Homeland Security Watch

Immediately following is a guest post by Peter J. Brown, a close observer of emergency communications and satellite operations at DHS and FEMA.   The post consists of questions Mr. Brown posed to the Department of Homeland Security about five weeks ago and the answers he received last  Friday. 

According to the official DHS backgrounder the National Applications Office, “is the executive agent to facilitate the use of intelligence community technological assets for civil, homeland security and law enforcement purposes within the United States.”  For more detailed background see the NAO Charter.

NAO has attracted scrutiny, skepticism, and more for the alleged use of satellites to spy on the American people.  Last July, Charlie Allen, former Director of the Office of Intelligence and Analysis, made a case for continuation of the NAO.

Peter J. Brown’s most recent published commentary on emergency communications and related matters appears in the October 2008 issue of  “Disaster Medicine & Public Health Preparedness“, a journal of the American Medical Association (subscription required).  He has also previously addressed the NAO and the National Emergency Communications Plan here at HLSwatch.

On Wednesday the House Homeland Security Committee, Subcommittee on Intelligence, Information Sharing, and Terrorism Risk Assessment held a hearing entitled, Homeland Security Intelligence and Limitations.   Access the link for prepared statements and a video of the hearing itself.

Local law enforcement pressed for a more proactive counterterrorism stance, especially in the use of Suspicious Activity Reports. Local law enforcement also asked for more and better federal cooperation in sharing intelligence.  This is hardly a headline. 

The director of the ACLU’s Washington legislative office offered,  “… an unfocused all crimes, all hazards approach to intelligence collection poses significant risks to our individual liberties, our democratic principles and, ironically, even our security.”  Once again, not exactly a surprise.

Unfolding before us in the Cannon House Office Building  was empirical evidence for quantum theory’s notion of parallel universes existing in shared space.  Each side was complete unto itself and detached from the alternative experience with which it was sharing space.  You could perceive subcommittee members playing political cosmologists and working to link the two. But – so far – this apparently exceeds human wisdom.

Other than space, those testifying seemed to share very  little interest in training and education.  Laws, regulations, internal controls, standards, guidelines, strategies, principles, and priorities were all discussed at some length.  Helping law enforcement  professionals learn how to practice intelligence functions effectively and constitutionally… not so much.

For many years the International Association of Law Enforcement Intelligence Analysts has facilitated helpful training.  The DHS Office of Intelligence and Analysis offers training to its state and local partners.  Last year DHS awarded a grant to the National Consortium for Intelligence-Led Policing.  It received $2.48 million to, in part, develop and deliver training and education.  More is being done.  More could undoubtedly be done.

But sometimes we become so preoccupied by “what” we neglect the “how.”  I have never talked to a cop who wanted to undermine the constitution.  I am sure they exist, but I have not talked to one.  I have talked to plenty of cops and other public safety professionals who do not receive any regular training beyond the absolute minimum to keep their badge.  That’s a problem for all sorts of reasons.

The National Fusion Center Conference opens today in Kansas City.  In her recent testimony before the House Homeland Security Committee Secretary Napolitano signaled that her remarks to the conference should be of particular interest.  She is scheduled to keynote at 3PM Central Time on Wednesday.

The President’s budget proposal to Congress has increased federal support for state-operated fusion centers.  This sustained support is consistent with recommendations of  an April 2008 GAO study .

The fusion centers are an essential element in anticipating and preventing terrorist activity.  In some jurisdictions the counterterrorism mission is combined with an “all-crimes” mission.  This is consistent with the practice of intelligence-led policing. In a few jurisdictions the fusion centers are assuming an “all-hazards” mission that begins to build a regional capacity for real risk analysis.

This week’s Time magazine opens and closes a story on fusion centers by highlighting concerns about privacy rights.   The potential for abuse is present.   Widely criticized covert investigations by the Maryland State Police did not involve the Maryland Fusion Center, but illustrate the cause for concern.   The American Civil Liberties Union is giving fusion centers ongoing critical attention.

Federal guidelines for fusion centers are explicit and detailed in protection of privacy rights.  Federal statutes, in particular 28 CFR, Part 23, establish rigorous standards for intelligence collection, almost always requiring reasonable suspicion or criminal predicate.  Ongoing training and enforcement is needed to preserve the operational benefits of the fusion centers.

