EM Forum Presentation — November 09, 2011

The Tennessee Fusion Center
Changes in Information Sharing Since 9/11

Steve Hewitt
Supervisory Intelligence Officer/Co-Director, Tennessee Fusion Center (TFC)
Tennessee Department of Safety and Homeland Security

Amy Sebring
EIIP Moderator

A video recording of the live session is available at http://www.emforum.org/pub/eiip/lm111109.wmv
An audio podcast is available at http://www.emforum.org/pub/eiip/lm111109.mp3
Text from presentations slide is embedded below

[Welcome / Introduction]

Amy Sebring: Good morning/afternoon everyone and welcome once again to EMForum.org. I am Amy Sebring and will serve as your Moderator today. We are very glad you could join us.

Today’s topic is the Tennessee Fusion Center. We wanted to learn more about what fusion centers do, and how information sharing has evolved over the years since 9/11.

Incidentally, if you are not aware of it, there is a FEMA Comprehensive Preparedness Guide, CPG 502 titled "Considerations for Fusion Center and Emergency Operations Center Coordination" that is linked from today’s background page that may be of interest. There are a few additional related links there as well.

[Slide 1]

Changes in Information Sharing Post 9/11/2001
Steve Hewitt Tennessee Fusion Center

Now it is my pleasure to introduce today’s guest: Steve Hewitt is the Co-director of the TFC, and Supervisory Intelligence Officer with the Tennessee Department of Safety and Homeland Security. He previously served with the Nashville Metropolitan Police Department from 1985 to 2006, including assignment to the Nashville-FBI Joint Terrorism Task Force. Please see today’s Background Page for additional biographical information.

Welcome Steve and thank you very much for joining us today. I now turn the floor over to you to start us off please.


Steve Hewitt: Thanks for having me today. I am honored to have the opportunity to speak to your group. It is really important, I think, to continue to get the message out to make people aware, despite the fact that we have actually been developing fusion centers for almost eight years in most cases around the country.

There is still confusion, misunderstanding and at times a lack of understanding what fusion centers are all about. It is always appreciated—the opportunity to carry the message.

[Slide 2]
Understand the Body of Work Supporting Information Sharing and the Foundation of Fusion Centers
[Image of covers of 4 documents with brief summary of audience and purpose]

In essence, what we see is following the attacks of 9/11 there was a lot of thought put towards what exactly went wrong in the way information got shared that could have had an impact on the outcome and the actual attack potential itself. The IACP (International Association of Chiefs of Police) is one of the national leaders on law enforcement issues.

They pulled together a symposium of law enforcement professionals to include local, state and federal personnel to actually discuss the successes and failures over the years, but particularly looking at what went wrong that led up to 9/11 in the way information got exchanged back and forth between state, local and federal community and then back down to the state and local from the federal community.

Out of that came some recommendations. We’ll begin with the document on the far left entitled Global October 2003. That is designed and known as the roadmap for criminal information and intelligence sharing. That identified some very specific items and best practices that were recommended to try to correct the gaps of information sharing that were recognized through the efforts of the symposium held by the IACP.

The next document over, the Global DOJ-DHS August 2006 document, came out of a follow-up meeting after the actual Global document was developed. There was an effort underway by several states to establish fusion centers, taking a lead from their experiences with the military fusion centers and its successes there in terms of how information was shared within the military.

They built off of that for a basic law enforcement model. In the end, what you recognize is that a fusion center at the very base model is a task force for information sharing. At the end of the day, that is really what we’re talking about—bringing together representatives from other agencies in a single place and then exchanging information and working together to solve problems, whether they be crime or terrorism problems.

The Global Document of Fusion Centers Guidelines was essentially a way to map the pathway for other states and major urban areas to establish fusion centers. It identified the key types of activities that a fusion center should make an effort to accomplish in order to be an effective fusion center.

The next document over, Information Sharing Strategy, which was released by President Bush’s office in October of 2006, identified just how important state and local law enforcement was to the broader national security picture; particularly where the intelligence efforts were involved in identifying threats to the United States.

The available information within the state and local community was really key to being able to basically dovetail that into the national threat picture and be able to identify new and emerging threats around the country.

The next document over, Global DOJ-DHS September 2008, is more of the refined effort for fusions centers—exactly what fusion centers ought to do in terms of the nuts and bolts of activities in order to be able to deliver on their efforts.

[Slide 3]
Planning Designing and Implementation

[Image of covers of 2 documents Fusion Center Guidelines, 2006 and State and Major Urban Areas Fusion Centers, 2008]

In Tennessee, we really focused on those two documents and built our fusion center around those documents—the first being the basic premise and guidelines to guide the early stages of development, and the second document, the baseline capabilities to develop the more advanced capabilities in the center.

[Slide 4]
72 Designated Fusion Centers Nationwide

[Image of U.S. map depicting locations]

To date, we’ve got 72 designated fusion centers around the country. We have 49 total in the states—Wyoming does not yet have a fusion center, but they do have an intelligence unit that operates out of their state investigative agency. Then you’ve got major urban area centers spread around the nation as well. Those are situated in UASIs. I’m sure everybody on this call is familiar with the UASI term [Urban Areas Security Initiative]. They are located in those UASIs and based upon the total population and critical infrastructure, they warrant regional fusion centers as well.

