Homeland Security seeks comment on information-sharing plan
The Homeland Security Department is seeking comment on proposed rules for sharing with the government confidential information on threats to the nation's critical infrastructure without risk of that information later being publicly disclosed.
The proposed rules, published in Tuesday's Federal Register, detail the procedures for submitting information to help the government protect physical or cyber infrastructures such as computer networks, financial systems, electric power grids or water sources. Comments are due by June 16.
An estimated 80 percent of the nation's critical infrastructure is controlled by the private sector, but the private sector has proven reluctant to share confidential information with the government because competitors could later see that information if disclosed via a Freedom of Information Act (FOIA) request. Under the law that created Homeland Security, such voluntary disclosures of information are to be exempt from FOIA.
The proposed rules would define critical infrastructure broadly as any system or asset, whether physical or virtual, "so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination thereof."
The proposal calls for the appointment of a program manager for critical infrastructure information who could appoint additional officers. Officers would oversee the storage and handling of the protected information and establish any additional measures needed to prevent unauthorized access to the information, which would encompass data on actual or potential attacks, the ability of systems to withstand such attacks, and any problems and repairs in the past.
Any person granted access to the information would be held responsible for safeguarding it. The rules would specify that during work hours, "reasonable" steps will be taken to minimize risk of unauthorized access. After working hours, protected information "shall be stored in a secure container, such as a locked desk or file cabinet, or in a facility where government or government-contract security is provided."
Homeland Security's directorate for information analysis and infrastructure protection could decide how to disclose information. It could be shared with state and local governments and federal contractors, but they might not be authorized to share it further. The directorate could issue alerts of potential attacks in ways that would protect the information.
Voluntarily submitted information would be reviewed to determine if it meets the requirement for the FOIA exemption. If not, it would be returned to the company with some explanation about why the FOIA exemption was denied, and the submitter would have a short time to answer any questions, after which an exemption could be granted.
Rejections of a FOIA exemption could be appealed, and the submitter of information that does not qualify for FOIA protection could decide whether to let the government keep the information.
Submissions would be stored in a database, and the companies would be sent unique tracking numbers when information is provided electronically through an Internet-based Homeland Security Department incident-reporting form.