Amy Sebring: Happy GIS Day everyone and welcome to the EIIP Virtual Forum! Ava is joining us remotely from the IAEM conference and our speaker is on the road as well, and we are hoping his connection will hold up today! Amy Sebring: Today we will be discussing the new "Guidelines for Data Access in Response to Security Concerns" recently adopted by the Federal Geographic Data Committee (FGDC). Amy Sebring: Before we get into our discussion, for the benefit of any first- timers, we will go over the order of business. We will begin with a presentation and then we will proceed to your questions and comments. Amy Sebring: We will be using a few slides today. When a blue URL appears in the text and you click on it, the slide will open in another browser window. You may need to disable any pop-up blocker in order to view it. Amy Sebring: We will pause the presentation to give you time to load and view the slide. The browser window with the slide may not come to the top automatically, so you may need to manually bring it forward. Amy Sebring: We will provide further instructions just before we begin the Q&A section, but you may wish to jot down your questions or comments as we go along. Amy Sebring: Please do not send private messages to our speaker or the moderator, as we will be busy with the presentation. If you need assistance, you may send a private message to Avagene or Lori. Amy Sebring: A formatted transcript of today's session will be available by later this afternoon -- just check back on our home page or the background page (refresh the pages as needed). Amy Sebring: Now it is my pleasure to introduce today's speaker, Michael Domaratz. Mike is a member of the National Geospatial Programs Office of the U.S. Geological Survey. He works on implementing The National Map, a project a plan to provide current and accurate digital map data for the United States. Amy Sebring: His presentation today, however, is based on work he led as co- chair of the Homeland Security Working Group of the Federal Geographic Data Committee (FGDC). In addition to the guidelines, the working group is developing ... Amy Sebring: map symbols for emergency response (which was presented to the EIIP community in December 2003), "standard" geospatial data sharing agreements, guidance on geospatial content useful for homeland security applications, and other activities. Amy Sebring: Welcome Mike, and thank you for joining us today. I turn the floor over to you to start us off please. Mike Domaratz: Thanks, Amy, and hello and welcome to all! Mike Domaratz: Geospatial data underpin one-half of the Nation's domestic economic activities. The data aid our international competitiveness, support a large array of Federal, state, local, and tribal government activities, and serve the general public. Mike Domaratz: Many public, private, and non-profit organizations originate geospatial data. Public dissemination is essential to the missions of many organizations. The events of September 11, 2001, greatly heightened concerns that public access to geospatial data might increase the vulnerability to an attack. Mike Domaratz: Federal and other organizations made different, and sometimes contradictory, decisions about access to data. They withdrew access, attempted to "sanitize" data, or decided to make no changes. In some cases it was difficult to learn the consequences of such actions or why access was changed. Mike Domaratz: The working group developed the guidelines to help organizations decide on reasonable access to sensitive data and to avoid unnecessary safeguards. They balanced (sometimes competing) principles ranging from the public's right to participate in government to the public's "right to know" to protection of sensitive information. Mike Domaratz: The guidelines and related materials are available through the working group's web site at http://www.fgdc.gov/fgdc/homeland/index.html under "policy support." Mike Domaratz: It is important to note that the majority of geospatial data are appropriate for public release. However, a small portion of these data could pose risks to security and may therefore require safeguarding. Mike Domaratz: The Guidelines Mike Domaratz: The guidelines are organized as a sequence of decisions. Each decision is accompanied by related instructions and discussion. The sequence is illustrated in this decision tree. Amy, slide 1 please. Amy Sebring: http://www.emforum.org/vforum/fgdc/slide01.htm Mike Domaratz: The guidelines have three sections that ask these questions: 1. Is it your decision to apply safeguards to these data? 2. Do these data need to be safeguarded? 3. What safeguards are authorized and justified? Mike Domaratz: We'll take each section in turn. Mike Domaratz: Section 1: Is it your decision to apply safeguards to these data? This section answers the question "who gets to decide." Organizations that originate geospatial data decide. Such organizations are best positioned to understand the usefulness of the data, benefits that users receive from them, and comparable sources of information. Mike Domaratz: There are other interested parties who might contribute to the decision. Law enforcement and emergency management agencies experienced in homeland security matters may be sources of information about security consequences of disseminating geospatial data. Mike Domaratz: Users can provide insights into the benefits of data dissemination. Others who benefit from the data also have equity at stake even if they do not use the data directly. Mike Domaratz: Originating organizations should document their use of the guidelines. A record will help organizations review the consistency of their decisions, recall their reasoning during subsequent reviews of a decision, and explain a decision if challenged. Mike Domaratz: So