homeland security private_sector

HOMELAND SECURITY ADVISORY COUNCIL

PRIVATE SECTOR INFORMATION SHARING TASK FORCE

ON

HOMELAND SECURITY INFORMATION SHARING

BETWEEN GOVERNMENT AND THE PRIVATE SECTOR

AUGUST 10, 2005

Introduction 1

Executive Summary 4

Discussion 9

Part One – Establishing New Information Sharing Requirements and Processes 9I. The Imperative for Creating a Formal and Objectively

Manageable Homeland Security Intelligence/InformationRequirements Process 9

II. Different Considerations for Threat Informationand Vulnerability Information 15

III. Diversity Within the Private Sector 17IV. Developing a Resilient and Integrated Network for

Information Sharing 18

Part Two – Required Changes to Laws, Rules & Policies 22I. Regarding Private Sector Representatives as Partners 22II. Liability Concerns 22III. Implementing the Critical Infrastructure Information Act 24IV. DHS’s Caution, Lack of Clarity Regarding Other Freedom

of Information Act Exemptions 26V. Federal Advisory Committee Act Issues 27VI. Lack of Coordination Within DHS and Between

DHS and Other Agencies 33VII.Requirement for Clearer Justification for Information 34VIIICompletion of SSI Rulemaking 34

Part Three – Partnering with the Media 37I. Findings 37

II. From “Media and First Response Program” to aSustained Partnership 38

III. Need for Regular Background Briefings 39IV. Role of Local Officials and Trusted Authorities 39V. Refining the Homeland Security Advisory System 40

Glossary of Acronyms 41Attachment A: Information Sharing Task Force/Subject Matter Experts 43 Attachment B: Public/Private Information Sharing Process 45Attachment C: Protecting Private Security-Related Information from

Disclosure by Government Agencies 49Attachment D: Categories of Security-Related Information Sought by

Government from Private Critical Infrastructure Entities 79

H O M E L A N D S E C U R I T Y A D V I S O R Y C O U N C I L

P R I V A T E S E C T O R I N F O R M A T I O N S H A R I N G T A S K F O R C E

Table of Contents

I.

II.

III.IV.

I.II.

III.IV.V.

I.II.

III.IV.

V.VI.

VII.VIII.

Origin of Report; Authorship. Because thePrivate Sector controls the great majority of theNation’s critical infrastructure, effective cooperationbetween the Federal Government – particularly theDepartment of Homeland Security – and thePrivate Sector is essential to protecting those assetsfrom terrorist attack. Nowhere is that cooperationmore vital than in the area of information sharing.And yet that cooperation has been hampered by avariety of legal and procedural obstacles. TheHomeland Security Advisory Council charged itsPrivate Sector Information Sharing Task Force onMarch 21 to understand the nature of those obsta-cles and to propose solutions to them. The TaskForce concluded that the best way to understandthese obstacles – which could be real or perceived –was to ask the Private Sector about them.Accordingly, the Task Force assigned several of itsmembers, led by Rick Stephens, to reach out tolawyers and others representing private sector criti-cal infrastructure companies and associations. Thisad hoc Group of Subject Matter Experts comprisesaeronautics, banking, chemicals, commercial avia-tion, electric power, refining, telecommunications,broadcasting, food products, and state and localgovernment. (See Attachment A for the roster ofthe Task Force and its Subject Matter Experts.)

Scope of Report. The Task Force concluded thatthe question of which legal obstacles impair infor-mation sharing could not be addressed in isolationfrom the channels by which information flowsfrom government entities to private ones and vice-versa. The Task Force’s report therefore evaluates,and makes recommendations regarding, therequirements and processes for information sharingbetween government and private entities.

It then discusses at length the legal and relatedobstacles that have impeded information flow inexisting channels and, unless effectively addressed,will continue to do so in the proposed architecture.Finally, the report addresses the role of the media inthis process.

In conducting this analysis, the Task Forcedefined “government” to include Federal, State andlocal entities. While the focus of this report isinformation sharing between government and pri-vate sector critical infrastructure entities, we alsorecognize that state and local governments operatesome critical infrastructure, and hence may findthemselves on the “private,” as well as the “govern-ment,” side of the equation.

The Task Force recognizes that some officeand/or agency names and responsibilities referredto in the report may change with pending 2SRimplementation.

Methodology of the Work. The Task Force deter-mined that its work encompassed four key issues:

• Information collection and sharing require-ments (up and down)

• Public/private information sharingprocess/flow

• Laws, rules, policies that affect public/privateinformation sharing

• Partnering with the communications mediaon an ongoing basis

The Task Force assigned members to lead workon each of these key issues and decided to defera fifth issue, training the private and public sec-tor on the collection, analysis, dissemination,and use of homeland security information.



1

Introduction“We will build a national environment that enables the sharing of essential homelandsecurity information. We must build a ‘system of systems’ that can provide the rightinformation to the right people at all times. Information will be shared ‘horizontally’across each level of government and ‘vertically’ among federal, state, and localgovernments, private industry, and citizens.”

— The President’s National Strategy for Homeland Security

The Task Force divided its work into two phases:• Phase I (Current State) -- Determining the

“as-is” environment of information sharingbetween government and the Private Sector.In this connection, Task Force members:

• Conducted numerous interviews ofFederal and Private Sector officials;

• Met and spoke with representatives fromDHS offices (e.g., Information Analysisand Infrastructure ProtectionDirectorate, Homeland SecurityOperations Center, NationalInfrastructure Coordination Center) andthe Private Sector; and

• Reviewed studies and reports (e.g.,GAO’s July 2004 report on informationsharing,1 the draft Interim NationalInfrastructure Protection Plan).

• Phase II (Future State/Recommendations) --Defining requirements, roles, and responsibili-ties of the Private Sector and DHS for effectiveinformation sharing. In this phase, the TaskForce:

• Expanded its membership to includeFederal, State, and local representativesand Subject Matter Experts from thePrivate Sector; and

• Received input from key stakeholdersthrough Task Force meetings and confer-ence calls.

Role of DHS Participants. Several representativesfrom DHS provided the Task Force with helpfulfactual information regarding DHS, its currentinformation sharing processes, and its views regard-ing particular legal issues. This assistance was vitalto our work, and we appreciate it. We emphasize,however, that these DHS representatives did notparticipate in the Task Force’s deliberations, andthat the analysis and recommendations presentedhere are entirely those of the Task Force’s non-Federal participants.

Categorization of Recommendations. This reportprovides concrete recommendations to address eachof the issues we identified. These recommenda-tions are classified by the type of change they callfor, in order to provide some perspective regardinghow easily and quickly they could be implemented:

• L (legislative): Changes to the U.S. Code.This would require Congressional action,and is thus the most difficult and time-consuming to accomplish.

• R (regulatory): Changes to the Code ofFederal Regulations. This would requireDHS or another agency to conduct rule-making. While rulemaking is within agiven agency’s control, it nonethelessrequires time and resources for compli-ance with the Administrative ProcedureAct and other requirements.

• M (mechanical): This refers to guidelines,policies or other explicit procedures thatdo not require rulemaking.

• A (attitudinal): These are changes in atti-tude or organizational culture, rather thanparticular agency processes. They canbest be effected by clear statements fromthe Secretary and other senior leaders.

Appreciation for DHS’s Work to Date. The TaskForce emphasizes that its recommendations, whilecritical at times of DHS processes, are not intend-ed to be critical of DHS personnel or theirmotives. DHS staff have worked extremely hard,in good faith and with the best of intentions, tostand up new processes in uncharted areas. Theyhave worked under intense time pressures, strin-gent budget and personnel limitations, and impa-tient public scrutiny. The report respects thatservice. But we would dishonor it if we were notcompletely frank regarding the legal and otherchallenges that confront information sharing. Forthe same reason, we have not compromised orhedged our recommendations for how thoseobstacles should be overcome.



2

1GOVERNMENT ACCOUNTABILITY OFFICE, “CRITICAL INFRASTRUCTURE PROTECTION: IMPROVING INFORMATION SHARING WITHCRITICAL INFRASTRUCTURE SECTORS,” GAO-04-780 (July 9, 2004).

Information Sharing with the Broader Public.The Task Force emphasizes that the purpose of thisreport is not to promote the greatest possible with-holding of private security-related informationfrom release by the government. The Task Forcerecognizes that DHS, like all Federal agencies,must effectuate long-standing principles of opengovernment. As discussed below, the Task Forcebelieves that the government overclassifies or oth-erwise restricts from disclosure information thatshould be provided to Private Sector entitieswhich own or operate critical infrastructure.Byextension, some government information that is“security-related” likely could safely be made pub-lic without jeopardizing the security of private sec-tor infrastructure – especially if it is summarizedor abstracted in a way that does not create unduerisks. On the other hand, while different peoplewill draw the line at different places, ultimately all(or virtually all) observers would agree that thereare circumstances in which security-related infor-mation provided by private entities to the govern-ment must be protected from unrestricted publicrelease. Further, the government needs to listencarefully to the Private Sector to understand thesensitivities that are at stake when the governmentis considering disclosing information about pri-vate entities. These issues are among those thatthe Task Force will consider further in the contextof “responsible information sharing,” a futurework item.

Coordination with Other Entities. Consistentwith its charter to address and provide recommen-dations on the spectrum of Homeland Securityissues, the Homeland Security Advisory Council(HSAC) has created a Critical Infrastructure TaskForce (CITF). The CITF is focused on the trans-formation and advancement of national criticalinfrastructure policy. This transformation isintended to go beyond protection to provide forthe resilience and continuity of operation of theNation’s critical infrastructure. The recommenda-tions of this Task Force and the CITF have beenclosely integrated. That integration must continue.



3

Because the Private Sector controls the greatmajority of the nation’s critical infrastructure, effec-tive cooperation between the Federal Government– particularly the Department of HomelandSecurity – and the Private Sector is essential to pro-tecting those assets from terrorist attack. Nowhereis that cooperation more vital than in the area ofinformation sharing. And yet that cooperation hasbeen hampered by a variety of legal and proceduralobstacles. The Homeland Security AdvisoryCouncil charged its Private Sector InformationSharing Task Force on March 21 to understand thenature of those obstacles and to propose solutionsto them.

The Task Force concluded that the best way tounderstand these obstacles – which could be realor perceived – was to ask the Private Sector aboutthem. Accordingly, the Task Force assigned sever-al of its members to reach out to numerous pri-vate sector critical infrastructures, as well as Stateand local government.

The Task Force during its deliberationsreached the following general findings:

1. Significant information sharing activitiesand work are underway in DHS and in thepublic and Private Sectors. But it is notclear that there is an aligned “architecture”or clear understanding of who has theresponsibility to create one. Such an archi-tecture should address:

• Organizational accountabilities andrelationships with other organizations

• Systems and information flow (process-es, information systems and data)

• Other Federal Agency informationresources, requirements and needs

2. Significant work is required to align rela-tionships between DHS and the PrivateSector.

3. Different considerations apply for sharingthreat information and vulnerability infor-mation.

4. The Task Force supports the State and LocalInformation Sharing Working Group’s prin-cipal finding: State, Local and TribalGovernments – and the Private Sector –require homeland security threat and indi-cations and warning (I&W) informationthat, to the maximum extent possible, isUNCLASSIFIED, timely, actionable/tai-lored and updated frequently.

