Information Sharing

My name is Richard Wilhelm, formerly of the CIA and NSA, a few other organizations of the Intelligence Community, and currently at Booz Allen Hamilton. You are at a conference on information security at a session on information sharing. I have 50 minutes to prove this is not a contradiction. When I started out in intelligence work, the only people who wanted us to share information were Russian spies. But the world has changed, and so must we.

Today we all have an interest in information sharing. It is crucial to our homeland security. We need a trusted submission system and a secure network that both shares and protects information. We must share information in a way that protects sources and methods, does not compromise investigations, and safeguards the equities of industry. We need to address the cultural issues that are an impediment to sharing, and we need to promote trust.

Now that you are all asleep, I don't know if you noticed, but I just recited a list of platitudes. The assertions are true but they're far too timid. Stated as general principles, they are widely accepted. But if you break them down into the hard tasks and tradeoffs they require, they're sure to start a fight. To avoid fights, we avoid specifics. In an effort to be uncontroversial, we have understated the scale of the challenge. We've been having the wrong conversation, and that has slowed our progress in information sharing.

Let me give you one example where progress has come too slowly. An FBI memo in July 2001 warned that Al Qaeda could be training terrorists in U.S. flight schools. The White House has acknowledged that the President's Daily Briefing in August 2001 suggested Al Qaeda might hijack planes in the U.S. Also in August 2001, the FBI arrested an Arab described as having "Islamic extremist beliefs" who approached a flight school in Minnesota offering to pay cash to learn how to steer a 747 — not land or take off. Finally, a report commissioned by the National Intelligence Council two years before September 11 warned that Al Qaeda suicide bombers could (and I quote from the report) "crash-land an aircraft packed with high explosives into the Pentagon, the headquarters of the Central Intelligence Agency or the White House."

New York Times columnist Thomas Friedman wrote that our failure to prevent the 9/11 attacks was "a failure to imagine." It was not. It was a failure to share information. The four facts I just mentioned were all known in August 2001, but no one official knew all four. Had one person known them all, the outlines of a plot might have emerged, and we could have taken action.

Two and a half years later, information sharing is improving across agencies, but not quickly enough, and there is still no process to get information quickly from the federal government to state and local authorities or to private entities like flight schools. We have millions of citizens in different lines of work who can be the eyes and ears of homeland defense. But it's hard to tell what you're looking at if you have only one piece of a jigsaw puzzle. The more pieces you have, the more a picture can emerge. This is the point of information sharing.

It is difficult work, and since September 11, we have done a lot but we have not done enough. If we don't make more rapid change, the terrorists will take us down or blow us up.

I started my remarks by reciting some platitudes that I said are true, but too timid and therefore slow us down. Today, I want to start a new conversation that could speed us up. I want talk about the five timid truths and the hard facts they hide.

Timid truth number one: We all have an interest in sharing information; it is vitally important to our homeland security.

True. Who could disagree? We all have an interest. But not everyone perceives their responsibilities for advancing that interest in the same way. The government believes that the cooperation of CEOs is essential to preventing terrorism. Many CEOs, who already have a crushing burden of responsibility, believe preventing terrorism is the government's job.

In traditional terms, the CEO of a bank is not responsible for national security. For example, the more terrorists target information, and the more that information is flowing on infrastructures that are privately owned and operated, the more clear it becomes that we cannot view national security as solely a government responsibility. And yet government cannot expect business to spend money and resources on issues outside its corporate purpose. We must make a business case for information sharing.

Companies already understand the business case for sharing information in certain areas within their industries. Insurance companies share information on risk factors so they can price policies. Banks and financial institutions share customers' credit histories so they can make prudent loan decisions. We need to make a new business case that private companies can prevent terrorism by sharing more information more widely.

If a cyber-terrorist hits the banking system and causes customers to lose access to their deposits, CEOs can't very well say: "It's the FBI's fault." Even if they do, it's the banks that will face the financial consequences, not the FBI. On the other hand, if the industry develops a sophisticated system of information sharing, which helps them see signs of a cyber attack and prevent it #151; that's not just a gain for national security; it's a gain for the industry as well. The same principle applies to individual businesses. A company that engages in information sharing #151; and keeps its ATMs up while others go down #151; will add luster to its brand. Security can be a great market differentiator.

A lot of work still needs to be done on making the business case. If I were in government today, I would call for a number of studies at the nation's top business schools to research two questions:

1. What combination of government and industry policies would encourage businesses to invest in information sharing and security measures that can help defend against the terrorist threat?



2. What policies would encourage individual companies to cooperate with their competitors to safeguard the common infrastructure they share — and depend on?

The right mix of policies should include incentives, cooperative arrangements, and — possibly — regulations. Such policies might and do include appropriate protections from Freedom of Information Act requirements and other unintended consequences of more open information sharing. It also might include tax incentives or subsidies for measures that also advance national security. But all ideas would flow from one fundamental idea: Government should help make the business case, and then sweeten it — because industry will share information when there is a business case to do so.

