Information Sharing for Homeland Security: A Brief Overview

Order Code RL32597 CRS Report for Congress Received through the CRS Web Information Sharing for Homeland Security: A Brief Overview Updated January 10, 2005 Harold C. Relyea Specialist in American National Government Government and Finance Division Jeffrey W. Seifert Analyst in Information Science and Technology Policy Resources, Science, and Industry Division Congressional Research Service ˜ The Library of Congress Information Sharing for Homeland Security: A Brief Overview Summary In the aftermath of the terrorist attacks on the World Trade Center and the Pentagon, various recommendations and efforts have been made with the intention of improving information sharing among government entities at all levels within the United States, the private sector, and certain foreign governments, with a view to countering terrorists and strengthening homeland security. The National Commission on Terrorist Attacks Upon the United States (9/11 Commission) was among those to have most recently offered recommendations in this regard in its July 22, 2004, report. The types of information potentially within the scope of such sharing include raw data, which has undergone little or no assessment regarding its accuracy or implications; knowledge, which has been determined to have a high degree of reliability or validity; and intelligence, which has been carefully evaluated concerning its accuracy and significance, and may sometimes be credited in terms of its source. This report reviews some of the principal existing homeland security information sharing arrangements, as well as some projected arrangements in this regard, and discusses related policy, evaluations, and proposed legislation. It will be updated as events warrant. Contents 9/11 Commission Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 Existing Arrangements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5 Joint Regional Information Exchange System (JRIES) and the Homeland Security Information Network (HSIN) . . . . . . . . . . . . . 5 Regional Information Sharing System (RISS) Program . . . . . . . . . . . . 7 Multistate Anti-Terrorism Information Exchange (MATRIX) Pilot Information Sharing Project . . . . . . . . . . . . . . . . . . . . . . . . 12 Projected Arrangements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14 Related Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Presidential Procedures . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15 Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 Protections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18 Quality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 GAO Evaluations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22 Legislative Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26 Purposes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27 Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28 Authority and Functions of the OMB Director [or, Alternatively, the Secretary of Homeland Security] . . . . . . . . . . . . . . . . . . . . . . 28 Federal Agency Responsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29 Other Participants’ Responsibilities . . . . . . . . . . . . . . . . . . . . . . . . . . . 30 Annual Inventory and Assessment of Information Sharing Initiatives 30 Related Proposed Legislation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31 Appendix 1. Selected Online Information Sharing Resources . . . . . . . . . . . . . . . 35 Information Sharing for Homeland Security: A Brief Overview Among the responses prompted by the terrorists attacks on the World Trade Center and the Pentagon were various recommendations for, and subsequent efforts at, improving information sharing among government entities at all levels within the United States, the private sector, and certain foreign governments, with a view to countering terrorists and strengthening homeland security. The National Commission on Terrorist Attacks Upon the United States (9/11 Commission) was among those to have most recently offered recommendations in this regard in its July 22, 2004, report. Because the commission’s report arrived at a time when information sharing improvements were well underway, its recommendations were multifaceted. 9/11 Commission Recommendations In Chapter 12, titled “What to Do? A Global Strategy,” the commission’s report provided two sets of recommendations pertaining to the exchanging or sharing of information. With respect to border screening, the panel proffered the following recommendation: ! The U.S. government cannot meet its own obligations to the American people to prevent the entry of terrorists without a major effort to collaborate with other governments. We should do more to exchange terrorist information with trusted allies, and raise U.S. and global border security standards for travel and border crossing over the medium and long term through extensive international cooperation.1 While the commission’s recommendation was not specific as to how such collaborations could be carried out, the report suggested the need for global standards for identity authentication (such as biometrically enhanced passports), and stated that the U.S. should take a leading role in establishing these standards. One potential longer-term implication of carrying out this recommendation was a global network of country-based screening systems that could verify the departure/arrival of an individual and authenticate that person’s identity in real time. While advocating greater information sharing, the report also recognized how consolidating and transferring large amounts of information about individuals could be susceptible to abuse. Regarding the protection of civil liberties, the report called for an “enhanced system of checks and balances” to be built into the policy framework used to oversee and regulate information sharing. To that end, three 1 U.S. National Commission on Terrorist Attacks Upon the United States, The 9/11 Commission Report (Washington: GPO, 2004), p. 390. CRS-2 recommendations were included regarding what information would be shared, why the information would be shared, and who would be overseeing these activities. ! As the President determines the guidelines for information sharing among government agencies and by those agencies with the private sector, he should safeguard the privacy of individuals about whom information is shared. ! The burden of proof for retaining a particular governmental power should be on the executive, to explain (a) that the power actually materially enhances security and (b) that there is adequate supervision of the executive’s use of the powers to ensure protection of civil liberties. If the power is granted, there must be adequate guidelines and oversight to properly confine its use. ! At this time of increased and consolidated government authority, there should be a board within the executive branch to oversee adherence to the guidelines we recommend and the commitment the government makes to defend our civil liberties.2 In Chapter 13, titled “How To Do It? A Different Way of Organizing Government,” the commission’s report included two recommendations that explicitly addressed the need to facilitate the development of a policy and technical environment that encouraged and supported information sharing. With respect to developing policies that foster a culture of information sharing, the commission recommended: ! Information procedures should provide incentives for sharing, to restore a better balance between security and shared knowledge.3 This commission recommendation highlighted what it considered to be a significant impediment to comprehensive intelligence analysis — the “‘need-toknow’ culture of information protection.”4 The commission suggested that, while the federal government has access to huge volumes of information, procedural and organizational cultural barriers undermined the government’s ability to capitalize on these resources. The commission also cited two specific factors that have helped to perpetuate “need-to-know” information practices. One was the lack of robust internal information sharing procedures, which, in turn, contributed to the compartmentalization of information as a standard practice, rather than the regular dissemination of information to the external community of users. According to the commission, current procedures allowed information to be shared if someone specifically requested the information, and then only according to classification and 2 Ibid., pp. 394-395. 3 Ibid., p. 417. 4 Ibid. CRS-3 other security protocols. The purpose of such an approach was to guard against the disclosure of information that could create security risks. However, the commission suggested that, if taken too far, such security procedures can outweigh the benefits that could be gleaned from information sharing.5 A second factor cited by the commission as perpetuating “need-to-know” information practices was an organizational culture, prevalent across agencies, that supports disincentives to information sharing. As the report stated: “There are no punishments for not sharing information.”6 However, depending upon the situation, criminal, civil, and/or administrative penalties can be imposed if information is shared or disclosed in violation of procedure. The commission suggested that the emphasis on security had led to the “overclassification and excessive compartmentalization of information among agencies.”7 Obstructed access to information can also have both analytical and financial costs, by contributing to incomplete analysis and the duplication of effort by various agencies. To address these concerns, the commission advocated replacing the “need-toknow” information culture with a “need-to-share” information culture. In order to transition to an intelligence information environment that emphasized the “need-toshare,” development of new procedures must also be matched with the development of a technical infrastructure that enables actual information sharing. To that end, with respect to developing the technical infrastructure for information sharing, the commission offered the following recommendation: ! The president should lead the government-wide effort to bring the major national security institutions into the information revolution. He should coordinate the resolution of the legal, policy, and technical issues across agencies to create a ‘trusted information network.’”8 The report did not specify exactly how a trusted information network would be constructed, who would use it, or what information would be shared through it. However, it did highlight some of key features that would characterize the trusted information network, and cited an example described in a recent Markle Foundation report as “an outstanding conceptual framework for the kind of ‘trusted information network.’”9 According to the commission’s report, the trusted information network would be based on a decentralized network model that would facilitate information sharing not only within agencies (vertically), but also, more critically, across agencies (horizontally). The report also recommended using a digital rights management 5 Ibid. 6 Ibid. 7 Ibid. 8 Ibid., p. 418. 9 Ibid.; the Markle Foundation report, produced in December 2002 by its Task Force on National Security in the Information Age, is titled Creating a Trusted Information Network for Homeland Security: Second Report of the Markle Foundation Task Force, and is available at [http://www.markle.org/downloadable_assets/nstf_report2_full_report.pdf]. CRS-4 framework, so that a trusted information network could allow agencies to maintain and populate their own databases, as well as establish access controls to govern the use of the data by authorized individuals within the network. The commission also suggested that presidential leadership would be required to address the policy and legal issues associated with establishing a trusted information network. This leadership, in turn, could develop standards for common information use, and could be applied across the participant community. Another recommendation would have had the President, when determining “the guidelines for information sharing among government agencies and by those agencies with the private sector,” also “safeguard the privacy of individuals about whom information is shared.” Seeking to reinforce compliance with these guidelines, and otherwise finding “that there is no office within the government whose job it is to look across the government at the action we are taking to protect ourselves to ensure that liberty concerns are appropriately considered” the report recommended the creation of the civil liberties oversight board.10 On August 27, 2004, President George W. Bush issued two executive orders responding to some of the recommendations of the 9/11 Commission. One of them, E.O. 13356, prescribed duties for the heads of agencies possessing or acquiring terrorist information concerning the accessibility, sharing, and analysis of such information; set requirements for the collection of terrorism information within the United States; and, among other considerations, established an Information Systems Council, chaired by a representative of the Director of the Office of Management and Budget (OMB) with at least 10 other members representing specified senior officials, “to plan for and oversee the establishment of an interoperable terrorism information sharing environment to facilitate automated sharing of terrorism information among appropriate agencies.”11 The other directive, E.O. 13353, established the President’s Board on Safeguarding Americans’ Civil Liberties within the Department of Justice.12 Chaired by the Deputy Attorney General and composed of 19 other senior counsels and leaders largely from within the intelligence and homeland security communities, the board had, among its responsibilities, advising the President regarding civil liberties policy, gathering information and making assessments regarding such policy and its implementation, making recommendations to the President, referring information about possible violations of such policy by a federal official or employee for prompt action, enhancing cooperation and coordination among federal departments and agencies in implementing such policy, and undertaking other efforts to protect the civil liberties of the citizenry as directed by the President. This board was subsequently replaced by the Privacy and Civil Liberties Oversight Board mandated by the Intelligence Reform and Terrorism Prevention Act, which the President signed 10 Ibid., p. 394-395. 