The Department of Homeland Security has quieted some but not all the concerns that have kept many U.S. companies from voluntarily submitting critical infrastructure information (CII) to the agency.
The DHS badly needs private sector input in order to increase the utility of its National Asset Database (NADB), the registry of nearly 80,000 facilities and assets in the U.S. that could be targeted by terrorists.
The DHS issued a final rule on Sept. 1 on how it plans to protect CII it validates as protected CII (PCII). Four days later, Robert Stephan, assistant secretary for infrastructure protection, briefed representatives of select companies at an invitation-only meeting at the U.S. Chamber of Commerce. Andrew Howell, vice president of homeland security for the chamber, said the final rule corrects many of the problems his members had with the interim rule, which was published in February 2004.
He added that the DHS now faces the imperatives of educating the business community about the new rules, educating the local and state enforcement agencies that will be receiving the information and will have to protect it, and coming up with a means of protecting the CII that companies transfer to the DHS at the time of an emergency, information which hadn't previously been offered.
The DHS is well aware of the educational imperatives. A top official within the Preparedness Directorate, who asked not to be identified, said the infrastructure office, which has responsibility for the NADB, will now go out and "proselytize."
The NADB sorely lacks private sector input. Last June, DHS Inspector General Richard Skinner issued a report which said the NADB contains too many questionable assets and is "not an accurate representation of the nation's CI/KR [critical infrastructure/key resources]." He also said the data on each asset, up until now submitted by state and local governments, was insufficient to "support the management and resource allocation decision-making envisioned by the National Infrastructure Protection Plan."
A major NADB shortcoming, Skinner said, is the result of the "reluctance of the private sector to share proprietary information due to privacy concerns." The DHS final rule is meant to address these concerns, voiced by financial service, chemical, natural resources and telecommunications industry trade groups.
Spokesmen for some industries, particularly those who have already been providing CII to the DHS, praised the final rule. Jamie Conrad Jr., assistant general counsel at the American Chemistry Council (ACC), said a number of the changes in the final rule satisfied his group. Chemical companies have been exchanging information with DHS as part of the agency's Comprehensive Review program, where DHS field officials visit chemical and petroleum facilities and other locations.
The final rule reverses the stance in the interim rule on indirect submissions of CII, meaning CII submitted through other federal agencies or to DHS officials outside the PCII program office, which is home to the NADB. The rule also clarifies that if submitted CII is not validated by DHS as protected, the agency will return or destroy the information, as the submitter requests. The ACC's Conrad said the final rule assuages his concerns on those issues.
It is not clear, though, whether industries such as telecommunications and financial services, which have stayed away from the NADB, will now start freely submitting data. For example, the U.S. Telecom Association had complained that the provisions of the interim rule were "so vague that it is impossible to discern exactly how DHS will safeguard information."