The Brussels discussion focused on how the the EU and other European organizations and member states can work the Department of Homeland Security, Department of State and other US agencies, to best enable a trusted environment for sharing information.
The Feb 22 session followed a similar discussion in Washington, DC on October 2017 that provided perspective on the American information sharing experience working internally and with European partners, addressing challenges and potential solutions. A full summary of the DC discussion can be found here.
The session on Feb 22nd in Brussels built on these topics with a focus on the European perspective. Major themes for this discussion included data requirements and gathering, data analysis, and dissemination challenges, while recognizing EU privacy and security protections; and how addressing these challenges can help strengthen transatlantic information sharing and collaboration. Roundtable participants addressed achievable outcomes for the EU, NATO and other stakeholders, leveraging expertise within government needed to develop and maintain solutions, along with external linkages needed to ensure successful implementation.
The timing of these sessions is particularly relevant, with the coming full effective dates for the General Data Protection Regulation and the directive on security of Networks and Information Systems; and on the industry side, multiple companies recently announced collaboration around a “Charter of Trust” for cybersecurity at the Munich Security conference in February.
We provide a summary of key points from this non-attribution meeting below. The Center will then develop a more detailed report with actionable recommendations for government leaders.
Centers of Gravity for Discussion
The Roundtable focused on five main topical centers of gravity that built on themes addressed during the US discussion.
A Human Challenge
Deficits in trust about data integrity often exist between the providers and end-users. Agencies work with multiple information sharing networks, some of which lie dormant due to the inability of platform operators to have a trusted relationship with intended end-users. However, advances in policy and implementation by personnel across the EU differ from the US experience. Successful platforms typically allow a degree of ownership by end-user coalitions, who push use and sharing of information from a top down and bottom up approach. Recent centralization and real-time demands for information from EU member states have changed dynamics.
How can the EU, NATO, and other institutions work with member states, US agencies, and stakeholders to incentivize collective action that builds trust?
- Sharing data more effectively across governments and organizations is a key to effective democracy. However, this can only happen in a climate of trust across governments and with companies and citizens.
- Agencies have to make effective and secure use of their existing data stores. Governments often have access to a large volume of information that they do not leverage to anything close to its full extent. By using their current data well, and communicate that use to citizen, industry, and government partners, agencies can build trust in data handling and support for data sharing. Transparency and visibility across stakeholders will create trust.
- Building trust among agencies will help to ensure that the data being shared is used for what the purpose identified. However, hidden system vulnerabilities can enable sources of threats to penetrate systems and misuse that same data, in a way that undermines trust.
- Building citizen trust across different agencies is imperative. Citizens often don’t realize that not sharing information limits government ability to prevent attacks; informing the public about this need will grow in importance with the full implementation of GDPR. Agencies can promote citizen confidence by building practical systems that implement data access rights, and by demonstrating and communicating the benefits of data sharing that respects privacy and security rules in terms of reduced burden and cost. A challenge here involves a policy shift from privacy to secrecy, as with cryptocurrency – agencies will have to develop methods that respect anonymity while also promoting security.
- Transparency also promotes trust. Across Europe, and in the US, too much data is classified that could be made public, even if in a summary form that removes sources and methods. To the maximum extent appropriate, governments can benefit by making data publicly available.
- Standards for sharing allow public and private enterprises to operate under similar understandings, important to ensuring that stakeholder groups have trust among one another. This can promote trust in data integration across borders and can help bridge cultural divides. The DHS Homeland Security Information Network (HSIN), along with the National Information Exchange Model (NIEM), have proven to be an effective example of standards-based information sharing that fosters trust.
How Technology Can Improve Analytics
Lack of interoperability and data integrity across existing information sharing platforms, and the largely previous disconnected and decentralized nature of data across governments, can negatively affect the ability to assess trends and conduct deep, real-time, and predictive analysis. As mentioned previously, the EU has made recent advances in this regard. Leveraging artificial intelligence (AI) and cognitive platforms can bring data integrity and interoperability up to adequate standards to improve the speed to intelligence between raw data and correlated results.
How can technology, including AI-based analytics, help to improve transatlantic threat information sharing and collaboration?
- Artificial intelligence and other emerging technologies have a future in government and law enforcement, but implementation relies on confidence in the accuracy of such technologies.
- Chief Information Officers can help their agencies procure new technology to support information sharing and protection. To do so effectively, CIOs need authorities to support their mission colleagues by building strong and secure platforms, and streamlining business support systems, to enable rapid, secure, and cost-effective insertion of technology.
- Analytics technologies have enormous potential to support sharing of threat information across and outside the EU. Most current systems are built on binary yes/no logic that does not introduce predictive analytics. However, strict privacy protections would require that such data be anonymized before being analyzed, which will be very costly.
- The US and EU must work together to protect their interests given global threat vectors, especially with innovations like new “5G” wireless systems, the Internet of Things (IOT), advanced encryption, and quantum computing.
