NOWHERETOHIDE.ORG

Letter to Congressman Reichert: If you want LE information sharing, please aim your pen at a different target

If you want law enforcement agencies to share information, go to the source and help the Chiefs and Sheriffs to push their data in the FBI’s National Data Exchange N-DEx. Trying to impose information sharing with unfunded standards mandates will not work.

As someone who has been in the standards business since 1995, history has proven to me that:

• The business need must drive standards, standards can NEVER drive the business; and
• Trying to SELL the business on standards is a losing strategy.

Hi Congressman Reichert,

You won’t remember me, but a long time ago we were in meetings together in Seattle with the likes of John McKay, Dave Brandt, Scott Jacobs, Dale Watson, and others working on building the Law Enforcement Information Exchange (LInX); I was the technical guy on the project, working with Chief Pat Lee and our very dear lost friend Julie Fisher (may she rest-in-peace, I sure miss her).

A hell of a lot of water has gone under the bridge since then–it’s been nearly TWELVE YEARS. If we look back over this time, we have had so many bills, laws, strategies, policies, papers, speeches, conferences, proclamations, and other assorted attempts to prod law enforcement data loose from the nearly 18,000 agencies across our country. While we are far better off than we were back then, I think we can agree that we still have a long way to go.

Where we differ, I’m afraid, is in the approach to get there – a few days ago, you proposed legislation, the Department of Justice Global Advisory Committee Authorization Act of 2013, as a means to improve information sharing among law enforcement agencies - do we really believe another ”stick” will work to get agencies to share information? Do we really believe it’s a technology or data standards problem that’s preventing law enforcement data from being shared? As a technologist for 34 years, and someone who has been involved in law enforcement information sharing since the Gateway Project in St. Louis, MO in 1999, I can tell you it is neither.

While I applaud the work of the GAC, and I have many colleagues who participate in its work, I’m afraid having more meetings about information sharing, developing more standards, approving more legislation, and printing more paper will NOT help to reach the level of information sharing we all want.

Instead, I want to propose to you a solution aimed at capturing the commitment of the men and women who can actually make law enforcement information sharing happen, and virtually overnight (metaphorically speaking) – namely, the great men and women who lead our police and sheriffs departments across America.

Now to be fair, many of these agencies are already contributing their records to a system I am sure you are familiar with called the National Data Exchange (N-DEx). Built by the FBI CJIS Division, this system has matured into a pretty respectable platform for not only sharing law enforcement information, but also for helping cops and analysts to do their respective investigative and analytic work.

Now, in case you are wondering, I do not own stock in any of the companies that built N-DEx, nor has the FBI signed me up as a paid informant to market N-DEx. I write to you on my own volition as a result of my nearly six years of volunteer work as a member of the International Association of Chiefs of Police (IACP) Criminal Justice Information Systems (CJIS) Committee.

About two years ago I volunteered to lead a small sub-group of the committee who have either built, led, or managed municipal, state, federal, or regional information sharing systems. Our charge was (and still is) to help CJIS take a look under the hood of N-DEx to see what’s in there (data wise) and to help figure out what needs to be done to make it a more effective tool to help cops across America catch more criminals, and maybe, just maybe, even prevent criminals from acting in the first place.

While our work is far from done, I can tell you that one thing we need is more data – as you well know, be it N-DEx, LInX, RAIN, or any other information sharing system, it is only as good as the data that’s put into it.

Believe it or not we already have the data standards in-place to get the data into N-DEx. CJIS has developed two Information Exchange Packet Descriptions (IEPDs) that tells agencies exactly what to do and how to format and package up their data so it can get to N-DEx. Additionally, CJIS has an extensive team ready to assist and my colleagues over at the IJIS Institute hold training sessions sponsored by BJA, to help agencies along the process (NIEM training).

These two IEPDs can help law enforcement agencies today to share the following law enforcement records:

• Service Call
• Incident
• Arrest
• Missing Person
• Warrant Investigation
• Booking
• Holding
• Incarceration
• Pre-Trial Investigation
• Pre-Sent Investigation
• Supervised Release

So what’s the hold up? Speaking only for myself, and I will be very straight with you, I believe the root cause for not getting more law enforcement data into N-DEx is the current piecemeal, politically charged, hit and miss grant funding process that the Act you propose, if passed, will burden even further – see page 3, lines 17-25 and page 4, lines 1-6.

Instead, I ask that you please answer the following question…

If law enforcement information sharing is important enough to push though a Public Act, where is the nationwide project, with funding, to get all shareable law enforcement data loaded into the one system that would give ALL law enforcement officers and analysts access to collective knowledge of the nearly 18,000 law enforcement agencies?