[Slide 5]
TFC Operations and Staffing

  • TFC established in May 2007
  • All Crimes – All Threats – All Hazards
  • The TFC designated by Governor as state fusion center in June 2008
  • Fully operational at the SECRET level
  • Joint operation between Tennessee Bureau of Investigation & Tennessee Department of Safety and Homeland Security

The fusion center in Nashville is located inside the Tennessee Bureau of Investigation headquarters. Unlike a lot of fusion centers around the country that are typically a single agency, the leadership in Tennessee made a decision to develop a joint fusion center effort between the TBI and my agency, the Tennessee Department of Safety and Homeland Security.

We were established in May 2007. We are described as an ‘all crimes all threat all hazards’ center. I’ll get into more detail about what that means. I think "all crimes" is pretty obvious in the sense we are looking at the total crime picture in the state as opposed to just a terrorism picture, therefore we treat all the crime and potential nexus to terrorism reporting as threats to our state—not merely just focused on only counterterrorism.

The all hazard piece I will come back to in a little bit. Our center was designated by the governor as the state designated fusion center in June 2002. We are fully operational at the secret level. That means the DHS has come in and reviewed our center and operations and has certified us to operate and maintain information at the secret level.

[Slide 6]
TFC Operations and Staffing

  • Hours of operation 7: 30 am – 8:30 pm
  • 7 days a week.
  • After hours contact and call out capable
  • Approximately 36 staff members between all participating full and part time members
  • 877-250-2333

Our operations run between 7:30 AM and 8:30 PM seven days a week. We have an on call process for after hour calls that we can leverage our staff members to bring them up online and support if there is a need after that hour. We have a total of about 36 staff members across all the participating full and part time members and the various programs.

[Slide 7]
Agencies Currently Participating Full and Part Time

  • TN Bureau of Investigation (Full)
  • TN Office of Homeland Security (Full)
  • FBI (Full)
  • DHS (Full)
  • TN Dept of Corrections (Full)
  • TN State Board of Probation & Parole (Part)
  • ROCIC (Part)
  • ATF (Part)
  • Nashville Metro Police Dept (Part)

Weekly Connectivity

  • State and local law enforcement
  • U.S. Attorney’s Office
  • TEMA
  • ORNL/Y12
  • DOD/National Guard
  • EPIC
  • Vital Records
  • Meth Task Force
  • Dept. of Revenue

This slide provides you an overview of just exactly who those agencies are representing. I’ll leave that for you to take a look at on your own. You can see both full and part time representation in our center.

But the other side I want to take a little time to develop is the weekly connectivity. While the left side is where the folks are sitting in the seats doing the work, the right side is incredibly important as it pertains to the kinds of information that we are looking for to be able to identify threat.

You see the third one down—the Tennessee Emergency Management is a part of that. I know the emergency management community is represented today. I just want to emphasize that fusion centers in today’s environment recognize how important it is to not only get information from our EMA partners, but make sure we are providing some value added with the information we have and we can share.

[Slide 8]
Privacy Protection Framework

  • Tennessee Fusion Center privacy policy certified by DHS Chief Privacy Officer to be "at least as comprehensive" as the Information Sharing Environment Privacy Guidelines – Sept 2010
  • Privacy Officers to address privacy related matters and provide training and guidance

The privacy policy is really important for fusion centers to maintain trust and effectiveness of our operation. At the end of the day the information we receive and the way we handle the information has to be consistent with—and our practices have to be consistent with—the United States Constitution, our state laws, and some specific federal regulations that govern the way we handle criminal intelligence information and suspicious activity information.

To that end, fusion centers across the nation have been focusing their efforts over the years in developing and completing a comprehensive privacy policy that governs their operations.

To date, those centers across the country have completed those privacy policies and they are considered to be at least as comprehensive as the National Information Sharing Environment Privacy Guidelines, which were developed by the Department of Justice and DHS to govern the way information comes from the state and local community and is shared with the federal partners in the information sharing environment.

That is considered to be a critical piece to the success of our operation in terms of maintaining the strength of our operations through accurate and careful use of the information according to the law, according to the privacy policies, and in a manner that maintains public trust.

[Slide 9]
Privacy Protection Framework

  • Data Systems structured to meet or exceed Tennessee and U.S. Constitutional law
  • Criminal Intelligence Systems adhere to CFR 28 Part 23
  • TFC staff complete Bureau of Justice Assistance (BJA) online training and classroom training

Fusion centers have to consider not only the information they have, but the data systems they have built and are structured to meet those laws. As I mentioned earlier, our fusion centers are required to focus our attention and the use of the information, as it pertains to criminal intelligence information, according to a thing called CFR 28 Part 23, which is a code of federal regulations. They are guidelines that govern the way fusion centers use criminal intelligence information.

Each fusion center has a designated privacy official. Sometimes those are senior leadership of the fusion center. Sometimes they are attorneys that are working on behalf of that agency that manages the fusion center and then advises and serves in that privacy official capacity.

That is in fact the case for Tennessee. We have two privacy officials—one from each agency—that support our efforts.

[Slide 10]
TFC Goals

  • Maximize Tennessee’s law enforcement, public safety agencies, critical infrastructure sector and citizens ability to detect, prevent, apprehend respond to criminal and terrorist activity.
  • Directly support intelligence lead policing and national security initiatives.
  • Directly support critical infrastructure/key resource protection strategies.

I wanted to hit on for a minute the goals for our fusion center in particular. We want to maximize on Tennessee’s law enforcement, public safety agencies, and critical infrastructure sector and citizens ability to detect, prevent, apprehend, and respond to criminal and terrorist activity. That is a broad goal, but nevertheless it encompasses all the customer sets we really want to focus on serving in Tennessee.

