[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]
BUILDING THE INFORMATION SHARING
ENVIRONMENT: ADDRESSING THE CHALLENGES OF IMPLEMENTATION
=======================================================================
HEARING
before the
SUBCOMMITTEE ON INTELLIGENCE,
INFORMATION SHARING AND TERRORISM RISK ASSESSMENT
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED NINTH CONGRESS
SECOND SESSION
__________
MAY 10, 2006
__________
Serial No. 109-75
__________
Printed for the use of the Committee on Homeland Security
[GRAPHIC] [TIFF OMITTED] TONGRESS.#13
Available via the World Wide Web: http://www.gpoaccess.gov/congress/
index.html
__________
U.S. GOVERNMENT PRINTING OFFICE
36-987 WASHINGTON : 2007
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512�091800
Fax: (202) 512�092104 Mail: Stop IDCC, Washington, DC 20402�0900012007
COMMITTEE ON HOMELAND SECURITY
Peter T. King, New York, Chairman
Don Young, Alaska Bennie G. Thompson, Mississippi
Lamar S. Smith, Texas Loretta Sanchez, California
Curt Weldon, Pennsylvania Edward J. Markey, Massachusetts
Christopher Shays, Connecticut Norman D. Dicks, Washington
John Linder, Georgia Jane Harman, California
Mark E. Souder, Indiana Peter A. DeFazio, Oregon
Tom Davis, Virginia Nita M. Lowey, New York
Daniel E. Lungren, California Eleanor Holmes Norton, District of
Jim Gibbons, Nevada Columbia
Rob Simmons, Connecticut Zoe Lofgren, California
Mike Rogers, Alabama Sheila Jackson-Lee, Texas
Stevan Pearce, New Mexico Bill Pascrell, Jr., New Jersey
Katherine Harris, Florida Donna M. Christensen, U.S. Virgin
Bobby Jindal, Louisiana Islands
Dave G. Reichert, Washington Bob Etheridge, North Carolina
Michael McCaul, Texas James R. Langevin, Rhode Island
Charlie Dent, Pennsylvania Kendrick B. Meek, Florida
Ginny Brown-Waite, Florida
______
SUBCOMMITTEE ON INTELLIGENCE, INFORMATION SHARING, AND TERRORISM RISK
ASSESSMENT
Rob Simmons, Connecticut, Chairman
Curt Weldon, Pennsylvania Zoe Lofgren, California
Mark E. Souder, Indiana Loretta Sanchez, California
Daniel E. Lungren, California Jane Harman, California
Jim Gibbons, Nevada Nita M. Lowey, New York
Stevan Pearce, New Mexico Sheila Jackson-Lee, Texas
Bobby Jindal, Louisiana James R. Langevin, Rhode Island
Charlie Dent, Pennsylvania Kendrick B. Meek, Florida
Ginny Brown-Waite, Florida Bennie G. Thompson, Mississippi
Peter T. King, New York (Ex (Ex Officio)
Officio)
(II)
C O N T E N T S
----------
Page
Statements
The Honorable Rob Simmons, a Representative in Congress From the
State of Nevada, and Chairman, Subcommittee on Intelligence,
Information Sharing, and Terrorism Risk Assessment............. 1
The Honorable Zoe Lofgren, a Representative in Congress From the
State California, and Ranking Member, Subcommittee on
Intelligence, Information Sharing, and Terrorism Risk
Assessment
Oral Statement................................................. 2
Prepared Statement............................................. 3
The Honorable Jim Gibbons, a Representative in Congress From the
State Nevada................................................... 17
The Honorable James R. Langevin, a Representative in Congress
From the State of Rhode Island................................. 19
WITNESS
Ambassador Ted McNamara, Information Sharing Program Manager,
Officer of the Director of National Intelligence:
Oral Statement................................................. 1
Prepared Statement............................................. 9
For the Record
The Honorable Sheila Jackson-Lee, a Representative in Congress
From the State of Texas:
Prepared Statement............................................. 27
BUILDING THE INFORMATION SHARING
ENVIRONMENT: ADDRESSING THE CHALLENGES OF IMPLEMENTATION
----------
Wednesday, May 10, 2006
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Intelligence, Information
Sharing, and Terrorism Risk Assessment,
Washington, DC.
The subcommittee met, pursuant to call, at 2:03 p.m., in
Room 311, Cannon House Office Building, Hon. Rob Simmons
[chairman of the subcommittee] presiding.
Present: Representatives Simmons, Gibbons, Thompson,
Lofgren, and Langevin.
Mr. Simmons. [Presiding.] The Committee on Homeland
Security, Subcommittee on Intelligence, Information Sharing and
Terrorism Risk Assessment will come to order.
The subcommittee is meeting today to hear testimony on how
the program manager of the Information Sharing Environment, or
ISE, is addressing the challenges of implementing a government-
wide information-sharing architecture. The development of the
Information Sharing Environment, if properly planned and
integrated, could turn out to be America's most important tool
for preventing terrorism.
Terrorist threat information must be shared broadly, both
within the federal government and with state, local, tribal and
private sector partners in order to protect our country and the
American people against attack. However, there are many
challenges associated with creating that environment:
incompatible policies, procedures and systems all across the
homeland security information-sharing landscape.
The challenge for you, Ambassador McNamara, as the 9/11
Commission put it, is to ``unify the many participants in the
counterterrorism effort and their knowledge in a network-based
information-sharing system that transcends traditional
government boundaries.''
In my years of service as a CIA officer and as a military
intelligence officer doing both collection and analysis, the
impression I got in those days was that information was
something to be collected and held and not shared widely or
broadly, to be stovepiped to the national command authority and
to others in order to protect sensitive methods and sources,
point one, and point two, in order to get credit for the
information collected.
So the culture of intelligence as I knew it many years ago
was a culture that mitigated against information sharing. In a
post-9/11 environment, I think America has learned and I think
our government understands that we have to share information to
be safe, but it is an awesome challenge that you face.
Although your tenure has just begun, the program manager
was only given a brief 2-year mandate, time is running out. I
would be interested in what you think you can accomplish and
whether you believe the position needs to be extended or made
permanent. As you well know, your job is vital to the security
of our country, and I hope you will look to this committee and
this subcommittee for any support you need to accomplish the
task.
Now I would like to recognize the ranking member of the
subcommittee, the gentlelady from California, Ms. Lofgren, for
her opening statement.
Ms. Lofgren. Thank you, Mr. Chairman.
I would ask unanimous consent to put my full statement in
the record.
Prepared Opening Statement for Hon. Zoe Lofgren
Good afternoon. I am pleased that we are turning our attention
again to the Information Sharing Environment (ISE) and the obstacles
that remain in the way of creating truly effective government-wide
information sharing policies, procedures and practices.
We need the Program Manager to get this done as quickly and
effectively as possible in order to help the Intelligence Community and
State, local and tribal law enforcement share information that could
thwart the next terrorist attack.
Accordingly, I'd like to welcome the new Program Manger, Ambassador
McNamara, who has taken over these critical responsibilities from his
predecessor, John Russack, who testified before this Subcommittee last
November.
Mr. Russack's rather abrupt departure this past January came on the
heels of his Information Sharing Environment Interim Implementation
Plan--a plan that set new deadlines given the Program Manager's, and
the Administration's, failure to complete the work within the time
frames prescribed by Congress in the Intelligence Reform and Terrorism
Prevention Act.
Much of the delay, it seems to me, came from three main factors:
(1) a lack of personnel and other resources within the Program
Manager's shop; (2) a lack of buy-in and cooperation from the wider
Intelligence Community; and (3) a lack of urgency by the
Administration.
The Markle Foundation in fact bemoaned this lack of urgency in
correspondence it sent to the President on September 7, 2005, noting,
``Sweeping change is needed to remove any pre-9/11 confusion about
information sharing that, regrettably, still exists in some departments
and agencies. . .A single set of policies across the government, while
recognizing the need for some additional rules depending on agency-
specific missions, should end confusion and interagency battles about
whose rules apply in particular situations.''
Accordingly, I look forward to hearing from you, Ambassador, about
what you have learned from your predecessor's experience as Program
Manager--particularly (1) your assessment of the historical
difficulties in getting the policies written and agreed to and to what
extent you are facing those same difficulties (and with whom); (2) what
lessons you will apply going forward as you take up the reins; and (3)
what assurances you can give us that you will be able to meet the new
deadlines set out in the Interim Information Sharing Plan we received
in January.
I am also very interested in hearing about your reaction to the
Government Accountability Office's recent report on information
sharing, the progress made to date with the ISE, and the challenges
that remain in developing appropriate policies for sharing terrorism-
related and sensitive but unclassified information.
Because you are a direct report to the Director of National
Intelligence, Ambassador, GAO invited the DNI to comment on its report
before publication. Mr. Thompson and I were both disappointed by Mr.
Negroponte's refusal to do so--apparently on the ground that GAO's
``review of intelligence activities is beyond GAO's purview.''
That is nonsense, Ambassador. GAO's review of your work did not
involve evaluation of the conduct of actual intelligence activities. On
the contrary, it focused narrowly ``on the procedures in place to
facilitate the sharing of a broad range of information across all
levels of government.''
Indeed, Guideline 1 of the President's own December 16, 2005
Memorandum for the Heads of Executive Departments and Agencies directs
you and other agency heads to ``develop and issue . . .common standards
for preparing terrorism information for maximum distribution and
access.''
