20 March 2011

Analytic Priorities: Crossing the Digital RubiCON...

The analytic priorities of Homeland Security Intelligence are spelled out on the DHS Intelligence and Analysis web site. These five areas of concern and concentration provide us with a landscape or spectrum of information that must be analyzed if we are to be right and timely 100% of the time:

  • Threats related to border security
  • Threat of violent extremism
  • Threats from particular groups entering the United States
  • Threats to the homeland's critical infrastructure and key resources (CI/KR)
  • Threats from weapons of mass destruction and health threats

We are guided by the IC's key principles: a commitment to change the intelligence culture from “need to know” to “responsibility to provide”; a strong, common direction for our enterprise; enhancement of our core capabilities of requirements, analysis, and dissemination; a renewed sense of purpose and accountability for our efforts; and an aggressive commitment to attracting and retaining a diverse, innovative, and world-class workforce. As important, we pursue our mission with respect for the Constitution and for the civil rights, civil liberties, and privacy of the American people.

The direct links from this set of analytic priorities to the Comprehensive National Cybersecurity Initiative (CNCI) can be traced to the facts surrounding the use of the Internet and other high technology platforms by criminal and terrorist enterprises. Therefore, it would seem logical that Homeland Security Intelligence analysts' platforms would not only be secure, they would be capable of sharing first responder information without impediments. The Interagency Threat Assessment and Coordination Group (ITACG) is on the front line of the task of changing to a "Responsibility to Provide" culture.

The ITACG consists of state, local, and tribal first responders from around the United States and federal intelligence analysts from the Department of Homeland Security, Federal Bureau of Investigation, and National Counterterrorism Center working to enhance the sharing of federal information on counterterrorism, homeland security, and weapons of mass destruction with state, local, and tribal consumers of intelligence.

This era of information sharing for homeland security intelligence has recently seen a potential setback as a result of the WikiLeaks case. A congressional hearing on the topic of information sharing emphasized the need to continue our pursuit of information sharing without retreating to the days prior to 9/11 when most everyone in the IC was collecting and analyzing their own set of the same information. Senator Joe Lieberman stated the following during this latest hearing:

We can and must prevent another WikiLeaks without also enabling federal agencies, in fact perhaps compelling federal agencies to reverse course and return to the pre-9/11 culture of hoarding information. We need to be smarter about how information is shared and appropriately balance security's concerns with the legitimate needs of the users of different types of information. Methods and technologies for doing so already exist. Some of them, I gather, have been put into place since the WikiLeaks case and we need to make sure that we utilize them as fully as possible across our government. The bottom line is we cannot walk away from the progress we have made that has saved lives. I give you two -- a couple of quick examples. U.S. Special Forces and elements of the Intelligence community have shared information and worked exceptionally well together in war zones to combat and disrupt terrorist groups such as al-Qaeda in Iraq and the Taliban in Afghanistan. And that would not happen without information sharing.

Here at home, we've used information sharing to enhance the role of state, local, tribal, and private sector entities in our fight against terrorists. And those efforts have paid off, most recently in the case of a chemical supply in North Carolina that alerted the FBI to suspicious purchases by a Saudi Arabian student in Texas who turned out to be building improvised explosive devices. So we need to fix what's broken without going backwards.

The governance of information within the government enterprise or the private sector enterprise remains very much the same. Both are subjected to a myriad of laws to help protect the civil liberties and privacy of U.S. citizens. Yet the data leaks, breaches and lost laptops keep both private sector and government organizations scrambling to cover their mistakes and to keep their adversaries from getting the upper hand. Again, the governance of information is the core capability that must be addressed if we are to have effective homeland security intelligence sharing to defeat the threats to the homeland 100% of the time.

The stakeholders in the information sharing environments will say that they have all the laws they need not only to protect information but also to protect the privacy and liberties of U.S. citizens. What they may not admit is that they do not have the assets within the context of their own organizations to deter, detect, defend and document the threats related to too much information being shared or not enough. These assets are a combination of new technologies, new education and situational awareness training and the people to staff these respective duties within the enterprise architecture.

Operational Risk Management is a continuous process in the context of our rapidly expanding corporate environments. What is one example? People traveling to emerging markets to explore new business opportunities or new suppliers that will be connected by high speed Internet connections to the supply chain management system. These boundaries of managing operational risk have not only expanded, they have become invisible.

Ru·bi·con
1. a river in N Italy flowing E into the Adriatic

2. Rubicon, to take a decisive, irrevocable step

This "Digital Rubicon" before us, the decision to take on a more "Active Defense" in navigating the risk across international waters of e-commerce, privacy and legal jurisdictions, will forever shape our future. The decisions made on what constitutes an adversarial attack in the cyber domain will not be as easy as they were at the dawn of the nuclear age. Policy makers today have to weave the potential implications into a sophisticated decision tree that crosses the complex areas of intelligence, diplomacy, defense, law, commerce, economics and technology.

The new digital "Rule Sets" are currently being defined by not only nation states but the "Non-State" actors who dominate a segment of the global digital domains. The same kinds of schemes, ploys, communication tactics and strategies are playing out online, and what has worked in the physical world may work even better in the cyber-centric environment. Corporations are increasingly underestimating the magnitude of the risk or the speed at which it is approaching their front or back doorsteps.

The private sector is under tremendous oversight by various regulators, government agencies and corporate risk management. Yet the "public-private" "tug-of-war" over information sharing, leaks to the public press and WikiLeaks incidents has everyone on full alert. As the government has outsourced the jobs that will take too long to execute or at which the private sector already is an expert, operational risks have begun to soar.

As the private sector tasks morph with the requirements of government, you perpetuate the gap for effective risk mitigation and spectacular incidents of failure. Whether it is the failure of people, processes, systems or some other clandestine event doesn't matter. The public-private paradox will continue as long as the two seek some form of symbiosis. The symbiotic relationship between a government entity and a private sector supplier must be managed no differently than any other mission-critical resource within an unpredictable environment.

Once an organization has determined the vital combination of assets it requires to operate on a daily basis, then it can begin its quest for enabling enterprise resiliency. The problem is, most companies still do not understand these complex relationships within the matrix of their business and therefore remain vulnerable. The only path to gaining that resilient outcome is to finally cross that "Digital Rubicon" and realize that you no longer can control it.

The first step in any remediation program is to admit the problem and to accept the fact that it exists. Corporate enterprises and governments across the globe are coming to the realization that the only way forward is to cooperate, coordinate and contemplate a new level of trust.