Uncle Sam: Share your system's secrets

The Department of Homeland Security says it can keep a secret. It's hoping to convince technology companies to hand over information about infrastructure vulnerabilities.

Declan McCullagh Former Senior Writer
WASHINGTON--The Department of Homeland Security is hoping to convince technology and telecommunications companies that it's safe to share information about infrastructure vulnerabilities with the federal government.

This week, the new department published a set of proposed regulations designed to convince corporate America to hand over infrastructure information to the government, promising that it will be kept in the strictest confidence.

The proposal sweeps broadly, covering any data submitted to the government about any real or possible attack on "critical infrastructure or protected systems by physical or computer-based attack" or any programming errors, glitches or bugs that could endanger important services like the Internet, utilities or telephone networks.

Industry groups had worried for years about the potential negative consequences of handing over proprietary or embarrassing information to the federal government, fearing it could be leaked to the press or obtained through requests filed under the Freedom of Information Act (FOIA).

Their worries led to an amendment being added to the legislation enacted last year that created the department. It says that critical infrastructure information voluntarily submitted to federal agencies "shall be exempt from disclosure" through FOIA.

Open-government advocates protested the amendment, saying it was unnecessary because FOIA already said that sensitive information could not be disclosed.

David Sobel, general counsel of the Electronic Privacy Information Center, said at a congressional hearing last July that the department should not be completely immune to FOIA requests. "Any claimed private-sector reluctance to share important data with the government grows out of, at best, a misperception of current law," Sobel said. "Exemption proponents have not cited a single instance in which a federal agency has disclosed voluntarily submitted data against the express wishes of an industry submitter."

The proposed rules published on Tuesday are the result of the legislation. Comments may be sent to cii.regcomments@DHS.gov on or before June 16.

In charge of running the department's vulnerability collection and storage program will be an undersecretary of the information analysis infrastructure protection directorate, who will be chosen by Homeland Security Secretary Tom Ridge. That person will oversee a vulnerability database to be called the Critical Infrastructure Information Management System.

The directorate is allowed to disclose some information in the database to the public when publishing a general alert. "In issuing a warning, the (directorate) shall protect from disclosure the source of any voluntarily submitted (information) that forms the basis for the warning; and any information that is proprietary, business-sensitive, relates specifically to the submitting person or entity, or is otherwise not appropriately in the public domain," the proposal says.