The White House issued President Bush’s final Homeland Security Presidential Directive (HSPD-24) on June 5, 2008. Entitled “Biometrics for Identification and Screening to Enhance National Security,” HSPD-24 provides a framework to align Federal executive departments and agencies in the “collection, storage, use, analysis, and sharing of biometric and associated biographic and contextual information of individuals.”

The PD tasks multiple agencies – led by the AG – with developing an implementation plan by June 2009. DHS has a significant stake in coordinating federal use of biometrics. DHS is the steward of the Biometric Storage System. DHS runs the Screening Coordination Office. DHS operates the U.S. Citizenship and Immigration Services, which conducts 135,000 national security background checks, including the collection of 11,000 sets of fingerprints, every day.

On Jan 27-28, 2009, NDIA convenes its Biometric Conference 2009, which is intended to bring together stakeholders (including federal implementers) to address challenges of successfully implementing HSPD-24, along the lines of the following:
• Policy development
• Existing and planned U.S. Government programs
• Examples of commercial application of biometrics to address mission critical business goals
• Enabling technologies
• Initiatives within the international community
• Challenges to achieving true interoperability and information sharing.

NDIA states that the conference’s goal is to develop a “mutual understanding and cardinal direction for possible solutions wherein jurisdiction gaps are closed, technologies are interoperable and policies are cohesive.”

For more one the conference, check out the agenda here.

The 9/11 Commission Act included a section called The Federal Agency Data Mining Reporting Act of 2007, which requires the DHS Privacy Office, led by the Chief Privacy Officer, to report to Congress on its implementation of the Act. The Privacy Office just released its report. The new report, “Data Mining: Technology and Policy,” discusses current data mining activities, as well as those under development in the Department. It covers the following ground:

• How DHS programs satisfy the Act’s definition of “data mining”

• The Privacy Office’s public workshop, Implementing Privacy Protections in Government Data Mining (July 24-25, 2008)

• The Principles for Implementing Privacy Protections in S&T Research Projects, which are the newly-announced privacy principles, including those that involve data mining

The report focuses on three major programs:

1. Automated Targeting System (ATS) Inbound, Outbound, and Passenger modules (CBP)

2. the Data Analysis and Research for Trade Transparency System, (ICE)

3. Freight Assessment System, (TSA)

The report provides each program’s purpose and methodology, technology, legal authority, and sources of data, along with an assessment of how well the program is doing.

A challenge for the homeland security community has been the reactive nature of the privacy-related efforts undertaken. Often the Privacy Impact Assessments and other measures are conducted after a technology is developed. Many in the broader policy community and industry have begun suggesting that privacy protections be made a part of technologies, or that technologies be developed for the sole purpose of protecting privacy.

The Privacy Office’s public workshop on Implementing Privacy Protections in Government Data Mining assembled academics, government researchers, policy and technology experts, and privacy advocates this summer to discuss the privacy issues associated with government data mining. One of the outcomes of the workshop was an effort by the Privacy Office and DHS S&T to develop privacy principles that could be embedded in S&T’s research and development projects involving data mining.

This effort led to a set of Principles for Implementing Privacy Protections in S&T Research, which S&T has agreed will govern “new research performed at S&T laboratories, S&T-sponsored research conducted in cooperation with other Federal government entities, and research conducted by external performers under a contract with S&T.”

Many thanks to reader WRC for sending in the notice about this report’s release.

Earlier this year DHS and the airlines went head-to-head over who should be responsible for checking passengers’ names against the federal no-fly list. DHS said they would maintain a list of names of people that would either be subject to additional screening (“selectee”) or not be permitted to fly (“no-fly”). It did not take long for the air lines to object, claiming an undue burden on their operations, and DHS fretted over inconsistent application of the list by the private air carriers. Eventually, all agreed the situation wasn’t working and today Secretary Chertoff issued a new “rule” reversing the process.