The immediate answer might be “we already have one; N-DEx;” however, N-DEx is only a piece of the answer…it’s as they say, “one hand clapping.” And in all fairness to my friends and colleagues at the FBI CJIS Division, that program was only charged and funded to build the  N-DEx bucket, they were never funded to actually go get the data to fill the bucket.

The strategy, for whatever reason back then, was relegated to a ”build it and they will come” approach, that IMHO has not worked very well so far and may take another 5-10 years to work. I should also note that the bucket isn’t totally empty…there are quite a number of agencies and regional projects, like LInX, that have stepped up and are helping to fill the bucket – however, if we want to expedite filling up the bucket, focusing on mandating more standards is not the answer

What I submit  is the “other hand clapping” is the need for a shift focus, away from policy, standards, and technology, and establish a funded nationwide project that will offer a menu of choices and support packages to the Chiefs and Sheriffs that will enable them to start sending as many of their shareable records as possible to N-DEx.

Some of the options/support packages could include:

1. Provide direct funding to agencies and regional information sharing systems to develop N-DEx conformant data feeds to N-DEx;
2. Grant direct funding to RMS and CAD system providers to develop N-DEx conformant data feeds from their software, with the stipulation they must offer the capability at no additional cost to agencies that use their products;
3. Establish a law enforcement data mapping assistance center, either bolted on to IJIS NIEM Help Desk, as an extension of NLETS menu of services, or through funding support at an existing information sharing project like the Law Enforcement Technology, Training, & Research Center who works in partnership with the University of Central Florida.

At the end of the day, we all know that the safety and effectiveness of law enforcement is greatly affected by the information he or she has at their fingertips when responding to that call.

Do you really want to leave it to chance that that officer’s life is taken, or a criminal  or terrorist is let go because his or her agency wasn’t “lucky enough” to win the grant lottery that year?

So, let’s empower the single most powerful force that can make sure the information is available - the Sheriff or Chief leading that agency. Let’s stop with the unfunded mandates, laws, standards, studies, point papers, etc., and let’s finally put a project in-place with the funding necessary to make it happen.

v/r

Chuck Georgo,

Executive Director
NOWHERETOHIDE.ORG
chuck@nowheretohide.org

Signs, signs, everywhere are signs: We have to take better care of each other

Pop quiz…what do the following have in common:

• Bradley Manning, US Army soldier who released 750,000 documents to wikileaks
• Jacob Tyler Roberts, another young man who shot up an Oregon mall
• Adam Lanza, young man who killed 26 at a Newtown, CT school
• Marijana Bego, NYC art gallery owner who jumped to her death yesterday

The answer? One or more people knew something was wrong BEFOREHAND.

I am now convinced that EVERY incident, whether it is a tragic shooting, a terrorist act, espionage, or a sole suicide, there were signs ahead of time that something was not quite right with the individual(s) involved.

So what can we do? We have to take better care of each other. When we see signs that someone isn’t quite the way they used to be, call them on it. Ask questions. Take action BEFORE something bad happens.

Scared that you’ll embarrass them? scared you’ll embarrass yourself? If so, just think how you will feel if you don’t take action and something even worse happens…how will you feel then?

• In Bradley’s case, the Army knew there were reasons NOT to put him in a position of trust, and they did anyway!
• In Jacob’s case, his own roommate said he acted weird and talked about moving and selling his possessions!
• In Adam’s case, the school district security officer knew he had disabilities!
• And, in Marijana’s case, many people around her knew she was erratic and not happy.

I would hate to be in any of those person’s shoes…

so, for 2013, let’s try and take better care of each other, and vow to intervene early, maybe we can save a life.

Merry Christmas and Happy New Year

r/Chuck

LEIM 36th Annual IACP: Internet Profiling and Intelligence Gathering

I have always thought that Private Investigators were sleazy peeping toms who spied on others to make money catching people in compromising positions—very useful if you’re the wife of a philandering jerk.

Boy was I off the mark. I attended a presentation by Michele Stuart, an Investigator with her own company, JAG Investigations, Inc in Arizona. From the moment she started her presentation, we were on the edge of our seats. For about 40 minutes, she made us all sit up and listen to what she had to tell us about the challenges and tools of using the internet to conduct investigations and to share with us her impressive knowledge of public records and on-line databases.

With over 18 years of investigative experience behind her, Michele knew a lot about websites that rob your personal information, how to find someone on the internet, and many more informative pieces of information that would help those who use the internet to find people.