11 Federal Register, vol. 69, Sept. 1, 2004, pp. 53599-53602. 12 Ibid., pp. 53585-53587. CRS-5 into law on December 17, 2004.13 Implementing many of the recommendations of the 9/11 Commission, this reform legislation is discussed later in this report. In the paragraphs below, some of the principal existing homeland security information sharing arrangements are reviewed, as well as some projected arrangements in this regard; and related policy, Government Accountability Office (GAO, formerly known as the General Accounting Office) evaluations, and legislation are discussed. The types of information potentially within the scope of such sharing include raw data, which has undergone little or no assessment regarding its accuracy or implications; knowledge, which has been determined to have a high degree of reliability or validity; and intelligence, which has been carefully evaluated concerning its accuracy and significance, and may sometimes be credited in terms of its source. Existing Arrangements While discussions of information sharing frequently focus on how technology can be used to break down the so-called “stove pipes” that purportedly inhibit collaboration among government agencies, it is important to recognize that these initiatives are more than simply information technology projects. Instead, they represent a specific component of ongoing efforts to improve the management, efficiency, and efficacy of government information resources, often associated with electronic government or e-government. As such, information sharing initiatives are characterized by their programmatic elements as well as their technology elements. Some of the most common categories or types of information being shared through these initiatives include intelligence, homeland security, law enforcement, and critical infrastructure information. Information shared and technology used by these initiatives can vary widely. However, an overarching purpose of most of these initiatives is to facilitate better collaboration and information analysis through the use of improved information technology and the development of common information standards. Concerns about coordination and duplication of these initiatives have been raised since there currently appears to be no centralized inventory of all the information sharing initiatives being carried out within and between the federal, state, and/or local levels.14 GAO has reported, however, that efforts to fight terrorism have spurred the growth of the number of initiatives at all levels of government since the September 11, 2001, attacks.15 Three existing information sharing initiatives are discussed below to provide general examples of how information sharing is sometimes carried out. Joint Regional Information Exchange System (JRIES) and the Homeland Security Information Network (HSIN). In December 2002, JRIES 13 118 Stat. 3638. 14 See U.S. General Accounting Office, Homeland Security: Efforts to Improve Information Sharing Need to Be Strengthened, GAO Report GAO-03-760 (Washington: August 2003). 15 Ibid. CRS-6 began as a pilot project for the sharing of counterterrorism information between local and state law enforcement and the Department of Defense (DOD). JRIES was initiated by the Joint Intelligence Task Force - Combating Terrorism (JITF-CT), led by the Defense Intelligence Agency (DIA). The initial participants included the New York Police Department Counterterrorism Bureau (NYPD-CTB) and the California Department of Justice Anti-Terrorism Information Center (CATIC). After assessment of the pilot phase, JRIES became operational in February 2003. The number of participants has also grown to include other municipalities, states, and federal agencies.16 In February 2004, the Department of Homeland Security (DHS) announced the launch of its Homeland Security Information Network (HSIN) initiative, designed to connect all 50 states, five U.S. territories, and 50 major urban areas with the Homeland Security Operations Center (HSOC) at the department. To accomplish this goal, DHS adopted the JRIES infrastructure, expanding both its capabilities and its community of users beyond its original “law enforcement and intelligence counterterrorism mission” while leaving the original JRIES system in place.17 In July 2004, DHS announced that it achieved connectivity to all 50 states.18 JRIES/HSIN is anticipated to include eventually users such as state homeland security advisers, state adjutant generals (National Guard), state emergency operations centers, local emergency services (fire, police, and other first responders), and possibly private sector actors as well. A significant focus of the expanded JRIES/HSIN network will be to prevent terrorist attacks by capitalizing on the existing human and information resources at the federal, state, and local levels, and enabling the real time collaboration and exchange of information for improved awareness and quicker response to threats.19 Some civil liberties organizations have raised concerns regarding the exchange of information by state and local law enforcement agencies with DIA, an intelligence agency barred from collecting information domestically. Concerns also have been raised about the potential collection information regarding the activities of legitimate political or social organizations, such as anti-war groups.20 JRIES functions as a secure virtual private network (VPN), connecting various participant data sources using encrypted communications via the Internet. JRIES 16 U.S. Department of Justice, Office of Justice Programs, The National Criminal Intelligence Sharing Plan (Washington: October 2003), pp. 45-56, available at [http:// it.ojp.gov/documents/National_Criminal_Intelligence_Sharing_Plan.pdf]. 17 U.S. Department of Homeland Security, “Homeland Security Information Network to Expand Collaboration, Connectivity for States and Major Cities,” press release, Feb. 24, 2004, available at [http://www.dhs.gov/dhspublic/display?content=3350]. 18 Dibya Sarkar, “HSIN Starts Five Months Early,” Federal Computer Week, July 8, 2004, available at [http://www.fcw.com/fcw/articles/2004/0705/web-hsin-07-08-04.asp]. 19 U.S. Department of Homeland Security, “Homeland Security Information Network to Expand Collaboration, Connectivity for States and Major Cities,” available at [http://www. dhs.gov/dhspublic/display?content=3350]. 20 Justin Rood, “Pentagon Has Access to Local Police Intelligence Through Office in Homeland Security Department,” CQ Homeland Security, July 6, 2004, available at [http://www.cq.com/corp/show.do?page=temp/20040708_homeland]. CRS-7 relies upon commercial, off-the-shelf technology and Web-based software that enables users to access database and analysis applications, send secure e-mail, send and receive maps and other graphics, and collaborate in real time online.21 JRIES/HSIN is currently used to exchange so-called sensitive but unclassified (SBU) information, although DHS plans to upgrade the security of the network to allow for the exchange of security classified information at the “Secret” level by fall 2004. These information protections are discussed later in this report. In the future, DHS also plans to develop an interface between JRIES and RISSNET (see below), a longestablished nationwide network of criminal databases used by law enforcement agencies.22 Regional Information Sharing System (RISS) Program. The RISS Program is an established system of six regional centers that are used to “share intelligence and coordinate efforts against criminal networks that operate in many locations across jurisdictional lines.”23 The RISS Program was created to combat traditional law enforcement targets, such as drug trafficking and violent crime, but has been expanded to include other activities, such as terrorism and cybercrime. According to its website, RISS has “member agencies in all 50 states, the District of Columbia, U.S. territories, Australia, Canada, and England.”24 The RISS program uses a regional approach, so that each center can tailor/focus its resources on the specific needs of its area, while still coordinating and sharing information as one body for national-scope issues.25 The origins of the RISS Program date to 1974, when the Department of Justice awarded its first grant to allow police departments in the southern U.S. to share/exchange information with each other via computers.26 This support helped create the first of the six regional centers, the Regional Organized Crime Information Center (ROCIC).27 The other regional centers include the Rocky Mountain 21 Brian Robinson, “DHS Unfolds New Safety Net,” Federal Computer Week, June 21, 2004, available at [http://www.fcw.com/supplements/homeland/2004/sup2/hom-safety06-21-04.asp]. 22 U.S. Department of Homeland Security, “Homeland Security Information Network to Expand Collaboration, Connectivity for States and Major Cities,” available at [http://www. dhs.gov/dhspublic/display?content=3350]. 23 For a detailed description of RISS, see [http://www.iir.com/riss/] and [http://www. rissinfo.com/]. 24 See [http://www.rissinfo.com/overview2.htm]. 25 See [http://www.rissinfo.com/]. 26 Wilson P. Dizard III, “IT Security Calls for Collaboration,” Government Computer News, Mar. 4, 2002, available at [http://www.gcn.com/21_5/news/18099-1.html]; U.S. Department of Justice, Bureau of Justice Assistance, “Regional Information Sharing Program,” Bureau of Justice Assistance Program Brief (Washington: April 2002), available at [http://www. ncjrs.org/pdffiles1/bja/192666.pdf]. 27 Regional member states include Alabama, Arkansas, Florida, Georgia, Kentucky, Louisiana, Mississippi, North Carolina, Oklahoma, South Carolina, Tennessee, Texas, Virginia, and West Virginia. Puerto Rico and the U.S. Virgin Islands are also members of (continued...) CRS-8 Information Network (RMIN),28 the New England State Police Information Network (NESPIN),29 the Mid-States Organized Crime Information Center (MOCIC),30 the Western States Information Network (WSIN),31 and the Middle Atlantic-Great Lakes Organized Crime Law Enforcement Network (MAGLOCLEN).32 Membership in each of the centers includes federal, state, and local law enforcement agencies, for an estimated total of “nearly 7,000 law enforcement and criminal justice agencies representing over 700,000 sworn officers.”33 The RISS Program continues to be federally funded through the Bureau of Justice Assistance (BJA) at the Department of Justice (DOJ), which also has program management oversight responsibilities. In addition, RISS centers are required to be in compliance with Criminal Intelligence Systems Operating Policies regarding the confidentiality of information collected and shared.34 Each RISS center provides its member agencies with a range of services, including: ! Information sharing — primarily through the operation of the RISS secure intranet (RISSNET) (see below), providing secure databases and investigative tools. ! Analysis — including the preparation of analytical products, compilation and analysis of data, and computer forensics analysis. ! Equipment loans — inventories of specialized investigative and surveillance equipment, including photographic, communications, and surveillance equipment, for member agencies to borrow for multijurisdictional investigations. 27 (...continued) ROCIC. 28 Regional member states include Arizona, Colorado, Idaho, Montana, Nevada, New Mexico, Utah, and Wyoming. RMIN also includes member agencies from Canada. 29 Regional member states include Connecticut, Maine, Massachusetts, New Hampshire, Rhode Island, and Vermont. NESPIN also includes member agencies from Canada. 30 Regional member states include Illinois, Iowa, Kansas, Minnesota, Missouri, Nebraska, North Dakota, South Dakota, and Wisconsin. MOCIC also includes member agencies from Canada. 31 Regional members states include Alaska, California, Hawaii, Oregon, and Washington. WSIN also includes member agencies from Canada, Australia, and Guam. 32 Regional members states include Delaware, Indiana, Maryland, Michigan, New Jersey, New York, Ohio, and Pennsylvania, as well as the District of Columbia. MAGLOCLEN also includes member agencies from England, the Canadian provinces of Ontario and Quebec, and Australia. 