Read also: Multilayered Security: Disrupting Terrorist Attacks Requires More than Connecting Dots
It will likely be months before intelligence officials fully understand what failures allowed Umar Farouk Abdulmutallab, the son of an influential Nigerian banker, to board a plane with explosives secreted in his underwear. Yet, as President Obama told the nation Thursday, we now know that Abdulmutallab’s nearly-successful terrorist attack occurred not because the Intelligence Community failed to collect enough information to discover the bomber’s intentions, but because intelligence officials failed to connect the puzzle pieces they already held in order to see the entire picture.
The National Security Agency learned four months ago that Al-Qaeda in Yemen planned to use a Nigerian man in a coming terrorist attack. And two months ago Abdulmutallab’s father told the State Department and the Central Intelligence Agency that he feared his son had fallen in with Yemeni religious extremists and was dangerously radicalized. Nevertheless, it appears that no intelligence official ever examined these two pieces of information together. Had they done so, it is far more likely that Abdulmutallab would have been caught before he boarded a plane with the intention to destroy it.
This failure to connect the dots did not occur because of bad decisions by policy makers. Indeed, the Intelligence Community is governed by what may be the most ambitious information-sharing policy in the federal government. Rather the Intelligence Community failed to connect the dots because they just haven’t built the IT infrastructure necessary to support its ambitious policy.
On the second day of the Obama presidency, the Director of National Intelligence issued Intelligence Community Directive 501—largely in response to the 9/11 Commission’s finding that a “‘need-to-share’ culture of integration” must replace intelligence agencies’ “‘need-to-know’ culture of information protection.” ICD 501 imposes on Intelligence Community personnel a “responsibility to discover” whether another member of the Intelligence Community holds information that could contribute to their mission and a “responsibility to request” relevant information. Just as importantly, intelligence personnel have a duty to provide the greater Intelligence Community with a description of what they already know so that other personnel with the appropriate security clearance can fulfill their responsibilities to discover and request that information.
The backbone of this web of obligations to discover, request, and share information is an automated database that ICD 501 requires the Intelligence Community to create. Part Google, part Facebook, part Microsoft Excel, such a database allows intelligence officials to comprehensively catalog their knowledge, tagging each data-field according to how it is connected to other information, and what level of security clearance is required to read it. The entry on Abdulmutallab should have been tagged to indicate that he is possibly connected to violent religious extremists, that he is a Nigerian citizen, and that he is located in Yemen. Had an NSA official, aware that Al-Qaeda in Yemen was planning to use a Nigerian citizen to commit an attack, searched the database for a Nigerian who fit the profile of a potential attacker, it is almost certain that Abdulmutallab would have been discovered sooner and flagged for additional screening before he could board a plane to the United States.
But there is a very simple reason why such a search was never conducted. According to multiple software designers involved in creating ICD 501-compliant platforms, the Intelligence Community has not yet built the IT infrastructure required to support this database. ICD 501 was issued almost a year ago, but crucial infrastructure that is essential to the directive’s functioning simply doesn’t exist.
The good news is that President Obama is now aware that the Intelligence Community lacks needed IT infrastructure. Obama issued a presidential directive in response to Abdulmutallab’s failed attack that orders the Director of National Intelligence to “[a]ccelerate information technology enhancements, to include knowledge discovery, database integration, cross-database searches, and the ability to correlate biographic information with terrorism-related intelligence.” The director should follow up President Obama’s directive by announcing rigid deadlines with which intelligence agencies must comply to bring their IT infrastructure in line with ICD 501. If Congress has not yet appropriated enough money to fund such an expedited process, the administration should request additional funding for this purpose and Congress should comply with the request.
But there are also two larger lessons to be drawn from the story of ICD 501. The first is that government officials depend on a free-flow of information to do their jobs well. The 9/11 Commission was right when it warned that “[t]he culture of agencies feeling they own the information they gathered at taxpayer expense must be replaced by a culture in which the agencies instead feel they have a duty . . . to repay the taxpayer’s investment by making that information available.” This warning is no less salient in the context of domestic policy than it is when directed toward the intelligence community. There is little excuse for any agency, regardless of its mission, to silo information that other agencies could use to serve the American people. Consistent with its commitment to open and transparent government, the Obama administration should root out agencies that fail to make information widely available, and it should take swift action to correct these failures.
The other lesson is even more basic: even the most well-conceived policies will fail if they are not matched by a commitment to build the infrastructure essential to their success. ICD 501 is an outstanding policy document—one that recognizes past intelligence failures and makes specific, concrete changes to intelligence officials’ responsibilities to ensure that those failures are not repeated. At the end of the day, however, ICD 501 was not able to protect the American people because of a basic failure to provide intelligence officials with the IT systems they need to do their jobs.