Information sharing

01.08.2013 Budget, fusion center, homeland security intelligence, Information sharing, intelligence, intelligence center, Performance Measures, Strategy, Uncategorized

DHS Fusion Center Assessment Report is out…How’d we do?

The Department of Homeland Security (DHS) released its 2012 National Network of Fusion Centers Assessment Report and the results are encouraging. DHS reported that (overall) fusion centers improved their capability scores by 11 points over the 2011 assessment report card. Summary findings, based on Critical Operating Capabilities (COCs):

COC 1 – Receive

  • All fusion centers (77 or 100%) have access to federally sponsored Sensitive But Unclassified (SBU) information sharing systems.
  • Every fusion center (77 or 100%) has at least one person cleared to access Secret information, but regular staff turnover means that fusion centers will continue to request new clearances (approximately 500 new clearance requests in the next 12 months).
  • A significant number of fusion centers have on-site access to classified information sharing systems (66 or 85.7%).
  • Fusion center use of the DHS Secret Internet Protocol Router Network (SIPRNet) Whitelist (Whitelist) is limited (41 or 53.2%).

COC 2 – Analyze

  • Fusion centers are highly involved in assessing threat and risk for their area of responsibility (AOR) (72 or 93.5%).
  • Fusion centers are obtaining and using customer feedback on their analytic products (structured feedback: 65 or 84.4%).
  • Analytic production plans are used widely across the National Network (60 or 77.9%).
  • Critical infrastructure protection capabilities continue to expand across the National Network (75 or 97.4%).

COC 3 – Disseminate

  • Despite progress since 2011, less than half (35 or 45.5%) of the National Network have a process in place to verify that customers are receiving their products.
  • Fusion centers are increasingly designating a single, primary information sharing system (72 or 93.5%), but Homeland Security Information Network (HSIN) Intel is not frequently cited (23 or 29.9%) as the primary system for unclassified communication between fusion centers.

COC 4 – Gather

  • The number of fusion centers that have developed Standing Information Needs (SINs) has increased (59 or 76.6%), but continued attention to SINs development is necessary.
  • The National Network has a robust request for information (RFI) management capability (69 or 89.6%).
  • A significant percentage of the National Network are involved in the Nationwide Suspicious Activity Reporting (SAR) Initiative (NSI), in particular in providing line officers with information on the behaviors identified in the Information Sharing Environment (ISE)-SAR Functional Standard (SAR line officer training: 66 or 85.7%).

DHS has identified three areas for improving fusion center capabilities:

  1. Use Standing Information Needs (SINs) as the foundation of a customer-driven fusion process:
    Fusion centers need to have a process for a) deriving and cataloguing regional and federal information and intelligence needs (SINs), and b) actively tagging/associating these SINs with the information and intelligence products they produce.
  2. Document key business processes and ensure consistent access to training:
    High turnover in critical fusion center staff positions is going to be the norm, for a number of reasons – staff rotations, augmentation, contract renewals, promotions, etc. Fusion Center Directors must plan for this “churn” by taking the time to a) document the center’s core business processes, b) keep SOPs and policies up to date, and c) develop training and other performance support tools to minimize the impact of staff turnover on center operations.
  3. Implement organizational planning and evaluation processes to continuously improve fusion center operations:
    Fusion centers should clearly develop and communicate their center’s mission, goals, and objectives by developing a strategic plan, and using that plan as a tool to measure its performance. The strategic plan and periodic performance reports should a) help to communicate how investments in the fusion center result in tangible results, and b) help to drive annual budget requests to sustain or enhance current center capabilities.

I see gaps in these areas in my own work with fusion centers…unfortunately, many fusion centers are so busy with operational activities, that developing SOPs, training, strategic plans, etc., ends up on the back burner.

One other area, not directly addressed by the DHS assessment process, is the development of an effective plan and roadmap for building an IT infrastructure that supports the four COCs. This too gets relegated to the back burner. In some cases, IT is addressed, but in a piecemeal fashion – Fusion Center Directors should elevate the need for an integrated IT plan, one that is developed from Fusion Center business processes and describes three key areas.

Suggested Components of a Fusion Center IT Strategy

  • Information and Intelligence exchanges – what information, data, and intelligence comes-in and goes-out of the Fusion Center?
  • What functional capabilities does the Fusion Center have now and which systems deliver those capabilities? (as-is)
  • What NEW functional capabilities does the Fusion Center need, and how will the center procure them? (to-be)
  • How much money does the Fusion Center need to a) sustain current capabilities and b) to implement the new capabilities?

Feel free to reach out to me if your center would like to discuss enhancing your operational and/or IT planning capability.

r/Chuck

 

06.06.2013 CCTV, crime, Information sharing, law enforcement, public safety, security, Technology

LEIM 37th Annual IACP: Tuesday May 21st 2013

This was my second year attending LEIM and certainly the most enjoyable as the setting for this year was the beautiful Fairmont Scottsdale Princess Hotel. Coming from a country (Ireland) that has been deprived of good summers for the last few years, I was overwhelmed by the glorious sunshine.