33 34 See [http://www.rissinfo.com/overview2.htm]. See 28 C.F.R. Part 23; U.S. Department of Justice, Bureau of Justice Assistance, “The RISS Program: 2002, Membership and Service Activity”(Washington: June 2003), available at [http://www.iir.com/Publications/RissProgram2002.pdf]. CRS-9 ! Confidential funds — following federal and center guidelines, money that can be used to purchase information, contraband, stolen property, and other evidentiary items, as well as to pay investigative expenses for multijurisdictional investigations. ! Training — meetings and conferences for training on information sharing techniques, anti-terrorism training; and training in surveillance techniques, equipment use, safety, and analysis techniques. ! Technical assistance — training and assistance for activities such as requesting analytical services, and RISSNET installation and support.35 The centerpiece of the RISS Program’s information sharing activities is its secure intranet, RISSNET, which is capable of sharing electronically what is termed “sensitive but unclassified information.” RISSNET participants can either connect a single computer to the intranet, or establish a node connection, enabling wider access through their agency’s network. RISSNET participants use a virtual private network (VPN) connection over the Internet to access the RISSNET gateway firewall, whereupon the user’s identity is authenticated and access is granted to the secure intranet. The secure intranet is a dedicated network carried over frame relay circuits (a guaranteed amount of bandwidth carried over public telephone lines) connecting the RISS centers to the database resources. Security is maintained through the use of encryption, smart cards, and other Internet security protocols.36 This system enables participants to send and receive secure e-mail transmissions with other RISSNET participants, as well as use secure Web browser sessions to access data. RISSNET also provides access to a number of other resources, including: 35 36 ! RISS center websites — each of the six RISS centers has a website that provides information on its services and resources, and provides access to criminal intelligence databases. ! RISSIntel/RISSNET II — electronically linked collection of webbased criminal intelligence databases with information provided by member agencies. ! RISSGang — the RISS National Gang Database, a crime-specific database related to gangs and gang members, including both text information and images, such as photographs, gang tattoos, and gang graffiti. See [http://www.rissinfo.com/services.htm]. U.S. Department of Justice, Bureau of Justice Assistance, “The RISS Program: 2002, Membership and Service Activity,” available at [http://www.iir.com/Publications/ RissProgram2002.pdf]; Office of Information Technology, Regional Information Sharing Systems, “Regional Information Sharing — What’s Working? Is It Helping?,” July 21, 2003, National Criminal Justice Association National Forum 2003 Conference, available at [http://www.ijis.org/education/Docs/RISS/RISS%20Tech%20(RISS).ppt]. CRS-10 ! RISSLeads — the RISS Investigative Leads Bulletin Board, a newsgroup server where participants can post case-related information for the purpose of generating investigative leads and can exchange information with other participants. ! RISSSearch — a search engine that identifies and retrieves data from multiple databases and information sources, including restricted information sites, sensitive but unclassified sites, and public Internet sites. ! RISSTraining — electronic resources for anti-terrorism training. ! RISSLinks — a data visualization tool for analyzing and showing associations among the results from multiple databases. ! RISSLive — an online, real-time communications medium to facilitate real-time information sharing among participants.37 Another recently developed resource is the RISS Anti-Terrorism Information Exchange (ATIX). Initiated in late 2002, RISS ATIX represents an expansion of the efforts to facilitate communication and information sharing among personnel responsible for planning and implementing actions to prevent, mitigate, and recover from terrorist incidents and disasters. RISS ATIX participants include constituencies that have not traditionally participated in RISS. RISS ATIX participants include both government and private sector actors, who are divided into ATIX communities, based on their functions.38 According to the RISS ATIX website, some of the ATIX communities include “state, county, local, tribal, and federal government; law enforcement; emergency management; disaster relief; utilities; and, among others, the chemical, transportation, and telecommunication industries.”39 Since becoming operational, RISS ATIX has been used to facilitate communications for events such as Hurricane Isabel in September 2003, the G8 Summit at Sea Island, Georgia, in 37 U.S. Department of Justice, Bureau of Justice Assistance, “The RISS Program: 2002, Membership and Service Activity,” available at [http://www.iir.com/Publications/ RissProgram2002.pdf]; National Narcotic Officers’ Associations’ Coalition, “Regional Information Sharing Systems Program,” NNOAC Insight, n.d., available at [http://www. natlnarc.org/papers/RISS_Position.pdf]; Gerard P. Lynch, “Facilitating an Enhanced Information Sharing Network That Links Law Enforcement and Homeland Security for Federal, State, and Local Governments,” hearing statement before U.S. Congress, House Committee on Government Reform, Subcommittee on Technology, Information Policy, Intergovernmental Affairs, and the Census (Washington: July 13, 2004). 38 U.S. Department of Justice, Bureau of Justice Assistance, “The RISS Program: 2002, Membership and Service Activity,” available at [http://www.iir.com/Publications/ RissProgram2002.pdf]. 39 See [http://www.rissinfo.com/rissatix.htm]. CRS-11 June 2004, and both the Republican and Democratic national conventions in summer 2004.40 RISS ATIX utilizes four primary components to facilitate communication and information sharing. These include: ! RISS ATIX Web page — news articles, online resources, and contact information tailored to the various ATIX communities. ! RISS ATIX bulletin board — a newsgroup server where participants can post information related to terrorism, disasters, and homeland security, as well as “page” online participants and send secure e-mail messages. ! ATIXLive — an online, real-time communications medium to facilitate real-time information sharing among participants, including the “paging” function and the ability to send secure e-mail messages from within the ATIXLive application. ! ATIX secure e-mail — a secure e-mail application to send and receive homeland security alerts and exchange information with other participants.41 On September 1, 2002, RISSNET interconnected with the FBI Law Enforcement Online (LEO) system to create a so-called “virtual single system” for the purpose of exchanging sensitive but unclassified homeland security information. Both RISSNET and LEO participants can access these resources combined using a single logon identifier. Participants can also exchange secure e-mail messages. RISSNET has established, or is in the process of establishing, interconnections with other information sharing networks as well, including the National Law Enforcement Telecommunications System (NLETS), the Criminal Information Sharing Alliance (CISAnet), and the Multistate Anti-Terrorism Information Exchange (MATRIX) Pilot Project.42 As with other information sharing initiatives, civil liberties organizations have raised concerns about privacy and the potential misuse of personal data as more information sources become interconnected and available to a larger number of users. 40 Lynch, “Facilitating an Enhanced Information Sharing Network that Links Law Enforcement and Homeland Security for Federal, State, and Local Governments,” hearing statement. 41 42 See [http://www.rissinfo.com/rissatix.htm]. U.S. Department of Justice, Bureau of Justice Assistance, “The RISS Program: 2002, Membership and Service Activity,” available at [http://www.iir.com/Publications/ RissProgram2002.pdf]; National Narcotic Officers’ Associations’ Coalition, “Regional Information Sharing Systems Program,” available at [http://www.natlnarc.org/papers/ RISS_Position.pdf]; Lynch, “Facilitating an Enhanced Information Sharing Network That Links Law Enforcement and Homeland Security for Federal, State, and Local Governments,” hearing statement. CRS-12 Multistate Anti-Terrorism Information Exchange (MATRIX) Pilot Information Sharing Project. The MATRIX project was initially developed in the days following the September 11, 2001, terrorist attacks by Seisint, a Floridabased information products company, in an effort to facilitate collaborative information sharing and factual data analysis. At the outset of the project, MATRIX included a component Seisint called the High Terrorist Factor (HTF), which was designed to identify individuals with high HTF scores, or so-called terrorism quotients, based on an analysis of demographic and behavioral data. Although the HTF scoring system appeared to attract the interest of officials, this feature was reportedly dropped from MATRIX because it relied on intelligence data not normally available to the law enforcement community and because of concerns about privacy abuses.43 In its current form, the MATRIX pilot project is administered through a collaborative effort between Seisint, the Florida Department of Law Enforcement (FDLE),44 and the Institute for Intergovernmental Research (IIR), a “Florida-based nonprofit research and training organization, [that] specializes in law enforcement, juvenile justice, and criminal justice issues.”45 FDLE serves as the “security agent” for MATRIX, administering control over which agencies and individuals have access to the system. FDLE is also a participant state in MATRIX. IIR is responsible for administrative support, and is the grantee for federal funds received for MATRIX.46 Thus far, it has been reported that the MATRIX pilot project has received a total of $12 million in federal funding — $8 million from the Office of Domestic Preparedness (ODP) at the Department of Homeland Security (DHS), and $4 million from the Bureau of Justice Assistance (BJA) at the Department of Justice (DOJ).47 The analytical core of the MATRIX pilot project is an application called Factual Analysis Criminal Threat Solution (FACTS), described as a “technological, investigative tool allowing query-based searches of available state and public records in the data reference repository.”48 The FACTS application allows an authorized user to search “dynamically combined records from disparate datasets” based on partial information, and will “assemble” the results.49 The data reference repository used with FACTS represents the amalgamation of over 3.9 billion public records collected 43 Brian Bergstein, “Database Firm Tagged 120,000 Terrorism ‘Suspects’ for Feds,” (Biloxi, MS) SunHerald, May 20, 2004, available at [http://www.sunherald.com/mld/sunherald/ business/technology/8715327.htm]. 44 The FDLE website is available at [http://www.fdle.state.fl.us/]. 45 The IIR website is available at [http://www.iir.com/]. 46 See [http://www.matrix-at.org/roles.htm]. 47 John Schwartz, “Privacy Fears Erode Support for a Network to Fight Crime,” New York Times, Mar. 15, 2004, available at [http://www.nytimes.com/2004/03/15/technology/ 15matrix.html]; see also [http://www.matrix-at.org/faq.htm]. 48 For a more detailed description of FACTS, see [http://www.matrix-at.org/FACTS_ defined.htm]. 49 Ibid. CRS-13 from thousands of sources.50 The data contained in FACTS include FAA pilot license and aircraft ownership records, property ownership records, information on vessels registered with the Coast Guard, state sexual offender lists, federal terrorist watch lists, corporation filings, Uniform Commercial Code filings, bankruptcy filings, state-issued professional license records, criminal history information, department of corrections information and photo images, driver’s license information and photo images, motor vehicle registration information, and information from commercial sources that “are generally available to the public or legally permissible under federal law.”51 The data reference repository is said to exclude data such as telemarketing call lists; direct mail mailing lists; airline reservations or travel records, frequent flyer/hotel stay program membership information or activity; magazine subscription records; information about purchases made at retailers or over the Internet; telephone calling logs or records; credit or debit card numbers; mortgage or car payment information; bank account numbers or balance information; records of birth certificates, marriage licenses, and divorce decrees; and utility bill payment information. Participating law enforcement agencies utilize this information sharing and data mining resource over the Regional Information Sharing Systems (RISS) secure intranet (RISSNET), described above. Some civil liberties organizations have raised concerns about law enforcement actions being taken based on algorithms and analytical criteria developed by a private corporation — in this case, Seisint — without any public or legislative input.52 Questions have also been raised about the level of involvement of the federal government, particularly the Department of Homeland Security and the Department of Justice, in a project that is ostensibly focused on supporting state-based information sharing.53 The MATRIX pilot project has suffered some setbacks in recruiting states to participate. The lack of participation can be especially troubling for a networked information sharing project such as MATRIX because, as Metcalfe’s Law suggests, “the power of the network increases exponentially by the number of computers connected to it.”54 While as many as 16 states have been reported to have either participated or seriously considered participating in MATRIX at its outset, several have chosen to withdraw, leaving a current total of five states, including Florida, Michigan, Ohio, Pennsylvania, and Connecticut, actively participating. State officials have cited a variety of reasons for not participating in MATRIX, including 50 See [http://www.matrix-at.org/newsletter.pdf]. 