As an example, she launched her presentation with “who owns an android phone”, as several of us raised our hands. Followed with “and do you have the flashlight app installed on your androids”? To which several of us (including me!) left our hands up. Apparently by downloading flashlight, and by agreeing to the terms and conditions, we are allowing this little app to secretly take video (and audio), see what numbers we are calling, and many other things you wouldn’t normally think a flashlight app should do. I suddenly felt my phone was ‘dirty’ and I uninstalled flashlight there and then – for more information, take a look here - http://itunes.apple.com/gb/app/flashlight./id285281827

Michele also warned us of websites that can do harm to our personal information, and websites that will create fake identities like your virtual buddy, which you can set to ring you and possibly get you away from where you don’t want to be by pretending it’s your friend calling and wants to meet you urgently. A great excuse when you do need to leave without appearing rude. She also told us the best sites to find old addresses, and how to find people you have lost touch with.

Of all the sessions I attended at LEIM, Michele’s was the most entertaining. Her quick fire delivery, rarely pausing for breath, as she just wanted to tell us all she could in her allotted time slot. And tell us she did with much passion and plenty of humor, it was pure entertraining (entertaining training). I will certainly keep her business card handy; I may need her help one day.

Some websites Michele mentioned:

www.jaginvestigations.com – Michele’s Company

http://alibinetwork.com – creates fake identifications

http://www.networksolutions.com/ – here you can find old addresses and email addresses by searching domain names.

r/Mary

LEIM 36th Annual IACP: A First Timer’s Perspective

Hi everyone,

My Name is Mary Wood and I recently joined NOWHERETOHIDE.ORG as a Research Analyst. I am from Dublin, Ireland, and new to Public Safety, so be gentle with me! These first few blog postings will tell the story of my experience at the 2012 Law Enforcement Information Management (LEIM) conference that I attended from 19-23 May 2012.

Since this was my first time attending LEIM, I didn’t really know quite what to expect. What I experienced was a whirlwind three days of educational sessions and networking opportunities – I really enjoyed everything about this conference and learned so very much!

I was also in awe of being in the presence of the brave men and women who put their lives in danger every day just to keep the rest of us safe – that in itself was daunting. But as I walked around, amongst Officers, Chiefs of Police, federal agents, and even a British Lord!, I was stuck by the camaraderie and incredible respect they had for each other. I really love Americans, and have always found them to be extremely polite and well mannered, and these three days showed just that, and also an enthusiasm for learning, meeting new people, and sharing of their experiences with dealing with information management in the public safety arena.

I found myself learning something new with each presentation/workshop that I attended. I was very impressed by the high standard of presenting styles and the way most people I encountered delivered their information in a very understandable (essential for a first timer!) and enjoyable way.

I learned quite a bit – using CCTV effectively, getting essential data into systems so Police Departments in other states can access it, predictive Policing, Social Media and how law enforcement agencies use the social media sites to gain information, the latest License Plate readers, what happens when a Police Officer wears a camera, and many more interesting ways that technology is used everyday.

Yes, law enforcement information management has come a long way from the pencil and notebook. Today the paper and pencil has been replaced by an iPhone or Blackberry to access/enter information, to take video and pictures, and to share information. I have learned that it is all about getting information and sharing that information to get the bad guys of the streets.

For any first timers to the LEIM conference next year, I would highly recommend that you arrive early enough to attend the First Time Conference Attendee Orientation and ABC’s of IT for Law Enforcement. This session will help answer any questions first timers may have about the conference. The LEIM Board of Officers together the LEIM Chairperson put on a very informative and straightforward presentation. They will also answer any questions put to them.

Ed Posey, the 2011-2012 Chairman, spoke about his work as a Captain in Gainesville Police Department. He spoke about the Law Enforcement Information Exchange (LInX) Lynx project and answered general IT questions put to him. Lance Valour talked about the way the Police Service works in Canada, and the differences between America and Canada (I loved his Canadian accent!), and Lance should know with 33 years in Ottawa Police Force behind him. They also explained how 9/11/01 changed everything in terms of security and getting essential information and sharing it, so everybody can work together and understand the situation they are dealing with. N-DEx was one of the information sharing systems that was created after 9/11/01. It is designed to share federal, state and local law enforcement information. The types of data being exchanged varies from police case files, arrest reports, warrants, Canadian and Interpol databases, and corrections data.

On the first day there are also other preconference workshops presented, along with the first timers conference. They are each three hours long, but are a must to explain any questions you have or any guidance you need to get you through the three days.

