This graduate course provides an overview of information sharing within the national security/homeland security enterprise with a focus on the information sharing necessary to protect and make the Nation’s critical infrastructure more resilient. This is a multi-faceted course that will expose learners to complex public-private sector policies, plans, partnerships, processes, procedures, systems, and technologies for information sharing. The course is designed to promote subject-matter understanding, critical analysis of issues, and insight into senior leader decision-making in both the public and private sectors. It also includes a practical examination of stakeholder interaction through an interactive tabletop (or, alternatively, computer lab) exercise, the development and sharing of a threat-warning product, a research paper, and oral presentation. The overall goal is for learners to gain insights into how the sharing and fusion of information can lead to timely and actionable products that, in turn, will enable private sector owners and operators to become better prepared and be better able to protect the Nation’s critical infrastructure. Finally, the course will demonstrate how information sharing can serve as an enabler to foster a partnership-focused networked protection and resilience regime.
Credits Conferred: 3
PREREQUISITE: Introduction to Critical Infrastructure Security and Resilience
Learner Outcomes/Objectives (As Mapped Against Department of Homeland Security Critical Infrastructure Core Competencies): This course is designed to enable learners to:
Identify the authorities, roles, responsibilities, and capacities of key critical infrastructure public and private sector stakeholders regarding homeland security information sharing:
Federal, State, tribal, territorial, regional, local, private sector, and international
National Terrorism Advisory System (formerly Homeland Security Advisory System) Alerts (e.g., Aviation Subsector)
London Transit Bombings
Christmas Day Bomb Threat
Aviation Cargo Parcel Bombs
Boston Marathon Bombing
Terrorist Surveillance of a Nuclear Power Plant (exercise)
Delivery Method/Course Requirements:
Course delivery will be through directed readings, class participation, information sharing product preparation, research paper, information sharing exercise, and class oral presentation. This is a graduate level course. The learner will gain, in an independent manner, a body of knowledge pertaining to critical infrastructure security and resilience and an ability to communicate his/her understanding and assessment of that knowledge to fellow participants and faculty via discussions and written papers. Learners are expected to familiarize themselves with the assigned topic and readings before class and should be prepared to discuss and debate them critically.
The assigned course readings include a variety of resources, such as authoritative readings (legislation, executive orders, policies, and plans and strategies), implementation readings (government products that are responsive or attempt to fulfill the requirements of authoritative documents), and external reviews (U.S. Government Accountability Office, Congressional Research Service, etc.). Participants are expected to familiarize themselves with the assigned topics and readings before class and should be prepared to discuss and debate them critically as well as analyze them for biases and multiple perspectives.
General Course Requirements:
Class attendance is both important and required. If, due to an emergency, you will not be in class, you must contact your instructor via phone or email. Learners with more than two absences may drop a letter grade or lose course credit.
It is expected that assignments will be turned in on time (the beginning of the class in which they are due). However, it is recognized that learners occasionally have serious problems that prevent work completion. If such a dilemma arises, please speak to the instructor in a timely fashion.
The completion of all readings assigned for the course is assumed. Since class will be structured around discussion and small group activities, it is critical for you to keep up with the readings and to participate in class.
All cell phones should be turned off before class begins.
Class Participation 20%
Information Sharing Product 15%
Research Paper 35%
Research Paper Presentation 10%
Information Sharing Case Study 20%
Activities, Exercise And Research Projects:
Information Sharing Product Preparation (15%)
Each learner will prepare a threat-warning product for sharing. Details are given in Lesson 9.
Research Paper/Oral Presentation: (45%)
Each learner will prepare a 15-20 page research paper on a critical infrastructure information sharing issue of their choice (National, regional, State, local, sector, or international focus). The paper should be completed using the following organizational format: problem statement, background (include key players, authorities, resources, etc.), discussion (presentation of alternatives with the identification of pros and cons for each alternative), and recommendations (including rationale behind the selections). Footnotes and citations, if any, should be included on a separate sheet of paper in the proper format for review. The paper should focus on the benefits, drawbacks, and obstacles to the practical application of proposed information sharing policies, procedures, or mechanisms. The recommendations section should clearly describe the rationale for the policy options of choice.
