Defending Freedom with Information Management at the Joint Staff
The following excerpt is based on the book Tomorrow’s Jobs Today, available at fine booksellers from John Hunt Publishers.
Mark Patrick, CIP, leads the Joint Staff’s Information Management Team at the United States Department of Defense in Washington, D.C. He is a recognized thought leader in digital transformation, intelligent information, cybersecurity and knowledge management. He earned his bachelor’s in foreign affairs from the University of Virginia and his master’s from Tufts University Fletcher School of Law and Diplomacy. He shared his insights on information management in our new book Tomorrow’s Jobs Today.
Q: Mark, you’ve served your country as a sailor, helicopter flight instructor, and now as a national security executive. What initially piqued your interest in a career in government, and why did you ultimately gravitate toward leadership roles in its knowledge management divisions?
A: I am the son of a career Air Force officer who went on to a second career in municipal government following his military service. So, I am following in my father’s footsteps to a large degree. After attending the University of Virginia on a Naval Reserve Officer Training Corps (NROTC) scholarship, I enjoyed 21 years in the Navy, flying, doing various types of staff work, attending graduate school, living abroad and working with members of all the military services and with the interagency, allied military partners, and civilian members of allied ministries of defense.
While in the Navy, I served as the deputy to the civilian who led the Joint Staff’s Information Management Division, from 2000-2002, here at the Pentagon, the position I now hold. During that period, that civil servant retired, and I acted as the division chief for a period of months. I was part of the selection committee that hired his replacement. It was during those couple of years I was exposed to workflow, records management, business process, business intelligence, decision support, and a number of information and knowledge management practices. I developed a keen awareness of how important these were to the business of the Joint Staff, and any large organization in general, whether public or private sector. It was exciting to do these things for an organization with such significance for our Armed Forces and the nation as a whole. The Chairman of the Joint Chiefs of Staff is the principal military advisor to the Secretary of Defense and the President. The Joint Staff is his staff.
When I retired from the Navy in 2007, the civilian leadership position in the Joint Staff’s Information Management Division was vacant again, and I decided to apply for it. I was selected, and 12 years later, I’m still here. Like my father before me, government civil service seemed like a natural follow-up choice to my military career. Leadership in information and knowledge management in a national security environment felt like a continuation of what I did in the Navy, building on everything I’d learned, but also providing a continued path to grow in a field that I found fascinating. The only downside: no flying anymore. One year later, the iPhone came out, and our digital world seemed to speed up. The information world has continued to pique my interest as things have changed rapidly, so I’ve stuck with it.
By the way, flying crewed aircraft and conducting a complex military mission involving multiple ships, aircraft, and submarines is one big information and knowledge management exercise—with a little hand-eye coordination thrown in! There is a direct relationship to where I am now.
Q: You’re actively involved in groups like AIIM, the Association for Intelligent Information Management, and have sat on its Board of Directors. How does business and technology insight gleaned from private industry think tanks like AIIM influence information governance practitioners in the public sector?
A: Information is information. Data is data. A business process is a business process. It doesn’t matter whether it occurs in the public or private sector. The fact is that most private sector businesses are smaller and more nimble than large government bureaucracies. Because of this, changes in the business technology environment have occurred much more rapidly there than in the public sector. It seemed obvious to me that if I wanted to learn the best way forward for public sector information and knowledge practices, I needed to familiarize myself with the innovation happening in the private sector.
AIIM has been around since 1943. I found it soon after taking my civilian job via my local chapter, the National Capital Chapter. It was there I met a very experienced group of vendors, consultants, and other end users that had spent their entire careers in the information management space. They were able to teach me about the evolution of enterprise content management systems across businesses — the pharmaceutical industry, oil and gas, finance, etc. SharePoint was becoming a big deal, along with other systems and vendors. I shared with my AIIM colleagues what I was learning in my organization as well (nothing classified, of course!). As my personal and professional relationships with these AIIM members grew, I felt grateful and volunteered to serve on the chapter board. After some time, my peers encouraged me to apply for a director’s position on AIIM’s national board. I was nominated, selected, and began serving in 2014. Normally a three-year position, I continued as Treasurer, Vice-Chair, Chair, and now I’m in my sixth and final year of service as the Immediate Past Chair.
AIIM has been my network. I’ve worked closely with folks from Microsoft, Box, Nuxeo, Gartner, OpenText, Alfresco, state government CIOs, private consultants, to name a few. It has been invigorating and rewarding, and I’ve always found that what I learn from my AIIM colleagues has direct or indirect application in the public sector. People, process, technology, and information innovation is transferable.
