Not all problems are IT-related, experts say

When Vance Hitch took over as CIO at the U.S. Department of Justice 18 months ago, he found a variety of applications running on different systems that were hampered by little or no integration.

But when it comes to information sharing and building a security program, such technical challenges can often be the easy part, said Hitch and other experts.

“Strategic information sharing is about assembling disparate data,” Hitch said at the United Nations Global InfoSec Conference here Thursday. However, one of the key lessons that Hitch has taken away from the experience of his department and others is that prior to Sept. 11, 2001, there was no common vocabulary throughout the dozens of federal agencies that have a primary role in homeland security and counterterrorism. In addition to a lack of common terminology, the homeland security effort has at times suffered from “conflicting mandates (and) imperatives,” he said.

Ken Watson, president of the Partnership for Critical Infrastructure Security, a private-sector organization consisting of security coordinators and primary points of contact for each critical sector of the economy, agrees that finding commonalities among infrastructure sectors can be a challenge, but it’s necessary.

“All of these sectors are using different vocabularies and languages, and they have different alert levels,” Watson said. “The railroads are different from electric power, which is different from DHS (the Department of Homeland Security), which is different from IT.”

In an attempt to bridge the terminology gap, one of the first things his organization did was develop a list of terms that are used in the different sectors. However, when it was complete, the list contained more than 6,000 terms, Watson said.

“Phase two of the project will be to create a thesaurus that will translate what an event in one sector means in another,” Watson said. “The third phase will actually be the toughest, and that will be to get people to agree on terms and reduce the number.”

The challenge and the goal, said Hitch, is to continue to move rapidly toward an enterprise architecture that eliminates “organizational stovepipes” and transforms those stovepipes into “secure, task-based communities of interest.”

However, that may prove more difficult for the DHS in the short term than previously believed. “One need look no further than the National Infrastructure Protection Center in the DHS and the InfraGard (program) in the FBI for an example of competing interests,” said the president of a regional InfraGard chapter.

The FBI established InfraGard chapters, or local information-sharing partnerships between the FBI and local businesses, in each of the 56 FBI field offices throughout the country. However, according to the InfraGard chapter president, who requested anonymity, the DHS in Washington makes a document called the Daily Open Source Report available to anyone on the Internet, while the FBI and its InfraGard program maintains the Open Source Report on a secure Web site that requires use of a virtual private network to access the report.

“I suspect it may be symptomatic of bigger problems regarding information sharing,” said the InfraGard source. “There was a bit of a tug of war between DHS and Department of Justice over the InfraGard program. DHS wanted InfraGard to transfer into DHS along with (the National Infrastructure Protection Center), but (the Justice Department) managed to keep the program (in the FBI).”