I have grown up, watching cop shows that show us how it’s done. We think we know it all, but it’s a lot different when you are in the presence of the people who really know how it’s done. I came away from my three days with a lot of information and pages and pages of notes, and also had the pleasure of being in the company of people who really do make a difference by making our world safer.

Over the next few blog postings I will share some stories about specific things I learned about…stay tuned.

Thanks for reading…r/Mary

Video Analysis/Analytics: Can we use it to detect criminal behaviors and activities?

I just found this report published by the National Criminal Justice Reference Service (NCJRS). Developed by Nils Krahnstoever, General Electric (GE) Global Research, it describes the development of a wide range of intelligent video capabilities relevant to law enforcement and corrections, and describes features of video surveillance that can help to enable early detection and possibly prevention of crimal incidents.

The study also points out, in a number of places, limitations of the technology, based on response activities and envronmental factors. it’s worth a read, here is the table of contents; you can read the document here Automated Detection and Prevention of Disorderly and Criminal Activities:

 Table of Contents

• 1 Abstract
• 2 Executive Summar
• 2.1 Data Collection
• 2.2 Crime Detection and Prevention
• 2.3 System Evaluation and Feedback
• 2.4 Law Enforcement Relevance and Impact
• 2.5 Dissemination of Research Results
• 2.6 Next Steps
• 3 Introduction
• 4 Data Sets and Data Collections 17
• 4.1 GE Global Research Collection
• 4.2 Airport and “Behave” Data
• 4.3 Mock Prison Riot Data
• 4.3.1 Venue
• 4.3.2 Installation
• 4.3.3 Camera Views
• 4.3.4 Calibration
• 5 Motion and Crowd Pattern Analysis 25
• 5.1 Multi-camera Multi-target Tracking
• 5.2 Detection and Tracking of Motion Groups
• 5.3 Counting and Crowd Detection
• 5.4 Simple Group-Level Events
• 5.5 Group Interaction Model
• 5.6 Group Formation and Dispersion
• 5.7 Agitation and Fighting
• 5.8 Advanced Aggression Detection
• 5.8.1 Feature Tracking
• 5.8.2 Motion Analysis
• 5.8.3 Motion Classification and Clustering
• 5.8.4 Results
• 6 Identity Management
• 6.1 PTZ Camera Control
• 6.1.1 Introduction
• 6.1.2 Related Work
• 6.1.3 Experiments
• 6.1.4 Discussions
• 6.2 Identity Maintenance
• 7 Social Network Estimation
• 7.1 Introduction
• 7.2 Experiments
• 7.3 Conclusions
• 8 Data Collection and System Testing at Mock Prison Riot 2009
• 8.1 Collection and Testing Approach
• 8.2 IRB Approval
• 8.3 Collected Video Data
• 8.4 Mock Prison Riot Detection and Tracking
• 8.5 PTZ Control
• 8.6 Behavior and Event Recognition
• 8.6.1 Meeting / Approaching / Contraband Exchange
• 8.6.2 Aggression Detection
• 8.6.3 Fast Movement
• 8.6.4 Distinct Group Detection
• 8.6.5 Flanking Detection
• 8.7 Performance Evaluation
• 8.7.1 Sequence “Utah Leader Attack” (Nr. 00)
• 8.7.2 Sequence “Utah Leader Attack 2” (Nr. 01)
• 8.7.3 Sequence “Gang Killing other Gang” (Nr. 02)
• 8.7.4 Sequence “Gang Killing other Gang 2” (Nr. 03)
• 8.7.5 Sequence “Gang Killing other Gang 3 – Unrehearsed” (Nr. 04)
• 8.7.6 Sequence “Aborted Attack” (Nr. 05)
• 8.7.7 Sequence “Aborted Attack 2” (Nr. 06)
• 8.7.8 Sequence “Gang Argument – Prisoners get attacked” (Nr. 07)
• 8.7.9 Sequence “Gang Initiation” (Nr. 08)
• 8.7.10 Sequence “Contraband Exchange” (Nr. 09)
• 8.7.11 Sequence “Multiple Contraband Exchange” (Nr. 10)
• 8.7.12 Sequence “Contraband with Fight” (Nr. 11)
• 8.7.13 Sequence “Blended Transaction” (Nr. 12)
• 8.7.14 Sequence “Shanking followed by Leaving” (Nr. 13)
• 8.7.15 Sequence “Gang Hanging Out Followed By Several Fights” (Nr. 14)
• 8.7.16 Sequence “Fight Followed by Guards Leading Offender Off” (Nr. 15)
• 8.7.17 Sequence “Fight Followed by Guards Leading Offender Off” (Nr. 16)
• 8.7.18 Sequence “Contraband – Officer Notices” (Nr. 17)
• 8.7.19 Sequence “Argument Between Gangs – Officer Assault” (Nr. 18)
• 8.7.20 Sequence “Contraband exchange followed by guard searching inmates” (Nr. 19)
• 8.7.21 Sequence “Prisoner being attacked and guard intervening” (Nr. 20)
• 8.7.22 Sequence “Fight breaking out between gang members and officers breaking it up” (Nr. 21)
• 8.7.23 Sequence “Fight between gangs. Guards breaking fight up” (Nr. 22)
• 8.7.24 Sequence “Fight between gangs. Guards breaking fight up” (Nr. 23)
• 8.7.25 Sequence “Gangs fighting. Guards breaking fight up.” (Nr. 24)
• A Public Dissemination
• B Reviews and Meetings
• B.1 Technical Working Group Meeting
• B.2 Kick-Off Meeting at NIJ
• B.3 Sensor and Surveillance Center of Excellence Visit
• B.4 2008 Technologies for Critical Incident Preparedness Expo (TCIP)
• B.5 Mock Prison Riot 2009
• B.6 IEEE Conference on Computer Vision 2009
• C Mock Prison Riot Data
• C.1 Data Recorded while Processing
• C.2 Sequences Processed in Detail
• C.3 Data Recorded without Processing
• D Techinical Details of the PTZ Camera Control
• D.1 Problem Formulation
• D.2 Objective Function
• D.2.1 Quality Measures
• D.2.2 Quality Objective
• D.2.3 Temporal Quality Decay
• D.3 Optimization
• D.3.1 Asynchronous Optimization
• D.3.2 Combinatorial Search
• E Techinical Details of Social Network Analysis 110
• E.1 Building Social Network
• E.1.1 Face-to-Track Association via Graph-Cut
• E.2 Discovering Community Structure via Modularity-Cut
• E.2.1 Dividing into Two Social Groups
• E.2.2 Dividing into Multiple Social Groups
• E.2.3 Eigen-Leaders

