Advocates slam plan to restrict access to critical infrastructure data
Public interest advocates fear that private companies might use a program launched this week by the Homeland Security Department to conceal problems with the nation's critical infrastructure.
Through the Protected Critical Infrastructure Information (PCII) Program, private companies can voluntarily submit information on their infrastructure to the government. DHS will review the information to identify "critical infrastructure" that should be protected. Information submitted by industry will be exempt from public disclosure, including Freedom of Information Act requests, unless DHS determines it does not qualify as critical infrastructure.
"The PCII Program is designed to encourage private industry and others with knowledge about our critical infrastructure to share confidential, proprietary and business-sensitive information about this critical infrastructure with the government," DHS said in announcing the program. "By exempting this information from public disclosure, the [government] can assure private sector entities that their information will be protected from those who might use it for other purposes."
The program is part of the government's ongoing effort in the aftermath of the Sept. 11 terrorist attacks to identify and assess the nation's critical infrastructure, such as banking and financial institutions, energy and chemical sites, transportation, telecommunications and government facilities. A presidential directive issued in December 2003 requires DHS to complete a national plan for critical infrastructure and key resources protection by December 2004, and some in Congress and the private sector have criticized the department for moving too slowly.
The government estimates that 85 percent of all critical infrastructure is in the private sector.
Public interest advocates fear that the program might provide cover for private companies to hide their problems, such as pollution or security gaps.
"This may end up being an overreaction," said Tyson Slocum, research director for Public Citizen's critical mass energy and environment program. "In the name of security we are restricting lawful access to information that may in the end make us less secure."
Slocum's program provided input to government rules when the Federal Energy Regulatory Commission announced in 2002 that it would restrict public access to critical energy infrastructure information.
He agreed the government should identify and assess the nation's critical infrastructure, but said the program appears to give industry too much protection.
"It errs on the side of not allowing the public access to information and weighs too far on the side of allowing companies to not disclose information," Slocum said. "We've got to develop a better balance between the right of the people to know in a democracy and the right of a company to protect its proprietary information."
Analysts with the department's information analysis and infrastructure protection directorate will review reports submitted by the private sector. The information will be protected from public disclosure while it is under review.
If analysts determine the information does not qualify as protected critical infrastructure, then a private company can provide supporting information or withdraw the submittal up until a final determination is made; at that point the information either will be destroyed or maintained without the protections of the program, depending on the company's preference.
DHS has established a process for industry to submit information, including requirements that it meet the definition of critical infrastructure information specified under the 2002 Critical Infrastructure Information Act, and it is not submitted in lieu of meeting another federal requirement or regulation.