As I walked around the beautiful grounds of the Fairmont Princess, enjoying the heat, I took in the perfectly manicured lawns, the towering cactus displays and the perfect little bunnies. This was just heaven and so far away from the cold, rainy Dublin I had left some days previous.

I’m glad to say as I write this from my kitchen in Dublin; the sun is streaming in the window, and is bringing back memories of Scottsdale!

I discarded my swimsuit and dressed more appropriately for the Opening Ceremony of LEIM 2013. Scott Edson, the past year’s Chair, opened LEIM with a warm welcome for everyone and a brief outline of the next few days events and sessions. He was joined by Alan G. Rodbell, Chief of Police, Scottsdale and Bart Johnson, Executive Director, IACP; they too gave a brief introduction and welcomed all.

After the opening I went along to my first plenary session of LEIM, The Evolving Role of Technology in Policing. This session also included results from the previous day’s Information Technology (IT) summit. Tom Casady spoke about technology changes over the years and how it changed law enforcement.

  • The telephone was a big innovation from the 1930’s, and is still a critical tool today.
  • Cars and motorcycles changed everything for the average policeman patrolling the street on foot. Harley Davidson credits Detroit, Michigan as being the first purchaser of police motorcycles as early as 1908. The use of cars and motorcycles by police was widespread by the 1930’s.
  • Two-way radio with the invention of the Motorola Police Cruiser Radio Receiver in 1936 again changed policing for the better. This was a rugged one-way car radio designed to receive police broadcasts. These have of course evolved into the Police Scanners we know today.
  • In 1968 the first 911 call centre began where people could contact police on a simple but easy number to remember, in an emergency. This highly successful contact is still used to this day.
  • The typewriter was used from the early 20th century and of course has evolved from the 1960’s, to the computers and laptops that are used today.
  • Finally, in 1974, the stun gun was invented. It became an invaluable tool to subdue fleeing or potentially dangerous persons, and gives officers a less lethal alternative to firearms in many situations. As many lives as it has saved, it is still a subject of controversy, as its use has been implicated in some instances of serious injury or death. But having seen its use over the years, and in particular, the British police recently using this device to subdue the two terrorists responsible for the killing of Drummer Lee Rigby in Woolwich on May 22nd, I do agree with police being armed with them.

Of course technology has evolved from all this, to the brilliance of what we have today. From Cell phones, Laptops, Augmented Reality, Wearable Technology, i.e.: Cameras, Voice Recognition, Facial Recognition, Predictive Analytics, DNA Biometrics, Embedded GPS and to Social Media using Twitter and Facebook as a means of getting information from the public at the time and place of a crime or disaster.

There are a few articles and more information on this subject below:

Stay tuned for a couple more blog postings about the 2013 LEIM Conference.

Thanks…r/Mary

02.03.2013 Budget, congress, criminal justice, Data, data sharing, Information sharing, justice, law enforcement, Law enforcement information sharing, leadership, LEIS, N-DEx, NIEM

Letter to Congressman Reichert: If you want LE information sharing, please aim your pen at a different target

If you want law enforcement agencies to share information, go to the source and help the Chiefs and Sheriffs to push their data into the FBI’s National Data Exchange (N-DEx). Trying to impose information sharing with unfunded standards mandates will not work.

As someone who has been in the standards business since 1995, history has proven to me that:

  • The business need must drive standards, standards can NEVER drive the business; and
  • Trying to SELL the business on standards is a losing strategy.

Hi Congressman Reichert,

You won’t remember me, but a long time ago we were in meetings together in Seattle with the likes of John McKay, Dave Brandt, Scott Jacobs, Dale Watson, and others working on building the Law Enforcement Information Exchange (LInX); I was the technical guy on the project, working with Chief Pat Lee and our very dear lost friend Julie Fisher (may she rest-in-peace, I sure miss her).

A hell of a lot of water has gone under the bridge since then–it’s been nearly TWELVE YEARS. If we look back over this time, we have had so many bills, laws, strategies, policies, papers, speeches, conferences, proclamations, and other assorted attempts to prod law enforcement data loose from the nearly 18,000 agencies across our country. While we are far better off than we were back then, I think we can agree that we still have a long way to go.

Where we differ, I’m afraid, is in the approach to get there – a few days ago, you proposed legislation, the Department of Justice Global Advisory Committee Authorization Act of 2013, as a means to improve information sharing among law enforcement agencies – do we really believe another “stick” will work to get agencies to share information? Do we really believe it’s a technology or data standards problem that’s preventing law enforcement data from being shared? As a technologist for 34 years, and someone who has been involved in law enforcement information sharing since the Gateway Project in St. Louis, MO in 1999, I can tell you it is neither.

While I applaud the work of the GAC, and I have many colleagues who participate in its work, I’m afraid having more meetings about information sharing, developing more standards, approving more legislation, and printing more paper will NOT help to reach the level of information sharing we all want.

