March 10, 2010
Thank you Chairman Grendell; distinguished Senators of this Committee.
My name is Mark Atkeson and I retired from the Ohio State Highway Patrol last June 30th after over 31 years of service. I was the major in charge of the Office of Technology and Communication Services. Part of my responsibilities was overseeing Ohio LEADS (the Law Enforcement Automated Data System.) As the Ohio Revised Code provides, I was the Chairman of the LEADS Steering Committee under Colonel Paul McClellan and Colonel Richard Collins.
Today, I was asked to speak about Ohio LEADS. LEADS serves as the electronic communication network for Ohio’s criminal justice communities. LEADS was created in 1967 and became operational in 1968. From its inception, LEADS has been administered by the superintendent of the Ohio State Highway Patrol. The staff assigned to LEADS are funded by a specific fund consisting of money received from fees collected by agencies that use LEADS. These funds are for specific LEADS purposes and also administered by the superintendent of the Ohio State Highway Patrol.
It’s important to understand the authorites granted by the Ohio Revised Code and Ohio Administrative Code. In order to shorten my presentation, I will not recite them. But a number of times, they reference the superintendent’s authority – not the director of Public Safety or his/her designee. Please refer to ORC 5503.10, 4501.18, and OAC 4501:2-10. There are at least eight references to the superintendent’s authority. None reference the director of public safety. The only reference to Public Safety is identifying it as department to which the Patrol is under.
Although LEADS is administered by the superintendent of the Ohio State Highway Patrol, a designee normally chairs the Steering Committee and acts on behalf of superintendent. That person wears two hats, as did I when I oversaw LEADS: As a commander in the Patrol, he/she is tasked with the responsibilities assigned as a sworn officer; as the LEADS chairperson, he/she is responsible for the viability and solvency of LEADS. The best interests of LEADS is paramount. If the two hats come into conflict, the LEADS hat takes precedence.
Per the FBI CJIS Security Policy, every state has a CSA (CJIS Systems Agency.) The Ohio State Highway Patrol is the CSA for the state of Ohio since it administers LEADS and oversees the state message switch. The CSO (CJIS Systems Officer) is that person within the CSA that assumes ultimate responsibility for managing the security of CJIS systems within his/her state. That person historically has been the sworn commander overseeing LEADS as designated by the superintendent of the Highway Patrol. I was charged with the ultimate responsibility for managing the security of CJIS systems within Ohio.
These roles are mandated to criminal justice agencies; the Ohio Department of Public Safety is not a criminal justic agency, and the FBI has continually stated it does not constitute such standing. The State Highway Patrol, Ohio Investigative Unit, and BMV Investigations are the only entities within Public Safety that are criminal justice agencies. Everything else is administrative. Even OCJS and Homeland Security are not.
In 2007, it appeared that new Public Safety officials wanted control over LEADS. Even though the ORC and OAC are clear, new legal counsel opined that since the superintendent reports to the director, the director ultimately oversees LEADS. It was continually stated that Public Safety was a criminal justice agency and therefore could administer LEADS. It was even stated that FBI had been contacted and it concurred. (This was disputed many times with conversations with FBI CJIS officials.) When challenged on these statements, they always backed down and never would say who in the FBI gave them the information.
Because they were restricted by the ORC, OAC, NCIC, and opposition by the LEADS Steering Committee, they began an incremental approach to gain control. I believe initially ODPS just wanted control of all IT and its people, but it transformed into something much bigger.
Shortly after coming into office, the director’s office wanted to stop the physical publication of the LEADS Newsletter. They wanted it put on-line to save printing costs. Initially, they did not want to listen to the number of agencies that would not be able to access the newsletter or the impact of this decision, but eventually they acquiesced and backed off. However, they inacted a printing policy that required ODPS approval. This approval extended to content of the newsletter at first, but was later rescinded after objections. To further show their authority, without telling LEADS, the first newsletter was printed in black and white. (There was a need for color in the newsletter because of the detail in some of the photographs and images.) This approval process delayed the dissemination of the newsletter by upwards of two weeks.