5. Intelligence/information sharing betweenDHS and the Private Sector involves policy,process, and technology and the creationand maintenance of a trusted partnershipbetween all concerned.• A number of statutory, regulatory, policy

and attitudinal improvements are needed.• It will be difficult or impossible to make

significant progress on many other topicsuntil these obstacles can be overcome.

6. A stronger working relationship betweenDHS and the media will increase the likeli-hood that preparedness, threat and crisisinformation provided to a diverse public isaccurate, timely, actionable and in context.

• Provide a reassuring sense that govern-ment, business and civic leaders areworking well together.

• Improve service to the public in a crisis.• Refinements in the Homeland Security

Advisory System are needed.• A national community-based threat

and preparedness campaign.

Executive Summary



4

7. Relationships and interaction between thePrivate Sector and state and local agenciesare less problematic and, therefore, thefocus of the Task Force was on theDHS/Private Sector relationship.

The Task Force issued the following recom-mendations:2

1. DHS and the Private Sector should workin collaboration to develop a formal, andobjectively manageable, homeland securi-ty intelligence/information requirementsprocess.

• The process should place a premium on,and leverage, superior Private Sectorinformation resources, expertise in busi-ness continuity planning, and under-standing of the operations of infrastruc-ture sectors. (M/A)

• The process must recognize the diversityof the Private Sector. (A)

• DHS should partner with the PrivateSector in developing an integrated archi-tecture for information collection andsharing. The Task Force understandsthat this is how Homeland SecurityInformation Network (HSIN) is beingdeveloped and how HSIN-CI (CriticalInfrastructure) (with 40,000+ members)operates. The Task Force supports thatapproach. (M/A)

• The Private Sector and DHS need tointegrate and align their requirements forinformation collection and sharing. (M/A)

• Information Sharing & Analysis Centers(ISACs), Sector Coordinating Councils(SCCs) and other Private Sector organiza-tions and stakeholders must coordinatetheir efforts and define Private Sectorrequirements for DHS so that specificPrivate Sector entities can formally request,track and receive only that informationrequested. This will require doing a betterjob of articulating what types of informa-tion they want from government and withwhat frequency. (M/A)

• Information Sharing & Analysis Centers(ISACs), Sector Coordinating Councils

(SCCs) and other Private Sector organi-zations and stakeholders must coordinatetheir efforts and define Private Sectorrequirements for DHS so that specificPrivate Sector entities can formally request,track and receive only that informationrequested. This will require doing a betterjob of articulating what types of informa-tion they want from government and withwhat frequency. (M/A)

• The process should include a greater biastoward disseminating more informationin unclassified form. The solution shouldnot primarily be to investigate more peo-ple and issue more clearances. (M/A)

• Where information must be classified,• DHS and other agencies should

work harder to produce unclassifiedversions. (M/A)

• The President should continue toimplement on a timely basis the pro-visions of the Intelligence Reformlaw designed to expedite the clear-ance process. (M)

2. DHS should adopt a tiered approach toinfrastructure vulnerability informationsharing.

• Carefully consider the known andpotentially exploitable vulnerabilities ofdatabase technologies, and the conse-quences of compromise of a “nationalasset database” of vulnerabilities. (L/M)

• Maintain appropriate Federal informa-tion at the DHS level, State informa-tion at the State level, local informa-tion at the local level, and PrivateSector information at the Private Sectorlevel. (L/M)

• To enhance the security of vulnerabilityinformation, maintain public sectorinfrastructure information at the cityand municipal level and Private Sectorinformation with trusted thirdparty/non-governmental entities.(L/M)

• Establish an appropriate organization orprocess for cross-sector and governmentinformation exchange. (M)

2Highest priority recommendations are italicized.



5

3. DHS needs to be flexible and responsivein accommodating diversity within andamong Private Sector critical infrastruc-ture sectors.

• HSPD-7 calls for two functions: infor-mation sharing and sector coordination.

• Sector Coordinating Councils in everysector may not be able to perform allthe functions DHS desires. At a mini-mum, DHS must allow each sector todetermine the nature, functions, andrules of its council and its relationshipwith its ISAC and SSA (Sector SpecificAgency). (M/A)

4. DHS should continue to develop a net-work integrated information model forinformation flow.

• Significant work is required:• DHS should employ a “hub and spoke

model” for information flow, as used inHSIN and HSOC. (M)

• Information should flow from thePrivate Sector and other governmentsources to the DHS hub for analyses,and then be distributed back to thePrivate Sector on a targeted basis. (M)

• DHS needs Private Sector input andpresence at the hub. (M/A)

• As a national priority, build a resilient/sur-vivable Homeland Security OperationsCenter (HSOC) and Homeland SecurityInformation Network (HSIN). (M)

• In their current condition, bothare single points of DHS opera-tional failure – an unacceptablecircumstance.

• Leverage the unparalleled success of,and invest in expanding, HSIN-CI.(M)

• HSIN-CI is a trusted and provenmodel for effectively gathering andsharing information.

• Statewide intelligence/informationfusion centers should be integrated intonational information sharing efforts.(M/A)

• DHS should hold regular collaborativesessions (start monthly) with each PrivateSector coordinating organization (e.g.,SCCs, ISACs). (M)

• DHS should hold regular, detailed threatbriefings with each sector.

• Representatives of IA and IP should meetwith selected security and continuity ofoperations personnel of critical infrastruc-ture service providers. (M)

• These sessions should be held more oftenthan every six months, and should beheld separately for each sector. (M)

• They should involve more specific infor-mation than is currently presented inclassified sector briefings. (M)

• They should be oriented less toward presen-tation and more toward dialogue. (M/A)

5. DHS should promptly and decisivelyrevise its rules and policies for informa-tion sharing.

• Regard Private Sector critical infrastruc-ture facilities, companies and their asso-ciations as partners with legitimate inter-ests in policy formulation and implemen-tation – and as the only entities capableof implementing most policy in the sub-ject area. (A)

• Respond to Private Sector concerns aboutliability risks associated with sharingsecurity information with DHS• DHS should ensure that critical infra-

structure information is only used to pro-tect or ensure the operational resilience ofcritical infrastructure. (R)

• Critical Infrastructure Information Act(CIIA) regulations must be simple andbroadly agreed-upon before they will beused. (R)

• Educate potential submitters regardingthe protections afforded by all existinglaws and potential risks. (M)

• Fully implement the CriticalInfrastructure Information Act (CIIA):• Do not require all CIIA submissions

to be validated. (R)



6



7

• Declare that information submitted bySCCs and ISACs and maintained onHSIN by sector representatives will bedeemed CII. (R/M)

• Allow “class” CIIA determinations inadvance of submittal. (R/M)

• Allow “indirect” and electronic sub-mission under CIIA. (R/M)

• Roll out the CIIA program as quicklyas possible to all DHS entities, to othersector-specific agencies, and to stateswilling to execute memoranda of agree-ment (on behalf of themselves and localgovernments within the State). (M)

• Authorize all personnel of itsInformation Analysis & InfrastructureProtection Directorate who interact withcritical entities to be CIIA portals. (M)

• In consultation with DOJ and the Private Sector,adopt broad, Department-wide positions regardingthe applicability of the confidential business informa-tion and law enforcement sensitive exemptions underthe Freedom of Information Act (FOIA). (M)

• Resolve questions about how the FederalAdvisory Committee Act (FACA) applies toSCCs and ISACs.

• The ongoing Private Sector/Governmentoperating relationship is critical to aneffective homeland security operation andis hobbled by FACA issues.

• SCCs and ISACs are not covered by FACAbecause they are not “utilized” by theExecutive Branch and are primarily oper-ational, rather than advisory. (M)

• If challenged, DHS should use one ofthree possible authorities to exempt SCCsand ISACs from FACA. If this requiresamending the CIIA rules, DHS should doso promptly. (R/M)

• Given the above, under no circumstancesshould DHS employ FACA “workarounds” like treating SCCs as subgroupsof the National Infrastructure AdvisoryCouncil or seeking only the views of indi-vidual companies. (M)

• DHS offices and staff should identify coordi-nation needs with DHS, with other Federalagencies and with State and local governments,

and should undertake such coordination asearly as necessary, without waiting for affectedentities to initiate it. (M/A)

• DHS should determine if it needs particularinformation to do its job, or whether someother governmental or private entity is doingthat job adequately. DHS should not requestinformation because it can, or because itwould be “nice to know,” but only where it isnecessary to enable DHS entities to performessential functions. (M/A)

• The Sensitive Security Information (SSI) rule-making conducted by the DHS TransportationSecurity Administration (TSA) should encom-pass all modes of transportation. (R)

6. DHS should pro-actively invest in a bet-ter-informed and more engaged mediathrough specific targeted programs aimedat developing a stronger working relation-ship between the government, the mediaand the Private Sector in major incidents.(M/A).

• Upon completion of an assessment, thegovernment and local media should scaletheir existing National Academies ofScience media engagement program into asustained campaign in all UASI (UrbanAreas Security Initiative) media markets.

• Government officials at both the nation-al and local levels should conduct a sys-tematic program of background briefingsfor members of local media including,among other things, the NationalResponse Plan and National IncidentManagement System, potential threatand response scenarios, scientific informa-tion regarding biological, chemical andradiological materials, a glossary ofhomeland security and citizen protectiveactions, and other FAQs.

• Local elected officials and trusted author-ities (public and Private Sector) shouldbe trained on how to conduct press brief-ings during an incident in order to pro-vide (1) timely and actionable informa-tion and protective action recommenda-tions to the Private Sector and the publicand (2) contextual material needed tomaintain public order and confidence.



8

• DHS, local elected officials and nationaland local media should develop protocolsfor the timely confirmation or correctionof unconfirmed information or rumorsduring the course of an incident.

7. The Homeland Security Advisory Systemshould be refined to provide more specificguidance to the Private Sector and to the pub-lic, including changes in warning levels. (M).

• Warning levels should be adjustable on asector-specific, geographic or time-limitedbasis (or on another basis, as appropriate).

• Warning level changes should include aspecific advisory to the public regardingthe purpose for the change and the steps,if any, that the public is expected to takeas a result of such a change.

• DHS, State and local officials and thePrivate Sector should meet, confer anddevelop common understandings andexpectations regarding the readiness or pre-paredness levels associated with differentwarning levels.

• Any refinement of the Advisory Systemshould be accompanied by a clear, easy-to-understand public communicationsplan.

The Task Force identified the followingnext steps:

• The Task Force urges DHS to reach outto Private Sector entities that representcritical infrastructure (i.e., Sector

Coordinating Councils and InformationSharing & Analysis Centers) to establishjoint DHS/Private Sector teams to workon the highest priority recommendations.

• In consultation with these teams, DHSshould build an action plan, with mile-stones, to address all the recommenda-tions discussed below.

• Task Force members stand ready to supportthis effort.