Those standards--which are now two months overdue--have nothing to
do with ``intelligence activities.'' They instead have everything to do
with how to ``sanitize'' intelligence information into a format that
can be shared with State, local, and tribal law enforcement.
The DNI's comments frankly would have been a valuable contribution
to this Subcommittee's ability to conduct the oversight with which it
has been tasked. Indeed, we rely on GAO, the Congressional Research
Service, and our respective staffs to help us get the facts so we can
make informed policy judgments.
The DNI's decision not to cooperate with GAO--and in other cases
with CRS--leaves us with one hand tied behind our back.
Our staffs do good work, Ambassador, but we will be able to do our
work even better by having the DNI's and your cooperation with GAO and
CRS when they are tasked with reviewing and reporting on your progress.
It is their detailed reporting, Ambassador that has informed our
process since this Committee's inception and of other Members of
Congress for decades.
I therefore look forward to hearing not only your views about the
state of progress with the ISE but also your reaction to the GAO
report, your thoughts on its recommendations, and how you might
implement them as you move forward.
Thank you.
Mr. Simmons. Without objection, so ordered.
Ms. Lofgren. I would just note that we are way behind on
where we should be in this area. The last program manager
rather abruptly departed, and we have not completed the task in
the timeframes prescribed in the Intelligence Reform and
Terrorism Prevention Act, as you know.
I think there were a number of issues, and perhaps more
that I don't know of, but I am concerned that a lack of
personnel and other resources contributed to the shortfalls, as
well as the lack of buy-in and cooperation from the
intelligence community.
I also think there has been a lack of urgency at the top on
this task. As I am sure you know, the Marco Foundation weighed
in on this last fall, bemoaning the lack of progress.
While we don't hold you accountable after 9 weeks for that
lack of progress, I am looking forward to hearing from you
about what you have learned from your predecessor's experience
as a program manager, particularly your assessment of the
difficulties in getting policies written and agreed to, and to
what extend you are facing those same difficulties and with
whom, what lessons you will apply going forward as you take up
the reins, and what assurances you can give us that you will be
able to meet the new deadlines set out in the interim
information sharing plan we received in January, or if there
are challenges that we can assist you in, that you let us know
how we can help.
I am also very interested in the Government Accountability
Office's recent report, which I am sure you have looked at. I
am very disappointed--and I think ranking member, Mr. Thompson,
has just arrived. We were both disappointed by Mr. Negroponte's
refusal to comment on the report and felt that his objection
was misplaced. We asked for comments not on the collection of
intelligence, but on a far different issue, the common
standards for preparing information for distribution and
access, not anything that should compromise his mission.
So we do think that it would be helpful to get that
comment. We know that you report directly to him. Perhaps you
can assist us with that as well. Our staffs do good work, but
we will do even better work if we have the DNI's cooperation,
and I expect yours, with the GAO and CRS when they are tasked
with reviewing and reporting on progress in your office.
So I look forward to hearing not only your views about the
state of progress with the IC, but also your reaction to the
GAO report and your thoughts on its recommendations, and how
you might implement them as they move forward.
Mr. Chairman, I will leave the remainder of my statement
for the record, and I yield back.
Mr. Simmons. I thank the lady for her comment.
I join her in a shared interest in getting some sort of
comment on the GAO report. I think that, again, information
sharing is something that traditionally was not focused upon by
the intelligence community, but it certainly falls squarely
within your domain.
I think that the DNI, as a newly created position, is
designed to achieve coordination across traditional
bureaucratic lines. So once again, the idea of comments on this
report I think is important to us as we do our business.
That being said, we are pleased to have Ambassador McNamara
with us here today. I welcome you. We had a chance to talk a
week or so ago. You have an extensive background in national
security and counterterrorism and have served eight
presidents--my gosh, you don't look that old, but anyway--for
the last 4 decades, including at the Department of State and
the National Security Council.
Following 9/11, Ambassador McNamara was asked to return to
government service as a senior adviser for counterterrorism and
homeland security at the Department of State and was named
program manager of the Information Sharing Environment in March
of 2006.
Thank you, Mr. Ambassador, for being here. Your entire
written statement will be inserted into the record. We would
ask that you try to limit your oral testimony to about 5
minutes so that we can have an opportunity for questions.
Welcome. And you are recognized, sir.
STATEMENT OF AMBASSADOR TED McNAMARA, INFORMATION SHARING
PROGRAM MANAGER, OFFICE OF THE DIRECTOR OF NATIONAL
INTELLIGENCE
Ambassador McNamara. Thank you, Mr. Chairman, and thank
you, Ranking Member Lofgren. It is a great pleasure to testify
before this subcommittee.
I recognize the committee's and the subcommittee's
interest, attention, knowledge and background in this area. So
I am particularly grateful for that attention and the
commitment that the committee has shown and the subcommittee
has shown on this important issue.
I see that my written statement is being entered into the
record, so I will refrain from requesting that a second time.
I think that there is no more urgent issue, no more
critical issue to our ongoing efforts to fight terrorism than
improving our information sharing.
It has been 9 weeks to the day since President Bush
designated me to serve as program manager for information
sharing. I came back into government service this time, as I
did the last time I came back in, because I believed that I was
working on an issue of great national importance.
As the senior adviser at the State Department, I worked
assiduously to make up for some of the problems that we saw in
the immediate aftermath of 9/11. It happens that I am now
coming back into government to try and work on a problem that
came to the fore as a result of 9/11 that is still with us. I
came back into government service to try and make a difference.
But after 9 weeks, I think you will understand that I have
not quite tapped all of the different areas of this issue. It
is an enormously complex one. But I do have some initial
observations that I would like to make here before the
subcommittee.
First of all, to clarify a bit what the program manager's
office is and what it is not. We are a small office. We were
established, as you know, under the IRTPA law, and placed under
the office of the director of national intelligence. We are in
the office of national intelligence, of the director of
national intelligence, but we are not focused only on
intelligence.
This office is responsible, as you noted, Ms. Lofgren, we
are responsible for all terrorism information government-wide.
I have broken this up into what I refer to as five communities
of major importance in this effort.
First is law enforcement. And I don't mean ``first'' in the
sense of more important than the others, just to list the five
of them: law enforcement, defense, foreign affairs, homeland
security, and intelligence. So we serve all five of those
communities.
The next thing that we are doing is we are consulting
government-wide and we will be advising and recommending to the
president how to improve the information-sharing environment.
The office is charged with managing and coordinating federal,
state, local, tribal and private sector participation in that
information-sharing environment for terrorism information.
What we do not do, and what we are not doing, is we are not
replacing the operational agencies that implement the
Information Sharing Environment. Maybe because of my
background, I look at this more or less as an office that has
some parallels with the National Security Council.
One of my very wise leaders in those years in the White
House told me, we don't do the job here; we make sure the job
gets done. We do what we have to do to make sure others do what
they must do in order for the job to get done.
I kind of look at that as part of the approach that I take
in this program management job, that with a very small staff--
we are not quite at our 20, but we are very close to it, and
expect to have a full staff, well, we have had larger numbers,
and then some people have left and now some are coming in
again. We will be at full strength I hope very shortly.
But even at full strength, there is no way without relying
on the agencies to carry out their responsibilities, without
relying on the state, local, tribal and private sector to do
their share. There is no way that 20 people can get this job
done alone.
We also will be relying on the Congress, as well as the
executive branch, to help us to get the Information Sharing
Environment up and running in a manner that is satisfactory to
all.
The last point on this is that the office as I see it has
not been told to start from scratch to build this. We are at
war. There is a struggle going on, a protracted struggle
against terrorism. What we need to do is to build on current
capabilities, take the best that we do have, use it, and make
it better, build on what we have, not tear it down and start
from scratch.
The second point and observation, after this very brief
period in the job, is that, since 9/11, a great deal of the
sharing of national terrorism information at the federal level
takes place within the environments of those five communities
of interest that I mentioned, that is law enforcement, homeland
security, defense, intelligence, and foreign affairs.
It is related to the very important missions and objectives
of those communities. Those missions and objectives are
important and need to be fulfilled. Increasingly, however, in
order to accomplish those missions and those objectives, shared
information across those communities is going to be required.
That, I think, on the federal level is where most of the
difficulty lives, in the sharing of information
intercommunally, so to speak.
Within the communities, I think there is fairly good
sharing of information, within each of those five communities.
But inter-community, across the communities, I see where there
is great need for and great possibilities for improvement.
A third observation: Given that the terrorist threat and
other post-war challenges are as strong as they are, it is
clear to me, and I think it is clear to senior officials in the
executive branch, that the old ways of doing business are
inadequate and have to be changed. We have to integrate. We
have to share more. Not doing so was a failure that I think was
correctly cited as a major defect by the 9/11 Commission.
So let me very briefly share with you some of my initial
high priority items that I want to pay attention to in these
first few weeks.
First is standardizing government-wide SBU procedures and
practices around the entire federal government.
Secondly, I think we need to establish a network of state
and urban area fusion centers. We have to create a national
system that is effective and efficient in sharing information
and empowering all levels of government to greater efforts and
greater success in this protracted struggle.
Thirdly, we need to develop an information-sharing
environment budget investment strategy.
Fourthly, we need to deploy the initial capabilities for an
electronic directory of services, an EDS.
And fifthly, we need to develop guidelines to protect
privacy and other legal rights for American citizens.
