Featured eBooks
Best Dates to Retire in 2025
Space Tech
The Future of the Air Force
Insights & Reports
A Government Leader's Book of Best Practices: AI Readiness
Presented By Salesforce
Download Now
Unlocking GenAI’s potential to transform government operations
Presented By ThunderCat Technology
Download Now
Magazine

Disconnect

Shane Harris

|
Information sharing won't make us safer if agencies can't get it right.

W

hen a computer mistakes a 70-year-old black woman for a 28-year-old white man who's a triple murder suspect on the FBI's terrorist list, something is wrong with the computer or the information inside it.

Both were true on March 23, when Johnnie Thomas got a firsthand lesson in the federal government's inability to share information as she tried to board a US Airways shuttle from Boston to New York. Thomas' name appeared in the airline's database as a wanted terrorist. The FBI had sent the list to some airlines weeks before, but failed to provide more information than just the name-John Thomas. That name, it turned out, is an alias used by the suspect.

The terrorist list on which Thomas' name appeared is just one of more than 25 maintained by dozens of law enforcement, intelligence and Defense Department agencies. Those lists aren't integrated and often aren't shared. And, as was the case in March, when the lists are disseminated to the private sector, they're too incomplete to be effective. The gate agents in Boston let Thomas board the plane, but they couldn't verify that she was or wasn't a terrorist because the government had no complete database to check.

The Bush administration wants to change that. In July, the White House released its much-anticipated "National Strategy for Homeland Security." The 86-page plan, written over several months by officials in the Office of Homeland Security, tries to define homeland security and to outline how better information sharing among agencies can prevent terrorist attacks.

Technology is the backbone of security, the plans' authors write, something that "every government official performing every homeland security mission depends upon." The plan envisions security personnel in the government and the private sector using technologies such as scanners, sensors and monitors to collect data, which they would then store, disseminate and analyze using information technologies such as databases, fiber optic networks and software programs. They believe information provides little security if it can't be shared quickly with the people who need it. The White House plan tells how the administration wants to use technology to make America safe:

"We will build a national environment that enables the sharing of essential homeland security information. We must build a 'system of systems' that can provide the right information at all the right times. Information will be shared 'horizontally' across each level of government and 'vertically' among federal, state and local governments, private industry, and citizens. With the proper use of people, processes and technology, homeland security officials throughout the United States can have complete and common awareness of threats and vulnerabilities. . . . We will leverage America's leading-edge technology . . . to effectively secure the homeland."

That vision, one of many in the plan, puts tremendous faith in systems that can fail or be wrong, and places even more trust in data, which was unreliable in Johnnie Thomas' case. Yet the administration officials designing the proposed Homeland Security Department believe that electronically tying together the more than 20 agencies to be merged into the new department will harness their security capabilities thereby making America safer.

In their attempt to do this, the officials are venturing into uncharted territory. Creating the Homeland Security Department will require the biggest government reorganization since the creation of the Defense Department more than 50 years ago, a project that had almost no technology component at all. Though it is the largest user of technology in the world, the federal government never has come close to mounting such an ambitious and potentially expensive technology initiative as that envisioned for the new department. Dozens of agencies have spent billions of dollars over the past decade to upgrade and integrate their technology systems. The results have been mixed at best. Integration efforts have gone over budget, missed deadlines and, in many cases, have failed to achieve their goals.

So why, with years of evidence to the contrary, do the authors of the security plan and the designers of the new department believe they will succeed where others haven't? What if information sharing doesn't make America any safer at all?

REAL OBSTACLES

Private sector and government advocates of information sharing say that technology isn't the obstacle. Instead, differences in how agencies work and legal constraints on sharing data often block cooperation, proponents argue. But technology is a significant barrier to the free flow of information for several reasons.

Many of the systems used by agencies to house their data, process it and move it from place to place are old and weak. They may not support the sophisticated software applications many officials say agencies need to search their databases and "connect the dots" about future attacks. Such shaky foundations exist in many of the security agencies and their future partners.

FBI agents, for instance, can only search the bureau's case file databases for single words, not groups of words. This limits their ability to correlate tips and leads against the limited information they've stored electronically. FBI Director Robert Mueller wants to install analysis software that could better scour those databases, but the systems themselves are too antiquated to support such tools, FBI technology officials say. They must be replaced with modern equipment before the bureau can improve its analysis capabilities.