Under the new rule, part of Secure Flight, airlines will submit encrypted flight reservation information to TSA. TSA will compare that data with a constantly maintained/updated no-fly list and selectee list. Then TSA will send the results back to the airline “if there’s a problem,” said Chertoff during a press event today. It is unclear if the airlines only hear back from TSA in the event of a “hit” on the list. It may be the case that if TSA doesn’t comment, then the air lines are clear to board the passenger. Silence equals acceptance?

The private sector fell short in carrying out baggage screening, and so we gave it back to TSA. The private sector failed to meet expectations on the no-fly lists, and so it goes back to TSA. This would seem like a clear cut victory for the airlines. They offload all the risk to TSA at the screening lanes and with checking the no-fly lists.

But this is a win for the traveling public, too. Someone once said that “government is the name we give to those things we decide to do together.” This is a classic example. It never made sense to outsource this important process to the private sector.

And then the Secretary made it interesting: Ever wonder how many names are on that watch list? Well Chertoff decided to share some details. Estimates have ranged up to 1 million names. According to the Secretary, “there are fewer than 16,000 — that’s one six — 16,000 unique individuals who are selectees in TSA’s database.” (He further clarified, “That’s 16,000. One six.”)

He went on state that most people on the list “are not even American citizens” and the vast majority of the names are for further screening (selectee status); they are not necessarily banned from flying. That number is closer to 2,500, of which approximately 10% are American citizens, according to the Secretary.

As reported in today’s Washington Post, an employee of investment firm Wagner Resource Group in McLean, VA, traded music or movie files late last year with other users of the online file-sharing network LimeWire while using a company computer. As a result, he inadvertently made the private files of his firm’s clients accessible on the Net.

This exposed the names, dates of birth, and social security numbers of about 2,000 clients, including Supreme Court Justice Stephen G. Breyer.

This puts into perspective the concern expressed by Peter Schaar, Germany’s data protection commissioner, quoted in another story appearing in today’s Post by Ellen Nakashima. Commenting on a new effort by the Department of Homeland Security to gain access to more private information about individuals visiting the U.S. from Europe (as well as sharing such information about American’s with EU countries), Schaar found:

no “clear rules on purpose limitation” or on the storage period. “First,” he said, “which data are of concern is not really completely clear. Second, who are the competent authorities on the U.S. side? Third, and most important, there is a lack of independent supervision in the United States over data protection.” In European states, independent privacy commissions safeguard the privacy rights of citizens, he said.

If we have social security numbers of Supreme Court Justices being accidentally shared on the Internet, I can see why he might want further assurances. The Post article points out that Schaar’s questions over which “data are of concern is not really completely clear,” may actually be addressed. Unfortunately, it is disturbing which data is to be shared. According to the news:

The agreement, which was described by two European officials, also allows for the transmission of “personal data revealing racial or ethnic origin, political opinion or religious or other beliefs, trade union membership or information concerning health and sexual life” in cases where they are “particularly relevant to the purposes of this agreement.” It defines personal data as “any information relating to an identified or identifiable natural person.”

Political opinion, trade union membership, or information concerning sexual life? This is too much. That the agreement “shall take suitable safeguards, in particular, appropriate security measures, in order to protect such data,” does not provide the convincing assurance that such information would not be accessed by the ill-intended (like the State Department employees illegally accessing passport records) or the clumsy (like the case of the investment firm above).

But such assurances seem secondary in comparison to the apparent lack of connection between someone’s sexual orientation, political affiliation, or membership in a trade union to a criminal act. I can see why such things as previous travel destinations, the purchase of a one-way ticket, or the use of a suspicious credit card would be relevant to an investigation with cause, but knowing if the traveler is gay, a Republican, or a member of the American Federation of Teachers seems too much.

Yesterday the White House issued a new directive intended to coordinate efforts by Federal departments and agencies to collect, store, use, analyze, and share biometric and associated biographic and contextual information of “known and suspected terrorists.”

The joint national security and homeland security directive, known as NSPD-59/HSPD-24, seeks to enhance government capabilities in managing biometric data about suspected terrorists. This directive refers to a “Federal framework for applying existing and emerging biometric technologies to the collection, storage, use, analysis, and sharing of data in identification and screening processes.” The framework is intended to better structure the various federal efforts focused on biometric identification for national security purposes as part of “a layered approach to identification and screening of individuals.”