that's section 1: The "originating organization" decides, but can get advice from other parties. Mike Domaratz: Section 2: Do these data need to be safeguarded? This section is a three-part test to decide if the geospatial data need safeguards. If the data fail any part, safeguarding of the data is not justified. Mike Domaratz: The test is adapted from the RAND Corporation report "Mapping the Risks: Assessing the Homeland Security Implications of Publicly Available Geospatial Information." (The report is available for free online download and order in book form through http://www.rand.org/publications/MG/MG142) (no need to go to this link now) Mike Domaratz: The first part, "usefulness," is a mini user needs assessment in which an adversary is the user. The questions are: (1) do the data provide information about the location and nature of facilities or features that would allow an adversary to select critical targets and ... Mike Domaratz: (2) do the data provide information that offer intimate knowledge of a facility, its characteristics, or its operations that is helpful in executing an attack and/or maximizing the resulting damage? Mike Domaratz: Concern centers on data that provide very specific and timely information. Examples include information about the relative importance of a feature, the timing of activities, previously identified vulnerabilities; ... Mike Domaratz: and measures for protecting facilities and responding to attacks or damage. In many cases, the attribute component of geospatial data is more likely to be sensitive than is the location component. Mike Domaratz: Sensitive information does not include the fact of existence of a facility at a particular place or the general layout of a facility. Care should be taken not to automatically assume that the high cost or accuracy of data means that the data have high value to an adversary. Mike Domaratz: If the data are "useful," we go to the second part, "uniqueness." This part evaluates the likelihood that actions you take to safeguard "useful" (or sensitive) information will be effective. Mike Domaratz: Efforts to safeguard useful information that is readily available through open sources or observation are unlikely to reduce vulnerabilities. The goal is to identify "useful" information that is unique, not just geospatial data that are unique. Mike Domaratz: Other publications and media may disclose the same information found in geospatial data. Consider relevant historical data in addition to contemporary data. A thirty year-old facility has thirty years of records; depending on the adversary's needs, "newer" may not always be "better." Mike Domaratz: An example might help further explain the "uniqueness" test. This image is an annotated aerial photograph of downtown Washington DC. Amy, slide 2 please. Amy Sebring: http://www.emforum.org/vforum/fgdc/slide02.htm Mike Domaratz: Let's hypothesize that there is a surface-to-air missile battery (shown as a light blue symbol in the upper left) and that this battery is a method of protecting the annotated facilities. Mike Domaratz: So knowledge of it might be "useful" to an adversary and the annotated image passes the "usefulness" test. On to the "uniqueness" part of the test. Amy, slide 3 please. Amy Sebring: http://www.emforum.org/vforum/fgdc/slide03.htm Mike Domaratz: It turns out, however, that the battery is not hypothetical and our geospatial data are not the only source of this information. In fact, as illustrated by the newspaper clippings, the information is quite well known and is readily observable. Mike Domaratz: (If you're ever walking north on 17th Street in front of the Old Executive Office Building, look up.) Mike Domaratz: So the annotated image fails the "uniqueness" test and safeguards are not justified. Mike Domaratz: So those are the "useful" and "unique" tests. On to the last test for the section. Mike Domaratz: If the data are "useful" AND "unique," we go to the third part, "cost and benefit." Originating organizations should consider the magnitude of the security risk incurred versus the benefits that accrue from the dissemination of any particular data. Mike Domaratz: The benefits should be evaluated using quantitative and qualitative measures. Include among the societal benefits the opportunity costs of reduced availability of data resulting from safeguarding. Mike Domaratz: In summary for section 2, safeguarding is justified only for data that contain sensitive information, that are the unique source of the sensitive information, and for which the security risk outweighs the societal benefit of dissemination. Mike Domaratz: Linking back to the decision tree for the guidelines (slide 1), we've gone through section 1 and decided that it was out decision to make. Mike Domaratz: Then we went through section 2, which has three tests: usefulness, uniqueness, and cost and benefit. Mike Domaratz: If the data are not useful to an adversary, then the data are not sensitive. Mike Domaratz: So we don't need to safeguard the data. Mike Domaratz: If the data are "useful" but not "unique" (that is, the information is known or knowable from available sources other than our data), then we don't need to safeguard the data. Mike Domaratz: If the data are "useful" and "unique", then we need to decide the merits of safeguarding versus releasing the data ("cost and benefit"). Mike Domaratz: If the data fails any of the tests in Section 2, then safeguards are not warranted. Mike Domaratz: We'll now go to section 3, which assumes that safeguards are warranted, at least based on our evaluation. Mike Domaratz: Section 3: What safeguards are authorized and justified? The guidelines offer two options: change the data to remove sensitive information or restrict the data. Originating organizations should maximize