The US Department of Homeland Security has unveiled a
programme designed to persuade the private sector to share security
information with the government.
The Protected Critical Infrastructure Information (PCII)
programme will enable the private sector, which owns and operates
more than 85% of critical infrastructures in the US, to share
vulnerability and security data voluntarily with the government in
a way that protects sensitive or proprietary corporate data from
public disclosure.
Under provisions of the Critical Infrastructure Information Act
of 2002, information voluntarily submitted will be protected from
disclosure until and unless a determination is made by PCII
programme officials that the information does not meet the
requirements for PCII. If validated as PCII data, the information
will remain private.
Companies and members of the public wanting to submit
information to the DHS on the proposal may do so through the PCII
website.
Initially, the DHS will limit the sharing of PCII data to
analysts within the Information Analysis and Infrastructure
Protection directorate, according to a DHS statement on the
programme. That data will then be used to analyse the vulnerability
of critical infrastructure and protected systems, conduct risk and
vulnerability assessments, and assist with recovery efforts in the
event of a terrorist attack.
However, there are already specific requirements in place
governing what information can be submitted and whether or not the
government will accept it. For example, the data must meet the
definition of critical-infrastructure information as specified
under the 2002 law.
Accordingly, critical infrastructure includes the assets and
systems that, if disrupted, would threaten national security,
public health and safety, the economy and the nation's way of
life.
Companies must also be sure to identify data that is sensitive
or proprietary and specifically request that it be protected from
disclosure. Companies could face criminal penalties for submitting
false information or for attempting to use the programme to
circumvent a federal requirement or regulation.
The announcement of the PCII programme comes on the heels of the
government's launch of the National Cyber Alert System last month,
an automated, online system designed to provide home users,
businesses and government agencies with timely warnings about new
threats as well as tips on how to best secure their computers.
Amit Yoran, the director of the DHS's National Cyber Security
Division, said that within a week of its launch, more than 250,000
users had signed up to receive the alerts, making it "the broadest
distribution mechanism for cybersecurity information in the
world".
Dan Verton writes for Computerworld