This dovetails well with the post earlier this week about the discussion with Patty Cogswell of the DHS Screening Coordiantion Office. Note also the potential relationship between this directive and efforts underway at the FBI (Next Generation Identification) and at DHS (Biometric Storage System).

The following orders, directives, and strategy documents bear on this directive’s implementation:
• Executive Order 12881 (Establishment of the National Science and Technology Council);
• Homeland Security Presidential Directive 6 (HSPD 6) (Integration and Use of Screening Information to Protect Against Terrorism);
• Executive Order 13354 (National Counterterrorism Center);
• Homeland Security Presidential Directive 11 (HSPD 11) (Comprehensive Terrorist Related Screening Procedures);
• Executive Order 13388 (Further Strengthening the Sharing of Terrorism Information to Protect Americans);
• National Security Presidential Directive 46/Homeland Security Presidential Directive 15 (NSPD-46/HSPD-15) (U.S. Policy and Strategy in the War on Terror);
• 2005 Information Sharing Guidelines;
• 2006 National Strategy for Combating Terrorism;
• 2006 National Strategy to Combat Terrorist Travel;
• 2007 National Strategy for Homeland Security;
• 2007 National Strategy for Information Sharing; and
• 2008 United States Intelligence Community Information Sharing Strategy.

The main thrust behind HSPD-24 is an intention to make all biometric and associated biographic and contextual information of threatening persons available to all agencies. Sounds sweeping. The HSPD does make explicit that the scope here is to enable information sharing across the Executive branch, not to collect more biometric data. That the Assistant to the President for Homeland Security and Counterterrorism is the primary person responsible for “interagency policy coordination on all aspects of this directive,” this may not mean much. That position has been vacant since last year.

UPDATE: The day before I wrote this post the President named Fran Townsend’s successor. Thomas P. Bossert is the new Deputy Assistant to the President for Homeland Security. This is a promotion from his job as Special Assistant to the President for Homeland Security and Senior Director for Preparedness Policy. Bossert also served as Director of Infrastructure Policy on the HSC staff and, before that, as Deputy Director in the Office of Legislative Affairs at DHS’s former Emergency Preparedness and Response Directorate.

Waiting in the HLSWatch.com inbox upon my return from Big Sky, Montana, were scanned copies of correspondence between DHS Assistant Secretary for Policy Stewart Baker and Montana Attorney General Mike McGrath about the state’s request to opt out of the REAL ID Act.

DHS granted an extension on Friday to the state of Montana so that it can comply with the REAL ID Act. The only thing is that Montana never asked for an extension. Montana governor Brian Schweitzer made news over his intention to defy the law passed by Congress in 2005. Schweitzer is leading a charge (joined by Maine, South Carolina, New Hampshire, and Oklahoma) to oppose the REAL ID Act and any efforts by DHS to impose penalties for non-compliance.

The 9/11 Commission recommended that the U.S. rationalize the state identification regime in order to reduce the risk of fraud (suspected to aid terrorists and criminals alike). The Commission argued that the federal government should “set standards for the issuance of … driver’s licenses.” The REAL ID Act requires that a standardized driver’s license be used for “official purposes.” At this point, DHS proposes to define “official purposes” of a REAL ID as accessing federal facilities and nuclear power plants and boarding commercial aircraft. The main beef states have with the Act is the lack of funding to pay for the mandate. DHS is stretching out the compliance period over almost ten years (2014) to make it easier on states, but that only avoids the REAL problem according to Governor Schweitzer. Schweitzer and the Montana state legislature oppose it on principle.

(It sure doesn’t help that the Secretary suggested contrarians should “grow up” about security measures, such as the REAL ID provisions. The statement emboldened critics to examine his tenure more closely and shift the focus away from REAL ID.)

Montana seeks a complete waiver, but DHS’s Stewart Baker explained in a letter to Montana’s Attorney General that DHS has only the authority to carry out the statute or grant extensions to state’s that “meet the requirements” of the REAL ID Act.