Instead, I want to propose to you a solution aimed at capturing the commitment of the men and women who can actually make law enforcement information sharing happen, and virtually overnight (metaphorically speaking) – namely, the great men and women who lead our police and sheriffs departments across America.

Now to be fair, many of these agencies are already contributing their records to a system I am sure you are familiar with called the National Data Exchange (N-DEx). Built by the FBI CJIS Division, this system has matured into a pretty respectable platform for not only sharing law enforcement information, but also for helping cops and analysts to do their respective investigative and analytic work.

Now, in case you are wondering, I do not own stock in any of the companies that built N-DEx, nor has the FBI signed me up as a paid informant to market N-DEx. I write to you on my own volition as a result of my nearly six years of volunteer work as a member of the International Association of Chiefs of Police (IACP) Criminal Justice Information Systems (CJIS) Committee.

About two years ago I volunteered to lead a small sub-group of the committee who have either built, led, or managed municipal, state, federal, or regional information sharing systems. Our charge was (and still is) to help CJIS take a look under the hood of N-DEx to see what’s in there (data wise) and to help figure out what needs to be done to make it a more effective tool to help cops across America catch more criminals, and maybe, just maybe, even prevent criminals from acting in the first place.

While our work is far from done, I can tell you that one thing we need is more data – as you well know, be it N-DEx, LInX, RAIN, or any other information sharing system, it is only as good as the data that’s put into it.

Believe it or not we already have the data standards in-place to get the data into N-DEx. CJIS has developed two Information Exchange Packet Descriptions (IEPDs) that tell agencies exactly what to do and how to format and package up their data so it can get to N-DEx. Additionally, CJIS has an extensive team ready to assist and my colleagues over at the IJIS Institute hold training sessions sponsored by BJA, to help agencies along the process (NIEM training).

These two IEPDs can help law enforcement agencies today to share the following law enforcement records:

  • Service Call
  • Incident
  • Arrest
  • Missing Person
  • Warrant Investigation
  • Booking
  • Holding
  • Incarceration
  • Pre-Trial Investigation
  • Pre-Sent Investigation
  • Supervised Release

So what’s the hold up? Speaking only for myself, and I will be very straight with you, I believe the root cause for not getting more law enforcement data into N-DEx is the current piecemeal, politically charged, hit and miss grant funding process that the Act you propose, if passed, will burden even further – see page 3, lines 17-25 and page 4, lines 1-6.

Instead, I ask that you please answer the following question…

If law enforcement information sharing is important enough to push through a Public Act, where is the nationwide project, with funding, to get all shareable law enforcement data loaded into the one system that would give ALL law enforcement officers and analysts access to collective knowledge of the nearly 18,000 law enforcement agencies?

The immediate answer might be “we already have one; N-DEx;” however, N-DEx is only a piece of the answer…it’s as they say, “one hand clapping.” And in all fairness to my friends and colleagues at the FBI CJIS Division, that program was only charged and funded to build the  N-DEx bucket, they were never funded to actually go get the data to fill the bucket.

The strategy, for whatever reason back then, was relegated to a “build it and they will come” approach, that IMHO has not worked very well so far and may take another 5-10 years to work. I should also note that the bucket isn’t totally empty…there are quite a number of agencies and regional projects, like LInX, that have stepped up and are helping to fill the bucket – however, if we want to expedite filling up the bucket, focusing on mandating more standards is not the answer.

What I submit is the “other hand clapping” is the need to shift focus away from policy, standards, and technology, and establish a funded nationwide project that will offer a menu of choices and support packages to the Chiefs and Sheriffs that will enable them to start sending as many of their shareable records as possible to N-DEx.

Some of the options/support packages could include:

  1. Provide direct funding to agencies and regional information sharing systems to develop N-DEx conformant data feeds to N-DEx;
  2. Grant direct funding to RMS and CAD system providers to develop N-DEx conformant data feeds from their software, with the stipulation they must offer the capability at no additional cost to agencies that use their products;
  3. Establish a law enforcement data mapping assistance center, either bolted on to IJIS NIEM Help Desk, as an extension of NLETS menu of services, or through funding support at an existing information sharing project like the Law Enforcement Technology, Training, & Research Center who works in partnership with the University of Central Florida.

At the end of the day, we all know that the safety and effectiveness of law enforcement is greatly affected by the information he or she has at their fingertips when responding to that call.

Do you really want to leave it to chance that that officer’s life is taken, or a criminal  or terrorist is let go because his or her agency wasn’t “lucky enough” to win the grant lottery that year?

So, let’s empower the single most powerful force that can make sure the information is available – the Sheriff or Chief leading that agency. Let’s stop with the unfunded mandates, laws, standards, studies, point papers, etc., and let’s finally put a project in-place with the funding necessary to make it happen.

v/r

Chuck Georgo,

Executive Director
NOWHERETOHIDE.ORG
chuck@nowheretohide.org

05.06.2012 Information sharing, intelligence, law enforcement, social media

LEIM 36th Annual IACP: Internet Profiling and Intelligence Gathering

I have always thought that Private Investigators were sleazy peeping toms who spied on others to make money catching people in compromising positions—very useful if you’re the wife of a philandering jerk.

