Sometimes a missing security badge is just a missing security badge. But if badges belonging to five different employees vanish from transit authorities in five major municipalities, it might be the harbinger of something to come.

If no authority analyzes that information, however, will any agency take action?

Responding to national security threats requires timely information. Investigators and intelligence agencies, however, have struggled to break down some of the walls that prevent information sharing and collaboration. And with over 80 percent of Canada’s critical infrastructure either privately or provincially owned, national and local authorities, let alone private firms and public agencies, have had challenges sharing their information.

In April, the Royal Canadian Mounted Police launched a pilot project in Toronto and Vancouver to break some of those silos, drawing together rail and urban transit authorities with local law enforcement and others to begin collecting incident data in a way that it can be analyzed and disseminated in a timely fashion.

“We had access to information but not in the right way,” acknowledged Francine Levert of the RCMP’s critical infrastructure criminal intelligence (CICI) section, who managed the project from its inception. “We really couldn’t do comprehensive analysis. We had some information, but it was not specific, it was not granular. Our systems weren’t designed to help us from an analysis perspective. There was no process in place to make sure one place got all the suspicious incident information.” In short, much depended on who reported and how much.

“Now, the critical infrastructure stakeholder, the police of jurisdiction, the RCMP, the Canadian intelligence community, and, where necessary, other government departments, will have access to the information they need.”

The electronic Suspicious Incident Reporting System allows transit operators and local police to swiftly and consistently log a range of suspicious incidents identified by rail and urban transit authorities: from the apparently benign such as eliciting information; videotaping, photography and/or other observation; and unattended packages to the more serious such as breach and intrusion (physical or cyber); theft or possession of items such as uniforms, keys or access badges; sabotage, tampering and vandalism; flyovers; weapon discoveries; suspicious substances; and questionable behaviour.

Incident reports will then be analyzed and shared with other national security partners, including the Integrated Threat Assessment Centre housed within CSIS, to identify trends and potential pre-indicators of attacks. “We’ve tried to keep the process as simple as possible,” Levert said, “and hopefully the results will speak for themselves and encourage [participation].”

A need to share
The idea of a fusion centre for suspicious incidents involving critical infrastructure had been percolating within the emergency management community well before 9/11. There was some debate as to who should take the lead – the Privy Council Office, RCMP, CSIS, Transport Canada? – until the RCMP, with its national security mandate, emerged as the logical agency.

When the RAND Corporation, which had begun working with the British government on suspicious incident reporting, extended an offer to Canada, Levert jumped. Following a briefing in California that included the Department of Homeland Security, she was convinced. “I really felt we had to do this. The question was, who does it?”

The project began with consultations in six major cities, including Vancouver, Toronto, Calgary and Montreal, to understand how incident data was gathered and shared. The discussions included rail and urban transit operators, emergency management personnel, local law enforcement and government representatives from the RCMP, Public Safety, Transport Canada and, often, provincial departments. Not surprising, information and intelligence sharing topped their list of requirements.

The consultations were repeated as a framework began to take shape. By the time the pilot was launched, groups ranging from branches within Public Safety Canada to the national security committee of the Canadian Association of Chiefs of Police were all part of the discussion. In addition, monthly meetings were recently instituted with provincial staff responsible for critical infrastructure policy. With varying levels of security clearances involved, how information is disseminated remains complicated, but the intent, says Levert, “is to share information with as many people as we can.”

As the project transitions from pilot to permanent in April 2009, the RCMP will introduce a secure web portal to permit the two-way traffic of information. The first web interface, which Levert expects to be tested and running by April, will gradually initiate levels of classification, allowing users to access reports for their respective level of clearance.

“Right now, every time we produce something we have to do the dissemination by hand – what classification is this, who should get it and are they cleared? By having it institutionalized, with clearances as part of it, they will be able to access to their level of clearance,” Levert explained.

Rather than sequential reporting as occurs now, the permanent solution would permit simultaneous reporting to the police of jurisdiction, the local authority or company, the RCMP and department with a need to know – sharing could be almost instantaneous.

The web portal would also serve as a training platform for security emergency management personnel, standardizing video and other guides for detecting suspicious behaviour and reporting incidents.

Public sector expansion
The RCMP foresee a pan-critical infrastructure program covering all 10 sectors – energy and utilities, communications and information technology, finance, health care, food, water, transportation, safety, government and manufacturing – meaning greater involvement of private industry as it expands.

“The threat, if it happens, is going to be in their back yard,” Levert notes. “And the security stakeholders are the ones who will have to do their risk assessments and decide where to spend security money improving processes, technology, etc. So, at the very least, understanding the type of activity that is taking place in their specific location, in their sector, will be useful to them when they are making those decisions.”

Associations representing the electrical, petroleum and pipeline industries, for example, will soon join the pilot. “We’re working with other sectors as our resources permit. Some of this has to be standardized to do analysis across critical infrastructures.”

But the end result would be access to data showing the number and type of incidents by company, sector and region, and their relationship to similar incidents internationally, helping companies prioritize security and aiding CICI to better assign analysts and investigators.

To ensure the system provides the widest picture possible, the RCMP is encouraging operators and local authorities to provide details of every incident. Though some incidents may not seem important on their own, when compared with other jurisdictions and what CICI is hearing from the international intelligence community, patterns may emerge.

“Even if we never detect anything or nothing ever happens, at least we’ll have real data,” Levert said. “Right now people are going on their best guess. They’re doing risk assessments without a detailed threat piece.”

The pilot has not been without its hiccups, but already it has flagged several suspicious incidents requiring investigation. Most importantly, says Levert, it has allowed CICI to prioritize incidents from the hundreds normally received.

Cross-department partnerships and collaboration have never been easy at the best of times – and information sharing has proven to be one of the major stumbling blocks – but Levert believes cooperation on suspicious incident reporting has changed the way people do business.