51 For more information about data included in and excluded from the data reference repository, see [http://www.matrix-at.org/data_sources.htm]. 52 William Welsh, “Feds Offer to Mend Matrix,” Washington Technology, May 24, 2004, available at [http://www.washingtontechnology.com/news/19_4/egov/23597-1.html]. 53 Robert O’Harrow, Jr., “Anti-Terror Database Got Show at White House,” Washington Post, May 21, 2004, p. A12. 54 For a more detailed discussion of Metcalfe’s Law, see [http://searchnetworking.techtarget. com/sDefinition/0,,sid7_gci214115,00.html]. CRS-14 costs, concerns about violating state privacy laws, and duplication of existing resources.55 To help address the privacy concerns associated with a centralized data repository, some officials have suggested switching to a distributed approach whereby each state would maintain possession of its data and control access according to its individual laws. As a pilot project, MATRIX is expected to continue through November 2004. At that time, IIR will submit a final report to officials evaluating the long-term viability of the project.56 Projected Arrangements At this time it is unclear if and how the 9/11 Commission report recommendations regarding information sharing might be implemented. One option would be to use and/or modify existing information sharing initiatives, including the possibility of combining features from existing initiatives. Another option might be to build a new information sharing infrastructure from the ground up. However, in light of the level of resources already invested in existing information sharing initiatives, the cost and time involved to build a new infrastructure, and the urgency that some place on implementing some of the recommendations quickly, it appears that a comprehensive information sharing initiative would most likely involve capitalizing on existing resources and working to improve the interoperability of these resources. As described above, some information sharing networks already exist, although they each have their own specific purposes and goals. One option might be to construct a network of networks that incorporates existing information sharing networks and other databases and resources that could create the trusted information network called for in the 9/11 Commission report. In keeping with the recommendation of the second report of the Markle Foundation’s Task Force on National Security in the Information Age, which was cited by the 9/11 Commission report, such a network would not utilize either a mainframe or a hub-and-spoke model of information dissemination, both of which feature centralized points for information flows.57 Instead, the trusted information network could operate as a 55 The states that have reportedly decided to withdraw from the pilot project include Alabama, California, Georgia, Kentucky, Louisiana, New York, Oregon, South Carolina, Texas, Utah, and Wisconsin. Larry Greenemeier, “Two More States Withdraw from Database,” InformationWeek, Mar. 12, 2004, available at [http://www.informationweek. com/story/showArticle.jhtml?articleID=18312112]; Diane Frank, “Utah No Longer Part of MATRIX,” Federal Computer Week, Apr. 5, 2004, p. 14; Associated Press. “Two More States Withdraw from Controversial Database Program,” (Fort Worth-Dallas, TX) StarTelegram, Mar. 12, 2004, available at [http://www.dfw.com/mld/dfw/business/8170978. htm?1c]; Associated Press “Matrix Plan Fuels Privacy Fears,” Wired News, Feb. 2, 2004, available at [http://www.wired.com/news/business/0,1367,62141,00.html]. 56 Welsh, “Feds Offer to Mend Matrix,” available at [http://www.washingtontechnology. com/news/19_4/egov/23597-1.html]. 57 See the “Overview” in Markle Foundation, Task Force on National Security in the (continued...) CRS-15 decentralized peer-to-peer network. This approach would allow participants to retain control over their respective data, while also reducing the vulnerability of the information sharing network to attack or failure by not having a single control point or hub upon which the rest of the system would be dependent. Through the use of middleware — software used to connect or integrate two or more separate applications — the challenges of making diverse databases interoperable, or compatible, might be addressed. Middleware could also be designed to support a rule-based system that could govern which data could be accessed, who could access the data, and how the data could be used. A rule-based system could incorporate the overarching policy framework recommended by the 9/11 Commission report, as well as jurisdiction-specific privacy and security requirements. In light of the emphasis being placed on information sharing, and the complexity of the issue, it is likely that the creation of a trusted information network is likely to require the dedicated attention of key individuals over an extended period of time. From a technology management perspective, a chief information sharing officer could be designated within OMB, as well as at each of the relevant agencies. These individuals could serve as the primary points of contact for information sharing initiatives, and could be responsible for working with their respective chief information officers and agency managers to facilitate compliance with standard setting and information sharing requirements. The institutionalization of a chief information sharing position to champion information sharing might also help ensure that agencies do not eventually revert to their previous practices. Related Policy The development of information sharing for homeland security purposes, as the above discussion of some of the existing arrangements suggests, occurs within an existing policy context, which may prove to be in need of clarification, adjustment, and supplement. For example, state privacy laws, as noted, apparently have limited participation in the MATRIX pilot project. Some federal policy considerations that bear on information sharing are discussed in this section relative to anticipated presidential procedures mandated by the Homeland Security Act. Presidential Procedures. Signed into law on November 25, 2002, the Homeland Security Act, establishing the principal homeland security institutions of the federal government, contains various provisions facilitating or mandating homeland security information sharing. Primary among these is Section 892 of the statute, which defines “homeland security information” as “any information possessed by a Federal, State, or local agency that (A) relates to the threat of terrorist activity; (B) relates to the ability to prevent, interdict, or disrupt terrorist activity; (C) 57 (...continued) Information Age, Creating a Trusted Information Network for Homeland Security: Second Report of the Markle Foundation Task Force (New York: December 2003), n.p., available at [http://www.markle.org/downloadable_assets/nstf_report2_full_report.pdf]. CRS-16 would improve the identification or investigation of a suspected terrorist or terrorist organization; and (D) would improve the response to a terrorist act.”58 Prior to this definition of homeland security information, five subsections establish procedures and conditions regarding such information. The first of these requires the President to prescribe and implement procedures under which relevant Federal agencies (A) share relevant and appropriate homeland security information with other Federal agencies, including the Department [of Homeland Security] and appropriate State and local personnel; (B) identify and safeguard homeland security information that is sensitive but unclassified; and (C) to the extent such information is in classified form, determine whether, how, and to what extent to remove classified information [from its protected status], as appropriate, and with which such personnel it may be shared after such information is removed.59 Neither this section nor the other provisions of the Homeland Security Act define what constitutes “sensitive but unclassified” homeland security information. The remaining portions of the subsection require the President to “ensure that such procedures [as he prescribes] apply to all agencies of the Federal Government”; stipulate that these new procedures “shall not change the substantive requirements for the classification and safeguarding of classified information”; and specify that the new procedures “shall not change the requirements and authorities to protect [intelligence] sources and methods.” The second subsection prescribes refinements to the procedures established by the President pursuant to the first subsection. “Under [the] procedures prescribed by the President,” it is stated, “all appropriate agencies, including the intelligence community, shall, through information sharing systems, share homeland security information with Federal agencies and appropriate State and local personnel to the extent such information may be shared, as determined in accordance with” the President’s procedures, “together with assessments of the credibility of such information.” Each of these information sharing systems must (A) have the capability to transmit unclassified or classified information, though the procedures and recipients for each capability may differ; (B) have the capacity to restrict delivery of information to specified subgroups by geographic location, type of organization, position of a recipient within an organization, or a recipient’s need to know such information; (C) be configured to allow the efficient and effective sharing of information; and (D) be accessible to appropriate State and local personnel. Other provisions require the establishment of conditions on the use of shared information “(A) to limit the redissemination of such information to ensure that such information is not used for an unauthorized purpose; (B) to ensure the security and confidentiality of such information; (C) to protect the constitutional and statutory right of any individuals who are subjects of such information; and (D) to provide data 58 116 Stat. 2255. 59 116 Stat. 2253 (emphasis added). CRS-17 integrity through the timely removal and destruction of obsolete or erroneous names and information.” The information sharing systems are to “include existing information sharing systems, including, but not limited to, the National Law Enforcement Telecommunications System, the Regional Information Sharing System, and the Terrorist Threat Warning System of the Federal Bureau of Investigation .” Federal agencies having access to information sharing systems have access to all of the information shared in those systems. The prescribed procedures are to “ensure that appropriate State and local personnel are authorized to use such information sharing systems (A) to access information shared with such personnel; and (B) to share, with others who have access to such information sharing systems, the homeland security information of their own jurisdictions, which shall be marked appropriately as pertaining to potential terrorist activity.” Regarding this shared state and local information, it is to be reviewed and assessed, under procedures prescribed jointly by the Director of Central Intelligence (DCI) and the Attorney General, by each appropriate federal agency, as determined by the President, and integrated with existing intelligence.60 The third subsection authorizes the President to “prescribe procedures under which Federal agencies may, to the extent the President considers necessary, share with appropriate State and local personnel homeland security information that remains classified or otherwise protected” after being reviewed for removal from its protected status. To facilitate such sharing, a sense of Congress provision recognizes the use of background investigations and security clearances, non-disclosure agreements regarding sensitive but unclassified information, and “informationsharing partnerships that include appropriate State and local personnel, such as the Joint Terrorism Task Forces of the Federal Bureau of Investigation, the AntiTerrorism Task Forces of the Department of Justice, and regional Terrorism Early Warning Groups.” The fourth subsection specifies that the head of each affected agency shall designate an official having administrative responsibility for that agency’s compliance with the information sharing requirements of Sections 891-899.61 Finally, the fifth subsection states: “Under procedures prescribed under this section, information obtained by a State or local government from a Federal agency under this section shall remain under the control of the Federal agency, and a State or local law authorizing or requiring such a government to disclose information shall not apply to such