Dec 31 2009

Risky Business on the Border

Stopping illegal border traffic is an information management problem where mistakes can be deadly.

When Anselmo Zamora-Altamirano tried to enter the United States near Palominas, Ariz., early in 2004, his fingers did the talking. Border patrol agents at Naco Station digitally captured two of Zamora-Altamirano's fingerprints using a new biometric scanning system run by the Homeland Security Department's U.S. Visitor and Immigrant Status Indicator Technology program. The US-VISIT Digital fingerprinting is now part of a routine procedure for all foreign nationals entering this country, but nothing was routine at the time.

Zamora-Altamirano's prints matched those stored on a criminal watch list, which immediately set off alarms at a special intelligence unit located in San Diego. A team of DHS fingerprint experts at the San Diego site quickly confirmed the prints matched those of a kidnapping and murder suspect on Mexico's Most Wanted list. Zamora-Altamirano's trip to the United States ended with a surprise detour: extradition back to Mexico.

There are 450 million crossings a year at 300 entry points along the nearly 7,000 miles of open U.S. border. Homeland Security's Customs and Border Protection agents have little chance of stopping foreign criminals and terror suspects without the help of cutting-edge technology. Today, this technology includes electronic identification systems and electronic watch lists that within seconds can determine whether someone is a threat.

But the challenge only continues to grow. In November, when DHS Secretary Michael Chertoff announced the multiyear Secure Border Initiative to beef up controls, he highlighted greater use of detection technology as a cornerstone to controlling northern and southern border traffic.

DHS understands better than most agencies that technology alone won't make our borders safer. Behind the scenes, US-VISIT is still struggling to integrate the streams of data it collects with data from other closely aligned agencies, including the FBI and the State Department. Using disparate data to create master watch lists is critical to safety and one that's had only varying degrees of success.

The risky business of border security, however, could eventually model ways that agencies throughout the government tackle the challenge of integrating disparate data and conducting split-second data analysis. Few agencies, however, face such potentially dire consequences when things go wrong as does DHS. Nonetheless, the challenges remain the same no matter an agency's mission if the effort involves multiple players and multiple systems: overcome culture differences in how work is done; figure out ways to work across agencies; create electronic audit trails; and plan for a multisystem integration strategy.

Connecting the Dots

Although policymakers in Congress and the White House say sharing law-enforcement and intelligence information among separate agencies is essential for national security, the technical and cultural barriers of accomplishing that remain formidable.

Experts believe the problems are especially thorny among law-enforcement and intelligence organizations, which traditionally fret over how well sensitive information will be protected once it moves to another agency. Turf battles over who gets credit for uncovering important data or making a subsequent bust also induce agencies to keep things close to the vest.

"One of the lessons uncovered by 9/11 was the need to connect the dots," says David Lazer, director of the Program on Networked Governance at Harvard University's Kennedy School of Government. "That has created incentives for data sharing." But sometimes deep institutional mistrust among agencies remains as they try to link their databases.

Of particular concern to law enforcement officials, Lazer says, are the down-the-line consequences: If an agency shares its data now, will it muck up an ongoing or unresolved case later on? That's a constant refrain, he says.

US-VISIT has been working through these cultural issues since 2004, when it launched its finger-scanning system, known as the Biometric Fingerprint Identification System, or IDENT, and began linking prints to watch lists maintained by DHS and other agencies. Over the last two years, US-VISIT has processed more than 44 million visitors, whose digital fingerprints remain on file. More than 950 of these foreign nationals had previous brushes with the law that ranged from immigration violations to terrorist connections and convictions for rape, drug trafficking or murder.

But creating a formidable impenetrable electronic wall around the country isn't the goal of US-VISIT, says Jim Williams, director of the DHS program. Its goal is to quickly identify potentially risky visitors while moving people rapidly through security screening. The security screening process of scanning prints at the country of departure and then running a match of those prints against existing prints on file "is underwhelming," Williams says. "People go through and they say, 'It's no big deal.' That's exactly what we want."

He says checks against watch lists normally take about 10 seconds, so visitors without prior records see almost no delay in their security screening.

While US-VISIT can rightfully claim successes, as in its apprehension of Zamora-Altamirano, it has also had its fair share of problems. The program's digital fingerprint scanning system isn't foolproof. One Justice Department study found that IDENT failed to detect more than 70 percent of criminal immigrants arriving at U.S. borders. A Stanford University researcher told Congress that IDENT had slightly better than a 50-50 chance of spotting a listed terrorist suspect who physically modified his prints.

Integration Issues

One of US-VISIT's thorniest problems has been its inability to integrate IDENT with the FBI's electronic fingerprint system, the Integrated Automated Fingerprint Identification System (IAFIS). Congress mandated in 1999 that the two would be aligned.

Photography by Gary Landsman
At DHS, accomplishing a mission led the department to figure out how to work with the systems it had in place and plan on improving the technology later, Homeland Security's Jim Williams, left, and Scott Hastings agree.