- Interoperable and infrastructure platforms that leverage cloud computing in a secure manner will provide a foundation for rapid sharing and analytics. Governments underinvest in updating IT systems, which can be addressed through budgetary rules incentives that prioritize new development and innovation and reduce operations and maintenance spending.
- Risk management is key to advancing IT, and will shift as innovation moves from prototype environments — where failing fast promotes improvements in IT development — to scale environments — where failure is not an open given the risk to human life and health.
- Data integrity is a dependency for sharing – building analytics programs based on automated review of and appropriate response to anomalies will promote integrity, as will establishing audit and review processes.
- Key technical leaders in this field need to hire experts quickly and upskill their workforce over time, to ensure that government capacity keeps pace with commercial innovation.
Bureaucratic and structural challenges affect the management and development of the information sharing enterprise. Recent EU policy calls for greater transparency and centralization of information, alongside the context of recent responses to terrorist incidents. In the US, the establishment of a National Intelligence Manager (NIM) for the Western Hemisphere and the Homeland is a step to build on.
What can the US learn from current European organizational transformations?
- Strengthening multilateral institutions can support intergovernmental research into shared solutions for sharing. Also, cross-government memoranda of understandings (MOUs) can drive collective action. An initiative in Europe involving interagency collaboration has been introduced through a new system enabling searchable sharing across multiple organizations, connecting existing databases and supporting future related efforts. Specifically, multiple organizations are collaborating on a border management database, which aims to provide authorization to travel to the EU for Third Country nationals, and to prevent possible threats from entering the EU member states. co
- EULISA, the EU agency for the operational management of large-scale IT systems, will build a secure threat data platform and Watch List;
- Frontex, the EU Border and Coast Guard Agency based in Warsaw, will analyze threat data from members and reduce the risk of bias; and
- Europol, the EU Agency for Law Enforcement Cooperation, will manage the shared watch list, including updates via checking with Interpol databases in parallel.
- Non-technical stakeholder organizations need education on modern technology, including policy officials, the judiciary, and procurement offices. If leaders in these organizations have little understanding of technology, they will make uninformed decisions – what one roundtable participant coined “the analog hangover” effect. A gap in the digital IQ of policy makers leaves them less able to make and interpret laws that reflect the changing nature of technology to promote secure and privacy-protective information sharing.
- Support for information sharing among partner agencies may emerge more naturally if framed as a way to deliver agency services securely, so as to link sharing goals to digital government that benefits citizens, rather than solely framed through a cybersecurity lens that can drive a “need to protect” rather than a “need to share” approach,
- Even with good policies and good leadership, resources are key to implementation – without an adequate budget meaningful action will be limited. A secure portal for citizen access to information across the EU, for example, would have great value but would require significant investment, which would have to increase for transatlantic access.
The Influence of Industry and Private Sector Partners
Challenges within government may create a need for external stimuli to promote a path toward improvement. Industry and private sector partners can demonstrate how private sector data integrity and sharing standards could encourage much needed reforms. Lessons can be learned from Passenger Name Records/Advance Passenger Information (PNR/API) information sharing activities. Multinational corporations could promote transatlantic consistency for information sharing, security and privacy, and data integrity.
What challenges can industry address to help address EU and member state priorities in promoting a responsible, secure, and cost-effective exchange of information across borders?
- Private public partnerships are key for new forms of digital data governance. For example, the DHS Customs Trade Partnership Against Terrorism (CTPAT) is a voluntary public-private partnership program which recognizes that government can provide highest cargo security only through close cooperation with the principle stakeholders of the international supply chain; participation in CTPAT improves the bottom line, making it a win-win for both sides. Procurement offices need to be more open to innovation that promotes such collaborative arrangements, and oversight entities need to be more open to auditable third party and self-attestation of performance rather than rigid enforcement of inputs.
- The vast majority of data relevant to understanding and addressing threats is owned by the private sector. Government agencies benefit from access to this data because analysis might be useful to developing rapid response and long-term resiliency strategies. The “need for speed” is paramount to enable agencies to keep us with constantly practice by harmful actors, who can include nation-state adversaries, non-state actors.
- Government-industry collaboration can promote data sharing; in the EU, however, the appetite to cooperate across sectors is not facilitated by any legislation that drives collective structures. The most effective solution would involve governments working together with companies, rather than mandates that compel rigid structures. In that context, agencies must think about how collaboration can benefit companies as well.
Next Steps — Lessons to be Shared in Building Trust
The US, EU and NATO member states face similar challenges with information sharing and data integrity. Yet Europe has seen some success regarding data interoperability, trials of progress with information sharing among law enforcement, and data sharing agreements. The EU has committed to a multi-year interoperability program to close gaps in information sharing and improve cooperation across multiple homeland security systems. Much can be learned from future US-EU-NATO exchanges and partnerships.