Posting the newsletter on-line had merit, but the timing of this dictatorial approach was not right. Two years later after giving agencies appropriate notice, exploring options for those agencies that couldn’t receive the newletter on-line, and dealing with auditing concerns, it went on-line.
The director’s office dictated the ODPS logo would appear on the newsletter. They disregarded the fact this was not a DPS publication, but an Ohio LEADS publication. The Highway Patrol logo never appeared on this publication, only Ohio LEADS. This did not sit well with Steering Committee members nor did this newly experienced ODPS interference. Please check with any member of the Steering Committee to find out their opinions. (Refer to comments and minutes of June 6, 2007 LEADS Steering Committee meeting.) As a side note, Colonel Collins was a new superintendent. He attemped to work with the director’s office on a number of issues, including LEADS, but he was continually disregarded.
The CIO’s office was directed to find a way to combine both DPS and OSHP IT sections. The problem was that LEADS was the basis for and the backbone of the DPS network. And as such, OSHP maintained control of the network, much to the dismay of the director’s office. ODPS IT constantly kept OSHP commanders and LEADS supervisors in the dark about what DPS IT was doing, whether it was security issues, changing the email system, or many other DPS IT initiatives that affected LEADS. I will add that some proposed changes were positive but the air of secrecy and lack of involvement from LEADS personnel continually created problems.
Not that I need to defend ODPS IT, but to its defense it was obvious it was operating under the strict controls of the director’s office and Legal. I can’t remember the number of times I heard that the direcor’s office, Legal, or Administration had to be contacted before a decision could be made or action taken.
Although ODPS IT privately commended my staff for solving DPS problems, it continually reported to the director’s office that OSHP and LEADS were uncooperative, being obstructionists, and undercutting DPS. But just the opposite was true. Every time ODPS IT was challenged on the negative reports to the director’s office, the conversations were admitted to, but the true facts were never re-presented to the director’s office. (This was determined through my follow up conversations with ODPS administrators.)
The individual who used to be the ISO (Information Security Officer) for LEADS, became the ODPS information security administrator of ODPS IT in 2007. Even though he knew the security protocols of LEADS, he continually tried to use his authority to influence and control LEADS. Again not to defend him, but it seemed apparent he had been given strict direction from above. He and his position was used as a leverage with the director’s office to further their attempt to takeover control of the network. (Certain ODPS IT officials were advised that if any IT changes were made that affected LEADS without the approval of the CSO, criminal charges would be likely. Although this seemed to keep them at bay for a while, it could be seen that they were working behind the scenes with the director’s office and Legal on ways to take control of the network.)
In late 2007, Ohio had the opportunity to participate in NISP (Nlets Interstate Sharing of Photos.) This was a pilot project that allowed Ohio to share drivers license photos with other states. We recently had programmed a way for troopers to get Ohio photos in their cars dispite the MARCS limitations that seemed to have made this impossible to do. There was no cost to Ohio nor was there any impact to LEADS or BMV systems. Registrar Mike Rankin approved and supported this initiative, but it was continually delayed by the CIO’s office even though no work was required by ODPS IT staff. After months of roadblocks, but persistence from Mike Rankin and me, NISP was operational for Ohio law enforcement.
In 2008, ODPS began a complete overhaul of all IT and network policies (i.e., access to facilities, remote access, computer passwords, virtual private networks (VPSs) network boundary protection, reporting/tracking of equipment, incidents of data security issues, IT chains of command, network security, etc.) I did get the chance to review them and state any objections, and LEADS had objections to parts of all of them. Many of these objections were stated before the policies were drafted, but they still found their way into the drafts. Only until I refused to sign off on the changes did some of our objections get resolved. Where resolved, the policies were finalized. Where not resolved, they sat in a draft and pending mode until I retired. I don’t know the status of those pending policies now.
This was a main focus of ODPS: change as many policies as possible and centralize authority and decision-making to a select few individuals to which they held ultimate control. Not only was this done with IT issues, but almost all important policies. I know you are aware of some of them.
