Document on Judiciary - Views on a National Information Policy
by hbopuri on Tuesday, 08 March 2011
Currently rated 4.81 by 5 people
In the wake of the 9-11 attacks, as America began searching for answers, it became clear that the means of sharing critical information between the various organizations engaged in protecting us were woefully inadequate. With the many initiatives put forth since then, there has been improvement in the timeliness and quality of information sharing, but there is still no comprehensive, methodical and disciplined approach to overcoming the institutional and cultural barriers to more effective information sharing. Without such a long term approach, we may be inadvertently increasing our risk – we may be moving away from a “risk avoidance” approach to information sharing to a “risk acceptance” approach in which we have not properly weighed the risks versus benefits involved. This paper will lay out a recommended approach to a comprehensive national information policy that would be based on principles of risk management. The key points are:
The Federal Government must develop a comprehensive national information policy that provides an overarching framework for developing specific guidance in areas such as information security, classification and declassification decisions, and information sharing with international, state, local, tribal, non-government partners and the public.
This information policy must be based on a rational risk management methodology that balances need to know against the need to protect. Risk management, for the purposes of national policy, must include risk analysis and risk response processes.
Risk, as a commonly used but not commonly understood term, is composed of criticality (sometimes referred to as “impact”), vulnerability, and threat (includes all hazards).
The proposed risk management methodology can be developed on the basis of existing analytical models. The key concept is that, under the national information policy, content should regarded as an asset and that risks can be determined in a similar fashion to the way we determine risk for other assets, such as infrastructure.
Currently, there are a multitude of legal, policy and procedural approaches within the federal government that deal with the protection or dissemination of information. The levels of protection afforded to some categories of information are in fact based on assessment of risk, although in practice this is not often recognized. For example, under Executive Order 12958 “Classified National Security Information” (amended by EO 13292) the differences between Top Secret, Secret and Confidential information are based on the level of potential damage to national security, i.e. the risk incurred, if the information is compromised through unauthorized disclosure.
Even though there may be inherent risk decisions underlying many of our information policies, they are not based on a consistent approach between communities of interest. With no common terms of reference, criteria for comparison or analytical framework by which to make informed decisions, many of the current information sharing initiatives fixate on the processes and information technology solutions required and not on the information content itself. The information content is the whole point of the information sharing process. We cannot convince partners to share their information unless we can assure them that their information will be protected appropriately.
What is needed is an overarching information construct, that is, a comprehensive National Information Policy, by which different communities of interest can relate to each other on the basis of common understanding. Left to their own devices, communities of interest have often shown that they develop their own terminology, processes and procedures. The first necessary step to addressing this multiplicity of approaches is to establish national policy that serves as capstone guidance. The development of such policy, in turn must be based on an analytical approach to risk management. (This risk management process will be further explored in later sections.) The proposed approach would:
Balance the need to share against the need to protect, enabling true risk management, not just risk avoidance or risk acceptance.
Form a sound basis for establishing protection criteria, e.g. security classification guidance, handling unclassified but sensitive information, privacy and medical data safeguards, protecting proprietary commercial information, public affairs guidance during times of crisis, etc.
Provide a means to examine policy and guidance to ensure a consistent approach to both information security and information sharing.
Ensure that actual information sharing and protection requirements drive technology solutions instead of the current situation, where our technology has created the possibility of being inundated with too much irrelevant information instead of providing the right information to the right recipients, at the right time, i.e. true knowledge management.
Establish a common analytical framework for interaction with information sharing partners, e.g. Department of Homeland Security, Department of Defense, state and local governments, foreign governments, non-governmental organizations, the private sector, etc.
It is important to stress that this framework will not provide all the specific guidance needed for particular circumstances, but that specific guidance for an individual community of interest must be consistent with, and derived from, the national capstone guidance. Once a national level construct has been established, the next step is the rationalization of other information policies to ensure that they are consistent with national guidance, do not conflict with other communities, and are not duplicative or inconsistent. This will be a long term process, but we must start now. We have avoided dealing with the larger issues in the interest of obtaining near term improvements. While this has had some benefits, it is time to take a more deliberative approach before our stop gap measures become unmanageable. The first step is to adopt a consistent risk management process.