Obviously, we want to directly support intelligence led policing. For those who may not be familiar with that term, in essence we are talking about applying intelligence derived from your law enforcement reporting and all other available sources to apply to criminal investigative problems and criminal enforcement problems.

We want to support national security initiatives and directly supporting the FBI’s effort to protect the nation from terrorist attack. Part and parcel to that is how we directly support the critical infrastructure and key resource protection strategies that have been outlined throughout the nation and that is a key part of what we do each day.

[Slide 11]
Activities – Products

  • Analysts conduct direct tactical/operational support to investigators and uniform officers each day.
  • Daily respond to Requests for Information (RFI) from local, state and federal law enforcement.
  • Produce a full product line of information and intelligence products each month.
  • Includes strategic, tactical and operational informational and intelligence products.
  • Training, briefings, national leadership roles

To do that, we are really focused on accomplishing some very specific things in this center. They encompass an array of types of activities our analysts are engaged in. Probably most common is the direct tactical and operational support to investigators and uniform officer that we do each day. We call this a request for information.

In essence, what that means is our analysts take phone calls from investigators, other fusion centers, they may be troopers on the side of the interstate who are engaged in some sort of criminal investigation or enforcement action, and have reached a limit in terms to what they can derive in terms of understanding the individuals, the vehicle, the potential nexus to the criminal activity, other states—they have reached the limit of what they can determine but they think there is more there. They need to go further in terms of their investigation.

They will call the fusion center and we will leverage the various data bases that we use and our connectivity to other fusion centers and other law enforcement agencies to reach out and develop new information and provide that. In most cases, it is in real time while the investigator, trooper or officer is on the side of the road, or engaged in an actual ongoing investigation.

We also produce a full product line of information and intelligence products that cover a host of different topics that are considered primary threat attention for us in Tennessee, and these include strategic, long view, long range type products as well as more tactical and operational products.

We are engaged in training briefings in various national leadership roles to help move the network along in terms of maturity.

[Slide 12]
Critical Operational Capabilities (COCs)

COC 1 – Receive: Ability to receive classified and unclassified information from federal partners.

  • TFC personnel all hold SECRET and/or TS clearances
  • DHS – Intelligence Officer assigned and HSDN operational
  • FBI - IA assigned full time to TFC and full FBI Net system in place
  • TFC analysts embedded in Memphis/Knoxville JTTFs

Earlier I described for you the base line capabilities for states and major urban areas fusion centers and that was one of the leading documents that guide our efforts. From that base line capability document we realized there were some basic critical operational capabilities that each fusion center across the nation needed to strive to attain and be able to accomplish.

Those critical operational capabilities have become a centerpiece for fusion center development and fusion center network development. I am going to emphasize those for you right now. First and foremost is critical operational capability one, or COC 1. That is the ability to receive classified and unclassified information from federal partners.

Early on after 9/11 and during the review by the 9/11 Commission as well as the IACP effort it was recognized that part of the problem was the inability of states and locals to access classified information either because they didn’t have the clearances necessary or they didn’t have the systems in place.

We addressed that in Tennessee as a primary emphasis early on when we established our fusion center. First, all our personnel who work in the center have a secret clearance or higher. In some cases, we have higher clearances based on their roles and responsibilities.

We also have a DHS intelligence officer who is full time assigned to the fusion center. With him he brings his classified network, the Homeland Security Digital Network (HSDN). That has been put into our fusion center and it allows fusion center analysts to access that classified information on a daily basis to conduct the analysis we are responsible for.

The FBI has a full time intelligence analyst assigned to the fusion center as well. He brings the full FBI data system also. That is in place in our fusion center.

Then we have two analysts that work for me that are embedded in the Joint Terrorism Task Force offices throughout the state. One is in Memphis and one is in Knoxville. They directly support the JTTF in investigations and they serve as the liaison and link for fusion center connectivity as well, providing us information and insight into ongoing investigations that take place and serve to provide that relationship point of touch from fusion center to the FBI across the state.

[Slide 13]
COC 1 - Receive

TFC utilizes:

  • Homeland Security Information Network (HSIN & HSIN Intel)
  • FBI Net & HSDN (S)

We also rely upon some key systems that are in the center and that we have rolled out across the state to share the information with our various partners.

One is the Homeland Security Information Network (HSIN) which we consider to be our primary workhorse for information sharing and we are able to use that system to share across all the customer sets that we communicate to, and that includes law enforcement, emergency management, the broader public safety as well as the private sector.

We also use FBI Law Enforcement Online (LEO) because that system was well entrenched across the nation well before HSIN got on the scene. A lot of Department of Justice Agencies rely on that. I have already mentioned the classified systems we have in place.

COC 2 - Analyze
Assess local implications of threat information.

  • Analysts assigned specific threat accounts (International/Domestic/Gangs/Human Trafficking/Amber Alert/Fugitives/Sex Offenders)
  • Focused analysis according to threats
  • Analyzes DHS and FBI intelligence reporting, SARs, law enforcement and open source information for TN specific threat relevance

COC 2 is the ability to analyze, and that means the ability to assess the local implications of the threat information that is coming into the fusion center from across the nation. That means the state and local is assessing the implications of federal information coming to the fusion center as well as other information that could be coming in from other fusion centers or other investigative agencies around the country.

Our analysts are assigned specific threat accounts. That means we have specialists in international terrorism, domestic terrorism, criminal gangs, human trafficking, AMBER alerts, missing children, fugitives, sex offenders—those are all covered—our analysts are specializing in one of those categories and their attention is focused on those each and every day.