information.” Presumably, it is the President who prescribes the referred to procedures; information shared with a subnational jurisdiction pursuant to these procedures remains under the “control” of the providing federal agency; and, because the information is under federal “control,” it is beyond the scope of state information access or freedom of information laws. On July 29, 2003, President Bush issued E.O. 13311, assigning responsibility for preparing the Section 892 homeland security information sharing procedures to 60 61 116 Stat. 2254. These provisions constitute Subtitle I of Title VIII of the Homeland Security Act and may be cited, as specified in the statute, as the Homeland Security Information Sharing Act. CRS-18 the Secretary of Homeland Security.62 Others, in accordance with the provisions of the order, will make input, as well, including the Attorney General, the DCI, and specified officials with whom Homeland Security Secretary Ridge is to coordinate. How that set of procedures will be formulated has not been made publicly known by the Department of Homeland Security (DHS). While many observers expected that these procedures would be issued during the summer of 2004, they have not appeared to date. Control. Arising with the formulation of the President’s procedures is the important consideration of the “ownership” or control of shared information. For the information sharing procedures mandated by Section 892 of the Homeland Security Act, Congress has determined in Subsection 892(e) that “information obtained by a State or local government from a Federal agency under this section shall remain under the control of the Federal agency.” The subsection further specifies that such shared federal agency information is not subject to “a State or local law authorizing or requiring such a government to disclose information.” The statute is silent regarding any reciprocal “controls” which state or local governments may exercise regarding information they provide through the sharing system. Whether such information as state or local governments do provide would constitute, as a threshold question, a federal “agency record” accessible under the Freedom of Information Act (FOIA) is not immediately clear. The Supreme Court, because the FOIA provides no definition of an “agency record,” established, several years ago, in DOJ v. Tax Analysts, a two-prong test for determining whether materials so qualify. First, a federal agency must “either create or obtain” the materials, and, second, “must be in control of the requested materials at the time the FOIA request is made,” control meaning “that the materials have come into the agency’s possession in the legitimate conduct of its official duties.”63 Would federal agencies be considered to have “obtained” state or local government information voluntarily provided through the sharing system? Does the voluntary provision of such information through the sharing system result in its coming under federal agency “control,” that is “the agency’s possession in the legitimate conduct of its official duties?” It seems likely that, if a court is asked to determine whether state or local government information voluntarily provided through the sharing system falls within the scope of the FOIA, it would examine the extent to which a federal agency or agencies had control over the materials at issue. Beyond this threshold question, should a court consider whether such information is subject to FOIA, it is a matter of the applicability of the statute’s nine exemptions to the rule of disclosure and other provisions protecting law enforcement information.64 Protections. The President’s procedures for sharing homeland security information must accommodate various kinds of protected information. Section 62 Federal Register, vol. 68, July 31, 2003, pp. 45149-45150. 63 DOJ v. Tax Analysts, 492 U.S. 136, 144-145 (1989). 64 See 5 U.S.C. § 552(b)-(c). CRS-19 892(a) of the Homeland Security Act requires the President to “identify and safeguard homeland security information that is sensitive but unclassified; and ... to the extent such information is in classified form, determine whether, how, and to what extent to remove classified information, as appropriate, and with which such personnel it may be shared after such information is removed.” Moreover, the new procedures “shall not change the substantive requirements for the classification and safeguarding of classified information” and “shall not change the requirements and authorities to protect [intelligence] sources and methods.” Following Subsection 892(a), the President is directed, when prescribing the mandated information sharing procedures, “to protect the constitutional and statutory rights of any individuals who are subjects of such information.”65 Among the types of protected information so identified are those which are “sensitive but unclassified,” those which are classified, and those which may enjoy privacy protection, as well as intelligence sources and methods. There is a degree of uncertainty about the meaning and scope of some of these terms, however, and management requirements for a couple of types of protected information proffer compliance difficulties for subnational governments. As mentioned earlier, neither Section 892 nor the other provisions of the Homeland Security Act define what constitutes “sensitive but unclassified” homeland security information. Some have noted that the Computer Security Act of 1987 refers to, and defines, “sensitive information,” but neither this statute nor its definition of “sensitive information” is referenced by the Homeland Security Act regarding “sensitive but unclassified” information.66 Furthermore, the Computer Security Act, as originally enacted, specified that it was not to be construed to constitute authority to withhold information sought pursuant to the FOIA or to authorize any federal agency to limit, restrict, regulate, or control, among other actions, the disclosure, use, transfer, or sale of any information disclosable under the FOIA or public domain information.67 Elsewhere, in Section 208 of the E-Government Act of 2002, allowance is made for the modification or waiver of a required privacy impact assessment “for security reasons, or to protect classified, sensitive, or private information contained in an assessment.”68 What constitutes “sensitive” information for this section is not evident, because the term is neither defined in the statute nor is its relationship, if any, to the “sensitive but unclassified” information of Section 892 of the Homeland Security Act explained. An internal DHS management directive on “Safeguarding Sensitive But Unclassified (For Official Use Only) Information,” issued on May 11, 2004, indicates that the “For Official Use Only” (FOUO) marking “will be used to identify sensitive but unclassified information within the DHS community that is not otherwise specifically described and governed by statute or regulation.” Examples of several types of information treated as FOUO information are provided, such as information 65 116 Stat. 2253-2254. 66 See 101 Stat. 1724; 15 U.S.C. § 278g-3. 67 101 Stat. 1730; 40 U.S.C. § 759 note, subsequently repealed 1996, 110 Stat. 680. 68 116 Stat. 2922. CRS-20 that may be protectable under the FOIA’s exemptions to the rule of disclosure; international and domestic information protected by statute, treaty, or other agreements; “[i]nformation that could be sold for profit”; “[i]nformation that could result in physical risk to personnel”; and information revealing security vulnerabilities or breaching operations security. Access to FOUO information is on a need-to-know basis, and persons having such access must sign a nondisclosure agreement. Secure storage of FOUO information is required, and secure communication of it by encrypted telephone or fax is encouraged.69 While statutorily undefined, the “sensitive but unclassified” homeland security information concept perhaps may be discerned in a practice disclosed in regard to the operations of a new facility, a $4 million expansion of the Upstate New York Regional Intelligence Center, jointly operated by New York State and the FBI. Managers explained that security classified information, including data about individuals, would be “filtered” through screeners and intelligence analysts at the center so that no classified information would be provided to local authorities. Thus, it appeared that details which merited security classification would be eliminated or obscured, resulting in unclassified information which would still not be available to the public.70 This unclassified information will probably be regarded as having been compiled for law enforcement purposes and, as such, protected from disclosure under the FOIA or comparable New York law. It seems unlikely, however, that “sensitive but unclassified” homeland security information, per se, could be protected from disclosure pursuant to the FOIA because it does not appear to fall clearly within any of that statute’s exemptions. Classified information is understood to be information “specifically authorized under criteria established by an Executive order to be kept secret in the interest of national defense or foreign policy,” and which is “in fact properly classified pursuant to such Executive order.”71 The operative executive order prescribing security classification (and declassification) policy and practice is E.O. 12958 of April 17, 1995, as amended by E.O. 13292 of March 25, 2003.72 The latter directive added two new concerns to the former’s rather traditional, but specific, military, intelligence, foreign affairs, and national security classification categories: defense against transnational terrorism and the vulnerabilities of infrastructures, both of which are probably regarded generally to be homeland security interests. Security classification is used to protect Restricted Data, as defined by the Atomic Energy Act of 1954, and intelligence sources and methods, the sanctity of which is a statutorily specified responsibility of the DCI.73 Other types of information protected by security classification include National Security Agency signals intelligence and 69 U.S. Department of Homeland Security, Management Directive System, “Safeguarding Sensitive But Unclassified (For Official Use Only) Information,” MD No. 11042, May 11, 2004. 70 David Johnston, “Terror Data to Be Shared at New Center Near Albany,” New York Times, May 25, 2004, p. A20. 71 5 U.S.C. § 551(b)(1). 72 3 C.F.R., 1995 Comp., pp. 333-356; 3 C.F.R., 2003 Comp., pp. 196-218. 73 See 42 U.S.C. § 2014(y); 50 U.S.C. § 403-3(c)(6). CRS-21 communications security information, and so-called foreign government information, which is information provided by a foreign government or international organization of governments, with the expectation that the information, its source, or both, are to be held in confidence. Two types of privileged homeland security information not regarded to be security classified information, but which may be considered to be “sensitive but unclassified,” although the DHS management directive on FOUO information suggests otherwise, are “critical infrastructure information,” as understood within the context of Subtitle B of Title II of the Homeland Security Act, and “Sensitive Security Information” (SSI), as that term is defined by the Transportation Security Administration. In defining “critical infrastructure information” in Subtitle B of Title II of the Homeland Security Act, the statute recognizes that this information is “not customarily in the public domain.” When voluntarily shared with DHS by the private sector, it becomes subject to certain protections, including exemption from disclosure under the FOIA and specified use limitations (sharing with state or local governments is anticipated). Federal officers or employees improperly disclosing such critical infrastructure information may be criminally punished.74 Operative security classification policy does not authorize the classification of this information, which remains the private property of the submitter.75 Relying upon information protection provisions of the Air Transportation Security Act of 1974 and the Aviation and Transportation Security Act of 2001, the Transportation Security Administration, now a component of DHS, has issued transportation security regulations making reference to “Sensitive Security Information” (SSI), defined as “information about security programs, vulnerability assessments, technical specifications of certain screening equipment and objects used to test screening equipment, and other information.”76 A more detailed explanation of SSI may be found in the regulations.77 While SSI is a type of protected information, it is not security classified, but may constitute “sensitive but unclassified” homeland security information. A federal appellate court ruled in 1993 that 1990 amendments did not by implication repeal the authority of the Air 74 See 116 Stat. 2150-2155. 75 The Fifth Amendment to the Constitution, among other prohibitions, specifies that no person shall “be deprived of life, liberty, or property, without due process of law.” Pursuant to the Invention Secrecy Act, however, the federal government may deny, for one year, subject to renewal, the issuance of a patent to an applicant where the publication of the application or granting of the patent would be “detrimental to the national security.” An inventor who violates the imposed requirement to keep his invention secret may be criminally punished and regarded to have forfeited patenting his invention. See 35 U.S.C. § 181-188; see, also, 50 U.S.C. App. 10((i). 