Expenditures which used to be approved by the superintendent (sometimes after recommendations from the Steering Committee) now had to have the director’s approval. Waiting for this approval created delays in all purchasing, not to mention superceding the statutory authority of the superintendent. The largest delay pertained to the upgrade of LEADS. Funds had been put aside to pay for this needed upgrade, but the director stopped it from proceding. ODPS IT continually threw up roadblocks as well. The upgrade that should have occurred in 2007 still has not been completed…compromising the whole LEADS system. The director and his staff were told this numerous times. It must be remembered the funds for LEADS are from local agencies’ fees – not state monies in the traditional sense. I understand that the failure to upgrade LEADS as originally planned is now creating issues with ODPS IT.
In an attempt to allow Public Safety complete control of the Public Safety network, LEADS offered (at its expense) to separate or isolate the two networks. Although the director agreed to this (and stated such at the September 2007 LEADS Steering Committee meeting) and approved the expenditures in 2008, the project kept being delayed by ODPS IT and the director’s office. Part of the isolation project involved a back-up site at the new Lancaster Post. Although approved as part of the construction project, this too was delayed, compromising the completion of the Lancaster Post. Alternative plans had to be put into place to complete the post. The LEADS back up site is still delayed.
In 2009, without the involvement or consultation with LEADS, ODPS IT contracted with SEARCH, The National Consortium for Justice Information and Statistics, to prepare a report to evaluate the department’s organizational structure of IT services. Although DPS denies this, the underlying purpose was to provide backup documentation to support consolidation of ODPS and OSHP IT sections. Apparently, this report recommends such action, and ODPS is acting on it. A by-product of this is to control LEADS.
I have to say that we were always fine with consolidation of functions – where that could be done. And over the years, many consolidations were done. I prided myself on initiating efficiencies anywhere I could throughout my career. The accountability of public funds was always foremost in my decisions. When it came to LEADS, efficiencies were certainly important, but not at the expense of the integrity of the system.
In order for ODPS to administer LEADS, it has to be considered a criminal justice agency. It clearly is not. ODPS must finally realize the ORC, OAC, and the FBI Security Policy must be changed to allow this to happen, so currently Public Safety Legal is attempting to push LEADS to outsource the LEADS criminal justice message switch to ODPS IT. Although LEADS could outsource this function, it must be in LEADS’ best interest and should be initiated by LEADS.
ODPS has begun work on a Service Level Agreement, which is a document that spells out each parties’ responsibilities as well as requirements for providing services. I understand this is a somewhat one-sided document. Again, any service level agreement should be initiated by LEADS in cooperation with the service level provider for the benefit of LEADS and its customers. Even if this comes to pass, LEADS and the CSO still maintains management control and auditing authority over ODPS IT as it pertains to LEADS. But ODPS will not accept such oversight.
If this option does not work, the other option ODPS is considering is alligning LEADS under OHLEG. OHLEG is the Ohio Law Enforcement Gateway which is administered by the Attorney General. These two systems are vital for law enforcement, but they serve different purposes (expand upon.) There are a number of problems with this as well. One of the reasons OHLEG doesn’t provide access to LEADS now is/was the inability to meet CJIS Security Policy standards.
I understand that ODPS Legal is also working with the AG’s office to orchestrate an MOU to consolidate information for first responders which includes access to LEADS. Although consolidation of information is a good thing, the security of LEADS and its message switch must be considered. Access to LEADS without appropriate LEADS oversight should not be allowed.
OAC 4501:2-10-06 (I): System users must strictly adhere to the standards, procedures, formats, and criteria contained in the NCIC operating manual and the LEADS security policy. We always placed the utmost importance on strict adherence. When violations occur, sanctions or more severe actions are taken. I was responsible for ensuring adherence to these rules set forth by NCIC and LEADS. Probably the most well-known example of this was the Samuel Joseph Wurselbacher case, or as most of you know him, Joe the Plumber. A number of persons accessed his information, some legitimately and others not so. Once brought to our attention, an immediate audit was done, and all inquiries were investigated immediately. None of the violations were treated lightly nor was politics allowed to enter into any decision-making. However, the release of information regarding the inquiries had to be disseminated through ODPS Legal per ODPS’ new release of information policy.