Our analysis brings in DHS and FBI intelligence reporting, suspicious activity reporting (known as SARs), law enforcement and open source information that looks at Tennessee specific threat relevance. We are looking to identify where the threats to Tennessee are and where the relevant criminal information may be that we can use to build intelligence products and then push that our to our partners across the state.

[Slide 15]
CIKR Protection Capabilities

  • Designated CIKR/SAR analyst
  • Identifies the capabilities necessary to establish a CIKR protection analytical capability
  • Provides guidance for fusion centers that have chosen to support CIP activities
  • Risk Analysis
  • Trend Analysis

One key component of that is Critical Infrastructure and Key Resource Analysis (CIKR). DHS delivered this module for baseline capabilities back in 2008 that identified a way to establish that CIKR analyst duty within a fusion center and mature it. We took that on as a key piece of the work we do.

We have a designated CIKR analyst and a full line of products that address threats to critical infrastructure and what we are seeing in the way of suspicious activity reporting that may be juxtaposed against other reporting from around the country, and how it looks in Tennessee as a result of that.

COC 3 - Disseminate

  • Disseminate threat information to other state, local, territorial and private sector entities within their jurisdiction.
  • Disseminate federal alerts, warnings, notifications and intelligence products
  • HSIN – LE, Emergency Services, Private Sector portals
  • HS SLIC and LEO used for dissemination
  • LE-Emergency Services-Email groups
  • TLOs – DT Working Group – Intel Working Group – Interdiction Plus - Safe Skies Team-Gang Intel Sharing

COC 3 has to do with our ability to disseminate, and that is disseminating threat information to other state, local, territorial and private sector within the jurisdiction, our jurisdiction being Tennessee. We have the key responsibility for moving federal alerts, warnings, notifications and intelligence products that come out of our federal partner out to the state to the key partners in the state that need that information.

Think in terms of our partner set being law enforcement, emergency services, EMA, the private sector, etc. Based upon the product itself and the permissions that are provided by that product to share by the federal partners, we will use the HISN portal to provide that information, and in some cases directly deliver that information via email.

We have different standards for what information goes in which format based largely on the size of the document itself. Larger documents are only posted on the HISN portal. Small, shorter alerts may be sent directly by emails because we appreciate that fact that leadership in particular works off of Blackberries and Smart Phones and is not in a position to open up secure portals and get information from the portal.

So we are attentive to delivering the information in a manner that is best getting it to the customer it is intended to serve. We also rely upon some working groups. Those working groups are essentially a sub-component as to how we disseminate and how we coordinate efforts in the fusion center.

There are some unique working groups that help us understand the needs of customers across the state and help us to communicate specific threat type information to a select group. As you see in the very bottom bullet—the TLO (Terrorism Liaison Officer program) is one select group and that is a group of both law enforcement, as well as emergency management, public safety specialists who have received advanced training on terrorism recognition and interaction with the fusion center.

Then we have the Domestic Terrorism working group that is focusing attention specifically on domestic threats. Our Intel working groups helps us understand how to work and interact better with various law enforcement intelligence and criminal investigation components across the state. I’ll use those as three examples without going into each and every one of the groups.

[Slide 17]
[Screen shot of HSIN portal]

I want to provide this screenshot to reinforce the position I made earlier that we use the HISN program to reach out to select group. This is a screenshot of emergency services and critical infrastructure portal, and as you can see—some of you may already be using HSIN and may be familiar with it—but we are involved in the content management of documents and information that are shared, and we support that portal and we provide training across the state for the fire service community to use it.

[Slide 18]
[Cover image, Fire Service Integration for Fusion Centers, 2010]

The Fire Service Integration, not unlike the critical infrastructure effort for fusion centers, is another key piece for how we communicate and work within the state. In essence, we have established a unique focus group, a unique homeland security liaison group within the fire service and public safety community.

We recently did a workshop for them to train them on suspicious activity reporting as well as interacting with the fusion center, understanding the relevance of the information we are providing. We provided them specific threat briefings that were offered by the FBI and the fusion center as well.

That group is our focus group. For those of you who are more familiar with the fire service community and the home mutual aid effort, we established this program in accordance with the mutual aid districts. There are 15 of those across Tennessee. Those mutual aid coordinators are the key nodes that will coordinate out to their individual jurisdictions and mutual aid districts to provide the information and coordinate the training and other types of efforts that are deemed appropriate for communicating and coordinating with the fusion center and the broader homeland security effort when it comes to information sharing in particular.

[Slide 19]
[Cover image, Comprehensive Preparedness Guide (CPG) 502, 2010]

The next piece which was noted earlier is the consideration for fusion center and emergency operation center coordination. In Tennessee, we recognized that early on that we needed to take specific steps to establish good lines of communication. One, we wanted to be very clear that the fusion center as we were establishing it was not intended to replicate emergency management operations and certainly not the state emergency management center.

We have a very distinct responsibility for prevention and detection but not response and recovery. We wanted to be clear to delineate the difference between what we do and what the emergency operations community does, particularly at a state level (TEMA) and their role and responsibility.

However, having said that, we also want to make every effort to support TEMA so that they get the information that we have that can support their response and recovery efforts. To that end, we link in the TEMA leadership across the state to both the HISN portal and some distribution groups we have established for pushing information via email when it is appropriate.

Beyond that TEMA provides for us their daily and weekly briefings that identify the activities they are engaged in and the information they are getting in to their operations on a daily and weekly basis.

