Information sharing imperatives may trump security

While the technical infrastructure required to support information sharing doesn’t really change from context to context, security and privacy requirements applying to senders and receivers of information do vary quite a bit depending on the domain. In the health information exchange arena, these differing requirements and the inability to reconcile them have served to slow participation in health information exchange initiatives such as the Nationwide Health Information Network (NHIN). One of the information sharing solutions often held up as a model for other domains is the federal Information Sharing Environment (ISE), developed as a trusted infrastructure for sharing information about terrorist threats among federal, state, and local intelligence, law enforcement, defense, homeland security, and foreign affairs organizations. Concerns over establishing and maintaining appropriate protections for the data shared in the type of information exchange envisioned for the ISE have resulted in less actual sharing of information than was intended, a problem the administration is now trying to address.

Noting the proliferation of distinct and often incompatible data classification schemes by different organizations possessing relevant information, the administration in May directed an interagency task force to review procedures on classifying sensitive-but-unclassified data and make recommendations on ways to standardize classification guidance to facilitate the exchange of this information. The recommendations, released last week, give greater information sharing such high priority that the lack of consistent or comprehensive security controls should not stand in its way. This finding might seem counter-intuitive at first glance given the sensitivity normally associated with terrorism data, but the recommendation is actually an excellent example of risk-based decision making on security. Simply put, the value of having more of this data available to those needing it to protect the nation from terrorist threats outweighs the risk from the potential disclosure of this information beyond its intended audience. There is certainly an implied expectation that security will continue to be addressed and that more robust security controls will be applied to information exchanges as agencies come to agreement on the technologies and procedures that will be used, but in the meantime, the report determines that the anti-terrorism mission should not be constrained by insufficient sharing of sensitive-but-unclassified information.