• In the future, the Task Force will addressthe issue of training the private and publicsector on the collection, analysis, dissemi-nation, and use of homeland securityinformation.

• Additionally, the Task Force will review, anddetermine whether to develop recommenda-tions regarding, the following issues:• Creation of a domestic counterpart to

the Overseas Security Advisory Council.• Ensuring implementation of a formal

intelligence requirements process for thePrivate Sector, including both physicalmechanisms and educating stakeholders.

• Ensuring responsible information shar-ing, so as to satisfy legitimate publicright-to-know goals without creatingeven greater risks to the public throughthe release of information that couldassist terrorists.

• Supporting the State and LocalInformation Sharing Working Group’sinitiatives, particularly Private Sectorroles and responsibilities in state andlocal fusion centers.

I. The Imperative for Creating a Formal andObjectively Manageable Homeland SecurityIntelligence/Information Requirements Process

A huge amount of information currently flowsin both directions between private sector criticalinfrastructure entities and the FederalGovernment. Attachment B to this paper is anoutline of the most important of these flows. (Itdoes not include the great volume of informa-tion moving in each direction in the form ofpress releases, briefings, and general public affairscampaigns.) Much of the information describedin Attachment B is part of the process of legaland regulatory enforcement (but not the prom-ulgation of rules or regulations); much falls intothe definition of “critical infrastructure informa-tion.” Despite – or perhaps because of – thesheer volume of this information, it is not clearthat there is an aligned “architecture” for sharingit, nor a clear understanding of who has theresponsibility to create one.

Members of private sector critical infrastructurehave a wide variety of requirements regardinginformation that they want from governmentand information that they are willing to sharewith government. As a general rule, the PrivateSector wants information (both from govern-ment and other Private Sector sources):

∑ • to change business behavior whennecessary;

∑ • on things which would affect businesses;and

∑ • to respond/react/initiate resilience.

∑ A. Requirements regarding threat information

The Private Sector generally views infor-mation coming from DHS as primarily

∑ about threats, and information comingfrom the Private Sector as primarily aboutvulnerabilities.

Reflecting the wide-ranging differencesamong them, different industries and com-panies want varying levels of threat infor-mation. Many smaller companies wantonly specific, actionable information con-cerning immediate threats that affect themindividually. Some companies and indus-tries desire government assessments of secu-rity and business-continuity capabilities,but only when and as requested. Somewant information that is a bit more gener-al, but which nonetheless is refined bytime, region or sector, or focused on threattrend and technique analyses.

Some, however, want almost all informationavailable — the broad spectrum of threatand risk information.

These companies (or industries) view them-selves as fully able to decide whether it is rel-evant to them and how to respond. Whilerecognizing that the Private Sector is a sourceof and has a responsibility to provide infor-mation to the Government, until the govern-ment’s new information dissemination andsorting methods are refined, these companieswant DHS to spend more effort on theprocess of getting information out to thePrivate Sector, letting the Private Sector sortthrough applicability and share informationacross sectors or within regions. Even withthis group, however, there was a desire thatshared information be as specific, timely andactionable as possible, so that it assists thoseresponsible for adjusting their security andoperational continuity measures to respondaccordingly.

DiscussionPART ONE: ESTABLISHING NEW INFORMATION SHARING REQUIREMENTS AND PROCESSES



9

3This was the clear consensus of participants in a panel convened by the American Bar Association’s Section of AdministrativeLaw and Regulatory Practice on the new “information sharing environment.” Participants in the March 16, 2005 event wereWilliam Leonard, Information Security Oversight Office, National Archives & Records Administration; William Dawson, DeputyIntelligence Community CIO and Special Assistant for Information Sharing to the Director of Central Intelligence; Larry Halloran,Staff Director and Counsel of the House Government Reform Committee’s Subcommittee on National Security, Emerging Threatsand International Relations; and Mary DeRosa, Senior Fellow, Technology Program, Center for Strategic and InternationalStudies and a consulting expert to the Markle Foundation’s Task Force on National Security in the Information Age. Audioavailable at http://www.abanet.org/adminlaw/calendar.html.

The Private Sector also needs to be ableto get threat information from State andlocal sources, as well as from DHS. Toavoid confusion, especially during timesof crisis, this will require Federal-Statecooperation and coordination.

Too often threats and warnings seembased on sector rather than geography.

B. Requirements regarding criticality/vulnerability

The process of determining which infra-structure elements within a given sectorare “critical” or “vulnerable” needs to bebetter defined and made only with theinput of Private Sector expertise. WhileDHS has made progress in building itsorganizational and oversight capacityregarding the Private Sector, the fact isthat, by necessity, the Private Sector willalways understand its operations betterthan DHS (or other government agen-cies). As the government learned duringthe Y2K transition, empowerment of andtrust in the Private Sector’s superiorknowledge of its own infrastructure andinclusion of its expertise will produceoptimal decisions and objectively sustain-able results. Exclusion of that expertise,or dictation to those holding it, willassure the continuation of suboptimaldecisions, expenditures of resources, andeffects. For example, DHS’s NationalCommunications System (NCS) main-tains a database about network configura-tion entitled the “Network Design &Analysis Capability” (NDAC). The datacomes to DHS by purchase from compa-nies under nondisclosure agreements,from public sources such as the LocalExchange Routing Guide (LERG), andby voluntary submissions.

Analysis of the data, however, shouldalways be reviewed by the company (usu-ally under the terms of the NDA) to avoidincorrect conclusions. In one instancewhere such review was not obtained, agovernment analyst’s assumption that atelecommunications cable crossed abridge (when in fact it was buried underthe stream crossed by the bridge) led himto erroneously conclude that destroyingthe bridge would destroy connectivity.

C. Requirements regarding unclassified andclassified information

The Private Sector, recognizing it has itsown “insider” security concerns, needsinformation — unclassified to the maxi-mum extent possible — that is action-able; i.e., enabling it to respond in thebest way based on local trusted relation-ships. As discussed below, Congress andthe Government Accountability Office(GAO) have emphasized the need forDHS and other agencies to issue moresecurity clearances to State, local and pri-vate individuals, and such clearances areclearly needed by many who do not havethem. But DHS should not proceed onthe basis that issuing more clearances willresolve this obstacle. There are simplytoo many people in the tens of thousandsof critical infrastructure entities for DHSto clear them all – and new people go towork for these businesses and govern-ments all the time. Equally problematic,for homeland security information toproduce the intended benefits, recipientsof it need to be able to relay its substanceto colleagues within their own organiza-tions and sectors, within interdependentsectors, and within State and local gov-ernments. It is not very helpful if clearedpeople cannot tell non-cleared people whatthey know.3



10

The primary solution to this obstacleneeds to be giving people unclassified,timely and actionable information toclear them all – and new people go towork for these businesses and govern-ments all the time.

In particular, the Private Sector feels thatgovernment should trust it and provideaccess to “Law Enforcement Sensitive” and“For Official Use Only” information.Those and similar restrictions some-timeslead law enforcement or other sector-spe-cific agencies to prevent Private Sectoraccess, even though many within the criti-cal infrastructure security organizationsunderstand how to handle sensitivedata.(Indeed, such companies are equally ifnot more concerned about this informa-tion being publicly released.) DHS shouldexplore the value of nondisclosure agree-ments as a means of limiting subsequentdissemination of information it providedto selected critical entities. Such agree-ments are mandatory when classified infor-mation is shared, and could be useful forsharing unclassified information as well.

The Task Force is not alone in its beliefthat DHS should share more informationwith the Private Sector. Congress hastwice acted since 9/11 to encouragegreater information sharing. Before dis-cussing the obstacles to such informationsharing, it is worth discussing these twoCongressional directives which, in the

Task Force’s view, have received insuffi-cient attention.

First, when Congress enacted theHomeland Security Act, it created the“Homeland Security Information SharingAct” (HSISA), a free-standing law intend-ed to promote the distribution of suchinformation, whether classified or unclas-sified, to the public and private ownersand operators of critical infrastructure.4

HSISA declares the sense of Congressthat Federal agencies should share, to themaximum extent practicable, informationthat:

• Relates to terrorist threats;• Relates to the ability to prevent or

disrupt terrorist activity;• Would improve the identification or

investigation of suspected terrorists; and• Would improve response to terrorist

attacks.5

Essentially, HSISA instructs the Presidentto develop homeland security informationsharing systems to promote the sharing ofboth classified and sensitive but unclassi-fied information.6

While the President has issued ExecutiveOrder 13311 delegating the relevantauthority to the Secretary of DHS,7 theTask Force is unaware that any furthersteps have been taken explicitly to imple-ment the law.

4While HSISA speaks of sharing such information with “State and local personnel,” that term is defined to include “employeesof private sector entities that affect critical infrastructure, cyber, economic or public health security, as designated by theFederal government in procedures developed pursuant to [HSISA].” 6 U.S.C. § 482(f )(3)(F).5Id. §§ 481(c), 482(f )(1).6These systems are to have the capability to limit distribution to specific subgroups of people based on geographic location,type of organization, position of recipient within an organization, and need to know. Id. § 482(b). They may also conditiondistribution on limitations on redistribution. Id. The procedures can include issuing additional security clearances for classi-fied information or entering into nondisclosure agreements for sensitive but unclassified information. Id. § 482(c). The lawclarifies that information distributed through these procedures remains under the control of the Federal Government and maynot be released under state open records laws. Id. § 482(e).768 Fed. Reg. 45149 (July 31, 2003). See esp. § 1(f ).



11

Second, the Intelligence Reform andTerrorism Prevention Act, passed inDecember 2004, requires the President toestablish an “information sharing envi-ronment” (ISE) within the FederalGovernment to facilitate sharing of infor-mation about terrorists, and the threatsthey may pose, “among all appropriateFederal, State, local, and tribal entities,and the Private Sector.”8 The ISE isintended to “promote a culture of infor-mation sharing.”9 Compliance with theISE is mandatory on Federal agencies thatpossess or use terrorism information.10

The law establishes a series of milestonesfor implementation of the ISE.11

The Task Force calls on the Administrationto implement HSISA and the IntelligenceReform law. In doing so, and in otherways, DHS should take clear steps toincrease the amount of homeland securityinformation that it shares with PrivateSector owners and operators of criticalinfrastructure. To do so, DHS will needto overcome the following legal obstacles.The discussion below identifies the TaskForce’s recommendations in these regards.

1. Sensitive But Unclassified Issues

Where information has not been classi-fied, the Task Force believes that DHShas been overly reluctant to share it withowner/operators of critical infrastructure.

In the two Congressional enactments justdiscussed (HSISA and the IntelligenceReform law), Congress emphasized theneed for the Federal Government to morebroadly disseminate unclassified information, aswell as classified information.Unfortunately, the culture of the classifiedworld still adversely influences handling ofunclassified information.12

• “Need to know” attitude. Much, if notmost, unclassified security informationis still restricted to those that the pos-sessor of the information determineshave a need to know, often not includ-ing the Private Sector. The problemwith this way of thinking is that thepossessor of information may notknow who else may find informationuseful or why.13

• Need for originator permission for broad-er dissemination. This constraint makesfurther dissemination of informationmuch more difficult. The Task Forcebelieves that voluntary private submit-ters of sensitive information to theFederal Government ought to be ableto condition or limit subsequent dis-semination of that information, sincethey bear the risk if information is mis-used. But information that the govern-ment originates should not be subjectto continuing originator control.