Security, Privacy, and Innovative Law Enforcement Information Sharing: Covering the bases

So it’s no great revelation that public safety has benefited greatly from public private partnerships, and I’m cool with that, especially when we are dealing with technology that saves lives. However, a press release hit my email inbox today that made me think of the risks to security and privacy when we implement innovative technologies.

Before I get into the story it, let me be v-e-r-y clear…I am NOT here to debate the effectiveness or morality of red-light/speed enforcement systems, nor am I here to cast dispersions on any of the organizations involved in the press release…this blog posting is strictly about using the Gatso press release to emphasize a point about security and privacy - when we engage in innovative law enforcement technology solutions, we need to take extra care to adequately address the security and privacy of personally identifiable information.

Here’s the press release from Gatso-USA:

GATSO USA Forms Unique, Strategic Partnership with Nlets

Earlier this month, GATSO USA was approved as a strategic partner by the Board of Directors of the National Law Enforcement Telecommunications System (Nlets). Nlets is….general narrative about NLETS was deleted. The approval of GATSO is an exciting first for the photo-enforcement industry.

Nlets will be hosting GATSO’s back office and server operations within the Nlets infrastructure. GATSO will have access to registered owner information for all 50 states plus additional provinces in Canada. The strategic relationship has been described as a “win-win” for both organizations.

From Nlets’ perspective, there are key benefits to providing GATSO with hosted service. Most importantly, it virtually guarantees personal data security. Due to this extra step of storing personal data behind the DMV walls of Nlets, the public can be assured that security breaches — such as the recent incident with PlayStation users — are avoided.

From GATSO’s perspective, hosting the system with Nlets will provide a ruggedized, robust connection to comprehensive registered owner information — without the security issues faced by other vendors in this industry. Nlets was created over 40 years ago…more stuff about NLETS was deleted).

The main points I took away from this press release were:

1. Nlets is going to host the back-end server technology that GATSO needs to look up vehicle registration information of red-light runners;
2. Gatso is going to have access to vehicle registration information for all vehicles/owners in ALL 50 states in the U.S. and (some) provinces in Canada; and
3. And, because it’s behind Nlets firewalls, security is not an issue.

Again, please don’t call me a party-pooper as I am a huge advocate for finding innovative ways to use technology to make law enforcement’s job easier. However, I am also painfully aware (as many of you are) of the many security and privacy related missteps that have happened over the last few years with technology efforts that meant well, but didn’t do enough to make sure that they covered the bases for security and privacy matters. These efforts either had accidental leakage of personal information, left holes in their security posture that enables direct attacks, or created opportunities for nefarious evil-doers with legitimate access to use that access to sensitive information for other than honorable purposes.