We are also linked into the WebEOC. If the EOC is operational, we can bring up the EOC at the fusion center and monitor the activity and maintain situational awareness and look at what we are seeing in terms of reporting and be able to juxtapose that against what is going on over at the EOC.

Beyond that we typically will have a couple of threat briefs each year that give a broad information dump on the threat within the state and the nation. Those are for members of TEMA who have received their secret clearance and oftentimes are completed with the assistance and participation of our state FBI as well. That is how we connect to our emergency management operations in Tennessee.

[Slide 20]
COC 4 - Gather

Ability to gather locally generated information, aggregate it, analyze it and share it with federal partners as appropriate.

  • Focused analysis according to threats
  • Gather and fuse local, state, federal and open source reporting
  • Tennessee Suspicious Activity Report program
  • TFC Intelligence Products shared with a broad customer base – local – state – federal

COC 4 is the ability to gather locally generated information, aggregate it, analyze it and share it with federal partners as appropriate. We do that through the focused analysis based on the threat groups and the threat specific information that our analysts are looking at.

It is also heavily involved in the Tennessee Suspicious Activity Report program which feeds into the Nationwide Suspicious Report program.

[Slide 21]
Nationwide Suspicious Activity Reporting (SAR) Initiative (NSI)

Tennessee Implementation

Tennessee implemented our participation in the nationwide SAR program in 2010. We have rolled that SAR program out both to law enforcement and citizens through the "See something say something" program that I’m sure many of you are familiar with.

[Slide 22]
Why Is the NSI Important?

  • Umar Farouk Abdulmutallab--Detroit, Michigan
  • Hosam Smadi--Dallas, Texas
  • Michael Finton--Springfield, Illinois
  • Najibullah Zazi--Denver, Colorado, and New York City, New York
  • Colleen R. LaRose, a.k.a. Jihad Jane--Montgomery, Pennsylvania
  • May 2010 car bomb in Times Square

If you wonder why SAR and NSI are some important, take a look at the list of disrupted plots and attempted plots that have taken place in the United States over the last couple of years and certainly since 9/11. What you quickly see is that they are scattered throughout the nation. This is just a small list of them.

Going forward over the last two years, there are a number of disrupted plots that have occurred throughout the nation that were critically involved in the reporting of information from citizens and from other law enforcement components to identify that threat before it was able to be carried out.

The value of rolling out a nationwide program that focuses some consistent training to law enforcement and citizens on the reporting of suspicious activities reports, and then getting that information into the hands of the fusions centers who vet it and can analyze it and share it with the FBI is the absolute way for success in trying to disrupt plots.

[Slide 23]
Why SAR and Why Now

Dhiren Barot

  • In 2000, began plotting to attack a host of financial industry targets in the United States
    • The World Bank, the New York Stock Exchange, Citigroup buildings, and the Prudential Building

Mumbai preoperational planning actions

  • Detailed street maps leading to target locations
  • Detailed diagrams of hotel floor plans/layouts
  • Stayed at target hotels
  • Indian national arrested. Had detailed drawings of targeted Mumbai hotels, train terminal, and other sites

In this slide you see Dhiren Barot. Dhiren Barot was identified as a key Al-Qaeda plotter and reconnaissance man who had completed detailed analysis and detailed reconnaissance of a variety of financial banking facilities in New York City. When he was arrested and his computer was dumped, they found the most comprehensive surveillance packages for those building that anybody had seen up to that point.

It really emphasized the fact that terrorists take the time to conduct analysis and reconnaissance to prepare for attacks. Also we know from the Mumbai investigation that similar types of surveillance and planning were done there in Mumbai that just reemphasized how important it was to report indications of suspicious activity. Because in fact, what you may be doing is reporting on pre-operational activity. You won’t know that unless you have the information and have the opportunity to analyze that against other information sources.

[Slide 24]
Defining SARs

  • Suspicious activity reports are collected every day in a variety of ways
  • A SAR is "official documentation of observed behavior reasonably indicative of preoperational planning related to terrorism or other criminal activity"

A great deal of care was taken to define what SARs are, and that being the official documentation of observed behavior that is reasonably indicative of preoperational planning related to terrorism or other criminal activity. In order to be able to effectively capture that and report that a comprehensive training plan was put into place.

Fusion centers around the nation are leading the effort in getting training out to their states through a variety of mechanisms to make sure we are doing everything we can to identify that reasonably indicative pre-operational planning related information that may be related to terrorism or other criminal activity.

[Slide 25]
[Photos of victims Sgt. Robert "Brandon" Paudert, Officer Bill Evans,
and Joseph and Jerry R. Kane]

  • Officer Involved Shooting
  • Double Homicide – West Memphis, AR Police Department
  • West Memphis, Arkansas

The SAR program is important beyond international terrorism. What we clearly recognize is a growing and significant trend of domestic extremists and domestic terrorist suspects that are engaged in activities around the United States.

This is a case in point—these two officers were killed last year in West Memphis, Arkansas at the hands of Joseph and Jerry Kane who were practitioners of the Sovereign Citizen Movement. Their adherence to the Sovereign Citizen Movement and ideology drove them to commit the murders on these two police officers. These individuals are in our communities and they need to be identified when their ideology goes beyond just a belief system and moves into criminal activity that maybe ultimately leads them to some type of terrorist event or violent act against government officials.

The SARs program not only supports identification of potential terrorism with nexus to international terrorism, but domestic terrorism as well.