8Pub. L. No. 108-458, 6 U.S.C. § 485(b)(2) (emphasis added).9Id. § 485(d)(3). 10Id. § 485(i).11The ISE is to be run by a program manager designated by the President. Id. § 485(f ). (The President designated JohnRussack on April 15, 2005.) It is to be overseen by the “Information Sharing Council,” a new name for the “InformationSystems Council” established by the President last August to strengthen sharing of terrorism information. Id. § 485(a)(1), (g).The Program Manager was supposed to issue an initial report on establishment of the ISE by June 15, 2005, containingamong other things “a description of the technological, legal, and policy issues presented by the creation of the ISE, and theway in which these issues will be addressed.” By September 13, 2005, the President is due to “leverage all ongoing effortsconsistent with establishing the ISE” and issue guidelines for promoting information sharing. The guidelines must “ensurethat information is provided in its most shareable form, such as by using tearlines to separate out data from the sources andmethods by which the data are obtained”; and “reduc[e] incentives to information sharing, including over-classification ofinformation and unnecessary requirements for originator approval . . . and . . . providing affirmative incentives for informationsharing.” Id. § 485(d). By the end of 2006 and annually thereafter, the President must report on “the extent to which . . .information from owners and operators of critical infrastructure is incorporated in the ISE, and the extent to which individualsand entities outside the government are receiving information through the ISE.” Id. § 485(h)(2)(G).12This section of the report applies to all unclassified security-related information that warrants being safeguarded, regardlessof precise label used to describe it (i.e., “sensitive but unclassified,” “for official use only,” etc.).13See National Commission on Terrorist Attacks upon the United States, 9/11 COMMISSION REPORT 417 (2004).



12

• Bias against disclosure to privateowner/operators. Because classifiedinformation is rarely provided to mem-bers of the Private Sector, many per-sons within the government chargedwith managing unclassified informa-tion are reluctant to share it readilywith private personnel.

• Indiscriminate use of FOUO, SBUlabels. “For official use only” and “sen-sitive but unclassified” are labels thatprovide a basis for safeguarding infor-mation (i.e., managing it carefully).Many within government do notunderstand that these labels are not,however, a legal basis for withholdinginformation from private persons.14

These legacy issues continue to be a problem.For example, representatives of the naturalgas utility industry were given the initial listof DHS “protective security advisors,” butwere told that the list could not be dissemi-nated within the industry, nor shared withother interdependent sectors (e.g., the elec-tric utility industry).

The Intelligence Reform law15 and the 9/11Commission Report16 both urge greaterreliance on trusted information sharing net-works where, once individuals or organiza-tions are accredited members of the net-work, they are trusted to determine whoelse can see information. Part of this solu-tion may be broad acceptance of definitionsof FOUO and SBU that affirmatively urgessharing within such networks.

2. Classification Issues

A. Perception that too much information isclassified

There is a widely shared perception, by TaskForce members and others, that the currentclassification system results in too muchinformation being classified by the govern-ment. This perception is not new or exclu-sive to private businesses. For example, the9/11 Commission Report found that“[c]urrent security requirements nurtureoverclassification and excessive compart-mentalization of information among agen-cies.”17 The official in charge of classifica-tion policy across the Federal Governmenthas made the same point.18 Incentives tooverclassification were also highlighted inthe Intelligence Reform law.19

In large measure, the obstacle arises from thefact that, pre-9/11, terrorist threat informa-tion was generally classified and of interestto very few people outside the FederalGovernment. Now, however, that informa-tion is vitally necessary to representatives ofcritical private entities. They need thisinformation in order for their vulnerabilityassessments to be well-informed and theirsecurity measures targeted. They also needit for both these efforts to be an efficient useof resources, rather than a blunderbussapproach.

A second reason for this obstacle is that anumber of the individuals who originallywere detailed to the White House Office ofHomeland Security and who were involvedin the creation of DHS came from the mili-tary, law enforcement and intelligence com-munities. All of these communities areexperienced in adversary tactics and arehighly disciplined. Thus, they have beenheavily trained on national policies regard-ing classification and clearances, and areused to operating on a need-to-know basis.

14See James W. Conrad, Jr., “Protecting Private Security-Related Information from Disclosure by Government Agencies,” 57ADMIN. L. REV. — (Summer 2005) (in press) (Attachment C), at 17-18.15See 6 U.S.C. § 485(d)(3).16See 9/11 COMMISSION REPORT at 418.17Id. at 417.18J. William Leonard, Director, Information Security Oversight Office, National Archives & Records Administration, “InformationSharing and Protection: A Seamless Framework or Patchwork Quilt?” Remarks at the National Classification ManagementSociety’s Annual Training Seminar, Salt Lake City, Utah (June 13, 2003), available at http://www.fas.org/sgp/isoo/ncms061203.html.See also Markle Foundation, PROTECTING AMERICA’S FREEDOM IN THE INFORMATION AGE 14 (Oct. 2002).19See 6 U.S.C. § 485(d).



13

While the best at what they do, these com-munities do not have long traditions of reg-ulating or otherwise interacting with thePrivate Sector on a regular basis. Thosepractices and attitudes, while useful in theiroriginal applications, are not conducive toeffective information sharing with criticalPrivate Sector entities.

B. Disseminating unclassified summaries

Where information must be classified,DHS and other agencies should work hard-er to produce unclassified versions. Insome cases, information will continue toneed to be classified. In such cases, govern-ment staff should be trained to maximizethe amount of that information that can beshared in an unclassified manner, by “writ-ing for release,” producing abstracts ordigests, use of tear sheets that do not revealsources and methods, etc. Again, these arefundamentally attitudinal and culturalissues, but may need to be implemented vianew policies.

C. The slow clearance investigation and adjudi-cation process

Congress, the GAO and others have repeat-edly found that the Federal Government –especially outside DHS -- has been too slowin issuing security clearances to enable criti-cal infrastructure owners and operators tohave access to classified information. Thiswas a principal finding of the IntelligenceReform Act.20 The GAO came to the sameconclusion recently in its examination ofinformation sharing in the maritime securi-ty context, in which it concluded that“[t]he major barrier hindering informationsharing has been the lack of security clear-ances for nonfederal members of [area mar-itime security] committees or [interagencyoperational] centers.”21

To varying degrees, Task Force membersand their organizations have experiencedthis problem first hand.

Recommendations1. DHS and the Private Sector should work

in collaboration to develop a formal, andobjectively manageable, homeland securi-ty intelligence/information requirementsprocess.

• The process should place a premium on,and leverage, superior Private Sectorinformation resources, expertise in busi-ness continuity planning, and under-standing of critical infrastructure sectoroperation and resiliency. (M/A)

• The process must recognize the diversityof the Private Sector. (A)

• DHS should partner and collaboratewith the Private Sector in developing anintegrated architecture for informationcollection and sharing. The Task Forceunderstands that this is how HSIN isbeing developed and how HSIN-CI(with 40,000+ members) operates. TheTask Force supports that approach. (M/A)

• The Private Sector and DHS need to inte-grate and align their requirements forinformation collection and sharing. (M/A)

• Information Sharing & Analysis Centers(ISACs), Sector Coordinating Councils(SCCs) and other Private Sector organi-zations and stakeholders must coordinatetheir efforts and define Private Sectorrequirements for DHS, so specific PrivateSector entities can formally request, trackand receive only that informationrequested. This will require doing a bet-ter job of articulating what types ofinformation they want from governmentand with what frequency. (M/A)

• The process should include a greater biastoward disseminating more informationin unclassified form. The solution shouldnot primarily be to investigate more peo-ple and issue more clearances. (M/A)

20See 50 U.S.C. § 435b.21GAO, MARITIME SECURITY: NEW STRUCTURES HAVE IMPROVED INFORMATION SHARING, BUT SECURITY CLEARANCE PROCESS-ING REQUIRES FURTHER ATTENTION, “What GAO Found” (GAO-05-394) (April 2005).



14

• Where information must be classified,• DHS and other agencies should

work harder to produce unclassi-fied versions. (M/A)

• The President should continue toimplement on a timely basis theprovisions of the IntelligenceReform law designed to expeditethe clearance process. (M)

II. Different Considerations for ThreatInformation and Vulnerability Information

A. Vulnerability Information Is UniquelySensitive

The Private Sector makes a key distinctionbetween threat and indications and warning(I&W) information and vulnerability infor-mation. The former, absent sources andmethods, is more important and should beless problematic to share. As a philosophicalmatter, Government has a clearConstitutional duty to “provide for the com-mon defense” and, implicitly, to warn citizensabout and protect them from hostile forces,both foreign and domestic.

As to the latter, while the HomelandSecurity Act sets out broad mandates forDHS’s Information Analysis &Infrastructure Protection Directorate (IAIP)(or its 2SR successor), it is clear that themost effective manner of complying withthose mandates has not yet been developed,and unclear that IAIP must or can performall aspects of this task itself.

The government continues to ask industryto provide a vast array of information, up toand including all possible information con-cerning its critical facilities. Attachment Dis a summary list of desired information, butinterested readers should review any of sev-eral official DHS ‘requirements’ documents,

all of which are tens of pages long and seekenormous amounts of information.22 (Thesedocuments are not attached because they arelabeled “For Official Use Only.”) Manywithin the Private Sector, however, are reluc-tant to comply with such requests, for thefollowing reasons:

• It is still uncertain on what basis suchinformation can or will be kept confi-dential, and few companies are willingto risk the legal, business, or other con-sequences from an inappropriate dis-closure. See Part Two, § II below.

• Neither DHS nor any other agencycould properly store, much less evenbegin to analyze, the vast amount ofinformation it would receive if it goteverything it is seeking.

• The data being requested changes toooften and too quickly for DHS (or anyother agency) to create a stable, usefuldatabase.

• DHS already knows, or should know,where to get specific, detailed industryinformation when it is truly needed,but does not (or does not appear to) doso, do so consistently, or appropriatelyshare such information it may receivewith relevant offices within DHS.

In general, the risks of sharing such infor-mation seem to outweigh the benefits.Risks identified by members of the PrivateSector include:

• Vulnerability information provided tothe government might be used againstcompanies in other contexts. Forexample, the government might decidenot to contract with a company that itdetermines is too vulnerable in somerespect.

• Companies are not confident that gov-ernment will help industry fix anyproblems that are found.

22E.g., “Terrorist Threats to the U.S. Homeland – Reporting Guide for Critical Infrastructure and Key Resource Owners andOperators,” forwarded under a January 24, 2005 memorandum from Under Secretary Frank Libutti; “PriorityIntelligence/Information Requirements, January 2005-July 2005,” forwarded under a January 7, 2005 memorandum fromAssistant Secretary Patrick Hughes.