One area that is particularly fertile ground for a research paper is to identify an information sharing barrier, explain why and how it is a barrier, and then propose solutions to overcome it. A partial list of possible information barriers includes:
Lack of nationwide awareness of the existence of the public-private partnership for critical infrastructure, how to participate in it, including its information sharing mechanisms
Lack of a national integrated communications-collaboration-information system that operates at all required classification levels
The process required for critical infrastructure owners and operators to obtain and maintain a security clearance
Inability of critical infrastructure owners and operators to make the business case for taking the time to participate in information sharing within their critical infrastructure sector and/or with the government
Insufficient Federal government resources to fully support Critical Infrastructure Information Sharing Working Groups, to include staffing, subject-matter experts, and compensation for time and travel
Inadequate attention paid to the front end of the information sharing lifecycle, namely to the definition of critical infrastructure information and intelligence needs and requirements
Lack of U.S. Department of Homeland Security (DHS) statutory authority to declassify or downgrade information classified by other Federal agencies in order to share it more broadly with critical infrastructure owners and operators
Lack of sufficient credible indications and warnings that can be responsibly shared
Lack of training for owner and operator staff and decision-makers about how to deal with marginally credible threat information
Fears of liability that may accompany advance knowledge of risks
Lack of proactive risk information exchanges short of credible threat warnings, such as identification of shared risks and collaboration on how to manage them
Each learner will present a summary of his/her research topic (no more than 6-10 minutes in length) to the class during Lesson 15. The presentation format will mirror that of the research paper. Research papers will be submitted either in person or electronically on the day of the learner’s oral classroom presentation. Prior approval of the topic for the research paper is required. Learners should submit a one-paragraph written description of their proposed topic in class or via email for approval no later than the beginning of class on Lesson 5.
3. Information Sharing Case Study (20%)
Learners will apply critical infrastructure security and resilience knowledge and skills to a case study of the 2001 Howard Street Tunnel Fire. Prior to class, learners should read the specified case narrative and be prepared to engage in critical analysis. Subsequent to the in-class discussion and evaluation, learners will complete a 2-3 page reflection paper chronicling his/her experience and lessons learned. Reflection papers will be submitted at the beginning of the next class.
4. Expectations for Participation (20%)
Participation includes coming to class prepared and participating in class discussion.
Incorporation of Feedback:
The course instructor will provide multiple opportunities for learners to provide constructive feedback over the period of the course. These may be in the form of group sessions or one-on-one sessions with the instructor. Learners will be afforded the opportunity to complete in-class evaluations following the critical infrastructure information sharing case study, as well as at the end of the course. On-line feedback is also encouraged throughout the course. Finally, the instructor will provide written feedback to the learners on the course research paper, oral presentation, and information sharing product paper.
The following textbook is identified as a primary textbook for the course. The textbook will be supplemented by additional readings for each lesson either accessible on-line (with website addresses provided in the lesson description sections that follows below) or provided by the instructor.
Bullock, Jane, Haddow, George, Coppola, Damon P., and Yeletaysi, Sarp. Introduction to Homeland Security, Fourth Edition: Principles of All-Hazards Response. Burlington, MA: Butterworth-Heinemann, 2012.
Lesson 1 Topic: The Need For Information Sharing For Critical Infrastructure Security And Resilience
1. Lesson Goals/Objectives:
Discuss the course scope/content, administrative requirements, instructional methodology, evaluation criteria, and feedback processes.
Explain the evolution of critical infrastructure security and resilience partnerships and information sharing (and related lexicon) as a national policy focus areas.
Analyze why government-private partnership and information sharing arose out of the Oklahoma City (1995) and September 11 (2001) attacks.
Analyze the differences in the needs for information sharing within the Intelligence Community (IC); between the IC and other Federal agencies (including DHS); and between Federal agencies and State, local, tribal, and territorial governments, as well as regional, private sector, and international partners.
Explain the differences and similarities in the kinds of information that need to be shared prior to, during, and after a major natural disaster, a terrorist attack on the homeland, and other man-made events.