Boy was I off the mark. I attended a presentation by Michele Stuart, an Investigator with her own company, JAG Investigations, Inc in Arizona. From the moment she started her presentation, we were on the edge of our seats. For about 40 minutes, she made us all sit up and listen to what she had to tell us about the challenges and tools of using the internet to conduct investigations and to share with us her impressive knowledge of public records and on-line databases.

With over 18 years of investigative experience behind her, Michele knew a lot about websites that rob your personal information, how to find someone on the internet, and many more informative pieces of information that would help those who use the internet to find people.

As an example, she launched her presentation with “who owns an android phone”, as several of us raised our hands. Followed with “and do you have the flashlight app installed on your androids”? To which several of us (including me!) left our hands up. Apparently by downloading flashlight, and by agreeing to the terms and conditions, we are allowing this little app to secretly take video (and audio), see what numbers we are calling, and many other things you wouldn’t normally think a flashlight app should do. I suddenly felt my phone was ‘dirty’ and I uninstalled flashlight there and then – for more information, take a look here – http://itunes.apple.com/gb/app/flashlight./id285281827

Michele also warned us of websites that can do harm to our personal information, and websites that will create fake identities like your virtual buddy, which you can set to ring you and possibly get you away from where you don’t want to be by pretending it’s your friend calling and wants to meet you urgently. A great excuse when you do need to leave without appearing rude. She also told us the best sites to find old addresses, and how to find people you have lost touch with.

Of all the sessions I attended at LEIM, Michele’s was the most entertaining. Her quick fire delivery, rarely pausing for breath, as she just wanted to tell us all she could in her allotted time slot. And tell us she did with much passion and plenty of humor, it was pure entertraining (entertaining training). I will certainly keep her business card handy; I may need her help one day.

Some websites Michele mentioned:

www.jaginvestigations.com – Michele’s Company

http://alibinetwork.com – creates fake identifications

http://www.networksolutions.com/ – here you can find old addresses and email addresses by searching domain names.

r/Mary

03.06.2012 Information sharing, LEIM, mobile computing, Sir Robert Peel, social media

LEIM 36th Annual IACP: Social Media and Law Enforcement

Today’s generation of children and young adults are computer savvy. They don’t question how to use the internet or how to install/uninstall programs, they just do it, because they know how. They are constantly text messaging, checking Facebook and Twitter, and taking pictures and videos every day and posting them onto social media sites…and the police forces around the country are following suit.

Through use of mobile technologies like smart phones, paper in law enforcement interactions is disappearing. No more filling out lengthy forms. Instead information is loaded from a mobile device directly into a database to be saved and shared and used when needed. Most young people today who join police departments, are technology savvy and actually expect new technologies to be in place.

Use of social media is another innovative way Police are using modern technology. Through social media, police are engaging their communities in information sharing and use the information to develop more effective predictive policing strategies by becoming more aware of criminal activity and hot spots around town.

When I returned to Dublin (Ireland not Ohio) after the LEIM conference, I was delighted to find a story in Ireland’s Daily Mail on Monday 28th May. It was titled – Facebook’s Crime Fight, and it explained how communities, particularly in rural areas of Ireland, are combating the closure of Garda (police) stations by turning to Facebook to help fight crime.

Residents are using the site to monitor suspicious activity while text alerts are also sent out to warn locals about any possible criminal behavior. One particular group in County Meath, launched their Facebook site last year and have said that they feel safer in their homes, and it is helping to solve crimes.

The community and the local Gardai (police service), work together. The Gardai contact the webpage’s administrators about suspicious behavior, and then a warning is posted onto Facebook, to notify the community residents. The text alerts are proving to be very successful to notify Gardai of potential criminal activity and to warn members of the community if there is someone suspicious in the area. Everyone in the area now feels safer, and the community has become vigilant in helping to protect their homes.

Expanded use of social media started because of the cut-backs in the Policing sector—as many as 39 Garda stations will be closed across Ireland by the end of June 2012, and more than 40 stations to be closed in the next round.

Facebook has proven to be a successful tool to help communities and police communicate and work together to fight crime by gathering information and sharing it. If using social media helps to make people feel safer and gives them more control over crime in their communities, then this is sure to become the future of fighting crime.

It no longer makes sense to sit back and watch crime happening, or expect that the police alone will take care of crime in our communities. As Sir Robert Peel is often quoted, “the police are the community and the community are the police” – social media gives citizens a powerful tool to work together to prevent crime in their neighborhoods. This will also help to strengthen the relationship between police and the public, and that can only be a good thing.

