U.S. creates vulnerability database

The government is making it easier for owners of the nation’s critical infrastructure to share with it how their facilities are most vulnerable to terrorist attack.  In return the government guarantees that such information will be kept private.
Source: msnbc.com

The government is making it easier for owners of the nation’s critical infrastructure to share with it how their facilities are most vulnerable to terrorist attack.  In return for submitting the vulnerability data, the government is providing guarantees that such information will be kept private, unreachable by competitors, journalists and activists.

By law any information submitted to the new $3.9 million project, dubbed the Protected Critical Infrastructure Information (PCII) program, will be exempt from all requests under the Freedom of Information Act, the law that provides for public disclosure of information maintained by government agencies or offices.

Critical infrastructure includes “the assets and systems that, if disrupted, would threaten our national security, public health and safety, economy and way of life,” according to a DHS statement explaining PCII.

Cooperation with the government by the private sector in the area of information-sharing, especially about potential vulnerabilities of the nation’s critical infrastructure, has been less than stellar, government officials acknowledge. Any information shared with the government had no automatic exemption from the Freedom of Information laws and business owners were afraid such information could be exploited by competitors or used by journalists and activists or even terrorists.

But passage of the Critical Infrastructure Information Act and creation of the PCII changed all that, said Bob Liscouski, assistant secretary for infrastructure in the Department of Homeland Security. 
Owners of critical infrastructure “have been looking for better ways to protect their data, and this act provides that now,” Liscouski said Wednesday.  The new program is “ensuring that we have clarity around what the vulnerabilities are and how we can best protect those vulnerabilities,” Liscouski said.  Information provided by private companies allows DHS analysts access to “nuanced” information only the private sector has access to now, Liscouski said.

All carrot, no stick
Submission of information to the PCII is voluntary; there are no penalties for withholding information. The government has no plans to pressure the private sector to submit information, said Fred Herr, director of PCII. 

Businesses, however, can’t use the PCII as a dumping ground for data, hoping to protect or hide information under the FOIA exemptions provided to the PCII database, Herr said. Companies will be criminally liable for using the PCII to shield information that is mandated for disclosure by other government regulations, Herr said.

However, if a DHS employee discovers wrongdoing or criminal activity as a result of analyzing the PCII data, that employee is free to divulge such information under a special “whistle-blower” provision of the law that created PCII, Herr said.

Ultimately the information provided to PCII will be analyzed by DHS looking to see if the vulnerability assessments are robust and feasible, Liscouski said.  And if DHS finds holes in a company’s security or vulnerability assessment then immediate steps will be taken to plug the hole.

“We clearly are going to take an urgent look at this information when we get it,” Liscouski said. 

Eventually the information will be made available to other government agencies on a secure network, Herr said.  DHS hopes to wade through security issues to allow state and local officials to have access to such data, too, Herr said.  But in the short term, “things will be pretty low-tech,” Herr said, with information residing on individual desktop computers until the database is fully networked.

Won’t stop the processing
Before DHS was officially launched as the overarching domestic security agency for the country, critical infrastructure assessments and vulnerabilities were handled by the National Infrastructure Protection Center, which was run by the FBI. Under NIPC thousands of vulnerability assessments were done under the “key asset program.”

That “key asset program” data will not be rolled into PCII, according to Herr, nor will there be any attempt to retrofit that key asset data so it can be included in PCII. 

The existence of the PCII doesn’t preclude the DHS from continuing to conduct its own critical infrastructure vulnerability assessments, Liscouski said.  “But this program allows for a more targeted approach,” he said.

The PCII information can be leveraged by DHS; the more information submitted voluntarily, the less time and money DHS has to spend going out and collecting it on its own, Liscouski noted.