Program shields anonymous flaw sleuths

The Department of Homeland Security asks companies to send it security tips about the nation's tech infrastructure, assuring them the information will be protected from the public.

Robert Lemos Staff Writer, CNET News.com

The U.S. Department of Homeland Security is asking companies to send it tips about flaws in the nation's technological infrastructure under a law that guarantees that the information will be protected from public disclosure.

Called the Protected Critical Infrastructure Information (PCII) Program, the initiative allows companies to report security vulnerabilities in their products that may affect the nation's security without revealing the flaws to the wider public and opening the companies up to liability.

"The Department of Homeland Security recognizes the importance of receiving information from those with direct knowledge of the security of the critical infrastructure in order to help reduce the vulnerability of the critical infrastructure to acts of terrorism," the agency said in a statement. "The department also recognizes that to best encourage the industry to voluntarily submit information relating to the security of critical infrastructure, much of which is not customarily within the public domain, there must be assurance that such information will be utilized for securing the United States and will not be released to the general public."

The department on Wednesday announced that it will start accepting tips through the new program.

Technology industry groups previously have cited concerns about the potential negative consequences of giving proprietary or embarrassing information to the federal government, fearing it could be leaked to the press or obtained through requests filed under the Freedom of Information Act.

The creation of the PCII program follows the agency's establishment of a cyberalert system to send vulnerability notices, security tips and bulletins to information technology professionals and ordinary computer users. Both programs were discussed in the Bush administration's National Strategy to Secure Cyberspace, which was released in final form a year ago.

The Department of Homeland Security estimated that more than 85 percent of the nation's "critical infrastructure" is managed by the private sector.

To qualify for protected status, companies must follow submission guidelines. Any information given to the government under the program is protected until a final determination is made.