Senate panel slams Homeland Security data-sharing programs
Counterterrorism intelligence initiatives may be placing sensitive personal information in the crosshairs.
Following the 9/11 Commission's conclusion that federal, state and local authorities needed to significantly improve collaboration to combat potential terrorist threats, the Department of Homeland Security (DHS) established more than 70 so-called "fusion centers" to facilitate the real-time exchange of national intelligence. Nearly a decade after their implementation, a report from the Senate Permanent Subcommittee on Investigations has suggested that the national security initiative has produced negligible results and may have infringed upon citizens' expectations of privacy in the process.
"The Subcommittee investigation found that DHS-assigned detailees to the fusion centers forwarded 'intelligence' of uneven quality – oftentimes shoddy, rarely timely, sometimes endangering citizens' civil liberties and Privacy Act protections, occasionally taken from already-published public sources, and more often than not, unrelated to terrorism," the report stated.
Conflicting reports
According to the Los Angeles Times, DHS Secretary Janet Napolitano has praised the fusion centers on several occasions and suggested that they will be the fulcrum of next-generation counterterrorism efforts. The agency has also credited the data centers with identifying and disseminating the intelligence that ultimately disrupted at least two separate plots to attack the New York City subway system in 2009 and 2010. With intelligence shared across almost all major metropolitan efforts, law enforcement was able to track one suspect all the way from Colorado before apprehending him in New York.
However, the Senate panel concluded that DHS likely embellished the role of the fusion centers in these operations. In both cases, Congressional investigators determined that the terrorist plots were foiled via law enforcement channels that existed long before the implementation of the DHS data centers. In reality, the analytics programs were doing redundant work by scanning previously publicized and documented intelligence.
The fusion centers have also had a record of returning false positives. When a data security breach compromised the industrial control systems of an Illinois water treatment facility in November 2011, intelligence officials compiled a report suggesting that the incident was the result of a Russian hacker who had stolen an untold number of login credentials. In reality, it was later discovered that the alleged intrusion was triggered by an employee accidentally accessing systems remotely while on vacation.
Regulatory irregularities
After taking stock of the output produced by these fusion centers, Senate investigators attempted to trace the quality control issues back to their root cause. One of the predominant conclusions in the report was that DHS lacked effective staffing and training protocols.
"While the training process changed over time, the Subcommittee learned that DHS never required more than five days of intelligence reporting training for DHS personnel assigned to fusion centers," legislators discovered. "Moreover, DHS has not required reporting officials to pass a test or exam, or demonstrate they met any formal standards before they went into the field to gather information, despite the fact that they often collect and report sensitive information on U.S. persons."
One of the issues that emerged time and again as a result of this incomplete training was an influx of Homeland Intelligence Reports (HIRs) that violated consumer data protection rights. More concerning, the majority of these improper assessments came from a very small group of officials who were never reprimanded for their transgressions.
For example, investigators found that one DHS reporter had 26 of his 35 draft HIRs rejected within a 12-month period. In at least a dozen of those cases, document reviewers explicitly noted "civil liberties concerns" related to the collection of constitutionally protected private information. Yet while ineffective analysts often received informal counseling, Senators could not find evidence of a single officer who faced "significant consequences" for quality control issues.
Although office directors may have favored more aggressive oversight, many were likely hamstrung by small talent pools and a predominantly contract-based workforce. As a result, it quickly became a numbers game for some departments as they struggled just to keep up with daily workflows. Many were too busy sourcing enough qualified analysts and reviewers to spend significant time on professional development initiatives.
Moving forward
While a number of the findings were a bit discouraging, Senators insist that the existing fusion center infrastructure can deliver powerful results in the future with improved regulation and better strategy alignment.
Many of the subcommittee's recommendations centered on financial concerns. The current lack of transparency and effective oversight may not only sap public and government support for the initiative, but also lead to the misallocation of resources. As a result, report authors called upon Congress to begin by clarifying the expectations and performance metrics associated with the program funding it is providing. At the same time, DHS departments should be conducting top-to-bottom audits to ensure that government funding is being applied exclusively to efforts that will directly contribute to the federal counterterrorism mission.
From an operational perspective, Senators insisted that progress can only begin with improved training for intelligence reporters. This should include a greater emphasis on privacy protections as well as a framework for curriculum standardization and analyst certification. Department heads are also encouraged to develop a continuous performance assessment process so that potential problems can be identified earlier and resolved more efficiently.