[Slide 26]
[TSA poster "Faces of Terrorism"]

At the end of the day, what we now know after ten years after 9/11 and a number of disrupted plots, we clearly see there is no clear profile and no reason to attempt to profile who might be the next terrorist. What you see before you are the faces of individuals who have been arrested or are ongoing terrorist operators in foreign countries who represent a wide array of race, creed, color and nationality.

The focus has to be on incidents and behaviors and not any one nationality, race, sex, or creed.

[Slide 27]
Tennessee Suspicious Activity Report (SAR)

[Image of SAR form]

Utilized state wide for the reporting of activities consistent with criminal activities or activities with a potential nexus to terrorism to the TFC.

LE SAR reporting is received via email, fax and Tennessee HSIN LE.

Citizens report via TOHS website and transmit via email to TFC.

National SAR Initiative (NSI)

The Tennessee Suspicious Activity Report was established back in 2007 when we opened our fusion center. We see approximately 400 to 500 of these reports each year that are all crimes reports we use to identify potential crime or terrorist activity in our state.

[Slide 28]
SAR Reporting Potential Threat Illumination of a Variety of Threats

[Image of Tennessee Fusion Center Advisory Bulletin]

  • International Terrorism
  • Domestic Terrorism
  • CI/KR
  • Gangs
  • Organized Crime
  • Other

We focus that attention on a variety of issues—not just terrorism. We develop products from that reporting as it has been vetted and laid against other types of reporting to help us understand what is going on in Tennessee and help to inform our leadership and our public safety and our law enforcement of what is taking place.

Here is an example of a product we developed based off the trend of laser illuminations that were taking place. You see a good deal of that around in public reporting and open source reporting. Tennessee saw a number of those reports. We captured and analyzed those reports, and evaluated them against the national reporting, and then provided a product out to our customers related to that.

That is one example of how we would use SARs to inform our partnership.

[Slide 29]
COC 4 Gather

  • TN Standing Information Needs Focused Working and Information Sharing Groups
  • TLOs – DT Working Group – Intel Working Group – THP Interdiction Plus - Safe Skies Team-Gang Intel Sharing groups
  • Tennessee Fusion technologies

We also focus attention on how we gather information around some standing information needs that we draw out of various partners throughout the state. That is information that they know they need on an ongoing basis to be able to develop their investigative strategies and their operational strategies, their resourcing strategies, etc.

We use that as a mechanism to be able to assist them in doing that.

[Slide 30]

  • Enable collection, analysis, production of actionable intelligence, directed dissemination and sharing of criminal and homeland security related intelligence… Supporting the Intelligence Cycle and Critical Operational Capabilities (COCs).
  • Grant funded
  • Phased Fusion System Development providing capabilities with each phase
    • Phase 1 – All Crimes Collection And Intrastate Share
    • Phase 2 – Intelligence Management and Analytics
    • Phase 3 – Geospatial Analytics
    • Phase 4 – Interstate Sharing
    • Phase 5 – Ongoing Enhancement and Enrichment

We gather information in a large part through the use of technologies we developed in Tennessee from DHS grant funding that came to Tennessee—that funding that we derived specifically for information sharing and intelligence. We have built some systems in our state that are housed within the fusion center and provide us with the means to collect information, particularly law enforcement information.

Law enforcement conducts investigations and completes reporting each and every day. What we’ve built in Tennessee is a system that captures that law enforcement reporting in a single repository and allows not only the analysts to evaluate the information, but also other law enforcement investigators from around the state have access to all the law enforcement data in a single repository.

This is something that wasn’t in place prior to 2006 and 2007 when we started building the system. An investigator had to call around and make direct contact with other law enforcement agencies if he thought he was investigating a crime, or with suspects that may have a relationship to other cities in the state.

Certain crimes would go up to a national database, but not all crimes. Today they have a system in place that is funded by DHS grant dollars that allows investigators to pull law enforcement data out and allows our analysts to use for analysis as well.

[Slide 31]
Consolidated Records Management System (CRMS)

  • Collects TN law enforcement records-state wide
  • 540 + agencies
  • 46 Million + records
  • Provides TFC and local, state and federal law enforcement query of those records for analysis and criminal investigation
  • Development will capture 94% of LE records
  • DHS grant funded

Beyond that, I think I have completed the key points I wanted to bring to you. I encourage you if you haven’t had the chance to directly outreach to your state and major urban area fusion center. They are typically very willing to host you for a tour, to describe their operations, and to sit down with you and talk about what your information needs are and how you may be able to mutually support each other.

[Slide 32]
[Screen shot of TFC Announcements web page]

I would encourage you to take the time to do that. If you are interested in more information as to who your fusion center director is your jurisdiction, use my contact information and I will put you in touch with the right person.

[Slide 33]

Steve Hewitt
[email protected]

Amy Sebring: Thank you very much, Steve. That was very educational. Now, to proceed to our Q&A and audience comments.

[Audience Questions & Answers]

William R. Cumming: How are the Fusion Centers funded for their budgets and ops?

Steve Hewitt: That is somewhat different from state to state and city to city. In most cases, a fusion center is getting some grant dollars to fund their center. But it varies. That is a state leadership decision.

As the state leadership meets to decide how the money from DHS is going to be split up within the state, they make a decision as to how much of that funding comes to their state or major urban area fusion center. That is the portion of the funding they get. There are a few centers throughout the nation that are almost totally reliant on grant dollars, but most centers are seeing some state dollars that help or largely fund their center.

