Academic journal article Homeland Security Affairs

Prototyping Fusion Center Information Sharing: Implementing Policy Reasoning over Cross-Jurisdictional Data Transactions Occurring in a Decentralized Environment

Academic journal article Homeland Security Affairs

Prototyping Fusion Center Information Sharing: Implementing Policy Reasoning over Cross-Jurisdictional Data Transactions Occurring in a Decentralized Environment

Article excerpt

Introduction

After 9/11, a cry arose within the United States that the terrorist attack could have been averted if government agencies had shared what they knew with each other. While the accuracy of that claim remains in debate, there is significant evidence that agencies were sharing less than expected and that they would operate more effectively if they shared more information. Three years later, having not made significant progress towards that goal, the White House issued an Executive Order mandating the creation of an Information Sharing Environment; this goal was reinforced by Congress later the same year when it was mandated in a new statute.1

In the years since the goal was set, an impediment to implementation has been identified. The sharing is mandated to be performed "[t]o the maximum extent consistent with applicable law." However, a gap exists between the laws and policies enacted by government to regulate the handling of information and the ability to enforce those policies in computer systems. There is a strong need to bridge that gap as more data is or is desired to be collected, shared, and manipulated. Responsible managers and interested citizens alike are seeking the means to ensure that systems more effectively implement rules about privacy, security, and the appropriate conduct of government business. But, while people can express rules with complex reasoning, context, and reference to information not contained in the subject data, information systems historically have not been able to process policies written this way.

For example, consider the following snippet of legislation enacted by the state of Maryland:

A. Subject to the provisions of Regulation .12B, the Central Repository and other criminal justice agencies shall disseminate CHRI, be it conviction or nonconviction criminal history record information, to a criminal justice agency upon a request made in accordance with applicable regulations adopted by the Secretary. A criminal justice agency may request this information from the Central Repository or another criminal justice agency only if it has a need for the information:

(1) In the performance of its function as a criminal justice agency; or

(2) For the purpose of hiring or retaining its own employees and agents.2

It is clear that the intent of this legislation is to regulate the transmission of sensitive criminal history record information so that it is only used for appropriate purposes. However, the interactions between this specific policy and other policies at the organization, state, and federal level could potentially be very complex, and it is not feasible for humans to reason over all of them simultaneously. In addition, the rules and terms used in policies often reference other policies and pieces of information located in different databases or organizations, which makes it difficult to efficiently verify compliance by hand. Finally, given the number of transactions that happen per day, if a violation does occur, it is difficult to verify exactly which information sharing transaction was non-compliant with the applicable policies.

Given that computers are already ubiquitous in data sharing environments due to the ease of sharing and aggregating information, it is worthwhile to investigate whether or not they can also solve the problems listed above. We built a prototype of an "accountable system" to address this challenge by using semantic web technology. Semantic web technology generally seeks to express data on the internet in a way such that machines can reason over the semantics of the data more readily. An accountable system is one that both knows which policies apply to which data (policy awareness), and one that can reason over complex policy and the details of data transactions. These two functions together allow organizations to fulfill their obligations in a transparent and policy-aware manner. …

Search by... Author
Show... All Results Primary Sources Peer-reviewed

Oops!

An unknown error has occurred. Please click the button below to reload the page. If the problem persists, please try again in a little while.