I now see on the ODPS website under ODPS/Administration Information Technology that Ohio LEADS is listed as an ODPS function. It is not listed under the Ohio State Highway Patrol except as an old organizational chart that looks like it was missed during deletions. Even a Google search lists ODPS/Administration as the overseer of LEADS. Like the Patrol, Administration is one of the divisions of Public Safety, but it is not a criminal justice agency nor does it have statutory authority to administer LEADS.
From the Web Site: About Us: …Our Chief Information Officer manages the IT Office and reports to the Executive Director of Administration. Some of our systems include:
•
Clerk of Courts
•Deputy Registrar Systems
•Law Enforcement Automated Data System (LEADS) Provides easy access to criminal history information files, vehicle registration information, driver license information, wanted and missing person information, court-ordered protection orders, and other information to law enforcement agencies throughout Ohio. It is directly linked to the National Crime Information Center, and it serves information to law enforcement through either desktop computers or mobile data terminals in cars.
•OPLATES
Not only is this a false representation, and if true a violation of the FBI CJIS Security Policy, but demonstrates the intent of ODPS to take over LEADS. This website falsely represents LEADS as a Public Safety entity and misleads all those who access the site.
I had the privilege to sit on several national boards and committees. To be fair, the director’s office did not stand in the way of my participation. This was appreciated since my participation gave Ohio a voice in national decisions that were being made.
In closing, LEADS should remain independent of any political control. It has worked well for 42 years absent any political interference. The Steering Committee is made up of representatives from all areas of the criminal justice system. This ensures the neutrality and impartial administration of the system. It is clear the ORC and OAC grant the authority over LEADS to the superindendent of the Highway Patrol, not anyone in Public Safety. That responsibility has always been handled with great respect and concern for doing what is in the best interests of the criminal justice community. I took great pride in being associated with LEADS and the relationships we had with local law enforcement and criminal justice agencies. I have confidence that if you asked any member of the Steering Committee, he would share the same sentiment. LEADS is there for the entire criminal justice community, not something to be leveraged by those who seek control.
Thank you. I will be happy to answer any questions you may have.
Supporting Legal References
Please reference the below listed ORC and OAC citations as well as attached IOCs and other documents. Unfortunately, these are the only documents I retained.
ORC 4501.18 Law enforcement automated data system fund.
There is hereby created in the state treasury the law enforcement automated data system fund, consisting of money from fees collected by the state highway patrol pursuant to section 5503.10 of the Revised Code, and such other amounts as may be credited to the fund. The fund shall be administered by the superintendent of the state highway patrol and shall be used solely for purposes authorized by section 5503.10 of the Revised Code. All investment earnings of the fund shall be credited to the fund.
ORC 5503.10 Law enforcement automated data system.
There is hereby created in the department of public safety, division of state highway patrol, a program for administering and operating a law enforcement automated data system, to be known as LEADS, providing computerized data and communications to the various criminal justice agencies of the state. The program shall be administered by the superintendent of the state highway patrol, who may employ such persons as are necessary to carry out the purposes of this section. The superintendent shall adopt rules under Chapter 119. of the Revised Code establishing fees and guidelines for the operation of and participation in the LEADS program. These rules shall include criteria for granting and restricting access to information maintained in LEADS.
The superintendent shall appoint a steering committee to advise him in the operation of the law enforcement automated data system, comprised of persons who are representative of the criminal justice agencies in Ohio that use the system. The superintendent or his designee shall be chairman of the committee.
OAC 4501:2-10-01(G) “Criminal justice agency” means:
(1) Courts; and
(2) A governmental or non-governmental agency or any subunit thereof which performs the administration of criminal justice pursuant to a statute or executive order, and which allocates a substantial part (more than fifty percent) of its annual budget to the administration of criminal justice.
The definition of “administration of criminal justice” is defined as: the detection, apprehension, detention, pretrial release, post-trial release, prosecution, adjudication, correctional supervision, or rehabilitation of accused persons or criminal offenders. It also includes criminal identification activities; the collection, storage, and dissemination of criminal history record information; and criminal justice employment.
