Terrorist information-sharing plan awaits Bush's approval
- By Jason Miller
- Jan 21, 2005
Observers say council took right approach by ignoring technology
When Karen Evans walked into one of the first meetings of the Information Systems Council, she told executives from the agencies driving the federal government's efforts to better share terrorist information that technology was not a topic for discussion.
That's right. The Office of Management and Budget's administrator for e-government and IT did not want to talk about hardware, software, middleware or any other ware until the agencies had ironed out their business processes.
So executives from the CIA, FBI, National Counterterrorism Center and the departments of Commerce, Defense, Homeland Security, Justice, State and Treasury set about defining the underlying reasons for why they had trouble exchanging terrorist information.
'It was not what kind of search engine needs to be in place in order to do this stuff, but how much security and privacy do you want?' Evans said. 'Then we can go get the technology associated with that.'
The council delivered a set of recommendations to President Bush last month on what must be done so agencies can improve their sharing of terrorist information. Bush created the council and gave it its marching orders in an August executive order.
Evans, who spoke earlier this month at a luncheon in McLean, Va., sponsored by Gartner Inc. of Stamford, Conn., would not detail the specific recommendations, but the executive order Bush signed said the plan must recommend milestones, resource needs and funding.
The president's order also charged the council with looking at the types of systems agencies need and identifying guidelines that should follow.
The suggestions are under review by Bush, Evans said.
'We didn't have to solve the problem, we just had to come up with the plan on how to move forward, so we were good about not setting too high a bar for us to be able to achieve,' she said. 'We knew it was a high-enough hurdle to get everyone in the room and talk about it and send forward good, solid recommendations to the president for him to make the decision.'
Industry officials said the council's approach is exactly what's needed to improve sharing of terrorist data.
'There is an old saying, 'The plan is everything; the plan is nothing,' ' said Daniel Forrester, director of business consulting for Sapient Corp., an IT investment planning consultant in Cambridge, Mass. 'The projects that we've seen go well have an integrated program plan with milestones and visibility into the day-to-day progress of the project. Without that, the plan will fail.'
Forrester said understanding the roles and responsibilities of each agency and the context in which they share information is the most important aspect of this, or any, IT project.
Because Evans gathered a cadre of high-ranking federal officials and discussed the information-sharing business processes, the recommendations should be worthwhile, said James Dempsey, executive director for the Center for Democracy and Technology, a Washington nonprofit group, and a member of the Markle Foundation's Task Force on National Security in the Information Age.
The Markle task force met with the council at least twice. Dempsey, though, said he has not seen the final recommendations. But there are some things that must be dealt with no matter what the suggestions are, he said.
'Privacy and security guidelines have to be laid out up front as a part of the business plan,' Dempsey said. 'And the rules for who shares what information with whom and for what purpose also must be clear. It cannot call for unilateral data dumping.'
Dempsey hopes government officials learned their lesson from failed terrorism data-sharing attempts such as Total Information Awareness and the Computer Aided Passenger Prescreening System II. In both instances, poor security and privacy planning tripped up these Homeland Security efforts, he said.
'If you don't have privacy rules, you get one of two unacceptable outcomes,' Dempsey said. 'You get people throwing data over the wall and not worrying about what happens. Or you get people freezing up because they don't know what the rules are. Rules are not barriers to information sharing but can facilitate it.'