge was. “What we thought would be just [basic data] aggregation … we very quickly realized was going to be much more in depth and much more complex than that,” she says.
The project required personnel to work a lot of extra hours—often without overtime pay or contractor support because additional money had not been appropriated. “Unfortunately, we saw some turnover … of staff from that,” Vislocky adds.
Hawkins agrees the toughest challenge he and his small team faced was the lack of a dedicated budget. During the past year, some internal reprogramming of the CBP budget covered the work. “There isn’t a single place in the government where this is funded. This is very much a team effort,” he relates. As a result, many different funding initiatives must fall into line to make the center work, he notes.
“CBP is really just administering this … DHS Intelligence and Analysis is doing all the technical development, not CBP. So we’ve had to make sure that they are getting the funding they need for that. But that’s just building the base [IT] architecture,” Hawkins explains. How much of that information can be viewed depends on those agencies and their budgets, which is outside the NVC’s purview, he adds.
“Making sure that everyone is appropriately planning and budgeting for this growth [in the center’s role] requires a lot of coordination,” Hawkins says. “There are a lot of pieces … moving around.”
Lane explains that the next step for the NVC and the larger National Vetting Enterprise is incorporating biometrics into I2. “It’s very easy to change your name or change your address but not so easy to change your face, fingerprint, iris, gait or DNA,” she states.
However, tracking biometric information poses its own set of problems. For example, biometric identity data even from a single set of fingerprints can be stored in many different ways, and currently no single standard has been established, creating challenges for integrating biometric identity data from different agencies. “We’re still working out how to share things and what [should be] the biometric of choice,” Lane says.
In the long run, NVC Chief of Staff Casie Antalis adds, the cloud architecture built to support the center also could be used to develop analytical and predictive tools powered by artificial intelligence. These could proactively detect travelers who might pose a threat even when the government knows nothing about them as individuals.
The question is how to bring analytical behavior such as call or travel patterns to the forefront, so analysts can spot concerning behavior even when additional information isn’t available, Antalis says.
Fiscal year 2020 was the first presidential budget proposal to include a funding line for the NVC, but without agreement on the DHS appropriations bill, the department’s funding is part of the continuing resolution, so no dedicated money currently is available for the center.