Sharing of "Protected Information" Launched 

By

Robert Green

Senior Editor

Five months after it opened for business, the new executive-level office for collecting and protecting sensitive information regarding possible security gaps in private sector facilities and systems had passed along 20 different submissions of vulnerability information to the Homeland Security department.

The submissions represent the first block of private-public information sharing accomplished under the Critical Infrastructure Information Act of 2002, said Frederick W. Herr, who leads the new Protected Critical Infrastructure Information Office. The implementation of the Act was delayed about a year pending changes in the federal FOIA rules, activated in February.

“Based on the discussions I’ve had with the private sector, I believe they are now comfortable that the Act and the [FOIA] regulation does provide protection for information they share with the government,” Herr told the July GovSec conference in Washington. The PCII office’s role in the sharing process is to designate FOIA-exempt submissions made under the Act as “protected information”

While Herr provided no details about the companies or organizations that made the first PCII submissions, Homeland Security Strategies learned that at least one prominent IT organization is among the first to participate in the program.

Herr told the conference that the PCII office has already learned it might need to be more aggressive about its role as a conduit between industry and DHS.

“What we’ve learned in the past five months is that our program can only be effective if the information that DHS wants is communicated to the private sector,” he said. “So, we can’t sit in our offices and wait for the private sector to submit information to us. We need to communicate to them what we want.”

Likewise, he said, PCII can’t merely wait for the private sector to submit information but must engage them. Many industries already have bilateral sharing systems with stakeholder agencies, and those interactions must be protected (while being leveraged) too, Herr said.

Herr said his office has already identified a need to operate electronically and implement such technologies as digital signature to ease and expedite the information sharing process, and make sure interactions can occur real-time when necessary.

The PCII office has already started interacting with the DHS National Cyber Security Division “so that cyber incident reports can be submitted directly to the NCSD under a prior approval process…without the information having to stop first in my office. Then, NCSD, under a delegation from our office, would complete the validation process.”

Herr said PCII is also working with the physical security interests in the DHS Information Analysis and Infrastructure Protection directorate “so that during their site assessment visits [at plants and utilities] the information provided can be given PCII protection directly and immediately, so that we can expedite the validation process.”

Officials also have noted that all PCII-tagged vulnerability information will remain FOIA-exempt whenever DHS must share it with another agency.

The need for industry to provide feds with vulnerability information was identified by Congress in the aftermath of the 9/11 attacks, when parts of the predominantly private-owned transportation system was turned into a terrorist platform. It is conventionally said that 85 percent of the entire critical infrastructure in the US is owned or managed by private sector interests who might not otherwise be subject to government-level security mandates.

In response to the call for more information sharing, many operators of critical infrastructures like transportation, power and water utilities, financing, telecommunications, and others required that Washington make sure third parties could not subsequently gain access to their information via Freedom of Information Act requests.

Robert Green can be reached at RobertGreen@PubSector.net.