15

• Knowledge of vulnerabilities could leadto inappropriate government interfer-ence with business operations. Forexample, some vulnerabilities do notwarrant remediation under any reason-able cost/benefit analysis of the proba-bility they will be exploited, the conse-quences if they were, and the cost ofremediation.

• Although some vulnerabilities mayneed Federal involvement, most areregional or local and need, at most,only state or local government involve-ment. Even there, state sunshine/open-ness laws create disincentives for thePrivate Sector to share information, andfor government-owned entities to assessor review their own vulnerabilities.

B. National Asset Database vs. Other Meansof Storing Vulnerability Data

As the portions of the emerging NIPP andthe Sector Specific Plans (SSPs) dealing withvulnerability assessment are being rewritten,the respective roles and responsibilities of thePrivate Sector and IAIP (and of specific com-ponents within IAIP and elsewhere in DHS)need to be carefully re-evaluated to deploypublic and private resources most efficientlyand economically — and to avoid creatinggreater risks. The Task Force is particularlyconcerned about the wisdom and feasibility ofcreating and maintaining a “national assetdatabase” of critical infrastructure assets andkey resources:

• Exploitable vulnerabilities in cheaplyproduced, foreign-written software andthe level of attack sophistication growdaily. Databases of all varieties are com-promised continually. National asset andvulnerability databases will become thenumber one target of terrorists and hos-tile nations (either to access or disable).While one can understand Congress’intent in directing the creation of suchdatabases, it obviously did so with theassumption that such databases couldbe completely secure and thus notbecome principal instruments of theNation’s destruction.

This is not a sound assumption.Accordingly, a growing number of deci-sion makers within the Private Sectorsimply do not want to assist in the cre-ation of what could become a “targetlist” featuring them.

• How can the currency of such a largedatabase possibly be maintained, giventhe number of facilities covered and thefact that their vulnerabilities changeover time as the facilities and their oper-ations change?

• Is the creation of this massive data baseseen as an end in itself? Such a databaseis not useful to the Private Sector, mem-bers of which as a matter of sound busi-ness practice constantly conduct theirown risk analyses as part of operationalcontinuity programs.

The Task Force recognizes that the statutoryresponsibilities of the Under Secretary forInformation Analysis and InfrastructureProtection include “carry[ing] out compre-hensive assessments of the vulnerabilities ofthe key resources and critical infrastructuresof the United States [and] integrat[ing] rele-vant information, analyses and vulnerabilityassessments (whether . . . provided or pro-duced by the Department or others) inorder to identify priorities for protectiveand support measures by the Department .. . and other entities.”23 On the other hand,however, it is unclear that the most effectivemanner of complying with those mandateshas yet been developed, or indeed that IAIPmust or can perform all aspects of this taskitself. At a minimum, the Task Forcebelieves that the bolded language quotedabove signals Congress’ intent that DHSallow this work to be carried out by thosecritical entities where they have the capabil-ity and willingness to do so.

Understanding that DHS is, in part,responding to Congressional directives,the Task Force suggests (a) a review of thegovernment’s Y2K transition informationsharing success and (b) a legislative effortto relieve DHS of some of the vulnerabili-ty data-gathering and maintenancerequirements imposed on it by theHomeland Security Act.

236 U.S.C. § 121(d)(2), (3).



16

Paragraph 25 of Homeland SecurityPresidential Directive/HSPD-7 mandates thatDHS and other Sector-Specific Agencies(SSAs) “collaborate with appropriate PrivateSector entities and continue to encourage thedevelopment of information sharing andanalysis mechanisms.” In addition, that para-graph provides that sector coordination mech-anisms should “ a) identify, prioritize andcoordinate the protection of critical infrastruc-ture and key resources; and b) facilitate shar-ing of information about physical and cyberthreats, vulnerabilities, incidents, potentialprotective measures, and best practices.” It isthus understandable that, in drafting theNIPP, DHS would attempt to combine thesefunctions (and more) in a symmetrical array of“Sector Coordinating Councils” (SCCs), eachpaired with a “Government CoordinatingCouncil.” A recent presentation by theDirector of IAIP’s Infrastructure CoordinationDivision (ICD) listed the following roles forSCCs:

• serving as a “single forum into sector forentire range of HS issues,

• institutionalizing the sector’s coordina-tion of policy development, sector widestrategy and planning,

• program promulgation and implemen-tation,

• monitoring of progress,• provision of best practices and guide-

lines,• requirements for information sharing,

research and development,• point of cross sector coordination.”

It is not clear that a single entity will (orshould) be able to perform all these functions— which go beyond the role prescribed inHSPD-7 — for a critical sector in an effec-tive, efficient, and expeditious manner. Thescope outlined by ICD includes a broad arrayof policy, operational, strategic and tacticalfunctions, many of which can only be per-formed by those who own and operate specif-ic Private Sector infrastructure elements. Asdiscussed in Part Three, moreover, there aresignificant benefits to limiting SCCs (andISACs) to primarily operational issues.

Recommendations2. DHS should adopt a tiered approach to

infrastructure vulnerability informationsharing.

• Carefully consider the known andexploitable vulnerabilities of databasetechnologies, and the consequences ofcompromise of a “national asset data-base” of vulnerabilities. (L/M)

• Maintain appropriate Federal informa-tion at the DHS level, state informa-tion at the state level, local informationat the local level, and Private Sectorinformation at the Private Sector level.(L/M)

• To enhance the security of vulnerabilityinformation, maintain public sectorinfrastructure information at the cityand municipal level and Private Sectorinformation with trusted thirdparty/non-governmental entities.(L/M)

• DHS devote a substantial effort toestablishing an appropriate organiza-tion or process for cross-sector andgovernment information exchange. (M)

III. Diversity Within the Private Sector

The Private Sector is not monolithic. Thereare significant differences both across andwithin sectors. In addition, there are oftencrucial differences between roles and capabili-ties of trade associations and those ofowner/operators. DHS must respect thesedifferences as it develops a process for sectorcoordination.

The Task Force understands that, from gov-ernment’s point of view, given competingdemands and limited resources, “one stopshopping” for information exchanges with thePrivate Sector is a desirable goal. However, asDHS rewrites the National InfrastructureProtection Plan, it must carefully reconsiderhow feasible or desirable such a goal is in lightof the divergent evolution of SectorCoordinating Councils, Information Sharing& Analysis Centers and similar bodies.



17



18

companies. In general, there are manymore companies than trade associations.Indeed, information technology is sopervasive in our economy that the sectoris still debating criteria for inclusion(e.g., whether the majority of a compa-ny’s income comes from producing ITcomponents — hardware, software, orservices — the extent in which IT isused in a company). The sector is alsoconsidering membership in the contextof funding. The IT/ISAC requiresfunding to operate and, as such, mem-bership is limited to those who con-tribute (with some exceptions).However, many feel that the IT SCCshould be more broadly based and free.

This diversity highlights the need for DHS toprovide flexibility for the different sectors.

Recommendations3. DHS needs to be flexible and responsive

in accommodating diversity within andamong Private Sector critical infrastruc-ture sectors.

• HSPD-7 calls for two functions: infor-mation sharing and sector coordination.

• Sector Coordinating Councils in everysector may not be able to perform allthe functions DHS desires. At a mini-mum, DHS must allow each sector todetermine the nature, functions, andrules of its council and its relationshipwith its ISAC and SSA. (M/A)

IV. Developing a Resilient and IntegratedNetwork for Information Sharing

A. Range of Views Regarding Need

The Private Sector has varying desires regardingthe best communication mechanisms for receiv-ing threat information.

• Some feel the need for a new communica-tion mechanism similar to the StateDepartment’s OSAC. They feel that thenew Homeland Security InformationNetwork—Critical Infrastructure (HSIN-CI) will be able to serve that function(especially to the extent that it can operateacross sectors within regions, similar tohow some InfraGard chapters and AreaMaritime Security Committees function atthe local level).

Different sectors have organized themselves ina variety of ways to accomplish the informa-tion sharing and coordination functionsdescribed in HSPD-7:

• The Food and Agriculture SCC, forexample, includes two representativesand one alternate from each of sevensub-councils, and has a six-page state-ment of governing principles and proce-dural rules. Its decisions must be byconsensus of representatives of all sub-councils, rather than by a majority of allmembers. Most of the members aretrade associations.

• The Financial Services SCC was foundedby the Treasury Department, while theFinancial Services ISAC predates it andwas founded by the banking and financeindustry itself. The majority of theFinancial Services SCC members are tradeassociations; the majority of the FinancialServices ISAC members are individualbanks and financial institutions.

• The IT and CommunicationInfrastructure (formerly telecommunica-tions) Sectors are still in the process offorming and have just formed theirSCCs, although each sector already hasits own ISAC and dedicated DHS com-ponent (NCSD and NCS, respectively).

These last two sectors offer some interestingcontrasts.

• The Communications Infrastructuresector, with a relatively small number ofcompanies and four associations (wireline carriers, wireless carriers, equipmentmanufacturers, and now internet serviceproviders) has a long history of coopera-tion and National Security/EmergencyPreparedness (NS/EP) coordinationunder the NSTAC and the NCS in theDefense Department. TheCommunications Infrastructure SCCmakes it very clear that it will addresspolicy matters only, that operationalmatters will be handled by theCommunications Infrastructure ISAC,and that while they will coordinate,they will remain separate.

• The IT sector includes hardware andsoftware manufacturers, internet serviceproviders, network providers,telecomm companies, cable companies,data security companies, and service



19

& local governments (especially law enforcementand emergency response). The path of leastresistance in such cases would be for DHS towork with those other governmental units ratherthan initiating a new relationship directly withthe business. For any new relationships, DHSwould need to show why that relationship wasnot redundant, why it added value to the businessand why it was equally trustworthy.

C. Importance of Trust and Personal Relationships

Several groups examining the question of infor-mation sharing have emphasized how much theprocess relies on trusted personal relationships. Inmany cases these arise from people having previ-ously worked together, or for the same organiza-tion (e.g., the Coast Guard). In other cases, theysimply have to grow out of an extended period ofassociation. By and large, members of PrivateSector critical entities already have these relation-ships with State and local governments, and, to alesser extent, with their sector-specific agencies. Byand large, they do not have them with DHS orits contractors, except in those cases where aPrivate Sector individual worked with a DHSemployee in some prior capacity, or both workedfor the same organization. DHS simply has notbeen around long enough in stable form for trust-ed relationships to have developed in a greatmany cases. That problem has been exacerbatedby frequent reorganizations within DHS andhigh turnover or transfer of DHS staff.

In a growing number of cases (e.g., the DHSsector specialist for the chemical sector), theprivate and public personnel involved haveworked long and closely enough together thatthese sorts of trust relationships have beenestablished. Time and stability should pro-duce additional such relationships.

However, and despite the foregoing, many inthe Private Sector feel there is too muchreliance on preexisting personal relationshipsrather than on the creation of effective mech-anisms (i.e., that there is often more willing-ness to rely on existing trusted personal rela-tionships, rather than attempting to buildtrust in some new, untested communicationmechanism). Whatever the case, it is clearthat any new model for information sharingwill need to address the trust issue (as HSIN-CI has done), and not simply assume thatpeople will use a new and untested systembecause the Federal Government created it.