I don't want by saying to this to suggest that we have been
inactive up to now. In fact, as I look at it, and I saw it
immediately after 9/11, within 3 weeks I was on duty at the
State Department following the 9/11 events, I think we are much
improved over what we were doing back then in terms of
information sharing.
We have a National Counterterrorism Center, for example. We
didn't have that back then. The National Counterterrorism
Center is now being accepted by agencies and by the leadership
of the executive branch as the focal point of our sharing of
national intelligence and other information with respect to
terrorism.
We have a Terrorist Screening Center that unites numerous
databases that was quite clearly a problem during the period
immediately before 9/11. Those databases existed, but were not
united. They were not integrated and there was no one place to
go to find out information about terrorists. The Terrorist
Screening Center provides that capability now.
I think the fusion centers that have been set up by the
states and urban regional authorities are important elements in
solving the problem of sharing of terrorist information. I will
have more to say about the fusion centers in just a moment.
I think the Department of Homeland Security is now up and
running. It has Web-based portals and other tools that are
great improvements over what we had in 2001. The Department of
Justice law enforcement information-sharing program enhances
sharing across law enforcement jurisdictional boundaries. We
didn't have that before.
The director of national intelligence is transforming the
data-sharing of the intelligence community in a way that is
very, very helpful for the information-sharing environment. And
the Department of Defense, in a step that I think could be an
example for other large agencies, the DOD now has an
information-sharing executive, something that would have been
unheard of before 2001.
Let me take a moment or two to address one aspect taken
from my written statement, which both of you have referred to,
and which I think is central to our being able to resolve some
of the major problems of information sharing. I think more must
be done by all entities at all levels to create an information-
sharing environment that is a truly national system, one that
links state and urban fusion centers with each other, as well
as with the federal government.
To do this, resources are going to be needed at all levels
of government. It won't happen automatically and it will take
an enormous amount of cooperation. I sense that there is a
feeling both at the federal, state, and local levels that such
cooperation is necessary and will be forthcoming.
I think what we are looking for is an integrated, federated
approach that delineates responsibilities of the federal,
state, local and tribal entities, as well as the private
sector. The fusion centers are being created in order to truly
share information that is useful and beneficial to all of the
government entities involved. That federated approach, that
system that is a national system, is my vision of what the
future ISE ought to look like, in very broad terms.
State, local and tribal entities are critical partners in
our nation's efforts in counterterrorism. They are consumers
and producers of terrorist information. As consumers, they need
the information to be brought to them in a more timely, more
actionable, more concise and usually unclassified form. It
needs to be delivered efficiently. We are moving in that
direction on all of those fronts, but I think we need to move
faster and I intend to see that we do move faster.
As producers, assistance is needed so that they can bring
together information at the state and the federal level that is
useful to state and federal authorities and that effectively
and efficiently moves the information through the system. That
is another objective, I think, that we can aim for in this
national system that I referred to.
Many state and urban governments have begun gathering,
analyzing and sharing information, using the fusion centers
that now exist. I think this is a very beneficial approach and
I think it is one that we can usefully look at here at the
federal government as benefiting us as well.
I strongly support fusion centers. I expect them to become
central components of our national capability to gather, to
analyze and to disseminate actionable information. As chair of
the ISC, the Information Sharing Council, I intend to keep in
close contact with state, local, tribal and private sector
partners through regular meetings with them, and by inviting
them to work closely with the Information Sharing Council in
the coming months.
Let me wrap up with a few closing comments.
A critical question for implementing the Information
Sharing Environment is how best to deliver capabilities today,
while we continue with this protracted struggle, while at the
same time addressing the myriad of policies, processes and
technology differences among multiple organizations that must
be done if we are to perform the disparate missions that those
organizations perform.
These differences pose challenges to implementing an ISE.
Those challenges, among others, are incompatible policies and
procedures; classification problems; access by individuals that
need access; vetting to grant clearances; security and privacy
problems that have arisen. These and many more are going to
have to be addressed.
To realize the ISE vision, these impediments are going to
have to be dealt with, I think through adopting common
policies, common processes, common data and technology
standards and guidelines that will be set for all of the ISE
participants.
A comprehensive and complex problem such as this needs a
transformational effort. It is going to require time to fully
implement. However, the information sharing is such an urgent
national imperative that I believe it can and will be moved
forward rapidly. That certainly will be my goal and that will
be what I will do in this job. Much has been done, but much
more needs to be done. We owe it to the American public to fix
this problem.
Let me make two comments based on what you have both said
in your opening comments.
First of all, I fully agree, Mr. Chairman, that the biggest
problem is not technology. It is culture. You pointed out much
more clearly than I could have that the culture has built up
over many, many years, in fact decades. It was a culture that
worked well for the Cold War. It is a culture that does not
work well for the post-Cold War. It is time to change it.
To change the culture, it means changing people and
institutions. That is the major problem I think I face. If we
were pushing the bounds of technology, I would have listed
technology. I think the technology is the least of the problems
of those three that I have listed.
With that, I will close and be delighted to answer and
respond to any of your questions or comments.
[The statement of Ambassador McNamara follows:]
For the Record
Prepared Statement of Ambassador Thomas E. McNamara
Introduction
I'm here this afternoon to provide you my plans for a terrorism
information-sharing environment (ISE) in which terrorism information
can be shared broadly, effectively and seamlessly to protect our
nation. Our ability to share terrorism information across all levels of
governments and the private sector is fundamental to the success of our
efforts to defeat terrorism. Congress has provided us a legislative
basis, the President has provided more specific guidance, and my
predecessor has provided an interim implementation plan, the final that
will be delivered to Congress in July 2006. Now it is time to begin
building capabilities that make the ISE operational to the men and
women who support the national effort to detect, prevent, respond to
and recover from acts of terrorism, and to convey the sense of urgency
with which the Information Sharing Environment (ISE) must be developed.
I want to say, up front, that I assumed the position of Program
Manager for the ISE on March 15, 2006, approximately two months ago. I
thank you for this opportunity to share with you my initial thoughts
and reflections. In time, I look forward to sharing with you more
developed and detailed thoughts and opinions. As you may know, the
Program Manager has a responsibility to report this summer to the
President and to the Congress on the implementation plan and
guidelines. This is a short timeframe, but I take my responsibility
seriously. I also owe it to the President, and to my other superiors
and colleagues to listen to and work with them before coming before you
and speaking on behalf of myself and them.
However, I know that I have a responsibility to the Congress. In
the past, on the several occasions when I have held senior positions in
government, I have had a policy of consulting and working closely with
the Congress to keep you appropriately informed of my work. I intend to
continue that policy in this position. I have already told my staff
that we will offer regular briefings to Members and staff of the
committees that exercise oversight responsibilities for the ISE and I
am happy to report that we have already started that process.
Role of the Program Manager
As the Committee is aware, the Intelligence Reform and Terrorism
Prevention Act of 2004 (IRTPA) established the office of the Program
Manager and designated by Presidential Directive to assist, in
consultation the Information Sharing Council (ISC), in the development
of polices, procedures, guidelines, rules and standards for the ISE at
the Federal level, and to coordinate closely, in collaboration with the
ISC, with State, local, and tribal governments and the private sector
and relevant foreign partners, in the development and operation of the
ISE. The Program Manager must also manage the development and
implementation of that same environment by monitoring and assessing the
implementation of the ISE by Federal departments and agencies to ensure
adequate progress, technological consistency, and policy compliance.
To do all this, the Office of the Program Manager is currently made
up of about 15 Federal employees, plus contract support, and is
situated within the Office of the Director of National Intelligence,
although we are not an intelligence office. My authorities are
government-wide with respect to overseeing development of the ISE. To
be successful, the ISE must satisfy the needs of Federal, State, local,
and tribal governments, and the private sector. Given the size of the
office, you will appreciate that we do not operate as another
bureaucratic layer that could impede progress and we do not substitute
for responsibilities that each agency has to implement the ISE. We have
limited time (two years) and a specific mandate. Each Federal agency,
and State and local agencies, must take the responsibility for
implementing the ISE. Our office will, however, do our best to oversee,
manage, facilitate, and coordinate agency implementation of the ISE and
information sharing mechanisms.
To advise me in this effort the IRTPA also established the ISC,
which I chair, and which is composed of senior officials from 17
agencies and departments of the Federal government. To facilitate
coordination with state, local, and tribal officials in development of
the ISE, we have established a State, Local and Tribal Subcommittee. It
is my intention as chair of the ISC to keep in close contact with
State, local, tribal, and private sector partners through regular
meetings with them, and by inviting them to work closely with the ISC
in the coming months.
To understand the complexity of the ISE one needs to realize that
it affects the operations of a very large number of agencies of the
Federal government. I divide those agencies into what I call five
``communities.'' Those communities are: the intelligence community, the
law enforcement community, the defense community, the homeland security
community, and the foreign affairs community. Each community is a
collection of departments and agencies with a specific focus on
terrorism and terrorism related information. The development of the ISE
will impact a large number of similar governmental entities at State,
local, and tribal levels of government, and many entities in the
private sector.
WHAT THE ISE MUST DO TO SUCCEED
The ISE must accomplish four key things. First, it must facilitate
the establishment of a trusted partnership between all levels of
government, the private sector and our foreign partners to mitigate the
effects of terrorism against the territory, people and interests of the
United States of America. The ISE, as we envision it, will enable the
trusted, secure, and appropriate exchange of terrorism information, in
the first instance, among those five communities, and also to and from
State, local, and tribal governments, foreign allies, and the private
sector, at all levels of security classifications.