After I read the press release, I thought that it would be a good case-study for the topic of this blog - it involved innovative use of technolgy for law enforcement, a psuedo-government agency (Nlets), two foreign-owned private companies, and LOTS of PII sharing - some might even say it had all the makings of a Will Smith movie.

To help set the stage, here are a few facts I found online:

• Gatso-USA is a foreign company, registered in New York State, operating out of Delaware; its parent company is a Dutch company, GATSOmeter BVGatso.
• Gatso does not appear to vet all of the red-light/speed violations itself; it uses another company – Redflex Traffic Systems to help with that (Redflex is not mentioned in the press release).
• Redflex seems to be a U.S. company, but it has a (foreign) parent company based in South Melbourne, Australia.
• Finally, there are no-sworn officers involved in violation processing. Red-light/speed enforcement cameras are not operated by law enforcement agencies; they outsource that to Gatso, who installs and operates the systems for local jurisdictions (with Redflex) for free, (Gatso/Redflex is given a piece of the fine for each violation).

There are no real surprises here either; there are many foreign companies that provide good law enforcement technologies to jurisdications across the U.S., and outsourcing traffic violations is not new…BUT what is new here is that a sort-of-government agency (Nlets), has now provided two civilian companies (with foreign connections) access to Personally Identifiable Information (PII) (vehicle registrations) for the entire U.S. and parts of Canada…should we be worried?

Maybe; maybe not. Here are nine questions I would ask:

1. Personnel Security: Will Nlets have a documented process to vet the U.S. and overseas Gatso and Redflex staff who will have access to this information through direct or VPN access to Nlets systems?
2. Data Security: Will Gatso or Redflex maintain working/test copies of any of the registration information outside of the Nlets firewall? If so, are there documented ways to make sure this information is protected outside the firewall?
3. Data Access: Will Gatso/Redflex have access to the entire registration record? or, will access be limited to certain fields?
4. Code Security: Will any of the code development or code maintenance be done overseas in the Netherlands or Australia? If so, will all developers be vetted?
5. Network Security: Will overseas developers/site suport staff have access to the data behind Nlets firewalls? What extra precautions will be taken to protect Nltes systems/networks from abuse/attack?
6. Code Security: Will Nlets conduct any security testing on code loaded on the servers behind their firewalls?
7. Stakeholder Support: Have all 50 U.S. states, and provinces in Canada, been made aware of this new information sharing relationship? Do they understand all of the nuances of the relationship? And, are they satisfied that their constituents personal information will be protected?
8. Audit/Logging: Will all queries to vehicle registration information logged? Is someone checking the logs? How will Nlets know if abuses of authorized access are taking place?
9. Public Acceptance: How do states inform their constituents that their personal vehicle registration information is being made available to foreign owned company? Will they care?

How these questions are answered will determine whether or not we should worry…

Did I miss any other important questions?

Beyond this particular press release and blog posting, I suggest that you consider asking these kinds of questions whenever your agency is considering opening/connecting its data systems to outside organizations or private companies—it may just prevent your agency from becoming a headline on tonights news, like St. Louis –> St. Louis Police Department computer hacked in cyber-attack .

The bottom-line is that whenever you take advantage of opportunities to apply innovative technologies to public safety, make sure that you cover ALL the bases to protect your sensitve data and PII from leakage, direct attacks, or misuse and abuse.

As always, your thoughts and comments are welcome.

r/Chuck

Economic Espionage: Spies, damn spies, and the real threat (Part 1 of 2)

When  most people think of spies, they think of the Rosenbergs who gave up atomic research in 1942, John Walker who gave up Naval radio communications in the 1980s, or the likes of  Aldrich Ames and Bob Hanssen who compromised CIA and FBI programs (respectively).  But, have you ever heard of Ho, Yang or Min?