In Tennessee’s case, that is exactly how we are designed. All the personnel, the building and operation expenses are state funded. We have chosen to use the federal dollars provided for information sharing to build the technology that we are using. We are not reliant on the federal money to maintain our operations.

It really depends on the decision making priorities and leadership of that state. It varies from state to state. Most states get some degree of federal funding at some level. Most rely more heavily on city or state funding to conduct operations.

To expand on that just slightly, many of the operations that are in place today as fusion centers were previously some kind of state or major urban area law enforcement intelligence operation. Then based on recommendations of the guidelines, they expanded and grew into a wider operation that incorporated more representation, more partners and more comprehensive or wider scope of duties and responsibilities.

Amy Sebring: Are you hearing concerns about reduced funding in the future from your colleagues?

Steve Hewitt: Absolutely. It is a very consistent topic of conversation. There are efforts underway right now to try to identify how fusion centers can be sustained in the future from other funding sources other than just DHS grant dollars. In the end, we are talking about sustaining and maturing these operations as opposed to standing them up.

The general opinion is that the funding amounts are different going forward in what we need than what we needed to stand operations up.

Mike Duncan: 1. How active are you with CI-KR ISACs? (Information Sharing Analysis Centers) 2. How active are you with Area Infragard chapters?

Steve Hewitt: Great question. I’m a little foggy on the ISACs—you may have to draw that acronym out further. In Tennessee, we are focused on CIKR analysis, but not programmatic activities. Our front office, the Office of Homeland Security is responsible for the programmatic side of CIKR—the outreach that takes place to develop, in the past, things like BCBPs and the state program outlay.

The fusion center focuses on actual threat analysis. Depending on what the acronym stands for, the reason I probably don’t know about it is because we’re not engaged in it at all. Now, Infragard is another subject. We have in Tennessee specifically decided to use Infragard as the key outreach mechanism for fusion center outreach to the private sector with the exception of some specific critical infrastructure in the state that has some very unique law enforcement attributes about it.

The broader outreach is through the Infragard program. We participate each year in a variety of Infragard meetings where we provide updates on how the fusion center is developing, where we vet Infragard members into the HISN portal, the emergency services and critical infrastructure portal we have on HISN, and then we’ll do periodic conferences as well. We provide threat briefings as well programmatic topic discussion related to fusion center.

Amy Sebring: I believe ISACs are "Information Sharing and Analysis Centers." They are essentially working groups that aligned along which type of infrastructure it is.

Steve Hewitt: I can’t say that Tennessee is involved in that but I wouldn’t be surprised that other fusion centers around the country may be. It also depends on how robust an effort is going on in that state on that particular group. I’d love to hear more about it and get introduced to it, but I’m not sure that it is going on in Tennessee at this point.

Mike Daniska: There are 72 DHS recognized Fusion Centers. Do you think additional Fusion Centers will be recognized going forward, or will DHS hold at this level (potentially due to funding constraints)?

Steve Hewitt: I think it would be hard for me to speculate on what DHS will do in the future where that is concerned. But I will say there has been a lot of discussion about the number of fusion centers that are currently in place and whether all those centers have activities within them that are supported in furtherance of the national security priorities.

What I think you’ll see in the future is decisions that are made about supporting fusion centers based upon the value for the buck. Congress is looking at fusion centers and they are making decisions about going forward in the future about how to support and sustain fusion centers. I think it is reasonable to expect that they are going to look at what centers are doing and make some decisions on whether or not they are delivering on the kinds of results and activities that were anticipated to be delivered on by fusion centers in support of a national security effort.

So I think it is incumbent upon fusion center directors to take and make every effort to build those COCs into their operations in a way that they deliver on that responsibility to support national security. Inevitably, this continues to be tied to sustaining dollars because each and every fusion center has a responsibility to serve their customers at home first and foremost.

There are demands placed on fusion centers out of their key agencies and out of the agencies they are supporting that have to be delivered on. At the same time there is the reasonable expectation that we support the national security strategies. The sustaining dollars are key to enabling a fusion center to maintain a level of operation to do both.

It is a "chicken or the egg" proposition. They have to deliver on the national security program side of the house in order to maintain Congress’s trust and faith that the money investment makes sense. At the same time, they have to respond to the expectations of their leadership and the state-based customers as well to maintain their buy in and their support of the program.

It is a very tight rope that we have to walk, and we definitely need Congress’s support to continue to fund it because we have made so much progress and have done so well with the funding we have had to date to expand and build this network. It is like any other effort of this size that you can embark on.

It is going to take time, continued effort, continued training and education, continued maturing to go from a basic agency intelligence operation to a comprehensive full-service fusion center. That is going to require continued funding and continued support from Congress. It requires acceptance and an embracing of the national security priority mission as well by the state and local fusion centers that demonstrate that they ‘own’ their responsibility for that mission and live up to those expectations.

Amy Sebring: Have fusion centers representatives actually testified on the Hill?

Steve Hewitt: Yes, we have. There was recent testimony by the Director of the Northern California Intelligence Center, Ron Brooks, and he sat before the Senate Homeland Security Intelligence committee. That is available on their website. You can look at his testimony.

There are a number of us that are heading to D.C. next week to do a education panel for members of Congress to talk what we are doing, success stories of what we are doing and making our case for why that sustained dollar is so important—to keep the process moving forward.

Joe Sukaskas: With the private sector owning and operating about 85% of the nation's critical infrastructure, how has the Tennessee fusion center incorporated private sector input, and how does Tennessee provide input to the private sector?

Frank Harper: How robust is your outreach to private sector businesses to bring that 85% of critical infrastructure into the intelligence loop?