Second, the ISE must promote an information sharing culture that
eliminates information gaps between partners and facilitates the
creation and sharing of validated, actionable information. We want to
get the right information, to the right people, at the right time to
ensure success within a system of rules established to protect the
information privacy and other legal rights of Americans as well as
sensitive sources and methods. I believe that right now the main
problem is not too little information flow from the five federal
community members to State and local ISE elements, but too much flow of
uncoordinated information to the State and local levels. There is,
also, too little flow of the right kinds of information in actionable
form. Part of the cultural change we need is for all participants at
all levels of government and the private sector to understand that the
purpose of the ISE is to serve and satisfy consumers of information,
who are at the same time all members of the ISE. In contrast, there is
little information flow from the local and tribal levels to the State
and Federal levels. This means that valuable information potentially is
being wasted because it is not reaching the proper consumers.
Third, the ISE must function in a decentralized, distributed, and
coordinated manner. In effect, we need to implement a federated ISE
that incorporates the full cooperation and coordination of the Federal,
State, local, tribal, and private sectors entities. This way ISE
participants can be governed by an agreed set of common standards and
practices that conform to mandated guidelines. Where these cannot be
common, they must, at least, be compatible. Where necessary and
consistent with proper information flow, these standards and guidelines
must take into account the needs and desires of the constituent
elements, including the security, where required, of the information in
the ISE. The ISE should provide direct, continuous, online access to
information that is readily available for analysis, investigations and
operations without sacrificing privacy and security.
Finally, the ISE must be developed and deployed incrementally by
leveraging existing information sharing capabilities and deploying
centralized core functions and services to provide new capabilities and
value-added business benefits to all ISE members. Only by building from
what we now have functioning can we continue to share information
effectively and uninterrupted.
ISE Implementation Approach
A critical question for implementing the ISE is how best to get it
up and running while addressing the myriad policy, process and
technology differences among multiple organizations tasked to perform
disparate missions. These differences pose challenges and impediments
which include: conflicting or incompatible policies, processes, and
procedures for information classification, access vetting, security and
privacy; incompatible or non-interoperable legacy systems and data
formats; conflicting approaches to information sharing; and conflicting
management structures for overseeing information sharing partners.
In many cases these differences have evolved over decades. It is
not realistic to think that we can overcome them in a short period of
time. But, we must proceed with intelligent, focused, and determined
energy and dispatch. I believe this means that we must prioritize the
many tasks before us. I am in the process of deciding those priorities.
In the past few weeks I have set several priorities--not all of those
that need to be set, but several of the highest ones. Let me turn to
those areas now.
To realize the ISE, the challenges mentioned above, must be
addressed. Common policy, process, data and technology standards for
terrorism information sharing must be implemented across all ISE
agencies. The President's December 16, 2005, Memorandum entitled,
Guidelines and Requirements in Support of the Information Sharing
Environment (The President's Memorandum) established the ISE
requirement to ``implement common standards across all agencies
regarding the acquisition, access, retention, production, use,
management, and sharing of information.'' The comprehensive and complex
nature of such a transformational effort will require significant time
to fully implement. However, the ISE is an urgent national imperative
that cannot wait for such an effort to be completed before enhanced
information sharing is achieved. The key is to achieve initial
operating capability for the ISE in the short term, and continue to
build on existing capabilities, while the comprehensive,
transformational effort proceeds in the longer term.
We have begun the work to assist in more clearly defining roles and
responsibilities among departments and agencies by developing policies,
business processes, and technologies to implement the ISE. There are
already capabilities and initiatives underway to improve the Nation's
ability to share terrorism information.
The DNI has enabled the National Counterterrorism
Center (NCTC) to step up to the Federal leadership role that
the President and Congress have laid out. Admiral Scott Redd
and his staff hold video teleconferences three times a day with
analysts across the homeland security, law enforcement,
intelligence, foreign policy, and defense communities. NCTC
collects intelligence information and analysis from 28
different government networks which come into NCTC and post it
on a single website where it is then accessible by individual
agencies.
The Terrorist Screening Center (TSC) used to receive
terrorism information from NCTC via a computer disk. Today, the
TSC receives this information directly from NCTC in controlled
unclassified format and electronically. This has greatly
enhanced the ability for TSC to efficiently produce the
Terrorist Watch List and distribute it to local law enforcement
partners.
Fusion Centers have been established--or are in the
process of being established in 42 states. Additionally, a
growing number of localities--particularly major urban areas--
are also establishing similar centers. State and local fusion
centers are a critical component of the ISE because they can
dramatically enhance efforts to gather, process and share
locally generated information regarding potential terrorist
threats and to integrate that information into the Federal
efforts for counterterrorism. Federal law enforcement is
working closely with these Fusion Centers.
The Department of Homeland Security (DHS) offers a
series of web-based portals and other tools that support
information exchange, file sharing and chat services among
State & local law enforcement, emergency operations centers, 53
major urban areas, local, state or regional intelligence fusion
centers, and the private sector.
Department of Justice's (DOJ) Law Enforcement
Information Sharing Program (LEISP) implements a unified
Department-wide technology architecture to enable DOJ
partnerships with State, local, tribal and Federal law
enforcement agencies, and identifies which IT investments to
support. LEISP enhances DOJ's ability to share information
across jurisdictional boundaries.
The Department of Defense (DOD) has recently designated a full time
Information Sharing Executive; an initiative I intend to encourage
other large agencies to follow. DOD has also continued to invest in the
development of Global Information Grid (GIG). The GIG is being
developed in concert with ODNI IC Enterprise Architecture (ICEA) to
support all DOD, National Security, and related IC mission and
functions in war and peace.
But, I freely admit that there are many areas where we need to do
better. I intend to determine the highest priority areas and to devote
the time, resources, and commitment to make near term and long-term
improvements in these areas. Among the highest priority matters that
need attention are the following: defining government-wide standards
for Sensitive but Unclassified (SBU) information handling; assisting in
the development of a national strategy that defines federal
collaboration with State and local fusion centers; developing an ISE
budget investment strategy; deploying of initial capabilities for
Electronic Directory Services (EDS); and developing guidelines to
protect the privacy and other legal rights of Americans.
Sensitive But Unclassified Information Efforts
The President's Memorandum contained specific direction related to
the standardization of Sensitive But Unclassified (SBU) information.
Specifically, Guideline 3 required each department and agency to
inventory existing SBU procedures and their underlying authorities
across the Federal government, and to assess the effectiveness of these
procedures and provide this inventory and assessment to the Director of
National Intelligence (DNI) for transmission to the Secretary of
Homeland Security and the Attorney General. Guideline 3 further charged
the Secretary of Homeland Security and the Attorney General, in
coordination with the Secretaries of State, Defense, and Energy, and
the DNI, with submitting recommendations for the standardization of
such procedures for terrorism, law enforcement, and homeland security
information. In response, an interagency working group led DHS and DOJ,
working with my office, initiated a significant multi-agency effort to
address these issues that I believe will lead to tangible improvements
in the way SBU is marked and handled.
This working group completed the initial inventory task in March
2006, and is in the process of evaluating the results. The data
collection also includes responses by agencies to the Government
Accountability Office's (GAO) similar request, supplemental material
volunteered by agencies, and publicly available data. The working group
will use the analysis of the SBU inventory as well as review of related
literature, including SBU reform proposals of concerned communities of
interest, recommendations of the GAO, the Congressional Research
Service (CRS), and a wide range of other legal, academic and policy
sources to develop recommendations for submission to the President
regarding the standardization of SBU procedures by June 2006.
Preliminary assessments indicate that there are no government-wide
definitions, procedures, or training for designating information that
may be SBU. Additionally, more than 60 different marking types are used
across the Federal Government to identify SBU, including various
designations within a single department. (It is important to note,
seventeen of these markings are statutory.) Also, while different
agencies may use the same marking to denote information that is to be
handled as SBU, a chosen category of information is often defined
differently from agency to agency, and agencies may impose different
handling requirements. Some of these marking and handling procedures
are not only inconsistent, but are contradictory.
Initial evaluation of the inventory data also suggests that
different agencies rely on different authorities as a basis for
developing marking and handling procedures. For example, some agencies
rely on Freedom of Information Act (FOIA) exemptions to mark SBU
information, while other agencies may apply markings to SBU data not
necessarily subject to a FOIA exemption. Information characterized as
SBU also can range in levels of sensitivity.
In coordination with my office, the Secretary of Homeland Security
and the Attorney General will submit recommendations to the President
in June on standardization of SBU procedures for terrorism, homeland
security, and law enforcement information. The Guidelines also require
that the DNI, in coordination with the Secretaries of State, the
Treasury, Defense, Commerce, Energy, Homeland Security, Health and
Human Services, and the Attorney General, and in consultation with all
other heads of relevant executive departments and agencies, submit
recommendations and standards applicable to all Federal controlled
unclassified information by December 16, 2006. While many improvements
can be achieved by Executive Branch actions alone, these
recommendations may also involve recommendations for legislative
changes.
The PM, in managing the development and implementation of the ISE,
will closely coordinate all efforts under the President's guidelines to
ensure progress, consistency, and effectiveness, and to ensure that all
partners in the ISE benefit from the implementation.