Explain the need for routine risk information sharing to support government-private sector planning and resource investment for critical infrastructure security and resilience.
Explain the fundamental barriers to partnerships and information sharing within the critical infrastructure and resilience mission area.
2. Discussion Topics:
What were the barriers to information sharing between elements of the IC and the Law Enforcement community (e.g., FBI) pre-9/11?
Which barriers were legislative/ regulatory and which were institutional/cultural pre-9/11?
How would you characterize the differences — with respect to ease, speed, and content — between information sharing among the following partners: the IC and other Federal agencies, including DHS; between DHS and Federal, State, and local Governments; and between DHS and private sector partners?
What are the barriers to sharing Law Enforcement Sensitive (LES) and classified information with the private sector today? Can these barriers be overcome?
How can unclassified information be used to protect critical infrastructure in advance of a terrorist attack or major natural disaster?
How can classified information be used to protect critical infrastructure in advance of a terrorist attack or major natural disaster?
What did the WikiLeaks event during December 2010 illustrate regarding controls for handling sensitive and classified information?
Give an example, real or hypothesized, concerning how government and industry might share risk information for purposes of planning critical infrastructure security and resilience.
Textbook: Chapters 1-2
Implementing Recommendations of the 9/11 Commission Act of 2007, Pub. L. No. 110-53, 121 Stat. 266 (2006). http://www.intelligence.senate.gov/laws/pl11053.pdf.
TheWhite House.National Strategy for Information Sharing. 2007. http://georgewbush-whitehouse.archives.gov/nsc/infosharing/index.html.
The 9/11 Commission. The 9/11 Commission Report. 2004. chap. 3, 8. http://govinfo.library.unt.edu/911/report/index.htm.
USA PATRIOT Act of 2001,Pub. L. No. 107-56, 115 Stat. 272, (2001). http://fl1.findlaw.com/news.findlaw.com/wp/docs/terrorism/patriotact.pdf.
4. Additional Recommended Reading:
Hoffman, David. The Oklahoma City Bombing and the Politics of Terror. 1998.
The White House, The Federal Response to Hurricane Katrina - Lessons Learned. 2006. http://georgewbush-whitehouse.archives.gov/reports/katrina-lessons-learned/.
Lesson 2 Topic: Legislative And Executive Policy Mandates For Information Sharing
1. Lesson Goals/Objectives:
Explain how the various acts of legislation and Executive Orders and policies governing government-private sector partnerships and information sharing.
Describe the foundation provided by the 9/11 Commission Report for much of the policy put in place over the past decade in this area.
Explain the concepts and functions associated with the Information Sharing Environment (ISE) created by the Intelligence Reform and Terrorism Reduction Act (IRTRA) of 2004, including the ISE private sector component.
Recognize Describe the role of the DHS/Office of Infrastructure Protection as Federal lead for integration of the private sector into the ISE.
Why was there a need to enact IRTRA subsequent to the Homeland Security Act of 2002? What new authorities were provided and for whom did it provide them?
When DHS was reorganized after the Second Stage Review, where was the responsibility placed for sharing threat information with the critical infrastructure sectors?
How do the referenced acts of legislation, Executive Orders, policies, and strategies address the matter of sharing information between government and the private sector, and vice versa? Do any of the legislative or executive mandates direct or request the private sector to share information?
What is the significance of making the private sector an official component of the ISE? How does it affect the Government – private sector relationship?
How do the 2014 Quadrennial Homeland Security Review and DHS Bottom-Up Review address partnering and sharing information for critical infrastructure and resilience?
Taken collectively, do all of the authorities and mandates referred to above provide an adequate basis for a robust information sharing environment? Are any additional authorities needed?
Textbook: Chapters 3-4
U.S. Department of Homeland Security. Quadrennial Homeland Security Review. 2014. http://www.dhs.gov/sites/default/files/publications/qhsr/2014-QHSR.pdf.
U.S. Department of Homeland Security. Bottom-Up Review. 2010.
