@Info.Policy: Protecting data about infrastructures could be too big a task

Robert Gellman

Sept. 11, 2001, sparked widespread re-examination of information disclosure policies. It isn't clear, however, that the response makes much sense to date.

The distinction between protecting critical infrastructure facilities and information about them has too often been glossed over. It's worth thinking about the consequences of additional protections for the broadly defined category of critical infrastructure information.

A fundamental problem is that many things qualify as critical infrastructure, including power plants, water and sewer systems, telephone networks, harbors, subways, chemical plants, bridges, computers, hospitals and pipelines. Don't overlook administrative functions such as issuance of driver's licenses and other identification documents.

Further, a considerable amount of basic infrastructure information is available to anyone who walks, drives, reads or surfs the Web. Do you remember how the FBI became a laughingstock last year for warning about travelers who carry almanacs? Did someone at the FBI open the World Almanac and discover a list of dams, bridges and tall buildings?

Nevertheless, let's suppose that we want real restrictions. How do we do it?

We begin by considering who has legitimate access to critical infrastructure information. We can start with outsiders: workers who built the facilities, truckers who move things between plants, police and firefighters, safety inspectors, meter readers and others. It's a big number, and we haven't yet counted the insiders. Should we include every bridge toll-taker?

Anyone who gets a job as a laborer in a chemical plant could theoretically leak critical information. Does that mean these workers will need a clearance of some sort? If so, then someone has to pay the cost. A midlevel clearance runs a few thousand dollars. The total cost to society could be tens of billions of dollars.

Another effect would be denial of work to individuals with something problematic on their records. How many construction workers, truck drivers or architects have convictions for drunk driving, have traveled to countries harboring terrorists, have bad credit or did something stupid in college? Not only could these people lose their jobs if investigated, but some could become permanently unemployable in their fields. We deny security clearances to people with felonies. Will we have the same policy for critical infrastructure information?

This has been a very short stroll down the garden path of comprehensive controls. The options are not easy, inexpensive or inconsequential. A half-baked system of controls is not likely to make much difference, but full controls would be intolerable.

Without question, some critical infrastructure information has always deserved and received protection for security or economic reasons. But some of it is essential to public debate. Hiding information is often a tactic of political appointees and bureaucrats who are lazy, scared or avoiding oversight.

At this late date, any agency still withdrawing information from public view on grounds of protecting critical infrastructure bears a heavy burden of showing that it doesn't fall into one of those categories.

The task of defining a comprehensive, coherent and workable system of critical infrastructure information controls is overwhelmingly difficult. It remains to be seen if there will be any takers.

Robert Gellman is a Washington privacy and information policy consultant. E-mail him at [email protected].