As I’ve attended AIIM’s annual conferences, there has always been a significant number of public sector attendees from across various levels of government. I’m clearly not the only one. Public sector practitioners mingling with their private sector counterparts creates mutual benefit. Like-minded end-users collaborate. Customer-client relationships are formed. Lessons learned and best practices are shared. Training is facilitated, and practitioners grow their skills and, consequently, their value to their organizations.
Q: The government is sometimes between a rock and a hard place in responding to Freedom of Information Act requests. What does the public need to understand about the burden these requests place on a bureaucracy?
A: I can speak from my experience with the Department of Defense information, especially here in the Washington, D.C., area. Most of our information includes mixed classified equities of multiple agencies, both sub-agencies within DOD—say Department of the Army, Defense Intelligence Agency, a particular combatant command like US Central Command, or US European Command for example; and information originated by non-DOD agencies like the Department of State or the Intelligence Community.
When a request to search for or review information comes into the OSD FOIA office, after they determine the request is legal, bona fide, etc., they then have to send it to all elements within the department that have equity to conduct reviews or searches. They may determine at that point that other non-DOD agencies need to review the information as well. Sometimes this isn’t discovered initially, but the DOD sub-agency will come back with the recommendation that the material also be reviewed by one or more other agencies. Once all of the reviews are in, the OSD FOIA Office has to combine them, adjudicate them for consistency, etc. and then send out the consolidated reply to the requester. This can take time.
Within the Joint Staff, when we are given a case by the OSD FOIA office, we have to determine which sub-element of the staff has equity in the information so that it can be staffed by the correct Original Classification Authority. The work eventually will get from a FOIA caseworker into the hands of an action officer who has subject matter expertise to conduct the review or the search. Sometimes cases can be quite large and require considerable time to complete, and these action officers are doing them as a collateral duty. They have a “day job” that they also must do.
Sometimes there is controversy over some classified equities that may have to be worked through. All FOIA cases also will be reviewed by legal counsel’s office. In CY 2018, my declassification branch completed over 1,600 cases involving either the FOIA or mandatory declassification reviews and security reviews that are subject to the Executive Order on Classified National Security Information (EO 13526). These types of reviews have different sponsor offices within the DOD. We track each request meticulously from receipt to return to the proper DOD office that interacts directly with the requester.
I take it as my duty as a civil servant to ensure that whatever should be released to the public is released—or rather that we recommend to the OSD FOIA Office that it be released. However, I also am determined that anything that is properly classified should be withheld, which is also in the best interest of our citizens and our young men and women in harm’s way.
This case workload across the federal government continues to grow year to year as more and more of our citizens have discovered how easy it is to initiate requests from their home computers. Note one does not have to be a US citizen to use the FOIA. Not surprisingly, our human resources to work these cases have not kept pace, although we have increased the efficiency of this work by using electronic workflow tools and tracking. There are even private organizations that have built a business around helping individuals file FOIA cases. It is a hallmark of our democracy that these processes exist, but they are not free and to mismanage our properly protected national security information by incomplete processes would not only be illegal, it could end in tragedy. The resources required to do this work are always in competition with resources needed to do all the other things agencies must do. They are limited.
All of this is to say that what may appear like foot-dragging is really a patriotic attempt to serve both the public and our men and women in uniform. Could processes be improved? Always. Are some FOIA offices more efficient than others? Certainly. However, I am proud of the thousands and thousands of cases my division’s declassification branch has worked over the last 12 years, and if FOIA requesters knew the details, I believe they would be most appreciative.
Q: Cybersecurity is an essential component of our national defense, and threats from foreign actors are becoming increasingly sophisticated. Yet federal, state, and local governments have limited resources to assist private entities investigating breaches and ransomware attacks. Where does a business’s responsibility to protect its own IT infrastructure end and the government’s role in defending it begin?
A: Fundamentally, it’s about risk mitigation and resource management for businesses, governments, and individuals alike. Like many issues that have only recently come to be as technology has evolved rapidly in recent years, resolution may only come through testing in the courts, legislation, etc. This will take time. I expect there will ultimately be public/private partnerships that must emerge. US Cyber Command is very new, having acquired combatant command status this past May.
The public’s awareness of these issues is mixed, and some of the risks will be assumed by citizens. The populace must learn to be responsible with their personal data. As awareness increases among the public, all levels of government, and within the private sector, and as the cybersecurity sector matures and grows, things should improve, but like our physical defense, our cyber defense will never be a 100 percent assured. The only way to ensure zero risk is to live in a cave and stay off the web. Not likely for most of us, and even for those who would choose such a lifestyle, they’d likely be picked up via satellite as they went about their off-the-grid foraging activities!
