Industry and Nonprofits Divided In Support for Proposed CII Rule
by Guest Blogger, 9/7/2003
Comments submitted on the proposed Critical Infrastructure (CII) Rule by the Department of Homeland Security (DHS) indicate disagreement between public interest groups and the private sector. OMB Watch posted the docket online last week when DHS failed to make them publicly available. Submitters of the 64 substantive comments include government agencies, industry, trade associations, public interest groups, media, and individuals. Overall, government agencies and the private sector support the proposed CII rule. Public interest groups and the media, however, voiced major concerns with the rule. Government Government agencies generally expressed support for the rule, some voiced concerns that they believe need to be fixed. One area where agencies had differing points of views was the of the CII program. The Treasury Department supports the provisions that allow CII submissions to agencies other than DHS. In contrast, the Federal Reserve System believes that the extension to other agencies leads “to confusion both to the public concerning the purpose of such a submission and to the agency regarding the treatment of that information during the interim between submission and a determination by DHS.” The Texas Department of Transportation echoes some of industries desires on expanding what information can fall within the CII program. The department also calls for information required by regulations and current information held by agencies included as CII. Information sharing at the state and local level is supported by the government agencies, but that the program should tighten restrictions. The Port Authority of New York and New Jersey suggest information sharing should include contractors. It also believes that if information sharing does occur, submitters should be notified. The New York State Office of Cyber Security believes that there should be an appeal process for information rejected by the CII Program Manager as CII, more explicit consequences for unauthorized release of information, and improvements in the security of electronic submissions. Both the Federal Energy Regulatory Commission (FERC) and the Public Utilities Commission of Ohio raise the issue of conflicting agency rules. The agencies question how CII will conflict with FERC’s Critical Energy Infrastructure Information (CEII) rule, which established sharing restrictions on information submitted by the energy sector. FERC expresses satisfaction that CII does not appear to interfere with its CEII rule. The Public Utilities Commission of Ohio also seeks clarification on the definition of “voluntary” for submissions, as do many of the public interest groups. Industry and Trade Associations Industry and trade associations submitted the bulk of comments, indicating significant support for the proposed rule. Many companies called for stronger protections for CII, noting that without them there is a disincentive to submit information to the government. A number of industry submitters point out problems with the rule’s “good faith” determination. A sector 29.6 (f) of the proposed rule allows the Program Manger to disqualify the submission as CII if it is believed it was not submitted in “good faith.” The Program Manager is not required to notify the submitter that the information is not protected from disclosure. Many groups call for a detailed description of “good faith” and the criteria of what fits that standard. Others, such as the American Petroleum Institute and the North American Electrical Reliability Council, believe that DHS should delete that clause all together. Industry groups also emphasize security risks in the collection of CII information. The Aerospace Industries Association believes if DHS maintains one central depository, it could pose extreme security risks. The United Parcel Service states, “The Proposed Regulation…requires the private sector to assume an unnecessary heightened risk of loss or interception” of information and the rule “should require more secure means for the transmission of CII by the Department and any authorized parties that receive CII.” Industry remains skeptical that submitted information is secure. Security concerns also extend to the information sharing section of the rule. Many submitters feel that the proposed rule does not contain enough protections against information disclosure. Some companies see gaps in the rule that could allow state and local governments, public interest groups and the media to obtain information and disseminate it. Qwest, for example, argues for better protections at the state and local level. Others push for stronger penalties against whistleblowers. The issue of sharing information with foreign government generated criticism from several companies who suggest the provisions be deleted. Public Interest Organizations Public interest organizations express the strongest opposition to the proposed rule. Several issues arose repeatedly throughout the comments. The broad scope of the rule alarmed many. Organizations like the American Library Association believe that extending the scope of the rule to agencies outside of DHS is problematic, especially given the fact that the House struck down this same provision from the statute. Many organizations feel that the procedures for managing CII are unclear, especially how information will be handled under FOIA. Comments ask for added provisions such as CII review procedures each time a FOIA request is made and the partial release of non-CII material and/or redaction of CII information under FOIA. Many groups, such as the Society of Environmental Journalists, also see the need for outside validation of the Program Manger’s classification of information as CII and deadlines for when these determinations are made. Groups point out that several terms need to be defined or clarified. Terms highlighted were: voluntary, customarily in the public domain, and good faith. Whistleblower protections are also noted as needing clarification on protections under law. In contrast to industry’s concerns about sharing information with state and local groups, the public interest sector believes that more information needs to be accessible by these entities especially in the face of emergencies. The American Society of Newspaper Editors comments that too much control is given to submitters regarding how information is shared, therefore hampering the efforts of first responders. The concern over government’s inability to correct vulnerabilities is also apparent in comments. The comments submitted to DHS represent a number of viewpoints and will be helpful in evaluating changes in the final rule. The final rule should be published in the next few weeks, according to DHS.