Secrets to keep
Because critical infrastructure office didn't get an expected data deluge,
The slow pace of submissions 'has allowed us to test and adjust our processes. Most of the submissions have come in formats we didn't anticipate, in ways we didn't expect.'
'Frederick W. Herr
it has had lots of time to get its systems in order
The private sector runs 85 percent of the nation's critical infrastructure, but concerns about competition and liability have made companies reluctant to let government in on their secrets.
To allay those concerns, Congress in 2002 exempted some information submitted to the Homeland Security Department from the Freedom of Information Act and prohibited its discovery in civil lawsuits.
Since the Protected Critical Infrastructure Information Office opened for business in February, however, only six items have been submitted under that protected status.
'Things have been moving at a slow pace so far,' program manager Frederick W. Herr said.No deluge
That is not necessarily bad news, Herr added. He had worried that the office would get hit with an industry data dump on the first day of business.
The slow pace 'has allowed us to test and adjust our processes,' he said. 'Most of the submissions have come in formats we didn't anticipate, in ways we didn't expect.'
The office expects to expand both avenues for submission and access to the protected information. But a host of technical, procedural and legal questions remain to be worked out.
'It has clearly proven to be a big job,' Herr said.
The program was controversial from the start. While the private sector called for FOIA exemptions to protect proprietary data from competitors, consumer advocates were predicting that unscrupulous companies would use the exemptions to try to avoid accountability.
The Critical Infrastructure Information Act, part of the legislation creating the Homeland Security Department, stipulated that exemptions apply only to information sent voluntarily for purposes of infrastructure protection and not available elsewhere.
The legislation removed the barriers to submitting information but did not specify how to handle it. That's the job the office is working on now.
Operating rules were published for public comment Feb. 20. The PCII office received about 30 submissions during the 90-day comment period that closed May 20 and will review them before rules are finalized.
In the meantime, protected submissions must be made directly to the office, and they must be in some physical form'that is, not electronic.
Herr said he hopes eventually to accept submissions at a Web site. 'We're not prepared to receive electronic submissions yet,' he said. 'The problem we're trying to deal with is what constitutes an acceptable electronic signature.'Management system needed
The office also needs a management system to store and track submitted information. It still is working out how to handle a variety of formats and media, which might include photos, graphics and video, as well as text.
'We're in the process of trying to define what it is going to look like,' he said.
One of the requirements will be commercial technology. 'We're not going to build our own,' Herr said. The office also will probably take advantage of the Defense Department's Secret IP Router Network and the Homeland Security Data Network for distributing protected information.
For the time being, the information is available only to DHS' Information Analysis and Infrastructure Protection Directorate.
'Dissemination at the moment is pretty low-tech,' Herr said. A list of available information is distributed, and analysts who want to review it receive a paper copy.
In the next phase, protected information will become available throughout DHS. Plans call for using SIPRnet, although the data will not be classified. DHS has access to the Defense network, but the PCII office is not yet connected.
'In the not too distant future, we will be able to do it by SIPRNet,' Herr said.
In the final phase, information will be available to approved users in other federal agencies and state and local governments, as well as some contractors. Because access will not require security clearance, it is unlikely users outside of DHS or DOD would go through SIPRNet, Herr said. Those users probably will have to access information over the Homeland Security Data Network.
Distributing data outside DHS will require programs to educate and accredit outside users. Federal employees are bound by provisions of the Critical Infrastructure Information Act, which sets criminal penalties for misuse of information. Contractors and state and local authorities are not subject to those penalties, however, and separate agreements would have to be made before protected information could be released.
'The accreditation program itself is a pretty big job,' Herr said.
He said he hopes that agreements can be struck with each state rather than directly with more than 3,000 local government entities. But that still leaves 50 states to negotiate with, and some large cities and counties might want direct access themselves.
'What will the hierarchy be? We haven't figured that out yet,' Herr said.