Forwarded from: William Knowles <wk@private>

http://www.fcw.com/fcw/articles/2004/0216/web-dhs-02-18-04.asp

By Dibya Sarkar
Feb. 18, 2004

The private sector can voluntarily submit critical infrastructure information to the Homeland Security Department with a new program designed to protect such information.

Starting Feb. 20, the Protected Critical Infrastructure Information (PCII) program will collect sensitive data about physical and cyber infrastructure according to regulations that will be posted online Feb. 19 and published in the Federal Register the following day. Public comment on the regulations could last up to 90 days.

Robert Liscouski, DHS' assistant secretary for infrastructure protection, said by partnering with the private sector and making the program voluntary, the federal government can find vulnerabilities and nuances that the private sector knows best.

"The partnership's important to us because the government can't afford to buy the expertise that we need to understand those vulnerabilities at the nuance level if they have access to it," he said.

Fred Herr, PCII's program manager, said the private sector isn't required to submit anything to the federal government under the program. But DHS officials cited the public good as a reason why companies and nongovernment organizations might share such information voluntarily.

The information will be kept confidential, because any data that passes all program requirements will be exempt from the Freedom of Information Act and cannot be accessed by third parties or state and local governments for civil litigation, officials said. However, if companies provided false statements or submitted information they knew to be wrong, they would be subject to federal felony statutes.

Information submitted will be available initially to DHS' Information Analysis and Infrastructure Protection Directorate, where the PCII program office resides. DHS officials plan to eventually share that data with other authorized personnel in federal, state and local agencies. Officials did not describe how or when other agencies and governments could access the data, although it probably would be accessed through existing secure networks, officials said.

Officials said that data given to DHS must meet a number of requirements:

* The submitting entity must ask for protection.
* The submitter must certify that the material is voluntarily provided.
* The submitter must certify that it's not submitted in lieu of meeting a federal requirement or regulation.
* The submitter must certify that it meets the definition of critical infrastructure information specified under the Critical Infrastructure Information Act of 2002.

"If it meets all those requirements we then will label it protected infrastructure information, PCII," Herr said. "If it doesn't meet those requirements, we'll go back to the submitting entity and ask them for additional justification - whatever is lacking."

Neither information gathered previously under the National Infrastructure Protection Center nor information already available to the public would be covered by the act's protections, officials said. But data collected through established Information Security Analysis Centers could be submitted to the PCII program office for protection.

It shouldn't take long to vet information after it has been submitted, Herr said. His office has about 12 staff members and 20 or so contractors with a budget of about $3.9 million.

However, officials said issues that will probably come up include:

* How the private sector would pay to protect vulnerabilities if one is detected through the program.
* How to get information to state and local governments if an immediate danger is detected.
* If some information will hide existing health and safety problems.

Officials and experts have estimated that 85 percent of the nation's critical infrastructure is owned by the private sector.

The voluntary program doesn't preclude the federal government from conducting assessments on its own, Liscouski said.