State and Local Fusion Centers
State, local and tribal governments will continue to ensure that
personnel responsible for protecting local communities from terrorist
attacks have access to timely, credible, and actionable terrorism
information. A number of State and local governments have sought to
address this need for actionable information by establishing
``information fusion centers.'' These centers coordinate the gathering,
analysis and dissemination of law enforcement, public-safety and
terrorism information. As I mentioned, Statewide fusion centers have
been established, or are being established, in 42 states.
There is, however, no national strategy that defines federal
collaboration with these centers. Each State and local fusion center
has developed it own way of interfacing with the various Federal
entities involved in terrorism prevention and response efforts.
Additionally, fusion centers rely on multiple channels to exchange
terrorism information with the various Federal entities involved in
investigatory, prevention, response, and recovery activities. It is one
of my highest priorities to greatly improve this situation.
I strongly support the concept of fusion centers and I expect these
centers to become critical components of our national capability to
gather, analyze, and disseminate actionable information. State and
local fusion centers across the nation should achieve a baseline level
of capability. The Department of Justice Global Justice Information
Sharing Initiative/Department of Homeland Security Advisory Council
``Fusion Center Guidelines'' were developed with Federal funds and
through a collaborative process involving Federal, State, and local
officials and may provide this useful baseline. I intend to help the
collaborative process move forward by working with DHS, DOJ, DoD and
others to develop an integrated Federal approach that describes how the
various Federal entities (law enforcement, homeland security, defense)
can interface with state and local Fusion Centers.
Guideline 2 of the President's Memorandum requires the Secretary of
Homeland Security and the Attorney General, in consultation with the
Secretaries of State, Defense, and Health and Human Services, and the
DNI (which includes the Program Manager), to perform a comprehensive
review of the authorities and responsibilities of executive departments
and agencies regarding information sharing and to submit to the
President a recommended framework for sharing information between and
among executive departments and agencies and State, local, and tribal
governments, law enforcement agencies and the private sector. This
framework is to be submitted to the President through the Assistant to
the President for Homeland Security-Counter Terrorism and the Assistant
to the President for National Security in June 2006.
ISE Budget
In March of this year, OMB issued a budget data request (BDR) in
support of the Information Sharing Environment. This request provided
to my office information on the inventory of systems, programs and
architectures that support terrorism information sharing. The BDR
requested corresponding FY06 and FY07 budget information for those
systems, programs, and architectures.
My office will use this data to develop an investment strategy for
the ISE to shape future budget decisions through the identification of
gaps and opportunities to better enable terrorism information sharing.
Such mechanisms could include system modification and/or enhancement,
as appropriate; new investments and acquisitions; and strategic
leveraging of existing programmatic resources.
Electronic Directory Services (EDS)
On March 31, 2006, we released the initial capability for the ISE
electronic directory services (EDS) within a classified environment--
something that has not existed before. The approach to EDS is
incremental, starting first at the federal level to provide directory
services information within a classified environment; and then
eventually creating the capability at the SBU level. This first
delivery of the EDS provides contact information for Counterterrorism
related watch centers, and is similar to a telephone book?s ``Blue
Pages'' listing. These Blue Pages are available to anyone who has
access to the Sensitive Compartmented Information (SCI) and SECRET
security domains. The Blue Pages reflect agreements and cooperation
among the Information Sharing Council members; in particular, the
Office of the Director of National Intelligence (ODNI), who is hosting
the Blue Pages in the SCI security domain, and the Department of
Homeland Security (DHS), who is hosting the SECRET security domain Blue
Pages.
My staff has a strong sense of urgency to deliver full EDS-People
and Organization (EDS-PO) capabilities defined as a set of registries
that share a common, trusted, and up-to-date view of people and
organization information, which includes identification of necessary
attributes and standardized metadata on people and organizations, to
assist in locating people and resources with relevant knowledge about
intelligence and terrorism information. Current efforts are focused on
White and Yellow Pages and are defined below:
White Pages Concept--Name, personal attributes and at least one
method of contact for named personnel. Additional contact information
may include phone numbers, email addresses and postal addresses. For
urgent needs, an alternate 24/7 method of contact may be included.
Attributes may include such information as skill set, clearance level
and areas of expertise. For certain users, some attributes may not be
viewable or searchable.
Yellow Pages Concept--Organization and contact information, which
may include description of roles and responsibilities and organization
charts. For urgent needs, an alternate 24/7 method of contact will be
included. These may include a pointer to the organization directory.
For certain users, some organization attributes may not be viewable or
searchable. The EDS-PO Implementation Plan developed in February 2006
calls for implementing the Blue Pages on the Sensitive But Unclassified
(SBU) domain by end of July 2006. Due to lack of cohesive and
centralized governance structure of the SBU domain, the solution for
SBU Blue Pages is more complex than the SCI or SECRET domains. As a
result, the SBU Blue Pages data will be a subset of that available on
the SCI and SECRET Blue Pages.
By the end of October 2006 we plan to increase existing ODNI White
Page capability at the SCI and SECRET domains to include non-IC
information. Also planned for October 2006 is the initial iteration of
Yellow Pages at the SCI and SECRET domains. Currently, the
implementation team is working with the Departments and Agencies to
identify the cost of making appropriate content available to the right
users.
Guiding Principles
Creating a culture of information sharing within the various
departments and agencies of government will require us to assign
dedicated personnel and resources; reduce disincentives to sharing; and
to hold our senior managers and officials accountable for improved and
increased sharing of information. And it will require a great deal
more. I have established the following principles to guide the efforts
of each of the entities engaged in developing the ISE.
We will deploy a decentralized, distributed and
coordinated model so that the handling of terrorism information
in the ISE will take place directly among users, using a web-
enabled, network model accessible to each of the stakeholders
in information sharing.
We are working to develop and use common standards and
best practices to promote maximum distribution and access to
terrorism information, including the appropriate method for
government-wide adoption and implementation of these standards.
We will deploy the ISE on the premise of information
``access'' by using the concept of ``shared information
space''. In this model, information is a community asset--not
the property of a particular agency. We will ensure security
and privacy safeguards are in place to protect sources and
methods while ensuring the privacy and other legal rights of
Americans are protected.
We will operate on the basis of ``risk management''
not ``risk avoidance'' to balance the risk of inappropriate
disclosure of information against the risks associated with
inadequate information sharing. This is the approach used now
within most departments and agencies, and it should be used
within the ISE.
I want to build trust through auditing, performance
evaluation, accountability and transparency. Achieving that end
will require significant training and education as well as
strict enforcement of policies and processes relating to the
handling of information that is shared.
Finally, we are striving to facilitate easier user
access to terrorism information for users faced with a wide
variety of systems and tools and by different policies,
procedures and access controls. I want to simplify ISE access
for users regardless of their point of entry into the
environment through the deployment of open standards and
technologies and appropriate policies related to user access.
I want to thank the Members of this committee for your continued
support and dedication to this important issue and look forward to
working with you on building an enduring capability for information
sharing for this Nation. I welcome and look forward to your questions.
Mr. Simmons. I thank you, Ambassador.
I have some questions, and then we will go back and forth
to the members.
My question is a follow-on to what you just mentioned, and
what I mentioned in my opening statement, the issue of culture.
When we talk about the five communities, we could just as
easily talk about the five bureaucracies, if you will:
intelligence, law enforcement, defense, homeland security and
foreign affairs.
Many country teams overseas have four of those five
communities at the country team table. As somebody who served
on country teams, as I am sure you have, you know that
everybody gathers, and you know that everybody listens to the
ambassador and they all smile at each other, and they all plan
to be at the cocktail parties, but not necessarily a lot of
sharing unless there is really strong leadership at the table.
To those four, we add the fifth, which is homeland
security, and we have a new dimension here, which is the non-
federal dimension. The homeland security dimension goes to
state, local and tribal. So you are not just dealing at a
federal level. You have other levels of government. One could
argue that law enforcement goes to state and local,
potentially, through state police and municipal police, for
example.
One could argue the defense community also has a state
component through guard and reserve, principally through the
guard. So there are multiple dimensions here, multiple
bureaucracies, and multiple tasks at a vertical and a
horizontal level.
With your 20 people, what tools do you have? What carrots
and sticks do you have to ensure that this complicated, I think
of it like a lion tamer, almost in a circus, you know. What
kind of a whip can you crack? What kind of incentive can you
provide to ensure that these people are sharing, and in a
productive fashion?
Do you have the tools necessary to get the job done? Can
you enforce the rules, if you will, or provide incentives for
those who cooperate and punishments for those who don't?
Ambassador McNamara. Well, let me start by saying I
understand the country teams concept. I think what I am talking
about here when I talk about that national system that needs to
be set up for information sharing is a kind of country team. It
just happens that it is our country here back home, rather than
our country as projected overseas.
Indeed, all five communities are present in that country
team, if I may note. The country team that is now part of, or
the element of the country team that is now part of homeland
security includes the Coast Guard, the Bureau of Customs, and
other elements that are present overseas in many of our
embassies, Transportation Security, et cetera.
Do I have the tools? I do have the tools. I do not have
tools to enforce the rules. I have tools to recommend the
rules, and the president will make the rules, and I will be
enforcing his rules. But when he makes the rules, that also
means that every member of the Cabinet and sub-Cabinet level
and on down is to obey those rules also.
What tools I have are calling attention to those who don't
follow whatever the rules are, as the rules are established.
Number two, I have the ability to recommend budgetary changes.
I have the ability to go to the OMB and to the president with a
budget strategy for information sharing. That means that I do
not have to pass my recommendations through any particular
agency in order to get them heard at the highest levels.