U.S. Gov’t Accountability Office GAO-08-492, Information Sharing Environment: Definition of the Results to Be Achieved in Improving Terrorism-Related Information Sharing Is Needed to Guide Implementation and Assess Progress, (2008), http://www.gpo.gov/fdsys/pkg/GAOREPORTS-GAO-08-492/content-detail.html.
Homeland Security Act of 2002, Pub. L. No. 107-296, 116 Stat. 2135 (2002). http://www.dhs.gov/xlibrary/assets/hr_5005_enr.pdf.
Intelligence Reform and Terrorism Prevention Act (IRTPA) of 2004, Pub. L. No. 108-458, 118 Stat. 3638. http://www.nctc.gov/docs/pl108_458.pdf.
The White House. National Strategy for Information Sharing. 2007.
ISE. ”Sharing with the Private Sector.” Accessed July 1, 2014. http://www.ise.gov/sharing-private-sector.
Information Sharing Governance Board. DHS Strategy for Information Sharing.
The White House. Guidelines and Requirements in Support of the Information Sharing Environment. 2005. http://www.fas.org/sgp/news/2005/12/wh121605-memo.html.
The 9/11 Commission. The 9/11 Commission Report. 2004. chap. 13. http://govinfo.library.unt.edu/911/report/index.htm.
Additional Recommended Reading:
Best Jr., Richard A. Cong. Research Serv., RL33873. Sharing Law Enforcement and Intelligence Information. 2007. http://www.fas.org/sgp/crs/intel/RL33873.pdf.
IT Law Wiki. “Information Sharing Environment.” Accessed June 19, 2014.
Paul, Kshemendra N. InformationSharing Environment: Annual Report to Congress. 2010.
http://www.fas.org/irp/agency/ise/2010report.pdfPiette, D.C. and Radack, J. “Piercing the ‘Historical Mists’: The People and Events Behind
the Passage of FISA and the Creation of the ‘Wall’.” Stanford Law and Policy Review
Information Sharing Environment.
Information Sharing Environment Implementation Plan. 2006.
Why is developing one-on-one relationships within the information sharing community so fundamental to enabling the sharing of sensitive information?
What are the draw backs to ‘personality driven’ information sharing relationships?
What barriers to the sharing of sensitive information do trusted relationships overcome?
What venues are available for government and the private sector to develop trusted relationships?
Why is obtaining management support necessary for initiating and sustaining information sharing?
What are some of the mutual benefits gained by government and the private sector through information sharing?
What are some of the most effective communication and workflow processes and practices?
What kinds of skills do government and the private sector need training on in order to sustain a successful information sharing community?
3. Required Reading:
Textbook: Chapters 5-6
Dorner, D. Logic of Failure: Recognizing and Avoiding Error in Complex Situations.
Perseus Books: Cambridge, 1996.
Heimer, C.A. “Doing your Job and Helping your Friends: Universal Norms about Obligations to Particular Others in Networks.” In Networks and Organizations Structure: Form and Action, edited by N. Nohria and R.G. Eccles. Harvard Business School Press, 1992.
Wohlstetter, R. Pearl Harbor: Warning and Decision. Stanford University Press: Stanford, 1962.
Lesson 4 Topic: Framework For Information Sharing
1. Lesson Goals/Objectives:
Identify the five-dimensional framework for effective information sharing, including the following key component elements:
Information Sharing Terminology and Definitions
Systems Used to Handle or Control Information Dissemination
Senders and Receivers
Performance Metrics and Feedback Mechanisms
Explain how each information sharing partner should be both a “sender” and a “receiver” of information,
Explain the key critical infrastructure and resilience partnership and information sharing nodes and information flows between them as discussed in the NIPP.
Identify the various methods, processes, and systems that the various critical infrastructure security and resilience partners use to share information with one another.
Explain the requirement for adopting common information sharing lexicon in the context of critical infrastructure security and resilience.
2. Discussion Topics:
What are some of the most important terms used in discussing information sharing and what do they mean? Is there a common lexicon you can identify that defines these terms? Why or why not?
What are some of the most commonly used systems for sharing information between the government and industry for purposes of critical infrastructure security and resilience? Why is it important that there be a common set of systems used by all information sharing partners?