Lackluster management of technology assets and budgets over the years has hampered many agencies' attempts to update their systems. For example, before the Sept. 11 attacks, the Immigration and Naturalization Service failed to install biometric identification technologies at the U.S. border with Mexico. It's only now beginning to deploy those systems, even though INS inspectors at major ports of entry have complained they need the tools to improve security. INS, like the FBI and other civilian agencies, is playing technology catch-up in preparation for its new homeland security role. OMB has said it will withhold agencies' technology funds unless they better manage their money.

Government agencies have had bad luck updating and replacing their outdated technologies, a process known as modernization. Huge modernizations, such as the 10- to 15-year, multibillion-dollar effort at the Internal Revenue Service, or the Navy's $16 billion plan to interconnect its systems with the Marine Corps' on a new network, are the closest cousins to the task the Homeland Security Department faces in integrating thousands of systems. The same set of factors regularly stymies such modernizations.

Because of inconsistent leadership and frequent changes in management, some projects are years behind schedule. The IRS lost three chief information officers in four years. The FBI saw four technology chiefs leave over five years. Those agencies, like many others, have missed project deadlines and have spent billions of dollars on technology that has gone underused. Frequently, poor understanding of an agency's technological deficiencies, or how to remedy them, has caused major setbacks. Congress threatened to halt funding for the Navy's new network, known as the Navy Marine Corp Intranet, because officials couldn't say how many systems the Navy owns. In late July, Navy officials reported they were stunned to find that 20 percent of the computer programs they could account for were going unused, even though the Navy was paying to maintain them. In the mid-1990s, FBI technologists built an electronic case file system with 1980s equipment and without conferring with the agents who would eventually use it. Today, many agents don't use the cumbersome and inefficient apparatus, and they've built more than 40 additional systems to work around it during investigations.

It might be impossible to say precisely how many such redundant systems agencies have in place, and how much data they house. The number surely is enormous. Taking an inventory, says one security agency's CIO, is like trying to find all the fat marbled through a piece of steak.

Many agencies use data written in different programming languages. Some are in languages that are hardly used anymore. That's one reason the dozens of terrorist lists can't be searched at once. Merging them requires putting the data in a common computer language. The administration has begun to integrate those lists, says Jim Flyzik, one of the new department's planners in the Office of Homeland Security. The lists, though, represent a fraction of the data housed by just the security agencies.

The outdated systems also aren't secure. Hackers have gained access to sensitive government networks repeatedly, and agencies have done too little to protect their systems against cyberattacks. The government can't disseminate information securely today, says Mario Correa, the director of security policy for the Business Software Alliance in Washington, which has pushed for tougher security requirements in the Homeland Security Department. The General Accounting Office concurs. In numerous reports, it has found most agencies' information security capabilities insufficient and in some cases unknown.

Security policies aren't uniformly enforced or understood. At a June conference of federal network administrators in Denver, many people said their managers repeatedly violate the policies because they don't understand why they should have to follow inconvenient procedures. For example, administrators generally aren't supposed to issue someone a new network user name and password until the old set is canceled. But the executives commonly demand a new set immediately if they've lost or forgotten the one they were assigned. Distributing multiple user names and passwords creates a security nightmare. But one administrator said his superiors tell him, "Don't give me that techie crap," when he tries to explain the procedure, and says that they demand instant access. The administrator called this "systematically disarticulating" his agency's security policy.

Securing the private sector's networks may be even more important than securing the government's. Companies own about 90 percent of the data networks through which dams, electric power grids, nuclear reactors and other such critical infrastructures are controlled. Intelligence agency officials say terrorists have cased the networks of those presumed prime targets. But Correa says many companies aren't telling the government about their networks' vulnerabilities for fear of lawsuits from the public if the systems are found to be unprotected. Until the law is changed to exempt companies from having to reveal information to anyone other than the government, and to keep company vulnerabilities protected from freedom of information requests, Correa says the government won't have a clear picture of how those critical facilities are at risk of attack. The House version of a bill creating the Homeland Security Department, passed in July, provides for this protection, but the Senate bill is still pending.

In spite of the technological obstacles to integrating Homeland Security Department's systems, its planners are more focused on its management principles and organizational design. They've left much of the technological dirty work until after the new department is established. In the meantime, they are crafting the theoretical plan for how all the agencies' systems should work together, presuming, of course, that they can.

BETTER BY DESIGN?