If I might address in a little bit more detail the
relationship with the DNI, I do report to the DNI on matters
that directly relate to the intelligence community. But the
legislative mandate that I operate government-wide means that I
must also operate in those communities which are not under the
direct authority of the director of national intelligence. He
and I have discussed this and we understand perfectly well that
I go through him sometimes, and other times go in another path.
As for support, thus far in a very short time that I have
been here, I have spoken with almost all of the Cabinet-and
sub-Cabinet-level officials in the major agencies that I am
working with. By that, I mean Homeland Security, DNI, Defense,
Justice, FBI and others. In fact, in some cases I have seen
them several times since I started.
I expect to work at that level and to continue to dialogue
at that level in order to get what I believe to be my job done.
That, I think, will be a significant factor in how well and
also how fast we move forward.
Mr. Simmons. Thanks very much.
The chair recognizes the ranking member, Ms. Lofgren.
Ms. Lofgren. Thank you, Mr. Chairman.
And thank you, Ambassador, for being here with us today.
As you probably know, the National Governors Association
last month surveyed state homeland security directors and found
that 60 percent of them were either somewhat or completely
dissatisfied with the specificity of intel information they
were receiving from the federal government. So I have specific
questions.
We have heard now for several years, obviously not from
you, about the culture and dialoguing and the like. But I am
one for setting protocols and rules, and then you can get some
enforcement.
So first, the president directed in December of last year
that the DNI, and I think through your office, would come up
with standards to convert classified terrorism information into
a sanitized format that could then be shared with state, local
and tribal enforcement. I think the deadline was mid-March. We
didn't make it. We have a new deadline of June 14.
Are we going to make that deadline? Where are you on it? If
not, what can we do to help you make that deadline?
Ambassador McNamara. I expect to make the deadline. I would
be less than candid with you if I said I was absolutely certain
at this point, after only 9 weeks on the job, that I have in
effect gathered in all of the information I need in order to
make that report. But by June, I intend to make that report.
That report will include recommendations with respect to
classified information, and I think even more importantly, what
to do about the unclassified, but controlled information.
Ms. Lofgren. That is my second question, because, as you
know, the GAO identified 56 different sensitive but
unclassified designations across the government, and identified
that there are no government-wide policies and procedures for
making those designations. I think your office is to develop
those procedures. In the absence of that, each agency is kind
of ad-hoc'ing it.
We learned from the GAO that there is no review process,
and further that there is apparently no legal standard that has
been developed for this either, which means that ultimately the
sensitive information is going to end up being published unless
we have some legal hook for keeping that from happening.
So I am wondering, I am sure you have read the GAO report,
the deadline for that is December of this year, but I am
hopeful that we can get something done prior to that time. What
are your thoughts on that? Where are you? Do you have the
resources necessary to do that? And how can we help?
Ambassador McNamara. I think we can meet that deadline, and
I hope we can come in early. I intend to make some
recommendations in June. That, as I listed in my top
priorities, that was one of them.
A couple of comments. Here is another example of how we are
working against the culture. It is a culture that was quite an
effective and useful culture when it was working during the
Cold War.
Ms. Lofgren. If I may, I don't think we are disagreeing on
the culture issues, but if we don't have any policies, then it
is very hard to insist that they be adhered to.
Ambassador McNamara. That is right.
Ms. Lofgren. There is no argument on the culture, but you
have to have some rules that you ask people to obey.
Ambassador McNamara. And that is what I intend to make
recommendations on in June, and then again in December.
Specifically, I think what has happened is indeed we have since
the GAO report was written continued to get information with
respect to the SBU problem, and 56 is a low number. We are well
above that now, and I expect the number will go up in the
coming weeks as more information becomes available to us.
I think what we have to do, and for this I was referring
back to the Cold War, we thought the classified information
during the Cold War, national security information needed to be
classified, and we created a rational system which we then
propagated throughout the federal government, and we insisted
that everybody observe that system.
In the post-Cold War period, it seems to me, that during
the Cold War we said, with respect to nonclassified matter, do
whatever you want with it. We are not interested; that is not a
danger; that is not a problem; do what you will. So for 50
years those 56 or 60 or 70 systems got built up.
Now comes the time, I think, to set up a system which in
some respects would mimic what we have been doing in classified
information, and that we will restrict the use of the SBU to
certain categories that need to be controlled, and there are
some legislatively mandated, and in some cases via regulation,
truly do need to be controlled.
But the great majority of the information which is now
controlled can be put in a simple unclassified, uncontrolled
category, it seems to me. And that is the system that we are
trying to put together, a rational limited set of categories
that, like the system that we have for classified national
security information, can be applied to controllable
information, but leave most of it as fully unclassified.
Ms. Lofgren. My time has expired. I appreciate the
chairman's indulgence. We will do a second round, and I will
ask some further questions.
Mr. Simmons. The distinguished gentleman from Nevada, a
member of our Intelligence Committee.
Mr. Gibbons. Thank you, Mr. Chairman.
Ambassador McNamara, welcome. Thank you for your service,
and I especially thank you for voluntarily coming back into
government and trying to put your arms around a very difficult
issue.
As I look out there, and I look at all of the agencies, and
certainly can understand the inability of some agencies to work
well with others, I am aware that there is a degree of mistrust
between various organizational agencies within the federal
government.
You are telling us that already we have intra-agency
cooperation that is fairly good. I still see this mistrust out
there, though, on information sharing, either because it is
going to jeopardize the source or method by which we receive
that information, or it will jeopardize the utilization of that
information in, for example, the prosecution of a case.
What can we do to bridge that mistrust so that we can get
this information out there without giving the sense that we are
forcing somebody to sacrifice either the prosecution of a
terrorist or result in the loss of a source or a method by
which the information is generated? What needs to take place to
build that bridge?
Ambassador McNamara. Again, after 9 weeks, I hesitate to
give you a full answer to that, but I think I see, based on
prior experience, a way out of this conundrum. And that is that
we now practice a system of information sharing within agencies
that is called ``risk management.'' That is to say, you
understand what the nature of the information is, how sensitive
it is, and then you manage that information according to
certain risk criteria. Within agencies, that has been done now
for many years, a decade or more, depending upon the agency.
What is interesting is that the risk management approach is
not practiced between agencies very much. Occasionally it is,
and on a limited basis. Instead, what is practiced interagency
is risk avoidance. That is to say, if there is any risk, no
sharing. It seems to me to be irrational and illogical to
practice risk management within an agency of many tens of
thousands of employees, and not risk management with respect to
other agencies where the clearances and the process of vetting
the employees is very similar, and in some cases identical.
So I think the way to get from where we are now in sharing
information among the various federal agencies, and indeed by
extension down to the state level, is to change the culture of
risk avoidance, a zero-risk approach, and consider what we are
doing within agencies, within the CIA, within the Department of
Defense, within the Department of Homeland Security, within the
Federal Bureau of Investigation, and practice risk management.
Mr. Gibbons. Now, in your position, are you comfortable
that that can take place? Because it reminds me of what my
mother told me when I was a young boy about changing the way I
did things. She said, ``Jim, change is not a difficult thing if
you are willing to let go of the old way you do things.'' I am
sure that there are some institutional problems within those
various agencies that will make this a challenge, and I am sure
we see that even today.
My time is about to run out. I wanted to ask you one final
question here. We talked about state fusion centers. I think,
along with you, they are very, very important to the future of
our intelligence network nationwide.
What gives you the comfort of knowing that when we have 50
state fusion centers up and running, that we are going to be
able to have the same bridged sharing of that information among
those 50 states and in many territories that would also be
sharing in those as well?
Are we doing things today to set the proper stage so that
these states when they begin to set that up--and I know my
state is looking at doing one, modeled after what California
has done. I want to make sure that the federal government is
playing an active role in making sure that we are all
interoperable, so to speak, for that information sharing.
Ambassador McNamara. I think the answer, Congressman, is
that yes we have started down that path. Indeed, the Department
of Justice and the Department of Homeland Security jointly have
put out guidelines for those fusion centers.
Those guidelines are quite extensive, and they are
guidelines; they are not rules. They are no ``you must do,''
because cookie-cutter approaches are not going to work with 50
states, and indeed more than 50 states because you have cities
such as New York, Los Angeles, Chicago and others that wish to
see urban regions and urban areas united in a fusion center.
Those guidelines, and I have read them, and experts that
put them together, both from the federal, state and local
governments around the country, believe those guidelines are
adequate to set up a system, a national system, indeed, of such
fusion centers that would integrate the fusion centers
effectively.
The 42 that are now up, most of them, particularly the
larger ones, are following the guidelines. We believe that most
of those that are in the planning stages are using the
guidelines as their planning tool for setting up those centers.
Once again, the federal government can't dictate to the states
and there are local conditions and variations that need to be
addressed at the state level and below.
But that, I think, is a very important tool and, again,
that did not exist a year ago. It exists now, and in fact we
hope very, very shortly to have that published. I am pushing
very hard to get that published as soon as possible. It has
been informally distributed, so the publication will simply
sort of put a final mark of approval on the document itself.
There are other ways also I think that we have been able to
help through grant programs with the various states that are
setting them up. I would point out that in some cases states
are making decisions as to whether they want just a single
state fusion center, or whether they should join with some
neighboring states to set up a fusion center for that group of
states. In other instances, we are going to find fusion centers
will be multiple within a state, California being a prime
example, as is New York.
