Thursday, December 31, 2009

NSPD-54: The Risk of Privacy...

It has been six days since one of the latest attempts to compromise the "Air Domain" and attack the United States. Aviation, homeland security and transportation, intelligence and law enforcement officials are burning the midnight oil, but this is standard operating procedure. Operational Risk Management is in the cross hairs of the core conversation associated with the threat and the likelihood of a similar incident happening again. The Washington Post is now reporting:

President Barack Obama said he would meet the heads of U.S. intelligence agencies on Tuesday to discuss ways of preventing a repeat of the attempted bombing of a Detroit-bound airliner on December 25.

Obama said in a statement he expected to receive assessments from several intelligence agencies Thursday evening and would review them during the weekend. He ordered the assessments after criticizing what he called the systemic failure that allowed the accused bomber to board the plane in Amsterdam.


So what does this incident have to do with NSPD-54? What is the nexus between information collection, analysis and action to defend our cyber infrastructure while simultaneously defending the public from other threats to the homeland?

NSPD-54, known as the CNCI (Comprehensive National Cybersecurity Initiative), attempts to unify agencies' fragmented approach to federal cybersecurity by reworking and expanding existing programs and developing new security programs that are better at reducing the risk that networks can be hacked.

The initiative's budget officially has been kept secret, but some cyber analysts estimated it to be $40 billion, spread over several years. According to the Washington Post, Bush's single-largest request for funds in the fiscal 2009 intelligence budget was for CNCI, although specific figures were not released.


Monitoring your information, whether Personal or not, is a National Priority, and the telecom companies are collaborating with the correct US agencies to make sure that privacy is at the forefront of the conversation. The risk of too much privacy will continue to be one of our greatest vulnerabilities, and the bad guys know this.

The "Risk of Privacy" and Einstein 2 or 3 will be at the top of the agenda for Howard Schmidt and his new role as Cyber Space Coordinator. The industry groups are pleased that he understands the private sector, and the fact that he has served in previous administrations may assist in his ability to build important bridges across deep chasms of relationships.

There are some who would say that the reason why the "Dots are not Connected" sooner, faster or more efficiently is because we are drowning in too much information to analyze. The automation of collection is the easy part. The filtering and pushing relevancy through the digital cheesecloth to get the most vital intelligence assets is a bit harder to accomplish. The human analysis, applying "Gray Matter" to the problem set and understanding the current "State-of-Play", is the ultimate challenge.

Beyond this, the average "John Q" citizen has probably never heard of 28 CFR Part 23, the privacy assurance mechanism put into place in the 90's pertaining to the fusion of criminal intelligence. Perhaps this is the single greatest impediment we face to ensuring our safety and security against threats from transnational eCrime syndicates, non-state actors and even the most sophisticated Nation States.

It is recognized that certain criminal activities including but not limited to loan sharking, drug trafficking, trafficking in stolen property, gambling, extortion, smuggling, bribery, and corruption of public officials often involve some degree of regular coordination and permanent organization involving a large number of participants over a broad geographical area. The exposure of such ongoing networks of criminal activity can be aided by the pooling of information about such activities. However, because the collection and exchange of intelligence data necessary to support control of serious criminal activity may represent potential threats to the privacy of individuals to whom such data relates, policy guidelines for Federally funded projects are required.

Fortunately for most, the opportunity exists for our government to "Connect The Dots" and prevent the next significant or systemic intelligence failure with the use of the correct technologies. After all, the human factors will continue to compromise our ability to achieve the level of "Predictive Analytics" and the intelligence we seek.