This week, the new department published a set of proposed regulations designed to convince corporate America to hand over infrastructure information to the government, promising that it will be kept in the strictest confidence.
The proposal sweeps broadly, covering any data submitted to the government about any real or possible attack on "critical infrastructure or protected systems by physical or computer-based attack" or any programming errors, glitches or bugs that could endanger important services like the Internet, utilities or telephone networks.
Industry groups had worried for years about the potential negative consequences of handing over proprietary or embarrassing information to the federal government, fearing it could be leaked to the press or obtained through requests filed under the Freedom of Information Act (FOIA).
Their worries led to an amendment being added to the legislation enacted last year that created the department. It says that critical infrastructure information voluntarily submitted to federal agencies "shall be exempt from disclosure" through FOIA.
Open-government advocates protested the amendment, saying it was unnecessary because FOIA already said that sensitive information could not be disclosed.
David Sobel, general counsel of the Electronic Privacy Information Center, said at a congressional hearing last July that the departmentimmune to FOIA requests. "Any claimed private-sector reluctance to share important data with the government grows out of, at best, a misperception of current law," Sobel said. "Exemption proponents have not cited a single instance in which a federal agency has disclosed voluntarily submitted data against the express wishes of an industry submitter."
The proposed rules published on Tuesday are the result of the legislation. Comments may be sent to cii.regcomments@DHS.gov on or before June 16.
In charge of running the department's vulnerability collection and storage program will be an undersecretary of the information analysis infrastructure protection directorate, who will be chosen by Homeland Security Secretary Tom Ridge. That person will oversee a vulnerability database to be called the Critical Infrastructure Information Management System.
The directorate is allowed to disclose some information in the database to the public when publishing a general alert. "In issuing a warning, the (directorate) shall protect from disclosure the source of any voluntarily submitted (information) that forms the basis for the warning; and any information that is proprietary, business-sensitive, relates specifically to the submitting person or entity, or is otherwise not appropriately in the public domain," the proposal says.