Law-enforcement agencies increasingly need to share information with other nearby agencies, as well as with regional, state, and federal repositories of criminal justice information. A recent report from the RAND Corporation, Improving Information-Sharing Across Law Enforcement: Why Can’t We Know? (http://www.rand.org/pubs/research_reports/RR645.html), reviews progress to date on improving the sharing of law-enforcement information, discusses the sizable barriers remaining, and identifies approaches to overcoming those barriers. As information safeguarding is a vital part of being able to share sensitive law-enforcement information, the report includes several key takeaways on cybersecurity.
The first is that cybersecurity is a major challenge for law enforcement—possible, but not easy, especially given challenges in hiring cybersecurity experts.
The second is that some progress is being made in cyber security. With respect to policy, the FBI’s Computer Justice Information System (CJIS) maintains a core set of information-assurance policies and measures required to get access to FBI CJIS systems (https://www.fbi.gov/about-us/cjis/cjis-security-policy-resource-center/view). Given the increasing cybersecurity threat (commonly discussed on this weblog), the RAND report recommends that agencies procuring records management and computer-aided dispatch systems (RMS/CAD) write request-for-proposal language to ensure that key law-enforcement IT systems comply with the CJIS information-assurance policy.
From a technology perspective, the Global Justice Information Sharing Initiative’s Global Federated Identity and Privilege Management (http://www.gfipm.net/) toolkit supports positively identifying and authenticating users, supporting needed information access, and auditing information usage. It also supports single sign-on, meaning law-enforcement personnel only need to sign on with a set of credentials once to access a variety of systems. In addition, the emerging Trustmark pilot (https://trustmark.gtri.gatech.edu/) offers promise for digitally certifying the cybersecurity protections user and information-provider agencies employ. Such technology could greatly reduce the time needed to permit information sharing, as users and information providers can check whether the other employs needed cybersecurity provisions automatically.
The third takeaway is the growing migration towards shared-services/cloud models for providing key IT functions. This migration offers both cybersecurity opportunities and risks—opportunities in that clouds might be better managed and secured centrally by professionals in ways that ensure compliance with key cyber protections; but also risks and concerns about whether providers used to handling commercial data could properly manage sensitive law-enforcement information. FBI’s CJIS has explicitly noted that its policy is cloud compatible, but it does require that all cloud providers with access to sensitive information pass fingerprint-based background checks and perform all maintenance within the US.
For more information on cybersecurity issues and improving law enforcement information-sharing in general, the report is available for free downloading from RAND’s website.