Pondering private infrastructure data

The Homeland Security Department is still figuring out the best way to handle sensitive information that the private sector voluntarily submits to the government.

Protected Critical Infrastructure Information Program Office

Even with new rules and laws, Homeland Security Department officials are still figuring out the best way to handle sensitive information that the private sector voluntarily submits to the government, according to a DHS official.

Congress created the Protected Critical Infrastructure Information Program Office under the Critical Infrastructure Information Act of 2002 in response to concerns that private sector information on vulnerabilities and attacks would be available to the public or competitors under the Freedom of Information Act. The office's job is to determine whether the information that private-sector organizations submit relates to the nation's critical infrastructure, such as financial services and telecommunications.

The first lesson that officials have learned is that the private sector doesn't willingly submit information just because an infrastructure office now exists, said Frederick Herr, director of the office. So far, the program office has received only 19 submissions, which came in response to a request for specific information, Herr said. Officials rejected six of those submissions and still are reviewing one, said Herr, speaking July 29 at the GovSec conference in Washington, D.C.

Officials had to change the way they thought the office would operate because of existing relationships between the private sector and other parts of DHS and government. For example, the DHS Information Analysis and Infrastructure Protection Directorate's National Cyber Security Division includes a delegation of experts from the infrastructure program office. Information about cyber vulnerabilities and attacks can go directly to the people who need to analyze and disseminate that information, Herr said. The office has authorized employees in the physical security division within the directorate to validate information collected during the site visits they perform nationwide, he said.

Officials are still wrestling with the submission process. Because signatures are required, submissions to the program office must be mailed, even if they include electronic information, Herr said.

To simplify information submission, officials are working with other parts of DHS to build an electronic submission process with electronic signatures.

"We're very close to being able to do that, and I think that will help improve utilization of the program," Herr said.

Because DHS, like many companies, has its own public key infrastructure — with the ability to use and accept digital certificates — that is an easy solution for those submissions. But many smaller entities and individuals do not have digital certificates, Herr said.

Officials are considering linking the e-signature to a sender's e-mail address that requires some form of authentication, such as AOL or Comcast, Herr said. Free e-mail accounts, such as Yahoo and Hotmail, which require no authentication to sign up, would not be allowed, he said.