• Others appear to be better at commu-nicating with DHS, and believe they getsufficient information through existingmechanisms, whether formal or informal.Private Sector representatives who arealready comfortable with existing mecha-nisms are concerned that new mechanismscould lead to new turf battles. Similarly,most feel that sharing with State and localconstituencies seems to work well, andwhere it works there is felt to be no needfor new mechanisms.

Whether or not they felt new procedures are nec-essary, most Private Sector representatives believethat existing communication mechanisms aredefective to some degree, or at least inconsistent.Many feel that IAIP has not sufficiently focusedon the interoperability/interdependence of criticalinfrastructure elements, and instead has becometoo organized by sector “stovepipes.” Informationmust flow in the most effective and efficient man-ner. How that task is accomplished is ultimatelyDHS’ job, but the current organization isduplicative and confusing. In the telecommuni-cations sector, for example, the Network Design& Analysis Capability is maintained by theNational Communications System, but under thecurrent interim Sector Specific Plan for thetelecommunications sector, it is unclear whetherthat data will also be maintained by IAIP’sProtective Services Division or put in theNational Asset Database.

B. Satisfaction with Existing ArrangementsOutside DHS

Many critical infrastructure sectors currently com-municate among themselves about security issuesthrough means to which the Federal Governmenthas limited access (e.g., via ISACs). The existenceof such capability creates reluctance within thosesectors to move to a Federally-operated or over-seen system (e.g., the Homeland SecurityInformation Network). It also means that sys-tems like HSIN are redundant to that extent. IfDHS hopes to encourage entities within thesesectors to switch to a Federally-sponsored or oper-ated system, it will need to explain why its systemwill serve the sector’s needs better and why theprospect of Federal access does not create a lessattractive proposition.

Businesses with many critical infrastructure sec-tors already have trusted relationships with othersector-specific agencies, FBI field offices, and State

D. General Design Considerations

The Task Force identified several other con-siderations relevant to design of a new modelfor information flow:

• As explained above, DHS needs toinclude the Private Sector in the “intel-ligence cycle” – especially the require-ments definition process – in order tobetter enable government to collectinformation for analysis and timely dis-semination that will permit it to pro-vide tailored, actionable answers toindustry’s questions.

• A means must also be created to allowgreater State, local and tribal involve-ment in filtering or analyzing data. It issimply too massive a job for, andbeyond the capabilities of, the FederalGovernment alone.

• As the amount of information goes up,the need for specialized communicationmechanisms increases.

• New mechanisms may be more appro-priate for future increases in threat levelif suicide bombing, etc., moves into theU.S.

• DHS needs to regularize processes andstrive for high level consistency inprocesses, while maintaining flexibilityin quantity and type of information.

• There needs to be a free flow in bothdirections, and among all constituen-cies, regardless of the source of data, orwho undertook the analysis.

• There is a crucial time element at play ininformation exchanges involving boththreat, indications and warning data andvulnerability data. This element spansthe spectrum between near real timetransmittal of threats from governmentat all levels and the Private Sector to

deliberative policy advice or regulatorycomments from the Private Sector whichcan take weeks or months to prepare, dis-cuss and finalize. A comprehensivemodel or vehicle for transmission of alltypes of information would need toencompass this range of data and opera-tional need.

Clearly there is much that the Private Sectorshould do as well to improve the process, and tohelp forge a meaningful two-way partnership.

E. The Need for Regular, Interactive ThreatDiscussions

DHS and critical sectors must develop a mean-ingful process to have real time, detailed discus-sions about threats. Currently, IP conducts a sin-gle classified threat briefing semiannually for thecombined electrical, energy and chemical sectors.Such briefings are somewhat instructive and arevery much appreciated. However, every sixmonths is too infrequent, and lumping three sec-tors into one briefing results in long sessionsmuch of which is not relevant to two-thirds ofattendees. Most problematic, the presentationsstill are frustratingly hypothetical, illustrative andgeneral.

We believe that IAIP’s Information AnalysisDivision would be willing to conduct a dialogueand share certain more detailed threat informationwith selected individuals in the security depart-ments of critical infrastructure companies, but amutually satisfactory vehicle for doing so must bedeveloped. The Infrastructure ProtectionDivision, as the primary interface with membersof critical sectors, should arrange such interactions(e.g., a question and answer session and discussionin some detail of the ability of terrorists to disruptthe generation and/or transmission of electricpower in the Southeastern United States).These sessions should be held more often thanevery six months, and should be held separatelyfor each sector.



20

Recommendations4. DHS should continue to develop a net-

work integrated information model forinformation flow.

• Significant work required:• DHS should employ a “hub and spoke

model” for information flows, as usedin HIN and HSOC. (M).

• Information should flow from thePrivate Sector and other governmentsources to the DHS hub for analyses,and then be distributed back to thePrivate Sector on a targeted basis. (M)

• DHS needs Private Sector input andpresence at the hub. (M/A)

• As a national priority, build a resilient/surviv-able Homeland Security Operations Center(HSOC) and Homeland Security InformationNetwork (HSIN). (M)

• In their current condition, both are singlepoints of DHS operational failure – anunacceptable circumstance.

• Leverage the unparalleled success of, andinvest in expanding, HSIN-CriticalInfrastructure (CI). (M)

• HSIN-CI is a trusted and provenmodel for effectively gathering andsharing information.

• Statewide intelligence/information fusioncenters should be integrated into nationalinformation sharing efforts. (M/A)

• DHS should hold regular collaborative ses-sions (start monthly) with each Private Sectorcoordinating organization (e.g., SCCs,ISACs). (M)

• DHS should hold regular, detailed threatbriefings with each sector.

• Representatives of IA and IP should meetwith selected individuals in the securitydepartments of critical infrastructurecompanies. (M)

• The sessions should be held more often thanevery six months, and should be held sepa-rately for each sector. (M)

• They should involve more specific infor-mation than is currently presented in clas-sified sector briefings. (M)

• They should be oriented less toward pres-entation and more toward dialogue.(M/A)



21

The second part of this report analyzes the legaland related issues that the Task Force identifiedas impeding better information sharingbetween government and critical infrastructureentities. In many cases, it will be difficult orimpossible to make significant progress on thepreceding recommendations until these obsta-cles can be overcome.

I. Regarding Private Sector Representatives asPartners

As noted earlier, many within DHS comefrom intelligence, military, or law enforce-ment backgrounds where they have had littleregular, official contact with the PrivateSector. By contrast, most other sector-specificagencies engage continually with PrivateSector and other non-governmental stake-holders through rulemaking, permitting andother interactive processes. Because of theirbackground, these DHS personnel often arenot accustomed to viewing critical infrastruc-ture owners and operators as real partners orcustomers. This has effects at two levels:

• At the level of policy implementation. Asan example, on occasion DHS staff hasnot provided advance notice to corpo-rate headquarters of a planned visit to acorporate facility. This has causeddelay, as the facility awaits directionfrom headquarters, and may haveengendered resentment or distrust.

• At the level of policy formulation. DHSstaff may not consult with companies(or their trade associations) in the devel-opment of a policy that affects them. Asa result, the policy is likely to be lesseffective and potentially even counter-productive. This point is particularlysignificant, because a small amount ofup-front consultation may avert a greatdeal of delay and confusion later.

The lack of Private Sector involvement at bothlevels plays a large and ongoing role in all theother legal issues discussed in this part of thereport. Building trust by recognizing PrivateSector representatives as partners, and consult-ing with them early on and throughout thepolicy formulation process, would allow thoseentities to point out problems and concernsand to suggest workable solutions.Conversely, leaving them out of the processmeans that DHS may have to reverse courseor undo earlier decisions, as it has had to do inthe creation of the National InfrastructureProtection Plan. DHS’s Office of PrivateSector Liaison has been very helpful at undo-ing these kinds of problems, but an effectivestrategy of partnership to prevent them mustbe a Department-wide effort.

II. Liability Concerns

More than anything else, the issue that mostaffects private entities’ willingness to share sen-sitive information with the FederalGovernment is the concern that this informa-tion will somehow be used against them insome subsequent governmental enforcementcase or private civil action.

• Enforcement. Companies fear that infor-mation provided to DHS may some-how, whether advertently or inadvertent-ly, be obtained by some other govern-mental agency that may use the infor-mation for enforcement of other, non-security-related laws or rules. EPA andOSHA are most commonly mentionedin this connection, but any Federalagency that has oversight over any criti-cal sector (Treasury, FCC, DOE) ispotentially a source of concern, as areforeign, State and local governments. Itwas not generally clear to the Task Forcehow information of the sort sought byDHS might indicate noncompliancewith some other laws or rules, but thisfear is quite widespread, strong, and pos-sibly growing.

PART TWO: REQUIRED CHANGES TO LAWS, RULES & POLICIES



22

• Litigation. Companies similarly fearthat information provided to DHS maycome into the hands of private litigants– whether injured parties or sharehold-ers -- who might use it against the com-pany in the event that a terrorist attackdoes occur (or in other circumstances).Companies are concerned that vulnera-bility assessments or security plans maybe used to show knowledge of a risk andlack of due care in response to it. Ofcourse, the conduct of a vulnerabilityassessment, and implementation of secu-rity measures, can also be probative ofdue care, whereas the failure to takeeither step may show lack of the same.Nonetheless, many businesses feel thatthe likelihood of such informationbecoming available to and being used byadverse litigants is increased by sharing itwith the government.

To some degree, these anxieties appear to bebased on misunderstanding of existing law andprocedure, and will be reduced when peopleunderstand how those laws and procedures actu-ally work.

On the other hand, these fears cannot be com-pletely assuaged by anything DHS does, for tworeasons:

• Legal uncertainty. Part of companies’concern is the inherent uncertainty thatattaches to any legal rule – one neverknows for sure how a court will inter-pret it. This is particularly true withmany legal authorities in the homelandsecurity field, which are new and untest-ed in court.

• “Falling through the cracks”. People arealso afraid that, even if applicable laws,rules and policies on their face wouldnot allow information to be released toanother agency or a potential litigant,mistakes may occur that have this result.These concerns grow when DHS is able

to share information with foreign, Stateor local governments, since the questionvery logically then includes the adequacyof those entities’ information securityand protection capabilities.

These anxieties are heightened by the fact thatbills are regularly introduced to weaken existingprotections (e.g., OPEN Government Act,Restore FOIA Act), even in the face of knownthreats of enemy exploitation of publicly avail-able information and growing vulnerabilities ofinformation systems and networks.

As a general matter, DHS should always consid-er, address as necessary, and explain to potentialsubmitters of information how it has addressed,the prospect of disclosure by any potentialmeans. These include:

∑ • FOIA requests from public to DHS,∑ • access by other Federal agencies (and for

what purposes),∑ • FOIA requests to those other agencies,∑ • access by foreign, State and local govern-

ments (and for what purposes),∑ • FOIA-like requests to those other

governments,∑ • civil discovery against any of the foregoing,∑ • criminal investigations (Federal or State).

