[ISN] Critical infrastructure data sought

From: InfoSec News (isn@private)
Date: Thu Feb 19 2004 - 02:17:58 PST


    Forwarded from: William Knowles <wk@private>
    
    http://www.fcw.com/fcw/articles/2004/0216/web-dhs-02-18-04.asp
    
    By Dibya Sarkar 
    Feb. 18, 2004 
    
    The private sector can voluntarily submit critical infrastructure
    information to the Homeland Security Department with a new program
    designed to protect such information.
    
    Starting Feb. 20, the Protected Critical Infrastructure Information
    (PCII) program will collect sensitive data about physical and cyber
    infrastructure according to regulations that will be posted online
    Feb. 19 and published in the Federal Register the following day.  
    Public comment on the regulations could last up to 90 days.
    
    Robert Liscouski, DHS' assistant secretary for infrastructure
    protection, said by partnering with the private sector and making the
    program voluntary, the federal government can find vulnerabilities and
    nuances that the private sector knows best.
    
    "The partnership's important to us because the government can't afford
    to buy the expertise that we need to understand those vulnerabilities
    at the nuance level if they have access to it," he said.
    
    Fred Herr, PCII's program manager, said the private sector isn't
    required to submit anything to the federal government under the
    program. But DHS officials cited the public good as a reason why
    companies and nongovernment organizations might share such information
    voluntarily. The information will be kept confidential, because any
    data that passes all program requirements will be exempt from the
    Freedom of Information Act and cannot be accessed by third parties or
    state and local governments for civil litigation, officials said.
    
    However, if companies provided false statements or submitted
    information they knew to be wrong, they would be subject to federal
    felony statutes.
    
    Information submitted will be available initially to DHS' Information
    Analysis and Infrastructure Protection Directorate, where the PCII
    program office resides. DHS officials plan to eventually share that
    data with other authorized personnel in federal, state and local
    agencies. Officials did not describe how or when other agencies and
    governments could access the data, although it probably would be
    accessed through existing secure networks, officials said.
    
    Officials said that data given to DHS must meet a number of
    requirements:
    
    * The submitting entity must ask for protection.
    
    * The submitter must certify that the material is voluntarily
      provided.
    
    * The submitter must certify that it's not submitted in lieu of
      meeting a federal requirement or regulation.
    
    * The submitter must certify that it meets the definition of critical
      infrastructure information specified under the Critical
      Infrastructure Information Act of 2002.
    
    "If it meets all those requirements we then will label it protected
    infrastructure information, PCII," Herr said. "If it doesn't meet
    those requirements, we'll go back to the submitting entity and ask
    them for additional justification - whatever is lacking."
    
    Neither information gathered previously under the National
    Infrastructure Protection Center nor information already available to
    the public would be covered by the act's protections, officials said.  
    But data collected through established Information Security Analysis
    Centers could be submitted to the PCII program office for protection.
    
    It shouldn't take long to vet information after it has been submitted,
    Herr said. His office has about 12 staff members and 20 or so
    contractors with a budget of about $3.9 million.
    
    However, officials said issues that will probably come up include:
    
    * How the private sector would pay to protect vulnerabilities if one
      is detected through the program.
    
    * How to get information to state and local governments if an
      immediate danger is detected.
    
    * Whether some information will hide existing health and safety problems.
    
    Officials and experts have estimated that 85 percent of the nation's
    critical infrastructure is owned by the private sector. The voluntary
    program doesn't preclude the federal government from conducting
    assessments on its own, Liscouski said.
    
    
     


