Two-and-a-half years after its conception, the Protected Critical Infrastructure Information (PCII) Program has increased submissions tenfold to number in the thousands, giving the Department of Homeland Security (DHS) more leeway to shield critical facilities, says program manager Laura Kimberly.
PCII was created within DHS in 2002 to allow those with knowledge of critical infrastructure to voluntarily share their sensitive information and in return be guaranteed protection from public disclosure. The program is designed to give DHS quick access to information about 17 critical sectors including railroads, power generation, hospitals, farms, communications, and financial networks. DHS can use the data to scrutinize security risks and develop recovery measures.
Maryland was the first state to be accredited by the program. In California, the PCII program started by partnering with the city of Los Angeles to develop prevention and response management initiatives. Kimberly says DHS expects to roll the program out to the rest of the state later this year. New York is also on board via a partnership between its state homeland security office and DHS.
Arizona is in the process of completing accreditation requirements, which involve signing a series of memoranda of agreement (MOAs) regarding information confidentiality and training users via procedures manuals provided by DHS. States that apply can be approved in as little as a week if they are on the ball, Kimberly says. “There will be others—we are in discussions with other states,” she says.
The chief challenge of the program is getting willful submissions of information from the private sector. Despite a government pledge that all volunteered information will be withheld from public release under the Freedom of Information Act and state and local open records laws, and from use in civil litigation, corporate suspicions are not easily overcome.
“From our perspective, it’s really instituting a culture change within the private sector to build the confidence that the government can use their information in a way that is useful for the private sector,” says Kimberly. “They want to know what is in it for them.” The answer to that question is greater protection of their assets, she says.
To encourage more submissions, the program has made some accommodations for its volunteers. For one, Kimberly says information can now be sent online quickly and securely, as well as by fax.
The American Chemistry Council (ACC) was one of the early information volunteers, and it offers a good look at PCII’s potential effectiveness. James Conrad, the assistant general counsel at the ACC, says that during a recent DHS comprehensive review of a cluster of chemical facilities in New York, national homeland security officials “were able to procure information on the spot” thanks to PCII.
Without the program cooperation, the chemical facilities would have had to send the information initially to Washington, D.C., to be cleared for use by the federal authorities. “We worked with the state of New York and the PCII so the companies could give information to the feds, and have the feds then bring it to the state [during the review],” says Conrad.
The ACC official says PCII could be improved by streamlining the accreditation process that states are currently subjected to. But he credits DHS with making it easier to run the MOA gantlet, “coming up with workarounds and improvements against their initial complexities.” Conrad also notes the convenience of the electronic submission procedure.
Overall, Conrad doesn’t question the need for PCII as part of the national security package. “It’s essential. DHS can’t do its job without it, at least with respect to critical infrastructure protection,” he says. “If they are going to protect sectors—telcoms, food and agriculture, finance—they need their trust and cooperation.”