For more information on how Social Media is used in Public Safety, check out the International Association of Chiefs of Police website below, and under Topics of Interest, click on Social Media, and it will take you to all the information you need about Social Media used in Law Enforcement, including blog posts, news items of interest from around the country, and a new survey showing the results of the current state of practice of Social Media within the Law Enforcement Community.

http://www.iacpsocialmedia.org/

More posts from LEIM coming soon…r/Mary

 

 

02.06.2011 computer security, cyber security, data sharing, Information sharing, law enforcement, Law enforcement information sharing, LEIS, security, security threats, Uncategorized

Security, Privacy, and Innovative Law Enforcement Information Sharing: Covering the bases

So it’s no great revelation that public safety has benefited greatly from public private partnerships, and I’m cool with that, especially when we are dealing with technology that saves lives. However, a press release hit my email inbox today that made me think of the risks to security and privacy when we implement innovative technologies.

Before I get into the story, let me be v-e-r-y clear…I am NOT here to debate the effectiveness or morality of red-light/speed enforcement systems, nor am I here to cast aspersions on any of the organizations involved in the press release…this blog posting is strictly about using the Gatso press release to emphasize a point about security and privacy – when we engage in innovative law enforcement technology solutions, we need to take extra care to adequately address the security and privacy of personally identifiable information.

Here’s the press release from Gatso-USA:

GATSO USA Forms Unique, Strategic Partnership with Nlets

Earlier this month, GATSO USA was approved as a strategic partner by the Board of Directors of the National Law Enforcement Telecommunications System (Nlets). Nlets is….general narrative about NLETS was deleted. The approval of GATSO is an exciting first for the photo-enforcement industry.

Nlets will be hosting GATSO’s back office and server operations within the Nlets infrastructure. GATSO will have access to registered owner information for all 50 states plus additional provinces in Canada. The strategic relationship has been described as a “win-win” for both organizations.

From Nlets’ perspective, there are key benefits to providing GATSO with hosted service. Most importantly, it virtually guarantees personal data security. Due to this extra step of storing personal data behind the DMV walls of Nlets, the public can be assured that security breaches — such as the recent incident with PlayStation users — are avoided.

From GATSO’s perspective, hosting the system with Nlets will provide a ruggedized, robust connection to comprehensive registered owner information — without the security issues faced by other vendors in this industry. Nlets was created over 40 years ago… (more stuff about NLETS was deleted).

The main points I took away from this press release were:

  1. Nlets is going to host the back-end server technology that GATSO needs to look up vehicle registration information of red-light runners;
  2. Gatso is going to have access to vehicle registration information for all vehicles/owners in ALL 50 states in the U.S. and (some) provinces in Canada; and
  3. And, because it’s behind Nlets firewalls, security is not an issue.

Again, please don’t call me a party-pooper as I am a huge advocate for finding innovative ways to use technology to make law enforcement’s job easier. However, I am also painfully aware (as many of you are) of the many security and privacy related missteps that have happened over the last few years with technology efforts that meant well, but didn’t do enough to make sure that they covered the bases for security and privacy matters. These efforts either had accidental leakage of personal information, left holes in their security posture that enabled direct attacks, or created opportunities for nefarious evil-doers with legitimate access to use that access to sensitive information for other than honorable purposes.

After I read the press release, I thought that it would be a good case-study for the topic of this blog – it involved innovative use of technology for law enforcement, a pseudo-government agency (Nlets), two foreign-owned private companies, and LOTS of PII sharing – some might even say it had all the makings of a Will Smith movie. 🙂

To help set the stage, here are a few facts I found online:

  • Gatso-USA is a foreign company, registered in New York State, operating out of Delaware; its parent company is a Dutch company, GATSOmeter BV.
  • Gatso does not appear to vet all of the red-light/speed violations itself; it uses another company – Redflex Traffic Systems to help with that (Redflex is not mentioned in the press release).
  • Redflex seems to be a U.S. company, but it has a (foreign) parent company based in South Melbourne, Australia.
  • Finally, there are no sworn officers involved in violation processing. Red-light/speed enforcement cameras are not operated by law enforcement agencies; they outsource that to Gatso, who installs and operates the systems for local jurisdictions (with Redflex) for free (Gatso/Redflex is given a piece of the fine for each violation).

There are no real surprises here either; there are many foreign companies that provide good law enforcement technologies to jurisdictions across the U.S., and outsourcing traffic violations is not new…BUT what is new here is that a sort-of-government agency (Nlets), has now provided two civilian companies (with foreign connections) access to Personally Identifiable Information (PII) (vehicle registrations) for the entire U.S. and parts of Canada…should we be worried?

