February 19, 2004
(Computerworld)
WASHINGTON -- The U.S. Department of Homeland Security yesterday unveiled a program designed to address one of the most pressing and controversial issues facing critical-infrastructure protection: persuading the private sector to share security information with the government.
The Protected Critical Infrastructure Information (PCII) program will enable the private sector, which owns and operates more than 85% of the nation's critical infrastructures, to voluntarily share vulnerability and security data with the government in a way that protects sensitive or proprietary corporate data from public disclosure.
Under provisions of the Critical Infrastructure Information Act of 2002, information voluntarily submitted will be protected from disclosure until and unless a determination is made by PCII program officials that the information doesn't meet the requirements for PCII. If validated as PCII data, the information will remain private.
The rule establishing procedures for PCII was published this week in the Federal Register. Companies and members of the public that want to submit information to the DHS on the proposal may do so through the PCII Web site.
Initially, the DHS will limit the sharing of PCII data to analysts within the Information Analysis and Infrastructure Protection directorate, according to a DHS statement on the program. That data will then be used to analyze the vulnerability of critical infrastructure and protected systems, conduct risk and vulnerability assessments, and assist with recovery efforts in the event of a terrorist attack.
However, there are already specific requirements in place governing what information can be submitted and whether or not the government will accept it. For example, the data must meet the definition of critical-infrastructure information as specified under the 2002 law. Accordingly, critical infrastructure includes the assets and systems that, if disrupted, would threaten national security, public health and safety, the economy and the nation's way of life.
In addition, companies must be sure to identify data that is sensitive or proprietary and specifically request that it be protected from disclosure. Companies could face criminal penalties for submitting false information or for attempting to use the program to circumvent a federal requirement or regulation.
The announcement of the PCII program comes on the heels of the government's Jan. 28 launch of the National Cyber Alert System, an automated, online system designed to provide home users, businesses and government agencies with timely warnings about new threats as well as tips on how to best secure their computers.
Amit Yoran, the director of the DHS's National Cyber Security Division, said that within a week of its launch, more than 250,000 users had signed up to receive the alerts, making it "the broadest distribution mechanism for cybersecurity information in the world."