Risk management is a widely used term that means different things to different communities of interest, usually within a particular context. Within the Department of Defense, the mission assurance concept developed by the Assistant Secretary of Defense for Homeland Defense and Americas Security Affairs (ASD(HD&ASA)) can serve as a starting point for a national risk management process. Under this mission assurance concept, risk management includes risk assessment and risk response. This approach can be extended to the national level.
Risk assessment is a systematic, unconstrained, examination of risk that includes:
− Determination of criticality based on operational impact. In some risk management processes, criticality is often identified as the impact of the loss or degradation of an asset. Within DOD, criticality is determined by examining the missions assigned, the tasks necessary to complete these missions, and the impact of loss or degradation of capabilities provided by various assets. Many other organizations, including the private sector, also have “mission statements” and “business processes” that can be related to criticality.
− Assessment of vulnerability based on common standards. A widespread problem within government and the private sector is the lack of commonly agreed upon assessment criteria and methodologies.
− Identification of potential threats and hazards. Within Dodd there is often a distinction made between threats, which are seen as deliberate actions that may be taken by an adversary, and hazards, which may include natural disasters or accidents. These related ideas are often combined for the purposes of risk analysis under an “all hazards” terminology.
Risk response is a tradeoff analysis between operational impacts, technical capabilities and available resources that can be used to develop recommended courses of action. Generally, the response is to remediate the vulnerability, mitigate the effects, or accept the risk. Within the context of the National Information Policy, this would equate to the changes in policy and procedures that are being called for now in many information sharing initiatives. The difference is that under the proposed approach, there would be sound analytical processes and methods to derive such changes.
There are many analytical processes and methods that could be adapted to weigh information content risk, such as network theory and the methods used by DOD for weapons effects. An example would be the methods used to develop the Joint Munitions Effectiveness Manuals, which can be used to determine weapons effects or survivability. Once the need for a common analytical framework has been accepted, candidate processes and methods could be examined in greater detail in subsequent implementation actions. There are also a number of recommended steps that can be taken immediately to establish both the National Information Policy and the supporting analytical framework. These include:
Establishing an informal group from government, the commercial sector and academia with experience in information related professions, e.g., news media, intelligence, public affairs, to survey existing information sharing methods, risk management processes, network theory, vulnerability assessment processes, etc. to identify possible candidates suitable for an information risk management process. (Note: this group should not include information technology professionals at this point. The reason is that there is an unfortunate tendency of organizations to skip the very necessary first step of examining information content needs and jump to developing technical solutions to sharing information without considering the what and why of information sharing.)
The initial survey output from the informal study group could form the basis for further, more focused effort that may take the form of government or academic research into information process modeling. (Note: there may already be relevant ongoing efforts, such as in the areas of intelligence fusion or suspicious activity reporting, that could be leveraged or expanded upon to a broader context.)
A parallel effort should focus on risk management process modeling and development of common criteria and terminology. This effort should be complementary to the information process modeling.
The recommendations from both the risk management and information process groups should be handed off to the Director of National Intelligence to incorporate their findings into a draft National Information Policy. Under the overall supervision of the DNI, there should be specific actions to draft a national information policy and timelines for completion.
Once the National Information Policy is in place, those government organizations that are proponents for related policies, e.g. information security, public affairs, etc. would be tasked to review and revise their guidance as necessary to conform to the national information policy.
The need for change in the way we approach information sharing, once accepted, must be implemented by means of the proposed National Information Policy. This policy in turn, must be formed on the basis of consistent, logical analytical processes and methods that examine information content. We should be under no misapprehension that these recommendations can be implemented immediately or that there will not be contentious issues that may need to be resolved as we develop our courses of action. However, the National Information Policy will allow us to establish orderly, effective information sharing and will have significant benefits in many other areas in the future.
David Brin, 1995, “The Internet as a commons,” Information Technology and Libraries,
Volume 14, Number 4, PP. 240–242.
Harlan J. Onsrud, 1998, “The tragedy of the information commons,”