Mr. Gibbons. Mr. Ambassador, my time has expired. I want to
thank you again for your presence here today.
Mr. Chairman, thank you.
Mr. Simmons. I thank the gentleman.
The chair recognizes the distinguished gentleman from Rhode
Island, Mr. Langevin, a member of the Armed Services Committee.
Mr. Langevin. Thank you, Mr. Chairman.
Ambassador, I want to thank you for being here today and
for your testimony. I know you have a tough job on your hands.
We look forward to working with you.
With respect to information and intelligence, the most
important thing, I am sure you would agree, is to make sure
that those who need the information have the information that
they need to do their jobs. That often means people on the
frontlines, law enforcement most especially.
So far, I can tell you that most state and local law
enforcement entities have not been impressed with the level of
communication they have had with the federal government, the
Department of Homeland Security in particular.
So I guess I would like to start with the question of, has
there been a general agreement reached in terms of your
understanding of the type of infrastructure that will be used
to share information?
Law enforcement, to be honest with you, doesn't want to
reinvent the wheel. By way of example, the regional information
sharing network, RISSNET, is something that law enforcement is
very comfortable with. They use it all the time for sharing
basically law enforcement intelligence.
Many in the law enforcement community feel that there
should just be a component added for sharing terrorism-related
information within RISSNET. Obviously, Homeland Security may
feel differently. I have raised this with Charlie Allen, by the
way, and to his credit he dispatched his deputy up to RISSNET
to actually see this in operation and how it is in terms of
what law enforcement is familiar with, and how they work now.
But could you answer the question of, is there general
agreement on how we are going to share this information,
particularly with those on the frontlines who need it most,
particularly law enforcement?
Ambassador McNamara. I think there is an understanding of
what is necessary in order to create that national system that
I was talking about. The complexity of the systems,
particularly at the local level, are a major obstacle to
getting a single, if you will, pipeline in place.
I think in the end, we are probably going to do something
of what you suggested. Rather than creating new lines, use
those that we now have, but expand their use so that we don't
have to create something new.
What we can do is build on the ones that are out there. And
there are things like RISSNET and there are networks within the
Department of Defense, within the Department of Justice itself,
as opposed to the FBI, and also in Homeland Security that can
be usefully expanded so that they can handle more and better
information.
I think a major problem is in packaging the information. I
was surprised, one of the many surprises when I came to this
position was my impression that the information flow from the
federal government to the state and local governments was
insufficient. That is, it was inadequate. I found out that it
was not inadequate in volume. It was inadequate and
insufficient in quality and in the manner in which it was
packaged.
What we need to bring to this issue is an understanding of,
and I think it is understood within the intelligence community
better than it is in some other communities, of managing it so
that the consumers of the information can benefit from it, so
that sending out information, as we have done in the past, in
which we didn't take into account that the local police chief
needs that packaged in a way that he can use. It has to be
actionable. It has to be something that is relevant to his
situation.
I heard the story of a police chief from a major city,
after the London bombings, who said that he got no useful
information about the London bombings from the federal
government. He had about 3 or 4 hours at most to decide what he
was going to do about the commuters who were going to be using
buses and subway systems in his city for the morning rush hour.
What he was looking for was information that would tell him
what can he put out to the public and how should he react to
the London bombings in a way that would make the community feel
more comfortable about going to work in the morning. He got
that by getting on a telephone and phoning four other chiefs of
police in four other major cities, and the five of them came up
with an effective recommended way of handling the morning rush
hour problem.
I think if we had a national system such as I am talking
about, if wouldn't have to be ad-hocced at 5 o'clock or 4
o'clock in the morning. It would be a system that would come
online and it wouldn't be necessarily the chiefs of police that
would be the first ones to communicate with each other.
There would be a communications system that would go into
emergency mode among the fusion centers, and the information
would be gotten out not just to five police chiefs, although
that was certainly a benefit, but maybe to 55 or 155 or 255,
because the system would work for the benefit of all.
I think that is what we are talking about. We are talking
about setting up a limited number of pipelines with information
that will be packaged in a way that is useful to the consumer,
which means we have to go to those police chiefs. We have to go
to those state homeland security officers and get them to tell
us what is useful to them.
And then I think we need to use the NCTC, the National
Counterterrorism Center, as a major focus of our effort to
package the information so that it is useful to those at the
state and local level. That, it seems to me, means bringing
state and local people up here to Washington to work with us so
that we will get out of the product that we have here in
Washington something that can be used either in an emergency
situation such as after the London bombing, or that can be used
for, let's say, investigations, protection of infrastructure,
managing public fears, managing the difficulties of a
particular sector in the private sector.
All of that needs to be packaged in a way that is useful
for the consumer, and the consumer is the person at the other
end of the line. It is not the analysts sitting in Washington
writing out what is a perfectly good piece of paper, useful to
people here in Washington, but of no use to that police chief
who has to make a decision about what to do before the
commuters go to work at 6 in the morning.
It is a very long answer to a short question, but that is
my understanding of where we need to go and how we need to do
it.
Mr. Langevin. It is obviously an important subject. I like
what I am hearing, and obviously you are identifying the
problem. I hope you will follow through with working very
closely with law enforcement people on the frontlines who are
going to ultimately be the end-users of this information they
need. It is so important to involve them from the get-go, and
listen to them to hear what is going to be most helpful.
So I know my time is expired. If we do a second round, I
had additional questions.
Thank you, Mr. Chairman.
Mr. Simmons. I thank the gentleman. We will do a second
round.
I appreciate the comments on the fusion centers. I agree
completely that that is a tremendously useful tool to
facilitate information sharing. But I would like to go back for
a few minutes to the sensitive but unclassified issue.
You are absolutely correct. During the Cold War, a security
system was established of confidential, secret and top secret,
and then various compartments, based on sensitive methods of
collection that were pretty much at the top secret level, but
simply a top secret clearance didn't give you access to those
compartments. You had to be signed in and signed out.
So I have traditionally looked at the classification system
as three parts: confidential, secret and top secret. We have
this unofficial use only; we have law enforcement sensitive; we
have various other caveats that really aren't classifications.
They are controls.
Ambassador McNamara. Controls, right.
Mr. Simmons. I suspect that you could spend the rest of
your life trying to figure out a system to get everybody happy
to accommodate all of these different controls.
Somewhat hypothetically, but I will ask the question
anyway, why don't we clear the deck? Let's take all of those
SBUs and just wipe them out. Start with a clean slate, and then
ask ourselves, which ones absolutely have to be added back and
in what fashion?
Now, law enforcement is sensitive. It has been around for a
long time. As Mr. Langevin said, people don't like to reinvent
the wheel, et cetera, et cetera. Okay, so that should be added
back. Perhaps that should be added back as something that is
classified confidential. I don't know.
But it seems to me that, again, you could spend the rest of
your life working this problem and never reach a completely
satisfactory conclusion, and in the meantime other critically
important initiatives such as, you know, we have to share,
folks; we have to figure out how to share; we have to make sure
the guys in the fusion center and the police officers in the
municipalities have actionable intelligence. We have to make
sure that pipeline is working.
So if we were to take the SBUs and just clean the slate,
how many would we count as being really critical to add back in
some form or another? Has anybody on your staff taken a look at
this? Has anybody tried to address this problem from that
standpoint, of erasing and adding back, as opposed to trying to
accommodate what we have?
Ambassador McNamara. Let me make one comment about the
``wipe it out and start over again.'' If we assume that we were
to wipe it out, and let's say it took 6 months to start it up
and get it working again, or even if it only took 6 weeks, the
question arises as to whether or not all that information that
rightly was controlled?
Mr. Simmons. If I could interrupt for just a second. I
understand. It is like an academic exercise. We have all this
stuff on the chalkboard, and we erase it all, and then we ask
the class, okay, who is upset at what we just did? Who
absolutely cannot deal with the fact that we have erased
everything of the chalkboard? Who absolutely insists that we
have to add their SBU back to the slate?
Ambassador McNamara. That is part of the process that we
are going through right now, is determining what is essential
to control, and if so, if it is essential to be controlled,
under what rational set of categories, what legislative
mandate, or government-wide regulation should it be controlled
under?
It varies. We are not at that point of actually setting up
the final list of categories, but my initial observations would
be that certainly no more than a half-dozen or so categories
would probably do the job. And then you would determine,
depending upon the level of sensitivity, whether or not
something that is now personal health information, for example,
which under various privacy laws must be controlled, or whether
it is proprietary information, again under other laws must be
controlled.
It has nothing to do with national security. In fact, the
federal government doesn't really have an interest in itself of
doing the controlling. It is that proprietary information needs
to be controlled because of other interests.
So setting up those categories and then, you might way,
wipe it out, but then inserting those categories that
definitely require under legislation or government-wide
regulation, require controls, that they be put in the proper
category of control. And that the rest of it I would think
would just become unclassified, with no control mechanism.
Mr. Simmons. I think that would be a very useful exercise
for you to pursue between now and June.
Ambassador McNamara. I am pursuing it. I will pursue it
beyond June if necessary until I get it done. I have until the
end of the year, according to the rule. I would be delighted to
get it done by June. July, I would be less delighted, but more
delighted than September or October.
Mr. Simmons. Before the August vacation.
The ranking member?
Ambassador McNamara. I will do my best.
Ms. Lofgren. On that same point, and perhaps we are honing
in on this because we had such a useful workshop with the GAO
on this very subject. As you are describing the process, you
are using, you are getting a reading, you are getting the
temperature from various agencies. I am wondering what, other
than just their druthers, what kind of objective criteria that
you are proposing to them?