Frankly, after Montana’s governor has called the law “nonsensical”, “kooky,” and “hare-brained,” and invited other states to join him in a showdown over “the DHS coercion to comply,” I’m impressed with Baker’s dispassionate response. Baker wrote in a response the same day he received McGrath’s letter:

Under the statute, the Department [of Homeland Security] can only grant an extension of the compliance deadline [as opposed to a waiver.] Therefore, I can only provide the relief you are seeking by treating your letter as a request for an extension.

Of course, Schweitzer’s whole deal is that he’ll never seek an extension because it would be interpreted as intention to implement the Act.

Additional public information about the developing cybersecurity policy can be found in an interview with DNI McConnell in the Jan 21, 2008, issue of The New Yorker. In it, interviewer Lawrence Wright describes McConnell’s path to prioritizing cybersecurity, the scale of the challenge to secure both government and private networks, and some of the unique characteristics of the plan that invoke privacy concerns. As noted in yesterday’s post, the President requested $436 million to fund cybersecurity initiatives likely to be driven by this strategy.

Highlights:
• In May 2007, at a meeting with the President and several cabinet members, McConnell asked for authority to wage information warfare against the tech savvy insurgents in Iraq. McConnell identified computer-network defense as an area in which the U.S. was under-invested. The President then charged McConnell to craft a security strategy, not only for government systems but also for American industry and private individuals.

• McConnell’s Cybersecurity Policy, which is still in draft, recommends reducing the access points between government computers and the Internet from two thousand to fifty.

• McConnell expresses concern about private sector defense. “The real question is what to do about industry,” McConnell is quoted as saying. He continues, “Ninety-five per cent of this is a private-sector problem.”

• McConnell suggests that the “real problem is the [cyber crime] perpetrator who doesn’t care about stealing [money] —he just wants to destroy.”

• Privacy protections are considered to be in conflict with enhanced security. A contributor to the strategy and long-time collaborator with McConnell says that the government needs the authority to examine the content of any e-mail, file transfer, or Web search.  Citing a maxim among the info-sec community, he concluded that “Privacy and security are a zero-sum game.”

• Aware of the difficulties in obtaining new powers for security measures, McConnell says that “FISA reform will be a walk in the park compared to this….”

A new office opens in October at DHS that will manage civilian use of intelligence community and DoD assets. The National Applications Office is the post-9/11 incarnation of what used to be called the Civil Applications Committee that started in 1974 as the result of the President’s Commission on CIA Activities Within the United States (Rockefeller Commission).

Beginning next month, the National Applications Office (NAO) will serve as the “principal interface” between the intelligence community and the Civil Applications, Homeland Security, and Law Enforcement Domains.  According to Bobby Block at the Wall Street Journal, it was a May 25 memo that empowered DHS through the NAO to gain access to some of the U.S.’s most powerful intelligence-gathering capabilities.  Director of National Intelligence Michael McConnell designated DHS as the executive agent and functional manager of the National Applications Office.  It was this May 25 memo to Secretary Chertoff that assigned responsibility to DHS for:

• Enabling a wide spectrum of civil applications, homeland security, and law enforcement users greater access to the collection, analysis, and production skills and capabilities of the intelligence community;

• Enhancing intelligence and information sharing and dissemination to federal, state, and local government and law enforcement users;

• Educating customers about the capabilities and products of the intelligence community;

• Advocating future collection technology needs of the civil applications, homeland security and law enforcement customers in the intelligence community and Department of Defense forums; and

• Providing a forum for discussion of proper use oversight and management of new uses of classified information on behalf of domains, in addition to already established uses.

Last week, the House Homeland Security Committee convened a hearing about the NAO as noted here. Witnesses from DHS included Charlie Allen, Chief Intelligence Officer; Hugo Teufel, Chief Privacy Officer; and Dan Sutherland, the Civil Rights and Civil Liberties Officer.

A National Applications Executive Committee will be established to provide interagency oversight. A DHS fact sheet issued on 15 August describes how the NAO will work with the “advice and support” of three customer domain working groups:

• Civil Applications Domain Working Group: This working group will continue the efforts of the Civil Application Committee that have been ongoing for more than 30 years, including scientific, geographic and environmental research.