76 See 49 U.S.C. § 114(s), 40119; this general definition of SSI appears in Federal Register, vol. 67, Feb. 22, 2002, p. 8342. 77 See 49 C.F.R. 1520.7. CRS-22 Transportation Security Act of 1974 to promulgate and withhold from the public security-sensitive rules and other related information now within the scope of SSI.78 Speaking at the summer meeting of the National Governors Association in 2003, Secretary Ridge indicated that, in addition to the governors, five senior officials in each state would be given a Top Secret security clearance in order that security classified information might be shared with them for homeland security purposes.79 Presumably, the states paid for the background investigations for these clearances, each costing upwards of $2,500, and perhaps used discretionary federal homeland security grant funds for this expense. Whether this number of clearances is adequate for each state, given population, geography, and other differences, is uncertain. How these state officials will be able to use classified information to direct the actions of other uncleared state personnel is somewhat problematic, as are integrity considerations of detecting and addressing security breaches involving classified information. Quality. Finally, for policymakers, Section 892 seems to require some attention to data quality in the homeland security information sharing procedures to be prescribed by the President. Shared information is to be provided “together with assessments of the credibility of such information.” Presumably, these assessments would be made by the information provider. Potentially more controversial is the requirement that shared state and local information “be reviewed and assessed, under procedures prescribed jointly by the Director of Central Intelligence and the Attorney General, by each appropriate Federal agency, as determined by the President, and integrated with existing intelligence.” The nature of this assessment is left to determination by the named principals. The section would also have the President’s information sharing procedures “provide data integrity through the timely removal and destruction of obsolete or erroneous names and information,” a rather broad and highly discretionary standard. Who would function as the shared information system manager regarding this data integrity responsibility is not clear, nor is the extent to which other federal records management law, such as Chapters 31 and 33 of Title 44, United States Code, is applicable. GAO Evaluations In September 2003 testimony before two subcommittees of the House Select Committee on Homeland Security, Robert F. Dacey, Director of Information Security Issues for GAO, discussed, among other information sharing matters, the federal government’s critical information protection (CIP) effort, “which is focused on the sharing of information on incidents, threats, and vulnerabilities, and the providing of warnings related to critical infrastructures both within the federal government and between the federal government and state and local governments and the private sector.” Acknowledging that “improvements have been made,” further efforts were thought to be needed to address the following critical CIP challenges: 78 79 See Public Citizen, Inc. v. FAA, 988 F.2d 186 (D.C. Cir. 1993). Michael Janofsky, “Intelligence to Be Shared, Ridge Tells Governors,” New York Times, Aug. 19, 2003, p. A17; the prepared text of Secretary Ridge’s remarks is available at [http://www.dhs.gov/dhspublic/display?theme=44&content=1200&print=true]. CRS-23 ! developing a comprehensive and coordinated national plan to facilitate CIP information sharing that clearly delineates the roles and responsibilities of federal and nonfederal CIP entities, defines interim objectives and milestones, sets timeframes for achieving objectives, and establishes performance measures; ! developing fully productive information sharing relationships within the federal government and between the federal government and state and local governments and the private sector; ! improving the federal government’s capabilities to analyze incident, threat, and vulnerability information obtained from numerous sources and share appropriate, timely, useful warnings and other information concerning both cyber and physical threats to federal entities, state and local governments, and the private sector; and ! providing appropriate incentives for nonfederal entities to increase information sharing with the federal government and enhance other CIP efforts.80 Recounting various recent CIP developments, Dacey noted the 1998 issuance of Presidential Decision Directive 63, which “established CIP as a national goal and described a strategy for cooperative efforts by government and the private sector to protect the physical and cyber-based systems essential to the minimum operations of the economy and the government,” as well as “organizations to provide central coordination and support.” Critical infrastructure sectors essential to national security, national economic security, and/or national public health and safety were identified. “For these sectors, which now total 14, federal government leads (sector liaisons) and private-sector leads (sector coordinators) were to work with each other to address problems related to CIP for their sector” through the development and implementation of vulnerability and education programs and a sectoral preparation plan assessing sector vulnerabilities to cyber or physical attack, as well as ways to eliminate significant vulnerabilities, and identify, prevent, respond to, and recover from attacks. The “voluntary creation of information sharing and analysis centers (ISACs) to serve as mechanisms for gathering, analyzing, and appropriately sanitizing and disseminating information to and from infrastructure sectors and the federal government” was encouraged. Dacey identified 15 established ISACs and a prospective center in the maritime transportation sector.81 “An underlying issue in the implementation of CIP,” according to the GAO testimony, “is that no national plan to facilitate information sharing yet exists that clearly delineates the roles and responsibilities of federal and nonfederal CIP entities, defines interim objectives and milestones, sets time frames for achieving objectives, and establishes performance measures.” Such a plan, which GAO, since 1998, has called for and “made numerous related recommendations regarding,” would appear 80 U.S. General Accounting Office, Homeland Security: Information Sharing Responsibilities, Challenges, and Key Management Issues, GAO Testimony GAO-03-1165T (Washington: Sept. 17, 2003), pp. 2-3. 81 Ibid., pp. 12-15. CRS-24 to be outside of the scope of the homeland security information sharing procedures mandated by Section 892 of the Homeland Security Act (although the creation of the procedures seemingly would benefit from having such a plan). The plan is, however, anticipated in the National Strategy for Homeland Security, which indicates that its creation will build on “baseline physical and cyber infrastructure protection plans” then under development and subsequently produced in February 2003 as the National Strategy for the Physical Protection of Critical Infrastructures and Key Assets and the National Strategy to Secure Cyberspace.82 The President’s November 2002 DHS reorganization plan tasks the department’s Assistant Secretary for Infrastructure Protection with developing “a national plan for securing the key resources and critical infrastructure of the United States,” and specifies certain systems to be included in such a plan.83 Six months later, in a reprise, Dacey appeared before the same subcommittees of the House Select Committee on Homeland Security to discuss the status of ISACs. Operative CIP policy “left the actual design and function of the ISACs to the entities that formed them,” he explained. “As a result, although their overall missions are similar, the current ISACs were established and developed based on the unique characteristics and needs of their individual sectors. They operate under different management and operational structures,” he continued, “and, among other things, have different business models and funding mechanisms.” While “most are managed or operated as private entities,” some “are part of associations that represent their sectors” and others “have partnered with government agencies.” The “funding mechanisms used by the ISACs include fee-for-service, association sponsorship, federal grants, and/or voluntary or in-kind operations by ISAC participants.”84 Dacey proffered examples of the various methods being used by ISACs to share information with their members, other ISACs, and the federal government. These methods include: ! Member access to electronic information via email and websites; ! Secure members-only access to information on the ISAC website; ! Conference calls for members; and ! Other IT such as pagers, telephone calls, and faxes to disseminate information.85 82 See U.S. Office of Homeland Security, National Strategy for Homeland Security (Washington: July 2002), p. 33. 83 U.S. White House Office, Department of Homeland Security Reorganization Plan (Washington: Nov. 25, 2002), p. 9. 84 U.S. General Accounting Office, Critical Infrastructure Protection: Establishing Effective Information Sharing with Infrastructure Sectors, GAO Testimony GAO-04-699T (Washington: Apr. 21, 2004), p. 2. 85 Ibid., p. 16; Dacey noted that “the Telecommunications ISAC uses the Critical (continued...) CRS-25 Eleven of the 15 existing ISACs have “created an ISAC Council to work on various operational, process, and other common issues to effectively analyze and disseminate information and, where possible, to leverage the work of the entire ISAC community,” Dacey reported. He also provided examples of actions taken by DHS and other agencies to promote and support ISACs, organize critical infrastructure sectors, and foster information sharing through the ISACs.86 In a July 2004 followup report to the leaders of the two subcommittees of the House Select Committee on Homeland Security to whom testimony had been given earlier, GAO identified actions the Department of Homeland Security (DHS) and the ISACs could take to improve the effectiveness of CIP information sharing efforts. Among the more significant challenges identified were the following. ! Government agencies and the ISACs need to build trusted relationships between them to facilitate information sharing. In some cases, establishing such relationships may be difficult because sector-specific agencies may also have a regulatory role. ! The federal government and the private sector should share information on incidents, threats, and vulnerabilities. Most ISACs reported that they believed they were providing appropriate information to the government but, while noting improvements, they still had concerns with the information being provided to them by DHS and/or their sector-specific agencies. These concerns included the limited quantity of information and the need for more specific, timely, and actionable information. In its recent white papers, the ISAC Council also has identified a number of potential barriers to information sharing between the private sector and the government. These included the sensitivity of the information (such as law enforcement information), legal limits on disclosure (such as Privacy Act limitations on disclosure of personally identifiable information), and contractual and business limits on how and when information is disclosed (e.g., the Financial Services ISAC does not allow any governmental or law enforcement access to its database). The Council also emphasized that perhaps the greatest barriers to information sharing stem from practical and business considerations in that, although important, the benefits of sharing information are often difficult to discern, while the risks and costs of sharing are direct and foreseeable. ! The roles of the various government and private-sector entities involved in protecting critical infrastructures must continue to be identified and defined. In particular, officials for several ISACs wanted a better definition of DHS’s role with respect to them. The ISAC Council also identified the need for DHS to establish the goals of its directorates and the relationship of these directorates 85 (...continued) Infrastructure Warning Information Network,” which provides continuous, around-the-clock alert and notification capability to government and industry participants. 