Saying security can come later, panel pushes for more information sharing

Benefits of exchanging sensitive information among governments to fight terrorism far outweigh risks of not securing messages, a presidential task force argues.

The federal government should create a new way to share sensitive information, even if technology safeguards are not initially in place, according to a White House task force.

A May 27 memorandum had called for an interagency task force to recommend how agencies should share sensitive information that does not meet the standards for classification, including controlled unclassified information that is terrorism-related.

Obama asked for the recommendations because of concerns that inconsistencies among agencies in handling such information were leading officials to not share data, which reduces transparency. Each agency has its own system for categorizing and handling sensitive content, leading to more than 107 labels for classifying information such as "Law Enforcement Sensitive," "For Official Use Only," and "Limited Official Use."

The recommendations, which were publicly released on Tuesday, suggest agencies standardize terminology and procedures for dealing with sensitive information, and gradually phase in information technology protections against unauthorized access and release.

"If we waited to implement [information-sharing procedures] until we could achieve nirvana, then the whole framework would be delayed longer than we want," said task force member William Bosanko, director of the Information Security Oversight Office. "Is any information going to be at risk? I would argue no more than is today -- and ultimately we will better protect information by being more precise as to what requires protection."

Lack of security controls did not drive Obama to request a new approach for handling sensitive information, the Dec. 15 report noted. Rather, he called for recommendations to facilitate information sharing and increase transparency. Forcing agencies to quickly deploy technical safeguards -- such as encryption, or coding data to render it unintelligible, and authentication for remote access -- could strain some agencies, according to the report.

"Full implementation of the [controlled unclassified information] framework requires significant resources, especially with respect to IT safeguards," the recommendations stated. "Accelerating the implementation of the safeguarding requirements could impact resource constraints at certain agencies."

Some security specialists seem to concur with the task force's advice to prioritize information sharing over information technology protection.

Paul Proctor, vice president for security and risk management at research firm Gartner, raises the question: If an agency has information that could stop the next terrorist attack, is it more important to send the data to a partner agency that does not have encryption capability, and indicate the message's sensitivity, or is it best to not send the data because the partner agency is not protected?

"Even in the absence of technical controls, raising the knowledge of the presence of sensitive data has a huge benefit of getting the organizations to think through their handling of these different kinds of sensitive data," he said.

The two agencies could deploy an ad hoc protection system in which they mutually decide, for example, that the data will be stored on only one machine that is disconnected from the Internet, Proctor added.

"There is a layer of protection provided by that common understanding that would facilitate information sharing, and that's a good thing," he said. "Overlaying this schema will allow people to share more data even if the controls are not fully implemented."

The task force concluded that the National Archives and Records Administration should consult with the federal Chief Information Officers Council to roll out IT standards for safeguarding sensitive information in stages. The group also recommended that federal CIOs help align metadata tagging -- systems for labeling a file with a high or low sensitivity level -- and systems that allow certain individuals access to certain files.