Steve Hewitt: To start with, early on we had some really key critical infrastructure sites and private sector locations in Tennessee that we made early outreach to—Tennessee Valley Authority, FedEx, Wackenhut folks who are responsible for security around Oak Ridge National Lab and Y12—and a few others that we knew were sort of where we needed to focus immediate attention to because of their role and responsibility both in the nation and the state.

Many of those have unique law enforcement elements associated with them which made information sharing a lot simpler because they were sworn law enforcement to begin with. The hurdles were not there in terms of getting the information to them, sharing the information, and providing them access to systems and so forth.

When you talk about information sharing with the private sector, it continues to be a work in progress—no question about it. I think that is true across the nation. You are dealing with information that a fusion center doesn’t own—they are receiving it from federal partners or other owners of the information, analyzing that and developing intelligence products. The information comes to them with specific caveats in terms to how they can handle it.

Then you have to work with the owners of the information to get the authority to disseminate that information to the private sector. DHS and the FBI have come a long way in terms of building intelligence products that are intended to be shared with the private sector. That has been some real progress I saw in 2010 and early 2011 whereas we are able to provide some specific products that are specifically caveated as being able to be shared with the private sector.

We have to be very cautious in terms of how we share information because of that responsibility of trust that we have to handle information that is not ours originally, but originates from someone else in a manner that they tell us to handle it. We have also engaged those private sector partners in some direct face-to-face time.

I have spent time with FedEx and TVA and others where we have either had them in the fusion center and given them a briefing on what we’re doing and provided them ways to link in connectivity to us. We have conducted some threat assessments on their behalf based on information that came into the fusion center.

We have relied also, as I said before, on outreach through the Infragard program because the FBI has a very nice platform that is Infragard that allows us to periodically step in and re-engage and re-familiarize the actual private sector participants about fusion center operations in Tennessee. I know that similar things are happening around the country so we are not unique in Tennessee in that regard.

Moving down to the other question: How robust is your outreach to private sector? Our critical infrastructure program manager for the state has a key responsibility in the ongoing outreach effort. That program in the front office was involved early on in developing specific products for the private sector—guide books that focused on suspicious activity reporting and best practices for private sector interaction with the law enforcement community.

There have been a number of conferences in our state that were specifically designed to conduct outreach to the private sector, or that we participated in for the private sector as well. There is a little bit of the delineation in Tennessee between who owns the responsibility for outreach, which is our front office, and who supports the outreach, which is our fusion center. We support the outreach but we don’t necessarily have the direct first responsibility.

In the next year, we are going to be working with our DHS partner on a new program that is going to be focused on some concentrated sector outreach based upon things like current threat reporting and particularly soft target locations around our state, not because of a specific threat, but more of a general threat that we see based off of what we see overseas and the kind of attacks that occurred overseas that may migrate itself into the United States, or based on disrupted plots that have occurred throughout the country or the types of sites or structures that were identified.

We are going to focus some very specific outreach in Tennessee in the next year on those—inviting them to the fusion center for tours and building connectivity with their security elements for that critical infrastructure or key resources, and building that connectivity around the SAR program. Around the "see something say something" program and a sharing relationship with the fusion center as opposed to a more programmatic perspective of our front office that they take in building the critical infrastructure program in Tennessee.

Amy Sebring: To what extent is the fusion center involved in your own exercises or multi-agency exercises?

Steve Hewitt: We participate in exercises. We are not the lead on developing exercises, but rather we plug in. On average we are invited to two or three exercises per year. Back in 2007 we conducted one of DHS’s national level exercises specifically around information sharing and the development of intelligence.

We never shy away from an opportunity to join in an exercise, but we are not the lead on developing those. Candidly, we are doing so much day to day operational support that is replicating exercise environments, that I don’t actually lead internal exercises but about once a year because the pace and workload is such that we can’t sustain shutting down operations for an exercise.

When we are asked to participate we will break out one or two persons who will serve as the node for the fusion center in that exercise and who can respond and answer questions. In fact we are going to be doing a table-top in Nashville later this month. We will never turn one down—we will always make our personnel available because we believe it is important, but we are not the lead in developing them.

Amy Sebring: The reason I brought that up is that if folks out there around the country need exercise participants, they might want to think about possibly inviting a fusion center.

Steve Hewitt: I think that is a great idea because there is no better way to truly get to understand that way your fusion center operates and what their capabilities are than to engage them in an exercise, particularly if you have the time and the intent to provide intel injects into the exercise and let the fusion center work the inject and work with the FBI etc.

It is a great way to better understand your fusion center, as well as taking the time to visit the center, get a tour, sit down with the director or deputy director and talk about how to mature the connectivity between your emergency management operations and the fusion center.


Amy Sebring: Now it is time to wrap for today. On behalf of Avagene and myself and all our participants today, thank you very much Steve. We appreciate your taking the time to be with us and educate us on this topic. We wish you continued success with your efforts in the future and in Washington next week.

Before you go, PLEASE take a moment to do the rating/review! Note: We are asking you to rate the relevance of the information, and this will assist us in our future programming. Please check out the information on CEU’s we are now offering if you have not done so.

Due to the Thanksgiving holiday, our next program will take place Wednesday, November 30th. Please watch for our announcement and plan to be with us then.

Until next time, thanks to everyone for participating today. We want to take this opportunity to wish everyone a Happy Thanksgiving, and good luck with the EAS Nationwide test this afternoon in 1 hour at 2PM EST! We are adjourned.