Maybe; maybe not. Here are nine questions I would ask:

  1. Personnel Security: Will Nlets have a documented process to vet the U.S. and overseas Gatso and Redflex staff who will have access to this information through direct or VPN access to Nlets systems?
  2. Data Security: Will Gatso or Redflex maintain working/test copies of any of the registration information outside of the Nlets firewall? If so, are there documented ways to make sure this information is protected outside the firewall?
  3. Data Access: Will Gatso/Redflex have access to the entire registration record? or, will access be limited to certain fields?
  4. Code Security: Will any of the code development or code maintenance be done overseas in the Netherlands or Australia? If so, will all developers be vetted?
  5. Network Security: Will overseas developers/site support staff have access to the data behind Nlets firewalls? What extra precautions will be taken to protect Nlets systems/networks from abuse/attack?
  6. Code Security: Will Nlets conduct any security testing on code loaded on the servers behind their firewalls?
  7. Stakeholder Support: Have all 50 U.S. states, and provinces in Canada, been made aware of this new information sharing relationship? Do they understand all of the nuances of the relationship? And, are they satisfied that their constituents' personal information will be protected?
  8. Audit/Logging: Will all queries to vehicle registration information be logged? Is someone checking the logs? How will Nlets know if abuses of authorized access are taking place?
  9. Public Acceptance: How do states inform their constituents that their personal vehicle registration information is being made available to a foreign-owned company? Will they care?

How these questions are answered will determine whether or not we should worry…

Did I miss any other important questions?

Beyond this particular press release and blog posting, I suggest that you consider asking these kinds of questions whenever your agency is considering opening/connecting its data systems to outside organizations or private companies—it may just prevent your agency from becoming a headline on tonight's news, like St. Louis: "St. Louis Police Department computer hacked in cyber-attack."

The bottom line is that whenever you take advantage of opportunities to apply innovative technologies to public safety, make sure that you cover ALL the bases to protect your sensitive data and PII from leakage, direct attacks, or misuse and abuse.

As always, your thoughts and comments are welcome.

r/Chuck

11.03.2011 Information sharing, sorna Comments Off on Sex Offender Registration and Notification Act (SORNA): A summary primer

Sex Offender Registration and Notification Act (SORNA): A summary primer

On Monday, February 28, 2011, I attended a webinar training session hosted by the National Criminal Justice Association (NCJA) where panelists discussed the Sex Offender Registration and Notification Act (SORNA). SORNA aims to close potential gaps and loopholes that existed under prior law and establishes the Office of Sex Offender Sentencing, Monitoring, Apprehending, Registering, and Tracking (the “SMART Office”), a component of the Office of Justice Programs within the U.S. Department of Justice.

The SMART Office is authorized by law to administer the standards for sex offender registration and notification that are set forth in SORNA. It is further authorized to cooperate with and provide assistance to states, local governments, tribal governments, and other public and private entities in relation to sex offender registration and notification and other measures for the protection of the public from sexual abuse or exploitation. The SMART Office is a key federal partner and resource for jurisdictions as they continue to develop and strengthen their sex offender registration and notification programs.

IMPORTANT AREAS OF REFORM UNDER SORNA

  • Extends the jurisdictions in which registration is required beyond the 50 states, the District of Columbia, and the principal U.S. territories, to include federally recognized Indian tribes.
  • Incorporates a more comprehensive group of sex offenders and sex offenses for which registration is required.
  • Requires registered sex offenders to register and keep their registration current in the jurisdictions in which they reside, work, or go to school.
  • Requires sex offenders to provide more extensive registration information.
  • Requires sex offenders to make periodic in-person appearances to verify and update the registration information.
  • Expands the amount of information available to the public regarding registered sex offenders.
  • Makes changes in the required minimum duration of registration for sex offenders.

OVERVIEW

SORNA was passed in July 2006, with a 3-year implementation schedule. A one-year extension was added, bringing the deadline to July 27, 2011; there will be no more extensions. Jurisdictions that fail to substantially implement SORNA by July 27, 2011 are subject to a mandatory 10% reduction in funding under 42 U.S.C. 3750 et seq. (“Byrne Justice Assistance Grant” funding).

TOPICS ADDRESSED IN SUPPLEMENTARY GUIDELINES

  1. Juvenile Delinquents (post of Juveniles)
  2. Internet Identifiers (concern over identifying children protected by the Kid’s Act 2008)
  3. International Travel (offenders must give 21 days notice to travel)
  4. Domestic Information Sharing – discussion portal
  5. Acknowledgement (notice forms) assuring offender has notice forms
  6. Ongoing Implementation Assurance
  7. Retroactive Classes
  8. Newly recognized tribes

TRIBAL IMPLEMENTATION UPDATE

  • 45 Tribes have submitted materials to review.
  • 125 Tribes are trained in TTSORS
  • 23 Tribes on NSOPW
  • 22 Tribes are utilizing TTSORS

CHALLENGES FOR SORNA TRIBES

  • Tribes face more challenges with hardware and software.
  • Many need more assistance in SORNA.
  • Problems with Tribes submitting DNA and Fingerprints.

NEW TOOLS AND ASSISTANCE FOR TRIBES

  • New technology assistant grant.
  • Indian Country TA grant.
  • Tool kit for Tribes.
  • Updated Model Tribal Code
  • TLOA – Tribal Law and Order Act

QUESTIONS SUBMITTED TO THE PANEL

Q1. When will the first penalty for non-compliance take place?

Answer: The first penalty will take place in FY12; again the final deadline is July 27th 2011.

Q2. What constitutes a State working towards implementation?