Timid Truth number two: We need a trusted submission system and a secure network that both shares and protects information.

True. We need technology to do these things. But the high-speed development of new technology, combined with the slow-moving gears of government, has created a world in which technology leads the change — and that is backward.

A successful information sharing network does not start with technology; it starts with strategy — why should we share, what should be shared, and who should be sharing it. Once these questions have been addressed, it then makes sense to ask the technology question: how do we share. The strategy must drive the technology, not other way around.

What is the strategy? Let's go to the basic questions:

Why share information? There are three reasons: To lessen the probability of a terrorist attack; to build more resilient infrastructures; to respond more efficiently in the event of an attack.

What information should be shared? Information on vulnerabilities and threats should be shared. If one part of a network discovers a virus on its system and immediately shares that information with the wider network, there could be a patch available for it before it hits other nodes.

If one financial services company uncovers an ingenious method of hacking into its computer system, and shares that information, others are more likely to catch it — or prevent it from ever occurring. Companies who share security problems and solutions develop better security and are less appealing to hackers.

Capabilities and operational details should also be shared — not to prevent attacks, but to respond to them. After an incident, and let's shift gears for a moment from the cyber domain to a more generalized bioterror incident, what matters most is instant communication among many people to resolve questions like: Where are the empty hospital beds? What are the symptoms of anthrax poisoning? And where is the largest, closest supply of antibiotics?

Who should share information? The rise of terrorism has changed the "who" part of the question dramatically. Law enforcement and public health, for example, had little need to share with each other. Then the threat of bioterrorism emerged and bridged these two groups.

The nature of the terrorist threat means it's no longer effective to distribute information on a "need-to-know" basis, because we no longer always know who needs to know. That's why the network must be large and agile — able to incorporate new members as needs change.

The essential point is this: "why", "what" and "who" questions must be asked and answered. Then we ask how — and develop the technology to serve the strategy.

Timid Truth number three: We must share that information in ways that protect sources and methods, do not compromise investigations, and safeguard the equities of industry.

True. We have to preserve everyone's equities — as much as possible. But we talk about the issue as if there is a magical approach that preserves everyone's interests, and there is not. We simply cannot share more information than before without accepting more tradeoffs than before. We have to be forthright about that.

With the proliferation of strong commercial encryption, you all will remember the clipper chip — a technology proposed to allow law enforcement to decipher encrypted communications of suspected criminals and terrorists. When this issue hit the White House in early 1994, I had just been hired as the subject matter expert in this area on the National Security Council staff, a frightening fact in and of itself — given that I had only received my first briefing on public key encryption a week before. My job was to develop a policy to protect the national security interest while advancing the interests of industry and of privacy groups. After a few days, I came to my conclusion: this was impossible. There was simply no process in place to do this.

In my first week I had to represent the White House at a bizarre public policy debate at Georgetown University Law School on the pros and cons of Clipper Chip. You had somebody from the White House. You had somebody from the FBI. You had somebody from the privacy community and somebody from the vendor industry, and each had cheering sections. Somebody would make a point, and there would be a boo or a cheer. We were making national security policy by applause meter.

This issue deserved a policy developed in a candid public conversation about the tradeoffs. But instead of a national conversation, there was a one-on-one conversation between me and a young White House staffer, who said: "We're rolling this out tomorrow, let's type up some talking points." We weren't given the authority to open a dialogue on how to balance contending stakeholder interests, so all we could write was: "Everyone's equities will be protected." But all the equities couldn't be protected — because some were in direct conflict. Tradeoffs were called for, but could only be brought about if we reached a consensus on a national security rationale that was understood and accepted by all parties.

Eventually, the national security advocates caved somewhat, because the Administration never managed to make a national security argument that the business and privacy community felt obliged to accept.

That is a lesson of precisely how not to deal with the tradeoffs necessary when the interests of national security, privacy, and economic vitality collide again over the issue of information sharing. The higher purpose of preventing terrorist attacks should be the constant backdrop of the conversation. The need for tradeoffs has to be acknowledged, and the burdens should be fairly distributed and freely accepted.

If we keep holding onto the fiction that everyone can have it all, then we can't discuss tradeoffs, no one will give up anything, and we will never have the information network we need for our homeland defense.

Timid truth number four: We need to address the cultural issues that impede sharing.

True. But we need to understand that a culture is built around how people are rewarded, and that can be changed only from the top. In 1989, I was working at the NSA, where I was responsible for the flow of information from a number of satellite systems. When we were able to identify a ship likely to be running drugs, we would go to the Coast Guard, DEA and Customs, and say, "We've got some information. Are you interested?"

Now I'm over-simplifying a bit each agency said: "We're interested if you give it only to us." The Coast Guard wanted a bust on the high seas. Customs wanted to get it when it was coming through the port. The DEA wanted to follow the drugs to see where they went and then do the bust there.

Each agency wanted credit for the bust, and each knew there was no credit for an assist. A culture that promotes information sharing will be a culture that gives credit for an assist.

