The U.S. intelligence community spent the latter half of the 20th century developing tools and procedures needed to stay ahead of adversaries during the Cold War. But that conflict is now over, and new threats and the onset of the Digital Age have made many of those policies and procedures obsolete.
A perfect example is the Department of Defense "Policies for the Management and Control of Information," which was first established in 1976 and last updated in 1982. Since that update, the threat landscape has shifted from tensions between two superpowers to rogue nation-states and terrorist organizations. At the same time, the rise of the internet has created an interconnected, worldwide information network like the world has never seen.
These new challenges call for new procedures around how information on U.S. citizens is collected, stored, accessed and disseminated, according to Michael Mahar, senior intelligence oversight official at DoD.
"It's like the constitution of intelligence collection," Mahar said while unveiling significant changes to the policy during a keynote at the 2016 DoD Intelligence Information Systems (DoDIIS) conference in Atlanta on Aug. 1. "It was developed a long time ago but has stood the test of time. But right now it's starting to show its age."
Mahar and a team of 30 senior officials from DoD, the Department of Justice and the Office of the Director of National Intelligence went through the policy line by line to address the latest advancements in technology and the challenges they create.
Shared Repository, Shared Responsibility
One of the big lessons from the terrorist attacks on Sept. 11, 2001, was the need to share more information among members of the intelligence community, Homeland Security and law enforcement. But with a shared repository of information comes new challenges, including regulating access to sensitive data.
"What we've done is, for the first time, established rules and procedures and responsibilities for both the hosts and the participants in these systems," Mahar said.
For the hosts — the agency or organization managing the information and database — the responsibility will be to support the systems they maintain and, more importantly, manage access to those systems to ensure only the right people are seeing sensitive information.
Participants — outside users given access, whether from DoD or elsewhere — will have to sign an agreement showing they understand the policies and procedures associated with using that database and will ensure they are followed.
One of the more important aspects of the policy establishes how long information on U.S. persons can be held before it must be deleted.
Under the current standard, the clock on U.S. persons information (USPI) begins when the data are "received for use." Using that wording, agencies can hold onto information for an indefinite amount of time, so long as it is not analyzed, Mahar pointed out.
The revised policy redefines the term as "collection upon receipt."
"The big change now is that information, as soon as it is collected and goes into that repository, that stopwatch clicks and the timeline starts," Mahar said.
The types and methods of collection are divided into four categories, each with its own timeline.
Retention, Audits and Queries
Along with the institution of new rules around collection and deletion timelines come new procedures for auditing and tracking access to information.
The new policy requires repository hosts to implement "reasonable steps" to audit queries to the database (i.e., review who wants access to what information and why) and manage access to that information.
Mahar noted the language is meant to be flexible.
"It allows for growth in technology and for innovation and new procedures," he said. "We recognize that what might be practicable today might not be tomorrow — we might expect more."
Finally, the revised policy includes strict rules for disseminating USPI. Mahar outlined three major changes coming with the new policy:
- Dissemination of large amounts of unevaluated USPI requires high-level approval.
- To the extent practicable, do not include USPI in a dissemination if pertinent information can be conveyed in an understandable way without including the identifying information.
- If a dissemination includes USPI, notification must be provided so the recipient can protect USPI appropriately.