What are some of the systems used to share classified information? Do you think that many private sector individuals have access, or should have access, to them?
Within the public-private partnership, who are generally the senders and receivers of information? Are there multiple sender roles? Are there multiple receiver roles (e.g., trusted intermediaries)?
What are some of the technologies currently used to control the dissemination of, or access to, sensitive but unclassified (SBU) information? Why are protection and sharing like the two sides of the same coin?
How will implementing performance metrics and feedback mechanisms enhance information sharing? For each information sharing partner identified in the objectives above, give one example of a performance metric.
Textbook: Chapters 7-8.
U.S. Department of Homeland Security. NIPP 2013, Partnering for Critical Infrastructure Security and Resilience. 2013, pp. 1-4, appendices A-B. http://www.dhs.gov/sites/default/files/publications/NIPP%202013_Partnering%20for%20Critical%20Infrastructure%20Security%20and%20Resilience_508_0.pdf.
P. Adriaans, P and Benthem, J.V. “Philosophy of Information.” InHandbook of the Philosophy of Science, edited by Gabby, Thagard, and Woods. Elsevier, 2008. http://store.elsevier.com/product.jsp?isbn=9780444517265.
Barrett, S. and Konsynski, B. “Inter-Organizational Information Sharing.”
MIS Quarterly 6 Special Issue (1982): 93-105.
Constant, D., Kiesler, S., and Sproull, L. “What’s Mine is Ours, or Is It? A Study of Attitudes about Information Sharing.” Information Systems Research 5(4) (1994): 400-421.
Explain the relationships and processes that link the major parties involved in critical infrastructure security and resilience information sharing, including the following pair-wise groupings of partners:
Federal government - Federal government (includes IC agencies to non- Intelligence Community Federal agencies)
Federal government – State and local, tribal, and territorial governments
Federal government – Private Sector (DHS, FBI, Federal Sector Specific Agencies (SSAs) under the NIPP, etc.)
State and local Government – Private Sector (includes Law Enforcement to Private Sector, Fusion Centers to Private Sector, Emergency Operations Centers to Private Sector)
Private Sector - Private Sector (includes Information Sharing and Analysis Centers (ISACs) and Trade Associations to their members)
Describe the key organizations that have formed to facilitate critical infrastructure security and resilience information sharing
Analyze the nature of the State, local, and regional Fusion Centers in the context of the critical infrastructure security and resilience mission area
Describe the special challenges associated with sharing information with tribal and territorial communities.
2. Discussion Topics:
For each pair-wise grouping of partners, what are some of the specific organizations involved and what kind of information do they share?
What role does each of the following organizations play in CISR information sharing?
Sector Coordinating Councils
SSAs and Government Coordinating Councils (GCCs)
State and Local, Tribal and Territorial - Government Coordinating Council (SLTT-GCC)
Critical Infrastructure Partnership Advisory Council (CIPAC)
ISACs and the ISAC Council
State and local Fusion Centers
Joint Terrorism Task Forces (JTTFs)
State and local Emergency Operations Centers (EOCs)
DHS/ Intelligence and Analysis
DHS/ National Infrastructure Coordination Center (NICC)
DHS/Regional Protective Security Advisors (PSAs) and Regional Mission Collaboration Staff
DHS/Federal Emergency Management Agency (FEMA)
What type of information is needed by critical infrastructure owners and operators to better protect and make their infrastructure more resilient? Who provides this kind of information?
Why are the Federal government – Private Sector, State and local government – Private Sector, and Federal government – State and local government the most import pair-wise groupings for sharing critical infrastructure security and resilience information?
What information does the government need from the private sector in order to build its risk management budgets, plans, and policies?
What do you think of the adequacy of Fusion Center plans to develop critical infrastructure security and resilience capabilities, including information sharing with local critical infrastructure security and resilience owners and operators?
How can the Federal government overcome the special challenges associated with sharing information with tribal and territorial communities?
3. Required Reading:
Textbook: Chapters 9-10
ISAC Council. A Functional Model for Critical Infrastructure Information Sharing and Analysis. 2004.