OAC 4501:2-10-01 (Q) “Law enforcement automated data system (LEADS)” means the statewide computerized network which provides computerized data and communications for criminal justice agencies within the state of Ohio. LEADS is administered by the Ohio state highway patrol superintendent. LEADS does not include data and files separately collected and maintained by intrastate regional systems or other individual user systems.
OAC 4501:2-10-01 (U) “Management control” means having the authority to set and enforce:
(1) Priorities;
(2) Standards for the selection, supervision, and termination of personnel; and
(3) Policy governing the operation of computer circuits and telecommunications terminals used to access the LEADS.
OAC 4501:2-10-02 Leads steering committee.
(A) The LEADS steering committee is established to provide advice to the superintendent of the Ohio state highway patrol concerning the governing of LEADS. The committee is composed of nine members who shall represent the following organizations:
(1) Ohio state highway patrol;
(2) Buckeye state sheriff’s association;
(3) Ohio association of chiefs of police;
(4) Bureau of criminal identification and investigation;
(5) Intrastate regional systems;
(6) Police department representing smaller police departments;
(7) Municipal police department representing larger police departments;
(8) County sheriff’s office representing metropolitan area sheriff’s offices; and
(9) The chief justice of the Ohio supreme court or his/her designee representing courts.
(B) The LEADS steering committee’s duties include providing recommendations for rules, reviewing violations of these rules to ensure equal and just sanctions have been invoked; recommending enhancements to the system; recommending user fees and other duties as assigned by the superintendent. Any person substituting for an appointed LEADS steering committee member will have the authority to contribute and enter into discussion regarding issue(s) before the committee; however, he/she will not have authority to vote on any issue before the committee.
(C) LEADS operators, supervisors and/or agency administrators shall cooperate with any efforts of the LEADS steering committee, the superintendent of the highway patrol or persons authorized to act in their name, in actions/directives/orders, administrative reviews or other efforts to improve the system.
OAC 4501:2-10-06 (I): System users must strictly adhere to the standards, procedures, formats, and criteria contained in the NCIC operating manual and the LEADS security policy.
OAC 4501:2-10-06 (K): The LEADS operating manual, NCIC manuals, LEADS newsletters, BCI&I CCH training manual, LEADS security policy, LEADS lesson plans, LEADS hardware/software, or other materials necessary to the proper functioning of a terminal shall be maintained in an up-to-date condition readily accessible to those persons charged with terminal operation or control. All LEADS owned hardware and software, LEADS security policy, CJIS security policy and BCI&I CCH training manuals are not for use, or for possession, or release outside the terminal agency except as otherwise provided in these rules, or as specifically authorized by the superintendent.
OAC 4501:2-10-06 (L): Due to the sensitivity of the information maintained on the LEADS/NCIC/NLETS systems and to comply with NCIC/CJIS security policy it is important steps are taken to safeguard these networks from improper access. LEADS access is not permitted on any system or device which can also access the internet without prior notification to, and approval of, the steering committee chairperson. Prior to any terminal or device which accesses LEADS being capable of internet access, the agency shall provide to the steering committee chairperson documentation of the agency’s method of providing for the security of LEADS. This documentation will be reviewed and written approval shall be issued prior to any device at the agency being capable of accessing both LEADS and the internet. This restriction also applies to networks which have terminals accessing LEADS and others accessing the internet.
Per the CJIS Security Policy: the CSA is responsible for establishing and administering an IT security program throughout the CSA’s user community, to include local levels. The CSO assumes ultimate responsibility for managing the security of CJIS systems with his/her state. The CSO is therefore responsible to set, maintain, and enforce:
•Standards for the selection, supervision, and separation of personnel who have CJIS systems.
•Policy governing the operation of computers, access devices, circuits, hubs, routers, firewalls, and other components that comprise and support a telecommunications network and related CJIS systems used to process, store, or transmit criminal justice information, guaranteeing the priority, integrity, and availability of service needed by the criminal justice community.
•Responsibility for the management of security control shall remain with the criminal justice agency.
•Responsibility for the management control of network security shall remain with the criminal justice agency.