Critics say that reorganizing agencies into a Homeland Security Department won't make them try harder to prevent terrorism, or be any better at it. The Coast Guard, Customs and INS provided security functions well before President Bush proposed the merger, and Sept. 11 only made them redouble their efforts. Muddling through the details of a merger could distract them from preparing for imminent attacks.

But proponents of merging those agencies believe a new focus is essential. Norman Lorentz, chief technology officer at OMB and one of the officials most involved in setting up homeland security technology systems, says the department would create "clear boundaries of accountability" for security. Before Sept. 11, President Bush has said, dozens of agencies had missions that affected domestic security, but no single agency or department had ultimate accountability for providing it.

A team from OMB and the Office of Homeland Security, in conjunction with chief information officers from the security agencies, is writing a technology blueprint that will map out how all the pieces should fit together to achieve the president's information sharing vision. But federal agencies have tried before to write these plans, known as enterprise architectures, and by and large they've failed. In February, GAO found that only 4 percent of agencies' enterprise architecture efforts have "matured" to the point where they could be considered effective. "Most federal agencies currently do not have the architectural context . . . needed for making informed IT investment decisions, thus increasing the risk that these agencies will build and modernize systems that are duplicative, poorly integrated, unnecessarily costly to maintain and interface, and ineffective in optimizing agency mission performance," the auditors reported.

Writing architectures requires a precise understanding of all the different activities an agency engages in. But the government itself is decentralized, and so are its computer systems. "We tend to talk about the federal government like it's a real thing that has borders," says Ken Johnson, the president of U.S. operations for technology contractor CACI in Arlington, Va. But the government "is just a big huge amorphous mass. . . . To organize [it] and get all of its systems communicating at the same level, that's not going to happen in my lifetime." Getting all architects to agree on the same vision has been impossible in some instances. At the FBI, factions of planners wrote separate architectures and fought over limited technology funds, says Bob Chiaradio, an 18-year FBI veteran who advised Director Mueller on the bureau's technology modernization.

Architects rarely view their plans in terms of technology. Rather, they see them as maps of business processes, the micro-level activities that constitute an agency's day-to-day work. An INS inspector checking someone's passport is engaged in a business process. So is a Customs inspector inspecting a shipping container. The Homeland Security Department's architects are trying to define every one of those processes for the agencies that will be merged. OMB's Lorentz says piecing together the technology components comes into play later. Integrating thousands of devices into a cohesive whole has less to do with technology than with mapping agencies' business processes and how they use information. Lorentz also says that architectures never are truly complete. The quest to define business processes and how they relate to one another is ongoing. This venture has bewildered most who've undertaken it, but it appears to make perfect sense to architects of Homeland Security.

Architectures were born in the private sector and reflect "change management" philosophies laid out in popular late 1990s business bibles, such as Who Moved my Cheese? (Putnam, 1998). Revered across government, especially among technologists, the authors' instructions on how to "deal with change in your work and in your life" have struck a chord with managers. The Homeland Security architects hail from private sector backgrounds where many of these management concepts have flourished, but with questionable results. Lorentz; Mark Forman, OMB's electronic government chief; and Steve Cooper, the CIO for the Office of Homeland Security; all were private sector executives. Lorentz and Forman have served in federal positions, as well, and are intent on applying their business ideas in government.

But none of these planners ever has tackled an architecture the size of what the Homeland Security Department needs. Nevertheless, architecture supporters say constructing technology systems is impossible without first mapping business processes. Drawing the architecture before implementing technology is critical because the plan sets out clear goals for the agency, says Ruth David, the president and chief executive officer of ANSER, a not-for-profit government technology consulting firm in Arlington, Va. David, a former CIA deputy director for science and technology, notes that the most successful corporate mergers have been built on clear architectures. She admits the government doesn't have a good record of articulating those plans, but she believes, as do many architecture proponents, that the success or failure of the Homeland Security Department's plan will depend entirely upon the managerial skills of its authors.

While enterprise architecture has failed to help most agencies share information, the government has successfully built small, decentralized networks to coordinate information among many parties. The White House established such a network in the late 1990s to prepare for the year 2000 computer rollover, which many feared might cause a worldwide systems crash. A central command in Washington oversaw 25 entities, each of which collected information from government agencies around the world and from companies, says John Koskinen, who led the effort and served as OMB's deputy director in the Clinton administration. Koskinen, now deputy mayor of Washington, says the network succeeded because it used existing lines of communication rather than inventing new ones. Each of the information gathering groups had a common goal-preventing a computer shutdown-and collected what it needed through established channels.