• Homeland Security Domain Working Group: The “Homeland Security Domain” includes those government agencies and activities involved in the prevention and mitigation of, preparation for, response to, and recovery from natural or man-made disasters, including terrorism, and other threats to the homeland. This domain can encompass the many operational and administrative components of DHS, as well as other federal, state, local, and tribal elements who partner with the department. Its work will complement the Civil Applications Working Group in areas like natural disaster response.

• Law Enforcement Domain Working Group: This working group includes federal, state, local, and tribal entities, and those activities which support both the enforcement of criminal and civil laws, and the other operational responsibilities and authorities of these entities.

UPDATE 9/11/07: For video stream and complete statements for the record by those testifying before the House Homeland Committee, click here.

DHS Chief Privacy Officer Hugo Teufel III last Friday announced that the Department has released four Privacy Act records involving DHS’s Automated Targeting System (ATS). These records have been posted to the department’s public Web site and were scheduled to appear Monday in the Federal Register.  The four records are an updated System of Records Notice (SORN), the Discussion of Public Comments Received on the SORN, a Notice of Proposed Rulemaking for Privacy Act Exemptions, and a Privacy Impact Assessment (PIA).  

After receiving hundreds of comments regarding the initial SORN published in November 2006, the department revised it in the following way:

•        ATS-P will retain the information for a far shorter period of time. The retention period is now 15 years (7 years active and 8 years dormant), a significant decrease from the proposed 40-year period.

•        Under ATS-P, the purposes for which Passenger Name Record data (PNR) may be used have been narrowed.

•        The SORN implements the department’s mixed system policy, which administratively extends the protections of the Privacy Act of 1974 to non-U.S. persons by providing access and redress to their PNR data.  

According to Teufel, DHS does not collect information on race, ethnicity, religion, or orientation, or make decisions based on such information, and to the extent such information may be provided by a carrier, the department filters that information.  More information about this announcement is available.

Looks like the U.S. and EU overcame the most recent tussle concerning how the two allies will share private or personal information in pursuit of terrorists (and other criminals, or course).  The press release from this afternoon is available here.  Following are the main points:

• The Department of Homeland Security will collect 19 types of PNR data.
• The data will be maintained for seven years in an active file, and eight years thereafter in a dormant file with limited access.
• How DHS collects PNR data from airline reservation systems changes, too. Air carriers will now transmit PNR data directly to DHS.
• European air carriers get legal assurance that they will not be in violation of EU privacy law.

The Federal Register contained a notice today by the TSA on a new information collection requirement related to a program that has not previously disclosed, based on a quick Google search of its name:

The Rice-Chertoff Initiative (RCI) Department of Homeland Security Traveler Redress Inquiry Program (DHS TRIP) was developed as a voluntary program by DHS to provide a one-stop mechanism for individuals to request redress who believe they have been: (1) Denied or delayed boarding; (2) denied or delayed entry into or departure from the United States at a port of entry; or (3) identified for additional (secondary) screening at our Nation’s transportation hubs, including airports, seaports, train stations and land borders. The DHS TRIP office will be located at, and managed by, TSA. In order for individuals to request redress, they are asked to provide identifying information, as well as details of the travel experience.

The one-year anniversary of the launch of the Rice-Chertoff Initiative is later this month; this program is the result of Chertoff’s promise in that speech to establish a “government-wide traveler screening redress process before the end of this year [2006].”

For more on this issue, see this earlier post.

Today’s edition of the Federal Register provides notice of the interim agreement that was reached in October 2006 between the United States and the European Union on passenger name record (PNR) data, following the European Court of Justice’s decision to strike down the earlier PNR agreement that dated from 2004. There are no surprises in the new notice – its contents had been widely aired last fall – but it’s useful as a complete record of the new agreement.

The DHS Privacy and Data Integrity Advisory Committee has released several interesting documents within the last week, including a report entitled “The Use of Commercial Data” and the transcript of its September advisory committee meeting: Part 1, Part 2. The latter documents transcribe interesting discussion at this meeting on issues related to the Privacy and Civil Liberties Oversight Board, the Office of Screening Coordination at DHS, and progress on establishing an effective traveler redress system.