Paul Hubbard Portfolio Manager, Border and Transportation Security Information Sharing: Barriers and Solutions Sept 9 Workshop Summary Presented to Armed Forces Communication and Electronics Association, Oct 7, 2014
Capability Gap around the Exchange of Sensitive Information
CSSP motivation for working in this space: a recurring request from partners to fund a solution to: “controlled cross-agency information sharing to enable …
Examples:
- Exploiting sources of data (“Big Data”) for targeting at the border while respecting privacy legislation.
- Sharing real-time Critical Infrastructure status with EMOs during emergencies – without allowing unfettered access to commercially sensitive information.
- Sharing vessel details (cargo, destination, etc.) without revealing personal information (crew names).
- Sharing stolen vehicle VIN data with foreign authorities without sharing names of owners.
- Enabling surveillance of Emergency Room data to detect syndromes without divulging personal medical records.
Challenge of Domestic Military Support: Marine Security Operations Centre
- Department of National Defence Responsibility in MSOC: Produce timely situational awareness in the GL - MSOC Area of Responsibility (AOR) by building a Recognized Maritime Picture (RMP)
- ISSUE: Without addressing information sharing, legislation and security clearances, all of which have a direct impact on collaboration, it will be more difficult for the GL MSOC to achieve its outcomes.
Workshop Sept. 9 Summary
- Full day workshop with participants from provincial EMOs, RCMP, CBSA, Justice Canada, Privacy Commissioner, Public Safety and CSS.
- Explored 5 use cases, found common barriers and status of project team solutions.
- Workshop Outcomes:
  - Shared emerging solutions between project teams.
  - Identified common aspects for future S&T investment.
Information Exchange “Barriers”: Privacy, Secrecy, Policy, Technology, Culture
Privacy
- ‘Personal Information’: s. 3 of the Privacy Act: “information about an identifiable individual that is recorded in any form”
  - Subject to certain exclusions
  - Contextual
- The four part test: Necessity, Effectiveness, Proportionality, Minimization
- Beware Data Aggregation
- Federal Office of the Privacy Commissioner of Canada => Privacy Impact Assessments
Secrecy
- DND classifies sensitive information for national security, and to protect sources and capabilities
- Classifications do not match across organizations: Protected A, B, C and Secret, TS
- For Official Use Only (FOUO) emerging from US “Law Enforcement Sensitive”
- Non-sensitive data elements often embedded with sensitive information (like object level marking on docs)
- In public security, what is sensitive changes dynamically.
Policy
- When appropriate legislation exists, it is an enabler, example: Sec. 7 and 8, Privacy Act: classified/designated national security information may be shared with an appropriate department/agency based on:
  - Need-to-know, which means the need for someone to access and know information in order to perform his/her duties, and
  - Right to know, which means the legal authority, including the appropriate security clearance, to access classified information.
- Many organizations have their own policy and Standard Operating Procedure
- IT security policies inhibit direct connection by external users (air gap networks ‘to be safe’)
Technology
- Our workshop concluded that technology is NOT a barrier to information sharing.
- Multi-Level security solutions exist but there is a challenge to improve their efficiency.
- Data-centric solutions exist that may weaken the need for an air gap.
- One known weakness: Solutions that adapt to changes in sensitivity level
Culture
- Culture of Caution around privacy. As Canadians, we tend to be over-cautious on this, when in fact the impact assessment may permit the sharing.
- Well-functioning information exchange is often personality based (trust), so personnel change can close a path.
Aspects of the solution – Advice to Stakeholders
- Consider privacy early in projects: Privacy by Design
- Use the Privacy Impact Assessment to determine limits of what can be exchanged
- Exploit data standards, use of the National Information Exchange Model (NIEM)
- Combine Data-centric approaches with network protection
- Beware the Risks and efficacy in anonymizing data “enough meta-data and you don't need the content”
Way Forward for CSSP
- Goal: Enhance success ratio of transitioning CSSP investments (which can be limited by info sharing issues)
- We need to support sharing and exploit best practices, avoid “one-offs”, promote data standards and a library of standard implementations
- Key Initiatives at CSSP:
  - MASAS: Multi-Agency Situational Awareness System implements a single hub-and-spoke solution
  - SAMSON: Secure Access Management for Secure Operational Networks demonstrates a data-centric solution integrated with existing corporate applications
Thank you and Questions