DHS rule might get industry to open up

The Homeland Security Department issued a final rule earlier this month that should help shake loose information that DHS needs to protect the country’s critical infrastructure, although how fast that information will come is not yet clear.

DHS has confronted fears, particularly from industry groups, that sensitive and proprietary information companies provide might find its way into the hands of other organizations that could use it to embarrass or potentially harm them.

However, industry representatives said last week the final rule seems to answer their major complaints.

“I think companies will be pretty content,” said Jennifer Kerber, director for homeland security at the Information Technology Association of America’s Enterprise Solutions Division. “The presumption was that if information was properly submitted, that it would be protected, and I think the DHS has clarified that it will.”

DHS considers the information, which the private sector and state, local and tribal governments can submit voluntarily, vital to its ability to protect the country’s critical infrastructure, such as banking and financial institutions, telecommunications networks, and energy production and transmission facilities. Almost 85 percent of those are in private-sector hands.

The Critical Infrastructure Information Act of 2002, which was part of the legislation that established DHS, requires the department to set up procedures for safely receiving, storing and handling such information. DHS published an interim rule in February 2004.

All information that qualifies for DHS’ Protected Critical Infrastructure Information (PCII) program, which the department set up to fulfill the law, would be protected except in special circumstances and would not be available for other uses.

Earlier this year, the Government Accountability Office issued a report criticizing DHS’ efforts to assuage industry and government fears. The department had not defined its specific needs or determined how it would use information, according to the report.

That lack of specificity has made potential submitters reluctant to provide sensitive information, GAO found.

In addition, DHS had not yet used the information that companies had already submitted to issue any advisories, alerts or warnings, according to the report.

GAO cites other challenges, including DHS’ need to assure the private sector that it would protect the information and that only authorized users could access it. DHS would also have to demonstrate the benefits of sharing information.

The final rule contains at least one contentious subject that is still likely to rankle critics. Information admitted as part of the PCII program is exempt from Freedom of Information Act actions and from any state or local law requiring disclosure of records or information.

That provision has remained largely intact since the Homeland Security Act was introduced in 2002.

Sen. Patrick Leahy (D-Vt.), in comments on the 2004 interim rule, said this “creates an opportunity for big polluters or other offenders to hide mistakes from public view just by stamping the data ‘critical infrastructure information’ and submitting it” to DHS.

In particular, he said, the absence of any time limit on the verification of such information “effectively establishes the free pass for industry that so many of us feared would result from the Homeland Security Act.”

The rule also provides for substantial penalties for any government employee — including those in state and local government — who releases protected information.

It is still unclear whether the final rule will be sufficient to increase the flow of critical infrastructure information to the government. Industry has been cautious about the process, Kerber said, and this final rule may not set minds completely at ease.

“It’s an interesting question, and we’ll have to wait and see what happens as more people become aware” of the final rule, Kerber said. “I certainly don’t expect the floodgates to open tomorrow.”