Answer: NCJA knows the status of all states; some states have done very little, and they will need a plan to know how to use the 10% funding. Most jurisdictions are working towards implementation.

Q3. Will there be a 3rd deadline extension?

Answer: Absolutely not, no more deadline extensions, the deadline stands at July 27th 2011.

Q4. States and Tribes – Can States use the grants for more staffing?

Answer: Absolutely, most grants have been used for staffing. Areas include:

Project Managers, Office Managers, Law Enforcement Officers, Data Entry Personnel, Police Officers.

Q5. One State has a problem with Sex Offenders going underground?

Answer: Yes, this is to avoid registration, they are non-compliant with SORNA, but they will be prosecuted as it is a violation of registration.

Q6. There are some concerns over juveniles registering; can you provide clarification?

Answer: All Juvenile Sex Offenders should be registered on SORNA. Juveniles are from ages 14 and over, these include all Juvenile Sex Offenders, delinquents, serial sex offenders, and juveniles with a history of aggravated sexual abuse. Some cases are exempt; i.e. Romeo and Juliet cases are excluded from SORNA.

Q7. Can some States go above SORNA with issues?

Answer: Yes, some States have done. Indiana, Alaska and Maine, the NCJA are working with them on certain issues. States can go over and beyond the requirements if needed.

Q8. Should we be concerned about privacy rights of individual Sex Offenders?

Answer: All Sex Offender registrations are public.

Q9. How are tribes implementing SORNA?

Answer: Most tribes are collaborating with their States. The vast majority of Tribes will be working on implementing SORNA for many years. Help is needed for some Tribes.

Q10. If a State has been working very hard to implement SORNA, and does not have the review ready by the deadline, will the State still be penalized, or will it be taken into account the hard work achieved?

Answer: If the State submits what has been reviewed on July 27th 2011, it will be considered and noted that hard work and communication has taken place to implement, so no penalties will ensue, provided the hard work will continue. Unfortunately Tribes are not included in this.

Q11. Any other suggestions to support help in implementing SORNA in various States?

Answer: The problem here is that there is no one organization in place to oversee or overview the implementation of SORNA in every State. This is a problem, and every State is working independently. Also there still are ongoing problems with Tribes, this is a concern and they do need help.

SOME ADDITIONAL COMMENTS

  • I think it is in every parent’s interest that SORNA is implemented for the safety of their children. I do not know if parents in each state are aware of SORNA, if they are not, public meetings should be held to inform all parents of what SORNA is and how it can help track all sex offenders in and around their general area.
  • I am concerned about the slowness of SORNA implementation; many States need additional assistance in implementing SORNA. A point was raised that there was no one organization to assist in tracking every State’s implementation of SORNA and to produce up-to-date reports on the advancement of each State in implementing SORNA.
  • I feel such an organization could be created to assist States that are slow to implement, or are just not sure as to what is required of them. This organization could oversee all States, and keep up-to-date information available to the NCJA and the Government as to where the States are at with implementing SORNA, who needs more help in meeting the deadline, and also helping with any concerns that some States may have re: privacy laws etc. that may be slowing them down with their advancement.
  • I am also concerned about SORNA implementation with the Indian Tribes. Each Tribe is different, and has different problems in implementing SORNA, and they have concerns that are slowing them down too. They also need help in different areas, software, hardware, submitting DNA and fingerprinting. It is essential that they receive help and assistance, and possibly look into more funding for them. If they are penalized by not meeting the deadline they will lose 10% of their funding, and this will hinder them even more, and may even cause them to lose interest in SORNA. So we may need another independent organization set up to help the Tribes to implement SORNA.

The bottom line is that our children have a right to be protected, and by not having SORNA in place, we are letting our children down. Parents should be made aware of SORNA, and should write to their local government offices to inquire as to what stage SORNA implementation is at in their State.

28.01.2011 data sharing, Information sharing, Law enforcement information sharing, LEIS Comments Off on Information Sharing: The main thing is to keep the main thing the main thing

Information Sharing: The main thing is to keep the main thing the main thing

Almost two years ago, I responded to a blog posting by Jeff Jonas entitled “Nation At Risk: Policy Makers Need Better Information to Protect the Country.” After a recent discussion about law enforcement information sharing with a colleague, I thought it might be worthy to re-run my response here…read the posting below and let me know what you think…r/Chuck

March 17, 2009

Hi Jeff,

With sincere apologies to Sean Connery, I am dismayed that people are still bringing a knife to an information sharing gun fight—the importance of information sharing, data discoverability, security protections, metrics and incentives, and empowerment have been documented many times over since I became involved in information sharing in 1999 and have proved to be of little value to making information sharing happen.

I believe a significant reason for this is that information sharing has been seen as the “main thing.” Information sharing should NEVER be seen as the main thing; it is simply a means to an end. I have never forgotten what Scott McNealy of Sun Microsystems said—“The main thing is to keep the main thing the main thing.” And, the main thing for government is safe streets, clean air and water, a strong economy, etc…NOT information sharing.