Koskinen admits that the year 2000 problem was a different beast than homeland security because, unlike dealing with a terrorist attack, planners knew when the event would occur. But he believes placing all the security agencies' systems under one roof and building more systems won't make agencies communicate. "You'll never get your arms around it," he says. It's unclear whether the Y2K model would be suited to homeland security. But it did succeed in its mission. No computers crashed on Jan. 1, 2000.

VALUABLE INFORMATION

Presuming the Homeland Security Department would be able to share information as envisioned, officials then would have to assess the value of what they're sharing. Ultimately, security comes not from moving data around, but from analyzing it and transforming it into intelligence. Intelligence is more critical for preventing terrorism than a system that can disseminate information, no matter how extensively. Frederick Thomas Martin, the former deputy director of the National Security Agency's Information Services Division, writes about the value of intelligence versus information in his book Top Secret Intranet, (Prentice Hall, 1999), which explains how U.S. intelligence agencies built a secure sharing network called Intelink in the mid-1990s.

Martin says such a network is only valuable if people can act on its data. Police officers, for instance, don't benefit from knowing that an attack or crime might occur, or that one is being planned. They need to know when and where that event will happen and who will execute it. Likewise, federal security agencies would depend more on such "actionable" intelli- gence than on unspecific data. But administration officials, including Homeland Security Director Tom Ridge, have envisioned a narrow role for intelligence analysis in the new department. The CIA, FBI and Defense intelligence agencies would collect and analyze intelligence data, while the department would use it primarily to issue warnings about attacks.

The intelligence agencies, though, have their own problems dissecting what they collect. Some, like the NSA, have computer systems that are years more advanced than those in the private sector, but the agencies are short on human analysts. Satellites can spy on a small group of people from hundreds of miles above the earth, but without analysts and agents to provide a context for why the group is there or what it's talking about, the information is useless. Over time, the CIA has lost its human intelligence gathering capability in the South Asian region that's now the focus of the administration's terror war. Reportedly, no agents were left in the area by the mid-1990s. Critics are adamant that the Homeland Security Department will have to take stronger steps to explain what information means. Yet intelligence analysts would comprise less than 1 percent of the department's personnel roster.

Ridge has said the department won't require the information collection technologies that intelligence agencies use, but it will need new technologies for the front-line war against terror, such as bomb detectors and chemical sensors. But security agencies have little experience recruiting the small, new companies that are developing such cutting-edge technology. These companies often are wary of signing exclusive government contracts that might require them to relinquish patent rights. What's more, government is doing less of its own research and development. Government R&D funding has plummeted over the past four decades, and today accounts for about a quarter of the annual total, while private sector spending makes up most of the remainder.

The CIA and some Defense agencies have established nonprofit venture capital organizations in recent years to invest in the innovative companies developing specialized technologies. The investment groups strike deals that give companies unprecedented freedom to maintain control over the products they develop for the government. The Homeland Security Department likely will become more dependent on these boutique companies as officials look for better devices to battle bioterrorists and create data models to help predict future attacks.

But homeland security officials' awareness of those firms is limited. For years agencies have relied on a small pool of federal contractors that meet most of their needs. When those firms can't do a job, they, not agency personnel, recruit other companies. OMB's Lorentz confesses that, had he not left the government to work in the private sector, he wouldn't know many smaller companies existed. To take advantage of the newest, best technology, the new department must quickly learn how to entice those firms to cater to its needs and to sell to it. Few agencies are doing so today.

PAST AND PROLOGUE

Perhaps the biggest misconception about the Homeland Security Department is that it will get up and running quickly. It won't, and neither will its new system of systems. Building the department will take longer and cost more than many of its proponents admit. The department's technology integration also will take years to complete. As it should. A project of such unprecedented magnitude ought to be deliberate and painstaking. Yet the new department's architects say they're rushing to put their plans in place to counteract the imminent threat of terrorism. "We're moving at e-business speed," says OMB's Forman of his efforts to review dozens of the security agencies' projects and decide whether to pull them apart, splice them together or halt them entirely.

But government executives have been trying to inject business methods and speed into their agencies for years, and they've still failed to manage their technology assets effectively, to secure them or to share information. To be sure, there's never been a greater imperative than domestic attacks for agencies to cooperate. Technology's essential role in that cooperation is undeniable. But the current mind-set really isn't much of a change from the same one that has failed to live up to its promised potential. And that won't make us any safer.

NEXT STORY: What’s a COTR?