That effort has had a rocky history. Oversight agencies, including the Government Accountability Office and Justice's inspector general, regularly have faulted US-VISIT and the FBI for their slow progress at integration. In late 2004, an inspector general official told Congress that high-level policy disagreements among the departments of Justice, Homeland Security and State were the biggest factors thwarting integration.

At the core were disagreements over whether US-VISIT should continue IDENT's strategy of capturing two prints per person — the right and left index fingers — or conform to the FBI's practice of capturing prints of all 10 fingers, which experts at the National Institute of Standards and Technology and elsewhere view as much more reliable and more difficult to tamper with. Nonetheless, DHS stuck with two prints for US-VISIT until only last summer. During the program's initial phases, that put the much smaller IDENT system, with fewer than 20,000 criminal prints on file, at a disadvantage compared with the FBI, which houses the prints of almost 50 million people.

But last summer, DHS announced it would adopt the FBI's 10-print model for first-time visitors and finished rolling out the capability at entry points nationwide. "When we encounter someone who we intend to investigate, we will be able to capture 10 prints and access both our IDENT system and FBI's IAFIS system," says Scott Hastings, CIO for the US-VISIT program.

Moving to 10 prints will increase IDENT's accuracy, Williams adds, noting that the current false positive rate of 0.1 percent will be reduced. Williams says this policy evolution on the prints represents progress in the sometimes cool relationship between his program and the FBI. "To be honest, a year or two ago, the relationship was not that collegial," he says.

Trust but Verify

US-VISIT and the FBI are experiencing firsthand the challenges that arise when multiple agencies try to combine classified information, says Bruce Walker, director of homeland security for Northrop Grumman. He's involved in programs that create a secure backbone for communicating classified information for DHS.

"Secret data from the Justice Department with secret data from the military and DHS, and the intelligence community activity each has some special handling requirements. That makes it difficult to say, 'OK, I've got all of these aggregated objects and they are all secret, therefore I can make one secret document out of them when I fuse the intelligence,' " Walker says. "We can create some pretty sophisticated information processing and information-handling systems. But if we have policy issues that are unresolved between the primary users and owners of the data, nothing goes anywhere until that is fixed."

He adds that merely establishing policies doesn't guarantee open collaboration. Stakeholders insist that information-sharing systems use electronic auditing tools that can uncover where security breakdowns occurred if sensitive information inadvertently falls into the wrong hands, Walker says.

"People aren't comfortable until they can do the forensics and the auditing," he says. "Because if I get a piece of information from the CIA and I make a copy of it and I stick it on my system, I just created another vulnerability from the CIA's perspective for release of that data. There are distinct and unique requirements for departments that collect intelligence that mandate that they control their own information."

Today, US-VISIT says it's on track to achieve full interoperability with the FBI's fingerprint records, albeit not for several years. "We have an interim data-sharing model where we can start to get more of the 'bad guy' fingerprints the FBI has and we can share some of our information, such as visa refusals," Williams says. Williams estimates that IDENT has identified more than 14,000 foreign nationals who for various legal and security reasons are ineligible for U.S. visas. "We are very proud of this data-sharing model because it's the kind of thing that stalled in years past."

Tight Deadlines

Digitally capturing an adequate number of fingerprints wasn't the only challenge US-VISIT faced. The program also grappled with mixing the new biometric technology with creaky legacy database platforms. US-VISIT links together six databases, including three within DHS relating to customers and immigration, as well as Justice and State records. Now, the US-VISIT team is also folding in files from the Transportation Security Administration.

The US-VISIT team has coordinated efforts across DHS bureaus and with departments to make the available data on travelers interoperable and accessible. The program team also has implemented biometrics to enroll and verify travelers. By doing so, US-VISIT provided real operational capability in a short amount of time to State and DHS users, Hastings says.

Sometimes, the team had to trade technology sophistication for expediency, he says.

"There was a pretty cold, hard assessment as we looked in the existing portfolios of operational systems of what could be relied upon to perform and scale appropriately for what we saw on the immediate horizon," he says. "So that was the first assessment, 'What do we have to work with?' Obviously in a six- to seven-month period, you are not going to invent a lot of new systems."

Once Hastings' group and its partners decided to focus on orchestrating and organizing usable existing information systems, they knitted together the resources of four separate IT shops to mix and match the development, configuration management, testing and evaluation processes that were already in place. "It was not always easy to get ownership issues resolved, but with the support of the secretary at the top and the collaboration of the various IT elements at lower levels, we were able to achieve an incredible amount of technical capability with very few missteps," Hastings says.

But there's still work to be done to move to more modern platforms and applications. "Very few of the systems are Web-enabled or are capable of quickly moving to a modern service-oriented architecture," he says, referring to orchestrating numerous kinds of small computer programs on the fly versus writing single complex apps.

"Instead, we chose to have a lot of point-to-point interfaces, knowing that over time we would have to come back and do some modernizations," Hastings adds. "We are now engaging in discussions about what needs to be Web-enabled and what DHS services potentially could be reusable. So as we move forward, we feel like we are going to see a more flexible, more scalable environment."