Thursday, May 10, 2007

It's a HSIN: The State of Information Sharing

Information-sharing continues to be a kind of holy grail of homeland security. Everyone - well, almost everyone - agrees that agencies across all levels of government should share information to prevent, prepare for, and respond to threats.

But actually implementing information-sharing systems has been a constant struggle. Priorities have been announced. Committees have been seated. Initiatives have been rolled out. Efforts have been undertaken. Problems have been identified.

DHS is supposed to lead the effort, and yet, agencies are still trying to figure this out - to the extent that earlier this week we learned that a lieutenant commander in the Coast Guard finally said "to heck with it" and built an information-sharing system of his own accord.

GAO has continually studied the struggle to share information and, based on a
review of DHS' information-sharing efforts from February 2006 through December 2006, recently released this report, with the ponderous but significant title:

Numerous Federal Networks Used to Support Homeland Security Need to Be Better Coordinated with Key State and Local Information-Sharing Initiatives.

First, some of the background info from the report:

The Departments of Homeland Security and Justice have 17 major networks that support their homeland security missions, including sharing information with state and local governments.

While some networks and applications are used solely within their respective departments, others are used both within the department and by other federal, state, and local agencies and the private sector. For example, of the 17 networks, 9 are used only within their own department, and 8 are used within the department and by other federal, state, and local agencies.
The big one is the Homeland Security Information Network (HSIN):
DHS considers HSIN to be its primary communication application for transporting sensitive but unclassified information. According to DHS, this network is an encrypted, unclassified, Web-based communications application that serves as DHS’s primary nationwide information-sharing and collaboration tool. It is intended to offer both real-time chat and instant messaging capability, as well as a document library that contains reports from multiple federal, state, and local sources.

HSIN is composed of over 35 communities of interest such as emergency management, law enforcement, counterterrorism, individual states, and private sector communities.
But as I've noted before, HSIN has been beset with problems ever since its inception. One major issue has been lack of use. As senators Susan Collins and Joe Lieberman pointed out last November in a letter to DHS Secretary Michael Chertoff:
[N]o more than 6 percent of the approximately 18,000 registered users contribute daily to the network’s three major portals (law enforcement, emergency management, and counter terrorism).
GAO details one of the key reasons for HSIN's struggles - it hasn't been adequately coordinated with existing state and local information-sharing systems:
Key practices to help implement the guidance include establishing joint strategies and developing compatible policies and procedures to operate across agency boundaries.However, DHS did not fully adhere to these practices or guidance in coordinating its efforts on the Homeland Security Information Network with key state and local information-sharing initiatives. For example, in developing the system, the department did not work with the two key state and local initiatives, which are major parts of the Regional Information Sharing System program, to fully develop joint strategies to meet mutual needs.

DHS’s limited use of these practices is attributable to a number of factors, including the department’s expediting its schedule to deploy information-sharing capabilities after the events of September 11, 2001, and in doing so not developing a comprehensive inventory of key state and local information-sharing initiatives. Consequently, the department faces the risk that, among other things, effective information sharing is not occurring. It also faces the risk that the Homeland Security Information Network may be duplicating state and local capabilities.
Two major state and local information-sharing systems are the Regional Information Sharing System Secure Intranet (RISSNET) and the Automated Trusted Information Exchange (RISS ATIX). Some background on RISS:
The RISS program is a nationwide initiative, operated and managed by state and local officials, to share criminal intelligence among stakeholders in law enforcement, such as federal, state, local, and tribal law enforcement agencies; first responders; and the private sector; to coordinate efforts against crime that operates across jurisdictional lines. Established in 1974, the program consists of six regional information analysis centers that serve as regional hubs across the country.

Among others, RISS operates two key state and local information-sharing initiatives. The first is RISS Secure Intranet, which is commonly referred to as RISSNET; the second is the RISS Automated Trusted Information Exchange, or RISS ATIX.
  • RISSNET is intended as a secure network serving law enforcement agencies throughout the United States and other countries. Through this network, RISS offers services such as secure e-mail, document libraries, intelligence databases, Web pages, bulletin boards, and a chat tool. Created in 1996, RISSNET offers resources to member agencies across the nation and internationally.
  • RISS ATIX offers services similar to those described in RISSNET to agencies beyond the law enforcement community, including executives and officials from governmental and nongovernmental agencies and organizations that have public safety responsibilities. the RISS ATIX application was developed in response to the events of September 11, 2001, and initiated in 2002. As of July 2006, RISS ATIX supported 1,922 users beyond the traditional users of RISSNET.
It's interesting to note that while RISS ATIX claims 1,922 users, the HSIN has only about 1,100 active users (i.e., 6% of 18,000).

