US security arm makes bid for private sector data

The US Department of Homeland Security has unveiled a programme designed to persuade the private sector to share security information with the government.

The Protected Critical Infrastructure Information (PCII) programme will enable the private sector, which owns and operates more than 85% of critical infrastructures in the US, to share vulnerability and security data voluntarily with the government in a way that protects sensitive or proprietary corporate data from public disclosure.

Under provisions of the Critical Infrastructure Information Act of 2002, information voluntarily submitted will be protected from disclosure until and unless a determination is made by PCII programme officials that the information does not meet the requirements for PCII. If validated as PCII data, the information will remain private.

Companies and members of the public wanting to submit information to the DHS on the proposal may do so through the PCII website.

Initially, the DHS will limit the sharing of PCII data to analysts within the Information Analysis and Infrastructure Protection directorate, according to a DHS statement on the programme. That data will then be used to analyse the vulnerability of critical infrastructure and protected systems, conduct risk and vulnerability assessments, and assist with recovery efforts in the event of a terrorist attack.

However, there are already specific requirements in place governing what information can be submitted and whether or not the government will accept it. For example, the data must meet the definition of critical-infrastructure information as specified under the 2002 law.

Accordingly, critical infrastructure includes the assets and systems that, if disrupted, would threaten national security, public health and safety, the economy and the nation's way of life.

Companies must also be sure to identify data that is sensitive or proprietary and specifically request that it be protected from disclosure. Companies could face criminal penalties for submitting false information or for attempting to use the programme to circumvent a federal requirement or regulation.

The announcement of the PCII programme comes on the heels of the government's launch of the National Cyber Alert System last month, an automated, online system designed to provide home users, businesses and government agencies with timely warnings about new threats as well as tips on how best to secure their computers.

Amit Yoran, the director of the DHS's National Cyber Security Division, said that within a week of its launch, more than 250,000 users had signed up to receive the alerts, making it "the broadest distribution mechanism for cybersecurity information in the world".

Dan Verton writes for Computerworld