The “guns” that we need to bring to the information sharing table are simply engaged executive leadership and accountability for mission results.

Of the many significant information sharing projects around the country that I have been a part of, I can tell you that the most important ingredient for successful information sharing is: “An agency executive who actively communicates an operational imperative for mission success and then holds their managers accountable for using information sharing as a critical enabler for achieving desired mission results.” [I have a few blog posts on the subject at http://www/nowheretohide.org/wordpress]

While I agree that good security, good technology, good project management, good metrics and the like are necessary, none of this will matter if the need for information sharing is relegated two or three levels down the organization chart or is just seen as an edict from above—federal, state, and municipal agencies are already choking on multiple (and often conflicting and unfunded) mandates.

With my apologies to our President, the PM-ISE, and the Markle Foundation there is nothing more they can print on a sheet of paper to make information sharing happen—hundreds of executive orders, national strategies, task force reports, and security policies have been published—what more could they possibly say?

I believe it now comes down to the individual will of executive leadership in those federal, state and municipal agencies who hold the information that should be made shareable and their capacity to make it happen within their respective agencies. And that Jeff is the one area where I do believe that President Obama and our Congress can help—by simply ensuring that the people they choose to lead those agencies a) truly embody the will, character, and leadership qualities to achieve the mission and b) understand the value that information sharing brings to help make that happen.

r/Chuck Georgo
chuck@nowheretohide.org

29.05.2010 Award, fusion center, Information sharing, ISE-SAR, NIEM Comments Off on Utah SIAC Takes Honors: Fusion Core Solution Success Story

Utah SIAC Takes Honors: Fusion Core Solution Success Story

On May 4, 2010, e.Republic’s Center for Digital Government and Emergency Management honored first responders demonstrating measurable improvements in the lives of the people and businesses they serve. Among the recipients of the inaugural Emergency Management Digital Distinction Awards was the Utah Statewide Terrorism and Information Analysis Center (SIAC). Core to SIAC’s capabilities is the Microsoft Fusion Core Solution technology platform. Here’s a snippet from the Center’s website:

Best Collaboration and Information Sharing

Fusion Center Empowers Utah’s Crime Stoppers, Utah Department of Public Safety, Statewide Information & Analysis Center

The Utah Statewide Information & Analysis Center (SIAC), managed by the Utah Department of Public Safety, is a public safety partnership collaboration with all of the state’s law enforcement and public safety agencies to collect, analyze and disseminate intelligence appropriately for enhanced protection of Utah’s citizens, communities and critical infrastructure. As the state’s intelligence fusion (terrorism and response) center, SIAC replaced a legacy system that lacked effective data management practices and included manual, duplicative efforts. SIAC implemented a new set of technologies which utilized existing assets, integrated domain-specific applications, and improved business processes for information collection and management, and analysis and information sharing with Utah’s 29 county Sheriff’s Offices, 180 law enforcement agencies, and more than 26 specialized task forces.

Fusion Core Solution is an open and extensible information sharing and analysis product, based on the National Information Exchange Model (NIEM) and Information Sharing Environment-Suspicious Activity Reporting (ISE-SAR) Functional Standard, developed to help municipal, county, regional, state, and federal intelligence and fusion centers improve operations through workflow management, information sharing, and geospatial intelligence technologies. For more information about Fusion Core Solution see http://www.microsoft.com/fusion

30.01.2010 data sharing, Information sharing, Law enforcement information sharing, privacy, security Comments Off on Having trouble convincing the boss to spend on Security and Privacy protection? Read on…

Having trouble convincing the boss to spend on Security and Privacy protection? Read on…

The Ponemon Institute, considered the pre-eminent research center dedicated to privacy, data protection and information security policy, released its 2009 Ponemon Institute “Cost of a Data Breach” Study on January 29, 2010.

In the report, they published the results of their fifth annual study on the costs of data breaches for U.S.-based companies. They surveyed 45 companies representing 15 various industry sectors–significant contributors were financial, retail, services and healthcare companies.

Numbers-wise, the companies they interviewed lost between 5,000 and 101,000 records, at a cost range between $750,000 and $31 million.

What was really interesting was that the average per-record cost of the loss was determined to be $204.00–and how many records does your law enforcement/public safety agency hold?

Some factors they considered in computing the cost of the breach included:

  • Direct costs – communications costs, investigations and forensics costs and legal costs
  • Indirect costs – lost business, public relations, and new customer acquisition costs

The report also lists a number of causes for the data breaches, such as:

  • 82% of all breaches involved organizations that had experienced more than one data breach
  • 42% of all breaches studied involved errors made by a third party
  • 36% of all breaches studied involved lost, misplaced or stolen laptops or other mobile computing devices
  • 24% of all breaches studied involved some sort of criminal or other malicious attack or act (as opposed to mere negligence).

You can download the full report here: http://www.encryptionreports.com/download/Ponemon_COB_2009_US.pdf

Thoughts and comments welcomed…r/Chuck