The government will have to balance the resources spent to mitigate cyber risk with the resources required for all the other required tasks it must perform. Companies and individuals will have to do the same. Engagement and collaboration between these three groups will be continuously necessary.
Q: Following the 9/11 terrorist acts, the U.S. took steps to ensure its security agencies were better equipped to share information and communicate. Besides leveraging technology to support interoperability, what have we done from a training perspective to promote better control over the handling of, and compliance with, confidential records and official systems?
A: I can only answer this question from my local perspective. In short, a combination of training, automation, managed access to systems, and physical spaces are required. On the Joint Staff, training in the proper handling of classified or sensitive material is conducted during on-boarding for action officers. Refresher training is an annual requirement. As knowledge workers across the federal government create classified unstructured data, a human still must understand his/her agency’s classified equities and know how to mark or tag electronic documents accordingly.
Automation can assist with minimizing human error, but there will always be a training requirement to ensure that documents and data are properly managed by the originator and anyone who handles information across the enterprise. If artificial intelligence and machine learning are used, a human will still be required to “teach” or configure the machine so it can detect sensitive information and prompt appropriate action.
If spillages occur, processes must be in place to mitigate associated risks, assess and respond to damage, and revise procedures to prevent future similar occurrences. Security clearance vetting processes are in place at the point of hire to try and prevent nefarious mishandling. Throughout a federal employee’s time of service, continuous monitoring and/or periodic reviews of the individual’s fitness for a security clearance are conducted.
With the rise of “need to share” over “need to know,” the concomitant greater risk must be mitigated via system access controls, proper marking, and training. It will always be a balancing act when sensitive information must get to those who need it at “the speed of relevance.”
Q: With deep fakes, AI inherent bias, and misinformation campaigns capable of drastically impacting the way citizens process information, what role if any does government have in combatting the disruptive social impacts they may have on the citizenry?
A: I believe government has a role, but the specifics are complicated. There is some amount of “it depends” here. If another state or non-state actor is attempting to impact public opinion to affect a US election, this becomes a matter of national security at the federal level. State and municipal elections could be viewed differently. “Disruptive social impact” is somewhat vague, and I’d say government involvement should be considered on a case-by-case basis. Sowing the digital seeds of general social discord with the intent to create chaos, dysfunction, or further polarizing our society becomes tricky. It will need to be further analyzed, considered in the context of privacy laws, espionage laws, first amendment rights, and others. Legal precedents will need to be established in our courts, and perhaps legislation or national policies are required.
There are a number of novel legal issues at play with which government at all levels will need to contend. The digital commons, like international waters or space, can be leveraged for good or bad. International organizations may need to get involved, and the same sovereignty issues will come into play when those organizations address other issues. Coalitions of the willing have their limits. Governments at all levels can educate and work with their communities to raise awareness of the risks and mitigation strategies that should be considered.
Q: What’s the best advice you can suggest for a person considering a role in knowledge management and seeing the military as an avenue towards that ultimate goal?
A: Entering the military for knowledge management or any specialty requires research first. All branches of the Armed Forces and the civil service are doing knowledge management in some capacity. But each of these services has its own culture and subcultures with which one should become familiarized before enlisting or pursuing an officer’s commissioning program. Read military web sites, review USA Jobs, follow media in the knowledge and information management fields.
I believe that knowledge management, information and records management, information technology, cybersecurity, and data management are all different parts of the same information and data portfolio. More and more, collaboration among professionals that have these subspecialties will be paramount. You do none of these in a vacuum. In the end, this evolving workforce is serving the mission of the organization. What the organization’s leadership needs is the just-in-time data and information to make decisions or achieve situational awareness.
I have often described these overlapping fields of expertise as analogous to instruments in an orchestra. Each instrument is needed, but the instrumentalists must not only master their individual skill, they must understand their fellow musicians and be able to play in such a way as to create harmonious, beautiful music. There should be a conductor who knows how to put them all together with the wave of a baton—and likely lots of practice. Without this synergy, the only thing produced will be a cacophony of tuning noise.
The military is only one way to get there, but folks must count the cost of military service. It’s not for everyone. Note that both military members and federal civilians take similar oaths of office “to support and defend the constitution of the United States against all enemies, foreign and domestic.” If that oath resonates, military service appeals. and one has a keen interest in information, data, and knowledge management, I’d say full speed ahead!
“Public sector practitioners mingling with their private sector counterparts creates mutual benefit. Like-minded end-users collaborate. Customer-client relationships are formed. Lessons learned and best practices are shared.”Mark Patrick