86 Ibid., pp. 23, 24-26. CRS-26 with the private sector. The Council also wants clarification of the roles of the other federal agencies, state agencies, and other entities — such as the National Infrastructure Advisory Council. ! Government funding is needed. Ten of the ISACs we contacted emphasized the importance of government funding for purposes including creating the ISAC, supporting operations, increasing membership, developing metrics, and providing for additional capabilities. ! Private-sector analytical efforts should not be overlooked and must be integrated into the federal processes for a more complete understanding. The private sector understands its processes, assets, and operations best and can be relied upon to provide the required private-sector subject matter expertise.87 Acknowledging that “DHS has taken a number of actions to implement the public/private partnership called for by federal CIP policy,” GAO, nonetheless, concluded: DHS has not yet developed a plan for how it will carry out its information sharing responsibilities, including efforts to address the challenges identified by the ISACs and the ISAC Council. In addition, DHS has not developed internal policies and procedures to help ensure effective information sharing by the many entities within the department that collect and analyze information that may impact the security of our nation’s critical infrastructure. It is essential for DHS to develop this plan, along with internal policies and procedures, to establish effective information-sharing relationships both within DHS and with other federal agencies and infrastructure sectors.88 Legislative Considerations It appears that there are at least two possible legislative approaches to create a policy framework for a trusted information network for sharing counterterrorism and related information among federal, state, and local governments, as well as selected portions of the private sector. One strategy might be to amend the Homeland Security Act with such a framework. Another strategy might be to amend Chapter 35 of Title 44, United States Code, captioned “Coordination of Federal Information Policy.” Located in this chapter are such information life cycle management laws as the Paperwork Reduction Act and the Federal Information Security Management Act, which was enacted as Title III of the E-Government Act of 2002.89 Each strategy has implications for the designation of a principal manager of the resulting policy framework for a trusted information sharing network. Amending the 87 U.S. General Accounting Office, Critical Infrastructure Protection: Improving Information Sharing with Infrastructure Sectors, GAO Report GAO-04-780 (Washington: July 2004), pp. 9-10. 88 Ibid., p. 10. 89 116 Stat. 2899 at 2946. CRS-27 Homeland Security Act in this regard suggests that the Secretary of Homeland Security or his designee from within the Department of Homeland Security, such as the Chief Information Officer, would be the principal network manager, while amending Chapter 35 of Title 44, United States Code, suggests the Director of the Office of Management and Budget (OMB) or his designee would be the principal manager. In the latter case, however, it might be possible that the OMB director would designate the Secretary of Homeland Security or another official within the Department of Homeland Security, with the Secretary’s concurrence, as his agent for managing the network. Whether the OMB director or the Secretary of Homeland Security is made the principal manager of the network, it would probably be useful, in terms of accountability, to specify that a “principal officer” shall be designated by either the OMB director or the Secretary, as the case may be, whose primary responsibility shall be to carry out the duties of whichever official is tasked as the principal manager. Identified below are some possible components for legislation establishing a policy framework for a trusted information network for information sharing: purposes, definitions, authority and functions of a principal manager, federal agency responsibilities, other participants’ responsibilities (which, at this basic stage of development, are the same as those set out for federal agencies), and annual inventory and assessment of information sharing initiatives.90 Options regarding the primary manager are provided, and some other considerations are offered for each of the proffered components. While some of the key recommendations of the National Commission on Terrorist Attacks Upon the United States (9/11 Commission) report emphasized the need to improve information sharing practices, the report was, for the most part, silent regarding how these recommendations might be carried out statutorily. To that end, legislation to implement the “trusted information network” called for in the 9/11 Commission report would need to address concerns such as standard-setting authority, agency responsibilities, and congressional oversight. The concepts set out below are possible components of potential information sharing legislation. Purposes. The purposes of this act are the following: 90 ! To facilitate the creation of a “trusted information network.” ! To promote better informed decisionmaking by policy makers. ! To improve the ability of the government to share information within and among agencies, and among federal, state, and local government agencies and selected portions of the private sector. ! To promote interoperable information standards. The Federal Information Security Management Act provides a legislative model at 116 Stat. 2946. CRS-28 ! To facilitate a shift from a “need to know” culture of information protection to a “need to share” culture of integration. Definitions. ! Director — the term “Director” means the Director of the Office of Management and Budget (OMB) [alternatively, the Secretary of Homeland Security may be inserted]. ! Trusted information network — the term “trusted information network” means a secure, decentralized, scalable, interoperable, permission-based network, accessible to the appropriate federal, state, local, and private sector entities, designed to facilitate the sharing and analysis of information. ! Enterprise architecture — the term “enterprise architecture” means (A) (i) a strategic information asset base, which defines the mission; (ii) the information necessary to perform the mission; (iii) the technologies necessary to perform the mission; and (iv) the transitional processes for implementing new technologies in response to changing mission needs; and (B) includes (i) a baseline architecture; (ii) a target architecture; and (iii) a sequencing plan. ! Relevant agency — the term “relevant agency” means any agency with responsibility for intelligence and/or homeland security. Authority and Functions of the OMB Director [or, Alternatively, the Secretary of Homeland Security]. The Director [or Secretary of Homeland Security], in coordination with the Secretary of Homeland Security [or omit in alternative case], the Chief Information Officer and the Chief Technology Officer of the Department of Homeland Security, and the designated representatives of the relevant agencies, and in accordance with the Clinger-Cohen Act of 1996 and the E-Government Act of 2002, shall: ! Endeavor to make the information technology systems of the federal government, including communications systems, effective, efficient, secure, and appropriately interoperable. ! Oversee and ensure the development and implementation of a trusted information network for government-wide information sharing. ! Develop, in conjunction with ongoing federal enterprise architecture efforts, a comprehensive enterprise architecture for information systems, including communications systems, to achieve interoperability between and among information systems of agencies with responsibility for homeland security. CRS-29 ! Develop a plan to achieve interoperability between and among information systems, including communications systems, of agencies with responsibility for homeland security and those of state and local agencies with responsibility for homeland security. ! Establish timetables for the development and implementation of the trusted information network and associated enterprise architecture. ! Consult with information systems management experts in the public and private sectors, in the development and implementation of the trusted information network and associated enterprise architecture. ! Submit, not later than 120 days after the enactment of this act, a report on efforts to develop and implement the trusted information network to the Committee on Governmental Affairs of the Senate and the Committee on Government Reform of the House of Representatives, with semi-annual reports submitted thereafter. ! Designate, with the approval of the President, a principal officer in the Office of Management and Budget [or Department of Homeland Security], whose primary responsibility shall be to carry out the duties of the Director [or Secretary of Homeland Security] assigned in this act. Federal Agency Responsibilities. The head of each relevant agency shall: ! Cooperate fully with the Director [or Secretary of Homeland Security] in the development of the trusted information network and associated enterprise architecture to implement government-wide information sharing, and in the management and acquisition of information technology consistent with applicable law. ! Develop, document, and implement an agency-wide plan to participate in the trusted information network in accordance with any policies or procedures promulgated by the Director [or Secretary of Homeland Security]. ! Report semi-annually to the Director [or Secretary of Homeland Security] on the progress and effectiveness of efforts to develop and adopt interoperable information standards, and a scalable enterprise architecture, and the scope and substance of the information being shared with other federal, state, and local agencies and selected portions of the private sector. ! Designate a chief information sharing officer whose primary responsibility shall be to carry out the agency’s responsibilities related to this act in coordination with the Director [or Secretary of Homeland Security]. CRS-30 Other Participants’ Responsibilities. The head of each relevant state and local government agency, other governmental entity, or private sector organization shall: ! Cooperate fully with the Director [or Secretary of Homeland Security] in the development of the trusted information network and associated enterprise architecture to implement government-wide information sharing, and in the management and acquisition of information technology consistent with applicable law. ! Develop, document, and implement an agency-wide plan to participate in the trusted information network in accordance with any policies or procedures promulgated by the Director [or Secretary of Homeland Security]. ! Report semi-annually to the Director [or Secretary of Homeland Security] on the progress and effectiveness of efforts to develop and adopt interoperable information standards, and a scalable enterprise architecture, and the scope and substance of the information being shared with other federal, state and local agencies and selected portions of the private sector. ! Designate a chief information sharing officer whose primary responsibility shall be to carry out the agency’s responsibilities related to this act in coordination with the Director [or Secretary of Homeland Security]. Annual Inventory and Assessment of Information Sharing Initiatives. ! Each year the Director [or Secretary of Homeland Security] shall perform an inventory of existing information sharing initiatives being carried out at the federal, state, and local levels to assess what information is being shared, with whom it is being shared, resources being used, the effectiveness of the initiative, and to identify any overlap or duplication of efforts. ! For each initiative documented in the inventory, the inventory shall include information regarding: the lead agency/organization in charge of the initiative, the participant agencies involved in each initiative, the type(s) of information being shared, the technology used to facilitate sharing, the capabilities of the sharing system, and security procedures. ! To the extent an information sharing initiative includes classified activities, details about this initiative will be made available to Congress only through the appropriate oversight committees of Congress, in accordance with applicable laws. CRS-31 ! Not later than 90 days after the date of enactment of this act, an initial inventory of information sharing initiatives shall be prepared by the Director [or Secretary of Homeland Security] and submitted to the Committee on Governmental Affairs of the Senate and the Committee on Government Reform of the House of Representatives, with annual reports submitted thereafter. Related Proposed Legislation Among the information sharing proposals offered during the 108th Congress, S. 2701, the Homeland Security Interagency and Interjurisdictional Information Sharing Act of 2004, was introduced by Senator Joseph Lieberman with bipartisan support on July 21, 2004.91 Referred to the Committee on Governmental Affairs, the legislation would have established a Homeland Security Information Sharing Network to facilitate information flow within and among federal, state, local, and tribal government agencies; established a Homeland Security Information Coordinating Council to develop and oversee protocols and procedures for sharing homeland security information; directed the Secretary of Homeland Security to create a performance management plan and an incentive program to assess and promote information sharing objectives; and established an Office of Information Sharing (OIS) within the Office for State and Local Government Coordination and Preparedness at DHS. OIS, among other responsibilities, would have been tasked with facilitating information sharing among federal, state, and local government agencies through the creation of regional task forces and the establishment of 24-hour operations centers in each state; fostering the development of interoperable communications systems for state and local agencies; providing technical assistance to state and local agencies in the development of regional information sharing networks; and administering a preparedness grant program to support state and local agency information sharing activities. No action was taken on the bill prior to the final adjournment of the 108th Congress. Senator Lieberman also introduced S. 2708, the National Strategy for Homeland Security Act of 2004, on July 21, 2004.92 Referred to the Committee on Governmental Affairs as well, the measure directed the Secretary of Homeland Security, “in collaboration with the Assistant to the President for Homeland Security and the Homeland Security Council,” to “develop the National Strategy for Homeland Security for the detection, prevention, protection, response, and recovery with regard to terrorist threats to the United States.” This mandated national strategy would have been an updated version of the one issued in July 2002, and would itself have been rewritten every fours years, with updates every two years and annual progress reports to be submitted with the President’s annual budget request. With respect to information sharing, Section 3(c)(2)(a) of S. 2708 would have had the National Strategy for Homeland Security include “policies and procedures to maximize the collection, translation, analysis, exploitation, and dissemination of information relating to combating terrorism and the homeland security response 91 Congressional Record, daily edition, vol. 150, July 21, 2004, pp. S8550-S855. 