possible access to data, and so the guidelines emphasize the use of the minimum safeguards required to prevent access by a potential adversary. Mike Domaratz: To change data, originating organizations remove the security risk by redacting or removing sensitive information and/or reducing the sensitivity of information. Techniques can include data simplification, classification, aggregation, statistical summarization, or other information reduction methods. Do not place disinformation in geospatial data. Mike Domaratz: For example, one can block details (as in the roof in the image on the left) or reduce resolution (as in the image on the right) in the next slide. Amy, slide 4 please. Amy Sebring: http://www.emforum.org/vforum/fgdc/slide04.htm Mike Domaratz: Organizations should review the changed data to ensure that the change(s) deal effectively with the security concern. Changes should be described in documentation for the data. Mike Domaratz: If changing the data is not an option, organizations can restrict access to, use of, or redistribution of the data. Restrictions should be commensurate with the assessed risk. For example, the maps on the next slide depict the same place at three times. Amy, slide 5 please. Amy Sebring: http://www.emforum.org/vforum/fgdc/slide05.htm Mike Domaratz: Between 1940 and 1953, the valley in the center of the maps was flattened and infrastructure and streams were re-routed. The 1968 map shows buildings in the valley. These buildings were built in the 1940's; information about them was restricted from public access in the 1953 edition of the map. Mike Domaratz: I'll give you a minute to refer between the last text block and the slide 5. Mike Domaratz: Originating organizations that restrict data should have written policies that identify data that can be accessed, used, and/or redistributed, the conditions under which these actions may occur, and organizations that are permitted to access, use and redistribute the data. Mike Domaratz: Include these terms and conditions with transfers of such data to ensure that organizations that receive the data know the restrictions. Care should be taken to ensure that the release of the data does not enable others to force additional dissemination of the data under freedom of information laws. Mike Domaratz: For both changing and restricting data, organizations must ensure that they have the authority to take these actions. If they do not have the authority, they may seek it from an appropriate decision maker. Mike Domaratz: The decision maker may provide the authority to safeguard the data, overrule the conclusion that the data require safeguarding, or find that there are no legal means to safeguard the data. Mike Domaratz: In summary for section 3: Coming out of section 2, we decided that we had data worthy of safeguards. Mike Domaratz: In section 3, two options are offered: changing data (somehow removing the sensitive pieces of data) or, if that's not an option, restricting the data to prevent release of the sensitive pieces. Mike Domaratz: We also are challenged to be sure that we have the authority to take these actions BEFORE we act. Mike Domaratz: As well as have in place an infrastructure (agreements, policies, etc) that make our intentions known. Mike Domaratz: (And our bosses have to know what we're up to and be comfortable with those actions.) Mike Domaratz: One final thought is the need to work with "neighbors" to avoid circumstances in which different organizations make contradictory decisions. Amy, slide 6 please. Amy Sebring: http://www.emforum.org/vforum/fgdc/slide06.htm Mike Domaratz: In this image, the originating organizations that produced the two rows of images in the illustration followed similar advice for the same area, but came up with different results. Do such actions reduce vulnerabilities? Mike Domaratz: So the integrity of individual actions in part also depends on the integrity of the collection of individual actions. Mike Domaratz: That's all I have for the presentation portion of today's activities. I'm now available to answer any questions you'd like to post! I turn the floor back to our Moderator. Amy Sebring: Thank you very much Mike. Now, to proceed to your questions. Our protocol for audience questions is to enter a question mark ? to indicate you wish to ask a question or make a comment. Amy Sebring: Then go ahead and compose your question or comment to have it ready, but do NOT hit your Enter key or click on the Send button until you are recognized by name. Please WAIT your turn. We will take questions in the order the question marks are sent to the screen. Amy Sebring: ONE QUESTION AT A TIME please and please keep your questions or comments reasonably concise. If you have a follow up question or comment, please get back in the line with another question mark. We are ready to begin now. Amy Sebring: I can start us off perhaps ... Amy Sebring: Mike, how does Freedom of Information or state open access laws pertain to this? If you are in possession of somebody else's data under provisions of restricted access, is that data in your possession thereby subject to such requests? Joe Sukaskas: ? Mike Domaratz: First, let me start off with "I'm not a lawyer" Mike Domaratz: But from the Federal side the main point is to understand up front what restrictions if any are needed ... Mike Domaratz: be sure you have the necessary authorities... Mike Domaratz: and then take actions in a way that you safeguard the sensitive data. Amy Sebring: Joe next please. Amy Sebring: (Folks, please enter your question mark at any time, even if you would just like to make a comment.) Joe Sukaskas: Mike, If data sets produced by different organizations who do not choose to restrict them (Sec. 1 - the originating organization decides), but the