Let me give one example of an operational change that this mindset would bring to the IC. Traditionally, the IC has kept all its information tightly held with narrow distribution on a need-to-know basis.

In practice, that meant that an agency would first write a classified report — then, maybe, write an unclassified report that could be more widely distributed. To make sure more information is available to partners in the private sector, agencies could reverse that process — to initially write an unclassified report designed to be useful to the broadest audience possible and then add the tear line that's got the classified portion for a narrower group of consumers.

This kind of change will happen only through a mandate from the top in the form of new incentives that create a new outlook and — over time — a new culture. But rewarding information sharing is only one side of the coin; there is also the challenge of trust.

Which brings us to Timid truth number five: We need to promote trust.

True. We need to promote trust — but that doesn't capture the challenge. In the old model, information was shared in limited amounts, between similar organizations, among people who knew each other. Today, information must be shared in large amounts, among dissimilar organizations, between people who don't know each other.

The old model gives little guidance for building the new model — because a system of information sharing can't be scaled up if it depends only on trusting people we know. We have to find ways to trust people we don't know.

There is an important role here for technology. In the example of the eBay online auction site, the Web site has increasingly taken on the role of a trust broker — because its own success depends on creating trust among people who don't know each other. Law enforcement has used technology to scale up trust with HIDTA — or High Intensity Drug Trafficking Area. HIDTA is a network that builds personal relationships with police officers, accepts information from them, and shares it with other officers. By transferring information between officers who don't know each other, HIDTA becomes a bridge of trust between the two.

Our challenge is to transfer the trust we have in individuals into a trust of institutions and processes. We cannot do this — no matter how effective our technology — unless we recognize that trust is a two-way street. On one side of our coins and bills we print the phrase: "In God We Trust." The other side should say: "But Does God Trust Us?"

I was in New York with a group of top banking security officials on September 10, 2002. Tom Ridge had gotten their CEO's on the phone to say, "In 20 minutes I'm going to go on television and announce that we're going to raise the threat level to Orange." That was it. Everybody was saying, "Wait a minute. If we're partners, why didn't you tell me a little more?"

They weren't asking for much. They didn't want to know Dick Cheney's location. They just wanted to know if there was anything specific to look out for — if there was anything they could do to protect their businesses.

You can't expect people to trust you with information unless you trust them with information.

When I lived in Japan, I was fascinated by the way the Japanese prized the blowfish, fugu, both as a deadly delicacy and a culinary masterpiece. The blowfish contains a poison that is 1,200 times stronger than cyanide; a single fish contains enough poison to kill 30 people. Improperly prepared, it kills its consumer. For this reason there is an elaborate certification program for those licensed to prepare it for the public. The chef must himself catch, clean, and prepare the fish — and then eat it. The popular joke is that — either way, the you get a certificate.

If you want others to take a risk, you have to be willing to take a similar risk.

I told you I have five timid truths — in fact, I have another, and here it is: Timid Truth number six — and this runs through all the other timid truths — "We need to ...." "We need to do this" "We need to do that."

True. We need to do a lot of things. But who the hell is "we"? You and me? The United States and France?

In my view, our goals on information sharing require difficult tradeoffs and tough decisions that cannot be made without a massive national conversation; a conversation that is perhaps started by the President and joined by agency leaders, industry leaders and the public. This can't be like that staged debate over the clipper chip at Georgetown University, where everyone left with the same convictions they came with. It has to be a sincere process where stakeholders come together, as equal partners, to agree on the national security imperatives, debate the tradeoffs, work toward solutions, and commit to making sacrifices to defend the homeland.

It is reasonable to expect — in the case of a national project this urgent and important — that the President would sponsor a White House initiative to build a national information sharing concept that will prevent terrorist attacks, make our infrastructure more resilient, and enable a better response to a terrorist event. It is hard to see how we can improve the pace and scale and focus of our efforts without high-level White House leadership.

I opened my remarks by reciting the timid truths. Let me close by summarizing the hard facts.

1. Government must make an aggressive business case for information sharing; industry will share information when there is a business case to do so.



2. Technology is important, but strategy comes first. We have to answer why we share, what we share, and who should share. Then, we deal with how.



3. We cannot share more information unless we accept more tradeoffs. Everyone has to give up something to protect the country from terrorism.



4. Changing cultures requires changing incentives. This can be done only at the top.



5. We have to scale up trust — to find ways to transfer trust in an individual into trust of an institution and processes.



6. If we're going to get the information-sharing network we need, the White House must lead.

These challenges are tough and will require some sacrifice. It's rare to find long lines of people waiting to sign up for sacrifice. But think for a moment of the actions of firefighters and police and ordinary office workers on September 11. People's willingness to sacrifice for others is the most heroic act there is — and you could see it everywhere on September 11. America's challenge is to make sacrifices to save lives over the long-term — the way the heroes of September 11 were willing to make sacrifices to save lives in the short-term. If we are going to build a network to defend the homeland, we have to sound the alarm before we feel the heat.

Thank you.