In particular, the Critical InfrastructureInformation Act (CIIA) provides that informa-tion submitted pursuant to it may be used byFederal employees, and State and local govern-ment agencies, only “for the purpose of protect-ing critical infrastructure or protected systems,or in furtherance of an investigation or the pros-ecution of a criminal act.”24 While that last pro-viso will concern some, this language should pre-vent a Federal agency using this information topursue a civil enforcement action based on otherlaws. DHS should (a) maximize the opportuni-ties for information to be submitted pursuant tothat act, (b) should ensure that other agenciesand governments afforded access to this informa-tion abide by this restriction, and (c) publicizethe restriction and DHS’s commitment to honoringand enforcing it.

24Id. § 133(a)(1)(D), (E).



23



24

It would also be helpful if DHS would publiclycommit to following CIIA submitters’ instruc-tions regarding limitations on use and dissemi-nation of information. DHS should not bydefault incorporate submitted information intomajor databases accessible to anyone withinDHS.

III. Implementing the Critical InfrastructureInformation Act

The Critical Infrastructure Information Act isa powerful law that offers unparalleled protec-tions to private information submitters. Inessence, it allows private owners and operatorsof critical infrastructure, or organizations rep-resenting them, to voluntarily submit informa-tion to DHS regarding threats, vulnerabilitiesand protective measures (critical infrastructureinformation, or CII), with assurances that theinformation will be protected from public dis-closure. To promote integrated protection ofcritical assets, the law allows DHS to share thisinformation with State and local governmentsfor such purposes without fear that these othergovernments might have to disclose it. Toprotect this information, the law:

∑ • Effectively codifies the Critical Massdecision nationwide,25

∑ • Preempts state open records laws,26

∑ • Blocks use by the government of protectedinformation in civil litigation, and27

∑ • Creates criminal penalties for Federalemployees who knowingly disclose pro-tected information.28

Besides classification, no other federal programoffers such protections. Yet the law is not widelyunderstood, and is regarded suspiciously by some

25Critical Mass holds that where information is voluntarily supplied to an agency, the only question the agency need ask, indeciding whether the information is protected as confidential business information under FOIA, is whether the information is“of a kind that would customarily not be released to the public by the person from whom it was obtained.” Critical MassEnergy Project v. NRC, 975 F.2d 871, 879 (D.C. Cir. 1992)(en banc). Critical Mass is only binding in the D.C. Circuit, whereasthe CIIA applies nationwide.

266 U.S.C.§ 133(a)(1)(E).27Id. § 133(a)(1)(C).28Id. § 133(f ).29Id. § 133(e)(1).3069 Fed. Reg. 8074 (Feb. 20, 2004).

for various reasons. One of these reasons is thatthe statute has not yet been tested in court.DHS obviously cannot do anything about thatnow. DHS can, however, do something abouthow the statute has been implemented, which isnot as Congress intended – a point noted in aMay 25 letter to Secretary Chertoff from TomDavis, Chair of the House Committee onGovernment Reform. Three problems havedogged the CIIA’s implementation: it has beenslow, it has not been well-coordinated, and it hasembodied narrow legal interpretations.

1. Slow pace of implementation

The process of implementing the CIIA hasbeen frustratingly slow. The statute merelyrequired DHS to issue “procedures” within 90days of enactment, or by February 23, 2003.Nor did the statute condition its effectivenessupon issuance of those procedures. DHSinstead chose to proceed through notice andcomment rulemaking, a process that took overa year. An “interim” rule was not publisheduntil February 2004. DHS sought commentsat that time on an eventual final rule.

The rule described a phased rollout:∑ • Phase I: information would be shared only

within IAIP∑ • Phase II: information would be shared else-

where within DHS∑ • Phase III: information would be shared

with other Federal agencies and, pursuantto memoranda of agreement, with State andlocal governments

The rules provided initially for submission onlyon paper or other tangible media, but prom-ised eventually to allow electronic submission.

2. Poor coordination within DHS

The slow pace of CIIA implementation hasbeen compounded by a consistent lack of coor-dination among the various components ofDHS. At least initially, these components didnot understand the relationship of the CIIAand other information protection regimes. Forexample, the preambles to the CIIA rule andthe sensitive security information (SSI) rulesissued by TSA and DOT both made erroneousstatements about the other rules.34

Implementation of the CIIA has not been well-coordinated even within IAIP. There is as yetno intake capability for CII among the threemajor programs within IAIP’s ProtectiveSecurity Division: its Protective SecurityAdvisors, its Buffer Zone Protection Plan(BZPP), or its RAMCAP program. It wouldbe quicker and administratively simpler forfacilities who want to do so to submit informa-tion in the field, directly to their PSAs or tovisiting PSD staff administering the BZPP orRAMCAP programs. Instead, they still have tosubmit paper copies to IAIP’s central “PCIIProgram Office,” and then all concerned mustwait for that office to validate and forward it tothe intended recipients.

3. Narrow legal interpretations

The third difficulty with implementation of theCIIA has been a series of conservative legaldecisions by DHS:

∑ • No indirect submissions. Most frustrating tocritical infrastructure sectors whose sectorspecific agencies are not DHS, the CIIArule does not allow “indirect” submissionvia agencies besides DHS. So, for example,financial institutions cannot submit CII tothe Treasury Department, but must instead

Almost 18 months later, DHS has apparentlymade little progress. (DHS claims to be con-strained in describing the full state of currentimplementation due to the pendency of a finalrule, a position the Task Force does not under-stand.) It is unclear to what extent DHS hasallowed sharing of CII beyond IAIP but withinDHS. There is no evidence, however, thatDHS has rolled the program out to otherFederal agencies. This been a problem for sec-tors whose sector specific agency is not DHS(e.g., electricity, whose sector specific agency isDOE).

Nor is there any evidence that DHS has rolledthe program out to State or local governments,even though DHS has had a model MOA sinceFebruary 2004.31 This has led to problems inseveral States. For example, the New YorkState Office of Homeland Security has beentrying to establish a mechanism whereby it canget access to vulnerability information to besubmitted by facilities to DHS under DHS’sRisk Analysis and Management for CriticalAsset Protection (RAMCAP) program,32 butdoes not yet have an approved MOA with IAIPeven though it submitted the paperwork sixmonths ago. Similarly, critical infrastructurebusinesses in California have been seekingenactment of a state counterpart to the CIIA sothat they can confidently share security infor-mation with that State’s Office of HomelandSecurity, since the State has apparently beenunable to conclude an MOA with DHS.Maryland’s Emergency Management Agencyshares the same frustration.

Finally, DHS appears still not to be acceptingCII electronically, even though the ISAC andHSIN mechanisms it has promoted with criti-cal sectors for sharing of threat and incidentdata are all electronic systems.33

31It is an appendix to the DHS PCII PROCEDURES MANUAL (Feb. 17, 2004).32RAMCAP stands for “Risk Analysis and Management for Critical Asset Protection.”33The one exception to this statement is that DHS provides PCII protection for information that the telecommunications indus-try has been submitting electronically for years to the National Communications System.

34The CIIA preamble stated that SSI, unlike CII, “ordinarily will not be voluntarily submitted,” see 69 Fed. Reg. 8076, which isincorrect, since much information is submitted voluntarily to the Coast Guard as SSI by facilities regulated under theMaritime Transportation Security Act either directly or indirectly (because they are located in regulated ports). Similarly, thepreamble to the SSI rules asserted that the CIIA “generally prohibits disclosure of properly designated CII outside the FederalGovernment,” see 69 Fed. Reg. 28069, which is also wrong since, as noted above, the CIIA explicitly anticipates CII beingprovided to state and local governments.



25

35U.S.C § 552(b)(4).36These include “vulnerability assessments . . . directed, created, held, funded, or approved by the DOT [or] DHS, or that willbe provided to DOT or DHS in support of a Federal security program,” 49 C.F.R. §§ 15.5(b)(5), 1520.5(b)(5), and “any informa-tion held by the Federal government concerning threats against transportation or transportation systems and sources andmethods used to gather or develop threat information, including threats against cyber infrastructure,” id. §§ 15.5(b)(7),1520.5(b)(7).375 U.S.C § 552(b)(7)(F).38See Attachment C at 11-16.39See 6 U.S.C. § 122(c) (stating that the Secretary of Homeland Security “shall be deemed to be a Federal law enforcement . . . official”).

∑ send it to DHS, which is then supposed tosend it to Treasury (except that such intera-gency sharing is not yet occurring to theTask Force’s knowledge).

∑ • “PCII.” The CIIA rule invented the con-cept of “protected critical infrastructureinformation” or “PCII” – a phrase not inthe statute. This concept only confusesthings, in the Task Force’s view, becausenow there can be “critical infrastructureinformation" that is not protected by theCIIA. (It would be simpler to concludethat information not meeting the definitionof CII is not CII.)

∑ • Validation of all CII claims. The CIIA rulerequires DHS to review and “validate” allsubmitted CII. This approach is in contrastto the way Federal agencies have imple-mented the closely analogous FOIA exclu-sion for “trade secrets and commercial orfinancial information [that is] privileged orconfidential” – a.k.a. “confidential businessinformation” or CBI.35 Under that practice,agencies simply note a CBI claim and treatthe information accordingly, but do notevaluate the merits of the claim unless anduntil someone submits a FOIA request forthat information. Validating every CIIclaim up front could become an administra-tive problem if the program ever gets busy.

∑ • No “class validations.” The CIIA rules donot provide for (although they do notexclude) the notion that particular cate-gories of information could be deemed, inadvance of submission, to be CII. This ispeculiar, because the TSA/DOT rulesregarding “sensitive security information”establish several ‘categorical inclusions’ – ifinformation falls into one of these cate-gories, it is automatically SSI.36 The conceptof class determinations regarding the appli-cability of FOIA exclusions (e.g., CBI) isalso well-established at agencies like EPA.

The last issue is particularly problematic forSector Coordinating Councils (SCCs), ISACsand similar bodies that represent critical infra-structure sectors. DHS has thus far beenunwilling to determine up-front that all orsome of the information supplied by such enti-ties to DHS is CII. This refusal is frustratingbecause protecting such sharing is exactly whatthe CIIA was intended to facilitate. (SeveralTask Force members were closely involved inCongressional consideration of the CIIA andits predecessor bills over the course of severalyears.) There is no evidence that DHS hasconsidered what proportion of SCC communi-cations to DHS would qualify as CII, orwhether their charters could be amended toclarify when their communications to DHSwould be considered CII.