aggregate effect of those data sets is sensitive (Sec. 2 - useful, unique, cost/benefit), how does the model work? For example, if a major gas line and major telecom line intersect, but the owners of those infrastructures don't know about the others' existence, what happens? Mike Domaratz: The combined data would be a new set subject to the rules of its "originator". Mike Domaratz: Although I'm not sure that merely knowing about the intersection is particularly useful. Amy Sebring: Other questions, comments? Tim Nolan: ? Amy Sebring: Tim, when you are ready please. Tim Nolan: I work at a local gov't (County). We have trouble getting the other Local Gov'ts to share critical data with us. Do you have any suggestions? Mike Domaratz: What is the nature of the problem? Burt Wallrich: ? Chidi Ugonna: ? Amy Sebring: Tim, are they restricting your access because of the sensitive nature? Tim Nolan: Each city, for instance, is suspicious about releasing data to our local Homeland Security Dept. How can we convince them that we share the same goal? Mike Domaratz: This obvious is a tough problem, and not unique to security concerns ... Lonnie Meinke: ? Mike Domaratz: what we've found in Katrina/Rita is that organizations in the area that were unwilling to share before the event ... Mike Domaratz: suddenly were open to sharing. The problem is that an event is a terrible time to be on a learning curve. Amy Sebring: Burt next please. Burt Wallrich: I just want to congratulate you on developing a model that does not use the very real security threats we face as a basis for unreasonable secrecy. I wish there was more of this type of thinking in the federal government. Mike Domaratz: So that's why the working group is working on a common set of agreements. Thanks Tim. Amy Sebring: Chidi next please. Mike Domaratz: Thanks Burt, but there's lots more work to do in the area. Chidi Ugonna: What independent measures can be put in place to ensure that information that is critical to the public is not stifled according to criteria 3? Mike Domaratz: We've encouraged organizations to document their decisions. We also encourage them (to the extent possible) to make these decisions public. Amy Sebring: Lonnie next please. Lonnie Meinke: You mentioned the data may be considered sensitive but must be unique to warrant protection. What would you respond to the comment "Why make it easier to find?" Anyone who has done a data search can attest to the frustration of not being able to locate data simply because your search parameters were not specific enough. The more times/places the data set is available the more likely it is to be found. Mike Domaratz: And we encourage them to work with their user communities. Isabel McCurdy: ? Mike Domaratz: "Uniqueness" is a tough one for people to take ... Mike Domaratz: but the point is that the facts are ALREADY known and easy to find ... why spend time on useless activities that provide a false sense of security? Amy Sebring: Isabel next please. Isabel McCurdy: Mike, what is an 'adversary'? Maybe the question is Who is the adversary? Mike Domaratz: "People who would do you harm" Initially we used "terrorist" ... Amy Sebring: ? Mike Domaratz: but they're not the only people about which to be concerned. Amy Sebring: Mike, you mentioned the workgroup is working on a common set of agreements? These will be models for data originators to use I gather. Do you know when these will be available? Mike Domaratz: That group's schedule calls for something to be available the middle of next year (I think ... I'm not on the group) Lori Wieber: ? Amy Sebring: Lori, when you are ready please. Lori Wieber: If I understand this correctly, it would be inappropriate to attempt to mask new aerial photos of a critical infrastructure installation...for example an electrical substation.. if there were already older aerial photos already in public arena. Newer photos could reveal additional security measures. In this case is the data originator the aerial photographer? Amy Sebring: ? Mike Domaratz: Each edition could have a separate originator ... Chidi Ugonna: ? Mike Domaratz: and if the newer version showed sensitive info not on other versions, it might be worthy of safeguards Amy Sebring: Mike, do you know if the workgroup interested in getting feedback from those who attempt to apply the decision tree for future consideration? If so, what is your suggestion for providing feedback? Mike Domaratz: The group is looking for examples of people applying the guidelines ... Mike Domaratz: for examples of their use to share with others and for finding shortcomings Mike Domaratz: In the short term you can provide feedback through me. Amy Sebring: Thanks. Chidi next please. (This will be the final question for today.) Chidi Ugonna: Are there similar activities like the FGDC guidelines happening in other countries at risk from adversarial actions? any moves towards an international collaboration? Mike Domaratz: Not that I'm aware of. Although international access like that provided by Google might spur something. Amy Sebring: That's all we have time for today. Thank you very much Mike for an excellent job. We hope you enjoyed the experience. Would you like to put up your email for follow up? Mike Domaratz: mdomarat@usgs.gov Amy Sebring: Thanks. Please stand by a moment while we make a couple of quick announcements .... Mike Domaratz: And thans to all of you Amy Sebring: Again, the formatted transcript will be available later today. If you are not on our mailing list and would like to get notices of future sessions and availability of transcripts, just go to our home page and click on Subscribe. Amy Sebring: Thanks to everyone for participating today. We stand adjourned but before you go, please help me show our appreciation to Mike for a fine job.