A number of industry trade groups have concerns about foot dragging by the Department of Homeland Security (DHS) in the area of critical infrastructure information. The latest complaints involve an interim final rule issued in February that specifies what information submitted by industry to DHS will be beyond the reach of the Freedom of Information Act.
A financial services roundtable, BITS, is pressing DHS to expand its definition of critical infrastructure information. John Carlson, BITS senior director, said the critical infrastructure information definition wouldn't protect information such as a telecommunication company's switch location for a bank's high-speed Internet connection. The definition should be broadened, he said, to cover "component designs, architecture, business plans, external interfaces, communications facilities, etc."
DHS proposed parameters for protected critical infrastructure information include information about "actual, potential or threatened interference with, attack on, compromise of or incapacitation of critical infrastructure or protected systems by either physical or computer-based attacks or other similar conduct, including the misuse of or unauthorized access to all types of communications and data transmission systems" and the ability to withstand such attacks, "including security testing, risk evaluation, risk-management planning or risk audit."
The Homeland Security Act of 2002 requires DHS to develop procedures for the receipt, care and storage of critical infrastructure information voluntarily submitted to DHS. Initially, submissions will be received only by the Protected CII Program Office of the Information Analysis and Infrastructure Directorate (IAIP) of DHS, and shared within the department. Later, the information will be made available to other federal agencies and state and local governments.
Other industry groups had different concerns about the interim final rule. David N. Cook, vice president and general counsel of the North American Electric Reliability Council, said making the CII Program Office the sole access point for critical infrastructure information would discourage the private sector from continuing to provide information to the federal government directly and rapidly through such time-sensitive programs and offices as the National Infrastructure Coordination Center (NICC).
"Programs and offices such as IAW and NICC can effectively function only when they are provided information on a rapid, 'as-occurring' basis," he said. "They cannot afford to wait for the CII Program Office to receive information, make critical infrastructure information determinations, etc., and then transmit the information to them."
Carlson of BITS went beyond criticism of the interim rule on protection of BITS to question DHS's efforts on critical infrastructure information more broadly. "There hasn't been a lot of demonstrated progress, not just on protection of submitted information, but on how that information will be analyzed," he stated. "There has been a lot of talk, but not much action.