• Chester Ho, a naturalized U.S. citizens, was arrested after stealing the plant cell culture technology from Bristol-Myers Squibb–nearly $15 million loss
• Hwei-Chen Yang was arrested after stealing adhesive trade secrets from Avery Denison–nearly $60 million loss
• Yonggang Min walked out the door of Dupont with more than 16,000 documents from DuPont’s electronic library–nearly $600 million loss

While the Rosenbergs, Ames and Hanssen were guilty of National Security Espionage, Ho, Yang and Min were clearly engaged in Economic Espionage, or “the act of theft or misappropriation of (commercial) trade secrets.” What makes this particularly significant is the fact that the potential for economic espionage exists in virtually every corner of our way of life–government agencies, small companies, large corporations, colleges, universities, overseas research and development laboratories, and economic espionage is largely driven by one of three motives:

1. Profit;
2. Patriotism to home country; or
3. Desire to achieve academic/scientific notoriety.

While the majority of the threat can come from any of the 108 countries actively seeking to collect information about American innovations, and (a sub-set) of the 30,000,000 non-immigrant visitors to our nation every year, the threat can also come from within; companies in like sectors would love to know what the others in that sector are working on–new prescription drug? Next Ipod? Alternative fuel technologies?

So, who can threaten your innovations and intellectual property?

• Insider threats–people working for you;
• People and companies that you partner with;
• Subcontractors providing services
• University students doing research for you;
• Visitors that have an interest in what you do; or
• Competitors who seek to do you harm.

Interesting side note:  75% of the 40 proprietary and confidential information thefts studied between 1996 and 2002 by Carnegie Mellon’s CERT program in a July 2006 study were committed by current employees. Of those current employees committing intellectual property thefts, 45% had already accepted a job offer with another company. “In between the time they have another offer and the time they leave is when they take the information”

At the end of the day, you (and your organization’s leaders) are responsible for the survival of your organization, and only you can really know “Who’s in Your House” and what they are doing. The other way to put it is that if something bad happens, only you will be standing there explaining to your board of directors and shareholders what happened.

So what can you do to protect yourself? I suggest five key strategies:

• Ask the right questions;
• Do the math;
• Trust, but verify;
• Use the velvet rope and black cloth; and
• Educate, communicate and reward.

1. Ask the Right Questions

Corporate presidents and CEOs should regularly ask their security officers the following five questions:

1. What technologies/projects are most at risk?
2. Why are others interested in it?
3. Who are the specific threats?
4. Where are the vulnerabilities?
5. How are we stopping them from getting it?

Establish a good idea of what an adversary might be after, why they’re after it, and what your organization is doing to protect it from compromise. For larger organizations, with many projects, you should go through this exercise with each program/product.

2. Do the Math

You cannot protect everything, so develop a strategy to identify and protect those projects and technologies that can cause the most dire consequences to your bottom line. I suggest dividing up your organization’s projects/products into three piles.

• Pile One = those projects that the future of your company rests on or those that you risk jail time for compromise;
• Pile Two = Those projects that are important, but expendable; and
• Pile Three = Those projects that are commodities or already in the open source.

 Here is some sample criteria to help you decide which pile a project may belong in:

Sample Criteria for Pile One

• Classified or sensitive national security project
• New research and development effort
• Loss would mean significant loss of revenue and new CEO

Sample Criteria for Pile Two

• Company future doesn’t hinge on product survival
• No significant IP or trade secrets involved
• Product at the middle of “S” curve

Sample Criteria for Pile Three

• No IP or trade secrets involved
• Commodity type product or service; top of the “S” curve
• Already in the public domain

Remember: Focus on Pile One FIRST–do not be tempted to go after the low-hanging furit in piles two or three.

To be continued…In Part 2 of 2, I’ll finish with Key Strategies 3, 4 and 5.

As always, comments and houghts are welcome.

Chuck Georgo, chuck@nowheretohide.org

Chuck has served as a strategic planner, business analyst, and technologist for the National Security Agency, Federal Bureau of Investigation, Department of Homeland Security, Naval Criminal Investigative Service, Naval Security Group, Illinois State Police, and many other public and private sector organizations. He helped these agencies to develop meaningful strategies, to implement innovative technologies, and to assess their success towards achievement of desired public safety and homeland security results. He currently serves as Executive Director for NOWHERETOHIDE.ORG, First Vice President of the InfraGard Maryland Members Alliance, and Chairman, IJIS Institute Security and Privacy Committee.

NIEM and JIEM: Two Great Tastes In Justice Information Sharing

Remember the old Reese’s Peanut Butter Cups commercial? “You got chocolate on my peanut butter “…”No, you got peanut butter on my chocolate “…?  Well, this is one of these stories…

It’s no secret, the National Information Exchange Model (NIEM) is a huge success.  Not only has it been embraced horizontally and vertically for law enforcement information sharing at all levels of government, but it is now spreading internationally.  A check of the it.ojp.gov website lists more than 150 justice-related Information Exchange Package Documentation (IEPD) based on NIEM–it’s been adopted by N-DEX, ISE-SAR, NCIC, IJIS PMIX, NCSC, OLLEISN, and many other CAD and RMS projects. 