DHS, in a hurry to build an information-sharing network, has not adequately coordinated its efforts with existing systems like RISS.
First, while DHS officials met with RISS program officials to discuss exchanging terrorism related documents, joint strategies for meeting mutual needs by leveraging resources have not been fully developed.
In fact, they haven't even met much:
  • DHS did not engage the RISS program in ongoing dialogue to determine how resources could be leveraged to meet mutual needs. According to RISS program officials, they met with DHS on September 25, 2003, and January 7, 2004, to demonstrate that their RISS ATIX application could be used by DHS for sharing homeland security information. However, communication from DHS on this topic stopped after the meetings with no explanation. DHS officials told us they could not remember having the meetings and attributed this to people in the meetings no longer being at DHS.
  • While DHS initially pursued a limited strategy of exchanging selected terrorism-related documents with the RISS program, the strategy has been impeded by technical issues and by differences in what each organization considers to be terrorism information. For example, the exchange of documents between HSIN and the RISS program stopped on August 1, 2006, due to technical problems with HSIN’s upgrade to a new infrastructure. As of December 2006, the exchange of terrorism-related documents had not resumed.
That's pretty much the opposite of an effective collaborative relationship. They haven't met in more than 3 years, and when the two systems stopped talking to one another, no one bridged the gap. The clear implication is that the two systems are seen as competitors rather than collaborative partners.

In fact, that's what GAO indicates. DHS has tried to build HSIN without understanding RISS and what it could bring to the table:
DHS did not fully understand the RISS program. Specifically, DHS officials did not acknowledge the RISS program as a state and local based program with which to partner, but instead considered the RISS program to be one of many vendors providing a tool for information sharing. Further, DHS officials believed that the RISS program was solely focused on law enforcement information and did not capture the broader terrorism-related or other information of interest to the department.

HSIN and RISS ATIX currently target similar user groups. DHS and the RISS program are independently striving to make their applications available to user communities involved in the prevention of, response to, mitigation of, and recovery from terrorism and disasters across the country. For example, HSIN and RISS ATIX are being used and marketed for use at state fusion centers and other state organizations such as emergency management agencies across the country.
Unfortunately, this sounds a lot like the criticism in February's report from the DHS Inspector General (OIG) on the department's work with the food sector. (Also see this post.) The OIG reported that DHS wasn't coordinating efforts with food sector representatives:
By spring 2006, the Food Information Sharing and Analysis Center's (ISAC’s) contact with the government had deteriorated to the extent that, according to the ISAC, it did not have a dedicated DHS point of contact.
And its HSIN Food and Agricultural portal is duplicating an existing FBI information-sharing network:

[The OIG is] concerned that the HSIN's Food and Agriculture portal may essentially duplicate an FBI effort [AgInfraGard]. ... As described by the FBI and food sector representatives with access to the web community, much of AgInfraGard’s content is similar to that of the Homeland Security Information Network’s portal.
The solution to the information-sharing problem is not more networks. Building more networks that don't talk to one another will only dilute efforts to share information, as it becomes stovepiped in systems.

Meanwhile, DHS acknowledges the problem and says they're working on it.
DHS officials stated that the department has efforts planned and under way to improve coordination and collaboration. For example, it is developing an integration strategy to allow other entities’ applications and networks to more easily connect with its Homeland Security Information Network. In addition, the department is establishing a Homeland Security Information Network Advisory Committee, that includes state and local officials, whose charge is to advise the department on how it can better meet user needs, including examining DHS processes for deploying the Homeland Security Information Network to the states.
But...
While these are steps in the right direction, they have either just begun or are being planned, with milestones for implementation yet to be defined.
And in the meantime, DHS is taking some small steps. Which is nice but not sufficient to solve the problem. For example, DHS is establishing a portal to accept suggestions from state and local first responders to improve communications systems. DHS has dedicated $8 million to the project, and they will choose projects that take less than 1 year at a cost of less than $1 million each. This is a nice ad hoc approach that may solve some small problems and help build bridges here and there, but it is not a strategic way to build information-sharing systems.

It is so very important to get this right, but the struggles to share information continue...

Cross-posted in IPS Blogs at the Institute for Preventive Strategies.

1 comment:

Marechaux said...

A great analysis of staggering lack of interoperability. But is it getting any better?