I assume that in this process, you will get buy-in from
across the federal agencies. But have we reached out? I mean,
one of the things that I thought was interesting in the GAO
exchange was that it is not all clear that we have any legal
basis, in some cases, for actually keeping this information
private. So if we don't set up objective standards that will
withstand scrutiny, it doesn't matter how we define these
things, we will not succeed in protecting them from an assault.
Can you shed any light on those questions?
Ambassador McNamara. Again, a tentative observation at the
start. I don't pretend to be an expert in this. I have begun in
the last 2 weeks to get more and more involved in this, so
therefore that means in the first 6 or 7 weeks, I was busy with
other things.
There are instances where it is very clear. There are 17,
in fact, that are required by law, by a legal mandate. There
appear to be others that are equally meritorious, but there was
never a problem, and so no law was passed. In other words, in
17 cases, something happened and the Congress said, that should
not have happened; we will fix it with a law.
But there were other cases where agencies did things on
their own in order to control something that should have been
controlled, and therefore no problems ever arose. If we were to
wipe that out, we would find problems arising. That is one of
the reasons why I am a little bit cautious.
Ms. Lofgren. If I can clarify. I am not suggesting, because
I don't know in fact--I don't think either one of us knows all
of the things that are being kept confidential. I am not
necessarily assuming those judgments are wrong, because I don't
even know what those judgments are.
All I am suggesting is there needs to be a framework for
that decision making, and there needs to be a legal basis for
enforcing that decision, or else ultimately this scheme will
fail.
Ambassador McNamara. Or come back to the Congress to create
the legal basis, and that is one of the options that is open to
us; that is, to set up the framework, apply what law is
currently available, see where it falls short, and possibly
come back up. There is much, quite frankly, that has no legal
basis and doesn't deserve any legal basis. We should be getting
that stuff out.
Ms. Lofgren. In some cases, when in doubt, stamp it
confidential.
Ambassador McNamara. That is right, or otherwise control.
That gets back to this thing about risk management versus risk
aversion. This is another area where the process has been risk
aversion. Does that look like it might cause a problem? On goes
the control stamp.
Ms. Lofgren. A final question. In a free society, we have
more actors than just the government. We have a free press. We
have the citizenry at large. Have you built into your work-plan
outreach into advocates for the press or for civil liberties?
Not that they should see the information, but that they should
evaluate the standards and get their input up front?
Ambassador McNamara. Honestly, I don't know what the answer
to that is. I hope the answer is yes, but I haven't asked it. I
will go back and ask it. And if it is not yes, I will try and
make it yes.
Ms. Lofgren. Thank you.
Mr. Simmons. The gentleman from Rhode Island?
Mr. Langevin. Thank you, Mr. Chairman.
Ambassador, are you familiar with the term ``electronic
discovery''?
Ambassador McNamara. Electronic discovery?
Mr. Langevin. Electronic discovery. Basically, it is a
relatively new technology or concept, you might say, and
basically it allows us to take massive amounts of data and
organize it into a understandable and usable format. They are
using it, for example, on some of the highest profile criminal
cases right now in the corporate world that you have read about
in the newspaper.
I would think that this would be something that would be
very useful in organizing this intelligence information and
then being able to disseminate it into usable type where you
have a format. And so maybe at some point we can talk a little
bit more about that if you are not familiar with the concept.
Ambassador McNamara. I have heard of it, and I have heard
it in these last few weeks mentioned. It is also data-mining,
is another--
Mr. Langevin. It is data-mining, but it is also organizing
one you have mined it--
Ambassador McNamara. Once you mined it, right.
Mr. Langevin. --to organize into a useful form.
Ambassador McNamara. I am not that familiar with all the
details, but I understand that there are both privacy concerns,
as well as security concerns that are involved in how one goes
about managing, if you will, the data-mining and the electronic
discovery.
Mr. Langevin. Sure. I welcome the opportunity to talk more
about that.
Ambassador McNamara. I would like to. I will try and get
myself more informed on it also.
Mr. Langevin. The other thing is, I would like to ask you,
the Department of Homeland Security right now has a clear
mandate to be the point of contact between federal government,
state, local and tribal law enforcement agencies in terms of
information sharing. Accordingly, I would think that the
department would have a lot of say about the policies that you
are developing for this vertical type of information sharing.
What is the precise role of the Department of Homeland
Security in the work that you are doing to advance the
information sharing environment? And what support is Charlie
Allen, the chief intelligence officer, providing to you
specifically?
Ambassador McNamara. The answer is that I recognize that
the Department of Homeland Security is basically the lead
agency in many of these areas, and that it has a primary
responsibility under the law to move information to the state,
local, tribal and private sector.
I have worked very, very closely with them. I have met with
Secretary Chertoff, Deputy Secretary Jackson, with Assistant
Secretary Allen, whom I have known and worked with before over
a period of 20 to 25 years. He is a good friend of mine, as
well as being a colleague that I have now come to work with one
more time after being out of government. I have also worked
with and met with Assistant Secretary Stew Baker and others in
the Homeland Security Department.
I think their role is going to be central in this national
system that I am talking about. My initial observation is that
the three chief, if you will, largest players in this are going
to be the Department of Homeland Security, the Department of
Justice, including the FBI, and the Department of Defense.
Those are the three majors. Then there are other departments,
but to focus in on Homeland Security, I think they will play a
central role, and they should and will expect to fulfill their
legislative mandate in that regard.
When I make my recommendations with respect to what I think
ought to be done, I will be taking that into account.
Mr. Langevin. Thank you, Ambassador. I look forward to
working with you further.
Ambassador McNamara. Likewise.
Mr. Langevin. Thank you, Mr. Chairman.
Mr. Simmons. I thank the gentleman.
Are there any other questions from the members of the
committee present?
Ms. Lofgren. I said I didn't have a question. This really
isn't one, but I am hopeful that we can get, at least in
writing, periodic progress reports on where we are on these two
pressing questions on classified-to-distributable information
and the SBU issue.
Ambassador McNamara. If I may add a comment. As I said in
my written statement, and probably should have in my oral, but
I was trying to keep it very compressed, it has been my policy
over many years to work carefully and closely with the Congress
and to keep them informed, whether I was working in political-
military affairs or terrorism, to keep the Congress informed.
I think that is doubly the case on this particular issue. I
have already told my staff that I want regular contact with
members and staff. We have already been meeting periodically
with House members on the House side and on the Senate side. I
intend to do that. And anytime we are not doing enough, please
give me a call and let me know and we will do enough.
Ms. Lofgren. Okay.
Mr. Simmons. Mr. Ambassador, thank you for your testimony.
And thanks to the members for their questions.
Members of the committee may have some additional questions
for you, and will ask you to respond to these questions in
writing. The hearing record will be held open for 10 days.
I think it is fair to say, Mr. Ambassador, we want you to
succeed in what we understand to be a complex and difficult,
perhaps even overwhelming task. I would suggest to you that the
GAO report should be considered a useful tool. It is a tool for
us, of course, and it could be a useful tool for you as well,
if properly utilized. I think you know what I mean by that.
We look forward to keeping in touch with you. Thank you for
your past service and for coming back to the government once
again to rise to the challenge that we face.
Homeland security is something that is incredibly important
to all of us, and all you have to do is look at some of the
pictures on the wall to see the consequences of our failure. We
never want that to happen to our country and our loved ones
again.
I thank the members.
Without objection, the committee stands adjourned.
[Whereupon, at 3:15 p.m., the subcommittee was adjourned.]
For the Record
Prepared Statement of Sheila Jackson-Lee
Thank you Mr. Chairman and members of the Subcommittee. I thank the
witness for testifying today. I speak to today on the challenges of
implementation on building the Information Sharing Environment (ISE).
According to the Intelligence Reform and Terrorism Prevention Act,
Congress intended the ISE as a method to ``provide and facilitate the
means for sharing terrorism information among all appropriate Federal,
State, local, and tribal entities, and the private sector through the
use of policy guidelines and technologies in a manner consistent with
national security and with applicable legal standards relating to
privacy and civil liberties.'' However, the advance of ISE has been
very slow due to lack of resources and a lack of commitment from the
Intelligence Community.
The Government Accountability Office (GAO) released a very critical
report detailing slow progress of ISE. The report goes on to describe
that the Department of Homeland Security and other agencies presently
use 56 different sensitive but unclassified designations to protect
information that they deem critical to their mission.
The GAO's report goes on to note that the Director of National
Intelligence (DNI) refused to comment on the report deeming it a
``review of intelligence activities'' that was ``beyond the GAO's
purview.'' In fact, GAO's report was solely a study of the development
of government wide information sharing policies and procedures which
did not involve evaluation of the conduct of actual intelligence
activities. Instead of there being government wide policies and
procedures governing information sharing, each agency determines for
itself what designations and associated policies should apply to their
sensitive information. Even with agencies, more than half of the
agencies the GAO examined reported challenges in sharing such
information because they do not have a formal policies and procedures
on the matter. It is clear that there seems to be a disconnect and lack
of communication between intelligence agencies internally and
externally. Today, I look forward to learning how Ambassador McNamara
will go about setting realistic policies and procedure that
intelligences will be able to disseminate and follow.
I look forward to hearing the witness and learning how we can
better protect this nation. Thank you Mr. Chairman.