For at least the last four years, Search.org has been maintaining the Justice Information Exchange Model (JIEM) developed by Search.org.  JIEM documents more than 15,000 justice information exchanges across  9 justice processes, 75 justice events, that affect 27 different justice agencies. 

So if JIEM establishes the required information exchanges required in the conduct of justice system business activities, and NIEM defines the syntactic and semantic model for the data elements within those justice information exchanges…then…

Wouldn’t it make sense for JIEM exchanges to call-out specific NIEM IEPDs?

And vice-versa, wouldn’t it make sense for NIEM IEPDs to identify the specific JIEM exchanges they correspond to?

Here’s a diagram that illustrates this…

Let me know what you think..

r/Chuck

chuck@nowheretohide.org - www.nowheretohide.org

Intelligence Fusion Centers: A threat to personal privacy? Not if they can answer "yes" to these 10 questions.

Time Magazine just released “Fusion Centers: Giving Cops Too Much Information?” – another article in a long line of articles and papers published over the last few years by many organizations describing how fusion centers are a threat to our personal privacy.  In the article, they quote the ACLU as saying that

While I disagree with their assertion that “legal limits” are the answer (we already have lots of laws governing the protection of personal privacy and civil liberties), I do think that more can be done by fusion center directors to prove to groups such as the ACLU that they are in-fact operating in a lawful and proper manner.

To help a fusion center director determine their level of lawful operation, I’ve prepared the following ten question quiz.  This quiz is meant to be criterion based, meaning that ALL ten questions must be answered “yes” to pass the test; any “no” answer puts that fusion center at risk for criticism or legal action.

Fusion Center Privacy and Security Quiz

1. Is every fusion center analyst and officer instructed to comply with that fusion center’s documented policy regarding what information can and cannot be collected, stored, and shared with other agencies?
2. Does the fusion center employ a documented process to establish validated requirements for intelligence collection operations, based on documented public safety concerns?
3. Does the fusion center document specific criminal predicate for every piece of intelligence information it collects and retains from open source, confidential informant, or public venues?
4. Is collected intelligence marked to indicate source and content reliability of that information?
5. Is all collected intelligence retained in a centralized system with robust capabilities for enforcing federal, state or municipal intelligence retention policies?
6. Does that same system provide the means to control and document all disseminations of collected intelligence (electronic, voice, paper, fax, etc.)?
7. Does the fusion center regularly review retained intelligence with the purpose of documenting reasons for continued retention or purging of outdated or unnecessary intelligence (as appropriate) per standing retention policies?
8. Does the fusion center director provide hands-on executive oversight of the intelligence review process, to include establishment of approved intelligence retention criteria?
9. Are there formally documented, and enforced consequences for any analyst or officer that violates standing fusion center intelligence collection or dissemination policies?
10. Finally, does the fusion center Director actively promote transparency of its lawful operations to  external stakeholders, privacy advocates, and community leaders?

Together, these ten points form a nice set of “Factors for Transparency” that any fusion center director can use to proactively demonstrate to groups like the ACLU that they are operating their fusion center in a lawful and proper manner. 

As always, your thoughts and comments are welcomed…r/Chuck

"Shovel-Ready" Projects for Public Safety

Change you can believe in!  Change is here!  Yes we can! 

While we eagerly wait to see how our 44th President translates these memorable election mottos into tangible projects for rebuilding our nation’s infrastructure, one colleague of mine, Charles Jennings, CEO of Swan island Networks stepped up and laid out eleven very forward leaning “shovel-ready” ideas for investing in America’s “virtual” infrastructure.  Below I point out three of Charles’ ideas that have a direct impact on law enforcement and public safety,; and include some personal thoughts.

- National Information Exchange Model (NIEM) – Let’s speed-up development and implementation of NIEM; this is critical for expediting law enforcement and homeland security information sharing programs such as N-DEx, LInX, ISE-SAR, and others.

- Rural Broadband – While this is good for our ecomomy, it’s VERY good for small rural law enforcement agencies, many of which who still do not have decent internet access.

- State/Local/Tribal Clouds – While this is good for agencies of any size, this will (again) benefit the smaller law enforcement agencies who don’t have the time, expertise, or resources to be in the “IT” business; shared-services using in-the-cloud strategies can bring advanced capabilitis to these agencies very quickly.

You can see Charles’ paper in its entirety here –> http://www.swanisland.net/solutions/Shovel-Ready.pdf

As always, your thoughts and comments are welcomed…r/Chuck