92 Ibid., pp. S8558-S8559. CRS-32 throughout the Federal government, and with State and local authorities, and, as appropriate, the private sector.” The bill remained in committee at the conclusion of the 108th Congress. Several legislative proposals were introduced in the 108th Congress to implement the many recommendations of the 9/11 Commission, which issued its final report on July 22, 2004. The Bush Administration, on September 16, sent to congressional leaders its draft bill, which would have established a National Intelligence Director (NID), who, among other responsibilities, would have established common security and access standards for managing and handling intelligence systems, information, and products, including access to collected data and analytic products generated by or within the intelligence community, focusing particularly on facilitating among the agencies and organizations within the intelligence community and networks available across the other federal agencies involved in national security and homeland security activities, state and local governments, and, as appropriate, other entities, the fullest and most prompt sharing of and access to information and products practicable, including access to collected data and analytic products, with special emphasis on detecting, preventing, preempting, and disrupting terrorist threats and attacks against the U.S., its people, property, and interest. In doing so, the director also would have been tasked with the establishment of interface standards for an interoperable information-sharing enterprise that facilitated automated access to national intelligence by agencies and organizations within the intelligence community. Selected by the Senate majority and minority leaders to lead the effort to legislatively implement the recommendations of the 9/11 Commission, Senator Susan Collins, the chair of the Committee on Governmental Affairs, and Senator Lieberman, the ranking minority member on the panel, initially discussed the general terms of their reform bill at a September 15 press conference.93 The text of the legislation was made public in draft form on September 20. The Committee on Governmental Affairs began a markup of the Collins proposal on September 21, and completed their action the following day when the committee ordered the amended measure favorably reported as an original bill. Introduced by Senator Collins as an original bill on September 23, the legislation was designated S. 2840, the National Intelligence Reform Act.94 The proposal was also introduced a second time that day, with Senator Lieberman as a cosponsor, and was designated S. 2845. At the end of the day, unanimous-consent agreement was reached providing that, on September 27, the Senate would begin consideration of S. 2845. As introduced, S. 2845 would have made the NID responsible for intelligence dissemination and sharing, including using an integrated communications network that provides interoperable communications capabilities among all elements of the intelligence community and other appropriate entities; directed the President to establish a trusted information network to facilitate collaboration and information sharing among federal, state, local, and tribal 93 Amy Klamper and John Stanton, “Intelligence: ... As Collins, Lieberman Unveil a Rtesponse to 9/11 Panel,” CongressDailyPM, Sept. 15, 2004, available at [http://nationaljournal.com/pubs/congressdaily/dj040915.htm]; Philip Shenon, “Intelligence Proposals Gain in Congress,” New York Times, Sept. 16, 2004, p. A15. 94 See Congressional Record, daily edition, vol. 150, Sept. 23, 2004, pp. S9615-S9638. CRS-33 government agencies; established an Advisory Council on Information Sharing to advise the President and relevant agency officials on issues related to the establishment and ongoing operation of the information sharing network; required the President to submit semiannual reports to Congress regarding the state of the information sharing network; required participant agencies to submit annual reports to OMB regarding their use and expenditures related to the information sharing network; and required GAO to assess periodically the implementation and operation of the information sharing network. The Senate began consideration of S. 2845 on September 27 and completed action on October 6 with a 96-2 vote of approval of the legislation as amended. In the House, the vehicle for implementing the recommendations of the 9/11 Commission was introduced by Speaker Dennis Hastert on September 24, and was designated H.R. 10, the 9/11 Recommendations Implementation Act. The bill drew upon the President’s September 16 draft proposal, with additional input from committee chairs who had held hearings on the findings and recommendations of the 9/11 Commission during August and the early weeks of September. As a result, the bill contained various provisions not found in S. 2845, as introduced. Provisions of H.R. 10, as introduced, would have vested the NID with authority to ensure maximum availability of, and access to, intelligence information within the intelligence community, consistent with national security requirements; authorized additional appropriations for information systems for sharing data concerning money laundering and terrorist financing; fostered improved information sharing and dissemination by the Federal Bureau of Investigation; directed the NID to establish an interim, interoperable intelligence data exchange system that would have connected the data systems operated independently by the entities in the intelligence community and by the National Counterterrorism Center (NCTC) to permit automated data exchange among these entities, and also to establish a fully functional, interoperable law enforcement and intelligence electronic data system — to be known as the “Chimera system” — within the NCTC to provide immediate access to information in databases of federal law enforcement agencies and the intelligence community that is necessary to identify terrorists, and organizations and individuals that support terrorism; and mandated the Secretary of Homeland Security to establish a mechanism to ensure the coordination and dissemination of terrorist travel intelligence and operational information among appropriate agencies. The House bill was referred to the Committees on Armed Services, Education and the Workforce, Energy and Commerce, Financial Services, Government Reform, International Relations, the Judiciary, Rules, Science, Transportation and Infrastructure, and Ways and Means, as well as the Permanent Select Committee on Intelligence and the Select Committee on Homeland Security. Committee markups were scheduled to begin on September 29. On October 7, the Committee on Rules reported a version of the legislation for floor discussion and made 23 amendments in order for consideration.95 The House completed its action on the legislation on October 8 when it approved the modified bill on a 282-134 vote. 95 U.S. Congress, House Committee on Rules, Providing for Consideration of H.R. 10, 9/11 Recommendations Implementation Act, H.Rept. 108-751, a report to accompany H.Res. 827, 108th Cong., 2nd sess. (Washington: GPO, 2004). CRS-34 Conference committee deliberations on the reform bills began on October 20, but became prolonged due to considerable differences between them. Agreement on a November 20 compromise version of the legislation quickly unraveled in the House. Subsequently, another compromise version was realized, and the conferees filed their report on this legislation on December 7.96 That day, the House, on a 33675 vote, approved the conference committee report, and the Senate accepted it the following day on a 89-2 vote. President George W. Bush signed the bill into law on December 17.97 The reform legislation established a National Intelligence Director (NID), appointed by the President with Senate confirmation, to serve as the principal intelligence adviser to the President, head the intelligence community, and oversee and direct the National Intelligence Program. Other new components included a National Counterterrorism Center, within the office of the NID, to serve as the primary executive branch organization for counterterrorism intelligence and strategic operational planning. In addition, the President was authorized to establish a National Counter Proliferation Center to prevent and halt the proliferation of weapons of mass destruction, their delivery systems, and related materials and technologies; and the NID was authorized to establish one or more national intelligence centers to address intelligence priorities, including regional issues. A Privacy and Civil Liberties Oversight Board, composed of five members appointed by, and serving at the pleasure of, the President, was also created and located within the Executive Office of the President. With regard to information sharing, Section 1016 of the reform legislation directed the President to create an information sharing environment (ISE) for the sharing of terrorism information in a manner consistent with national security and applicable legal standards relating to privacy and civil liberties. The President was also authorized to designate the organizational and management structures that will be used to operate and manage the ISE. By March 17, 2005, the President must designate, with notification to Congress, a program manager “responsible for information sharing across the Federal Government.” The duties and responsibilities of this individual are specified in the statute, including the obligation, by mid-April, to submit to the President and Congress a report describing “the technological, legal, and policy issues presented by the creation of the ISE, and the way in which these issues will be addressed.” An Information Sharing Council was also created, utilizing the Information Systems Council established by E.O. 13356 of August 27, 2004.98 Finally, by December 17, 2006, and annually thereafter, the President is required to submit to Congress a report on the state of the ISE and information sharing across the federal government. Elsewhere, Section 6501 amended Rule 6(e) of the Federal Rules of Criminal Procedure to facilitate somewhat sharing of grand jury information. 96 U.S. Congress, House Committee of conference, Intelligence Reform and Terrorism Prevention Act of 2004, H.Rept. 108-796, a report to accompany S. 2845, 108th Cong., 2nd sess. (Washington: GPO, 2004). 97 98 118 Stat. 3638. See Federal Register, vol. 69, Sept. 1, 2004, pp. 53599-53602. CRS-35 Appendix 1. Selected Online Information Sharing Resources Lessons Learned Information Sharing (LLIS.gov) [http://www.llis.gov] Information Sharing and Analysis Center Council (ISAC Council) [http://www.isaccouncil.org/] Multi-State Information Sharing Analysis Center (MS-ISAC) [http://www.cscic.state.ny.us/msisac/index.html] Water Information Sharing and Analysis Center (WaterISAC) [http://www.waterisac.org/] Financial Services Information Sharing and Analysis Center (FS-ISAC) [http://www.fsisac.com/] Information Technology Information Sharing and Analysis Center (IT-ISAC) [https://www.it-isac.org/index.php] Energy Information Sharing and Analysis Center (ENERGY-ISAC) [http://www.energyisac.com/index.cfm] Electricity Sector Information Sharing and Analysis Center (ESISAC) [http://www.esisac.com] Chemical Sector Information Sharing and Analysis Center [http://chemicalisac.chemtrec.com] Healthcare Services Information Sharing and Analysis Center (HCISAC) [http://www.hcisac.org] Highway Information Sharing and Analysis Center [http://www.truckline.com/insideata/isac/] Surface Transportation and Public Transportation Information Sharing and Analysis Center (ST-ISAC) [http://www.surfacetransportationisac.org/] National Coordinating Center for Telecommunications Information Sharing and Analysis Center (NCC-ISAC) [http://www.ncs.gov/ncc/main.html]