∑IV. DHS’s Caution, Lack of Clarity

Regarding Other Freedom of InformationAct Exemptions

Outside the CIIA, DHS has also not takenclear, firm positions on applicability of otherFOIA exemptions to information that privatecritical infrastructure entities might submit toDHS. Most prominent among these are the(b)(4) exemption for CBI and the (b)(7)exemption for law enforcement informationthe release of which “could reasonably beexpected to endanger the life or physical safetyof any individual.”37 Both of these exemptionswould seem to be broadly applicable to securityinformation submitted by private entities andpotentially strongly defensible.38 For example,the (b)(7) exemption could be sweepinglyapplied if all of DHS were a “law enforcement”agency, which is a reasonable interpretation ofan obscure provision of the Homeland SecurityAct.39 Notably, when the FBI ran the NationalInfrastructure Protection Center (NIPC), ittook the position that information submittedto it via ISACs would be protected from



26



27

release by both of these exemptions. The TaskForce is not aware of any statement by DHSregarding how ISAC data is protected fromrelease now that the NIPC has become theNational Infrastructure Coordination Centerand is housed within IAIP.

DHS has not reached out to the Private Sector— or the public — for comment on these veryimportant questions. Rather, its decisionprocess is opaque and apparently closely-held.Moreover, the positions that DHS componentsor staff do communicate on these issues seemto be ad hoc and uncoordinated. This lack ofclarity regarding what need not be disclosedappears to have led to unfortunate disclosuresof private information that need not have beendisclosed. All the foregoing undermines theconfidence of the Private Sector in DHS’s judg-ment and its willingness and ability to addressand resolve issues regarding nondisclosureunder FOIA. These questions are not simpleones, but they are too important not to answer.

DHS, in consultation with the Department ofJustice, should adopt broad, Department-widepositions regarding applicability of (b)(4) and(b)(7)(F) exclusions (at least). DHS (andDOJ) should state their intent to assert thesepositions aggressively so as to effectuate thepurposes of the Homeland Security Act. DHSshould train and test its personnel on theseinterpretations.

V. Federal Advisory Committee Act Issues

Virtually all critical sector interaction with DHSis slowed down and complicated by DHS staffconcerns about compliance with the FederalAdvisory Committee Act (FACA). FACArequires that “advisory committees . . . establishedor utilized” by a Federal agency must meet inopen session, after prior notice in the FederalRegister, and must make associated written mate-rials public unless a FOIA exemption (other thanthe deliberative privilege exemption) applies.40

Like FOIA, FACA serves important and long-standing open government goals, and should notbe evaded. On the other hand, neither should itimpede vital communication between DHS andcritical sectors of information that should not bemade public. This is particularly problematic inthe case of Sector Coordinating Councils, but thesame problem arises with ISACs or any other sec-tor-representative group with which DHS wantsto consult or otherwise exchange information.

As discussed below, DHS has ample reason totake the position that SCCs, ISACs and similarbodies are exempt from FACA. Alternatively,or additionally, it has at least three means forexempting them from FACA. DHS shouldnot, however, adopt FACA “work arounds” thattreat these entities as subgroups of advisorycommittees, or that regard members of theseentities as independent actors. These points areexplained below.

1. Non-Federal critical infrastructure coordina-tion entities are not advisory councils

There are at least two reasons why non-Federalcritical infrastructure coordination entities arenot advisory councils within the meaning ofFACA – they are not “utilized” by DHS orother Federal agencies, and their activities are“primarily operational.” Each is discussedbelow.

a. SCCs and ISACs are not “utilized” by thegovernment

A group including Private Sector representativesis an “advisory committee” subject to FACAonly if it is “established or utilized” by a Federalagency.41 SCCs, ISACs and similar bodies havebeen established by private entities, and so arenot subject to FACA on that basis. But neithershould they be subject to it on the theory thatthey are “utilized” by DHS or other sectorspecific agencies. The leading Supreme Courtdecision on this issue recognized that theExecutive Branch “utilizes . . . in one commonsense of the term” an American Bar Associationcommittee for evaluating potential Federaljudges.42 However, the Court concluded that

405 U.S.C. App. 2, §§ 3(2), 10.41Id. § 3(2)(C).42Public Citizen v. U.S. Dept. of Justice, 491 U.S. 440, 452 (1989).



28

Congress intended this term only to reach enti-ties that are “utilized . . . in the same manner asa Government-formed advisory committee,”and are “the offspring of some organizationcreated or permeated by the FederalGovernment.”43 The Court noted three factorsas particularly relevant in this determination:whether an entity was forme privately, ratherthan at the government's prompting, whether itreceives Federal funds, and whether it is“amenable to . . . strict management by agencyofficials” along the lines imposed by an earlierExecutive Order regarding advisory committees.44

Interpreting this decision, the D.C. Circuit hasfocused on the last of those three factors, declar-ing that “utilized . . . is a stringent standard,denoting something along the lines of actualmanagement or control of the advisory commit-tee,” and only “encompass[ing] a group soclosely tied to an agency as to be amenable tostrict management by agency officials.”45 Evenwhere government officials sit on a body andhence influence it, the D.C. Circuit noted,“influence is not control.”46 District courtsemploying this demanding standard have regu-larly and recently found FACA inapplicable to awide variety of private groups.47

SCCs and ISACs generally have been formedprivately; indeed, many ISACs predate DHS.Most do not receive any Federal funding. Butmost important, neither DHS nor other sectorspecific agencies strictly manage or control theseprivate critical infrastructure sector entities.While the specific facts of each group differ,these bodies determine their own memberships,set their own agendas, and decide what recom-mendations or other information they will orwill not provide the Federal Government.Indeed, many of these bodies are spiritedlyindependent of DHS, to DHS’s frustration insome cases. The Task Force is not aware of anySCC, ISAC or similar group that is controlledby DHS or any other Federal agency.

In conclusion, the D.C. Circuit has observedthat “the government has a good deal of controlover whether a group constitutes a FACA advi-sory committee .... [I]t is a rare case when acourt holds that a particular group is a FACAadvisory committee over the objection of theexecutive branch."48 The Task Force emphaticallybelieves that this is not one of those rare cases.

b. SCCs’ and ISACs’ functions are “primarilyoperational”

43Id. at 463-64 (quoting H.R. Rep. No. 91-1731, at 9-10 (1970)).44Id. at 457-58.45Washington Legal Foundation v. U.S. Sentencing Comm’n, 17 F.3d 1446, 1450-51 (D.C. Cir. 1994) (internal citations andquotations omitted).

46Id. at 1451.47See, e.g., Washington Toxics Coalition v. EPA, 357 F. Supp. 2d 1266, 1273-74 (W.D. Wash. 2004) (task force composed ofrepresentatives of pesticide manufacturers not covered by FACA, even though EPA consulted with it on test methods fordeveloping data and used data compiled by it to determine whether pesticides may be registered); Physicians Committee forResponsible Medicine v. Horinko, 285 F. Supp. 2d 430, 445-46 (S.D.N.Y. 2003) (trade association and environmental groupcollaborating with EPA to design high production volume chemical testing program not subject to FACA; no evidence thatEPA “was the driving force behind . . . meetings or that it exerted any control over who attended and what was discussed”);American Soc. of Dermatology v. Shalala, 962 F. Supp. 141, 147 (D.D.C. 1996) (although HHS sent an observer to each meet-ing of one American Medical Association group and had a panel position on the other, the AMA groups were run by the AMA,which appointed their members, provided staff, set the agenda, recorded the minutes, and maintained records), aff'd mem.116 F.3d 941 (D.C. Cir. 1997); Huron Env’tl Activist League v. EPA, 917 F. Supp. 34, 40 (D.D.C. 1996) (even though EPA deter-mined the schedule for a group’s meetings and made other logistical arrangements for them, provided the meeting rooms,and spent public funds to retain a consultant to attend and assist with the meetings, “[n]othing in this case suggests thatthe working group is subject to actual management or control by the EPA, or that the industry representatives are so closelytied to the executive branch of the government as to render it a functionary thereof”).

48Association of Am. Physicians & Surgeons, Inc. v. Clinton, 997 F.2d 898, 914 (D.C.Cir.1993).



29

∑ • “consult[ing] with [IAIP] to ensure appro-priate exchanges of information, includinglaw enforcement-related information, relat-ing to threats of terrorism against the UnitedStates”;56

∑ • providing “additional information . . . relat-ing to threats of terrorism”; and57

∑ • “coordinat[ing] with elements of the intelli-gence community and with Federal, Stateand local law enforcement agencies . . . asappropriate.”58

The operational partnership spelled out in theAct has been implemented by the President viaHomeland Security Presidential Directive/HSPD-7. That document instructs the Secretaryof DHS to “coordinate protection activities for[listed] critical infrastructure sectors.”59 HSPD-7also requires DHS and other sector specific agen-cies generally to “collaborate with appropriatePrivate Sector entities . . . .”60 In particular, itrequires them to “continue to encourage thedevelopment of information sharing and analysismechanisms,” and “to continue to support sectorcoordinating mechanisms,” whose functions itspecifies as “(a) to identify, prioritize, and coordi-nate the protection of critical infrastructure andkey resources; and (b) to facilitate sharing ofinformation about physical and cyber threats,vulnerabilities, incidents, potential protectivemeasures, and best practices.”61

The General Services Administration’s rulesimplementing FACA provide that entitieswhose functions are “primarily operational”rather than “advisory” are exempt from FACA.49

The rules define “operational functions” as“those specifically provided by law, such as mak-ing or implementing Government decisions orpolicy.”50 The Homeland Security Act (HSA orthe Act) specifies a long list of functions for theUnder Secretary of Information Analysis andInfrastructure Protection (IAIP), and that listrepeatedly establishes roles for “Private Sectorentities” – as opposed to “the public” -- to play.Under the Act, these entities have distinct rolesin:

∑ • providing “intelligence . . . and other infor-mation” for analysis;51

∑ • taking “protective and support measures”52; ∑ • “in cooperation with” IAIP,

“recommend[ing] measures necessary to pro-tect the key resources and critical infrastruc-ture of the United States”;53

∑ • receiving “warning information, and adviceabout appropriate protective measures andcountermeasures,” as part of the HomelandSecurity Advisory System;54

∑ • receiving “information analyzed by theDepartment . . . in order to assist in thedeterrence, prevention, preemption of, orresponse to, terrorist attacks against theUnited States”;55

4941 C.F.R. § 102-3.40(k).50Id.51See 6 U.S.C. § 121(d)(1).52Id. § 121(d)(3).53Id. § 121(d)(6).54Id. § 121(d)(7)(B).55Id. § 121(d)(9).56Id. § 121(d)(11).57Id. § 121(d)(13).58Id. § 121(d)(17).59Homeland Security Presidential Directive/HSPD-7, § 15 (Dec. 17, 2003).60Id. § 25.61Id.

Disclosing this sort of information would defeatthe purpose of those communications by givingour nation’s enemies information they could useto most effectively attack a particular infrastruc-ture and cause cascading consequences acrossmultiple infrastructures.

In coordination with the FACA CommitteeManagement Secretariat, managed by GSA,DHS should officially determine that SCCs,ISACs and similar bodies exercising functionsunder the HSA provisions referenced above arenot advisory committees under FACA.

Alternatively, or in addition, DHS should also actto exempt SCCs, ISACs and similar bodies fromFACA. It could do so in any of three ways, listedbelow in rough order of preference from the TaskForce’s perspective.

2. “Communications of critical infrastructureinformation.”

Subtitle II of the HSA has two subtitles. SubtitleA, just discussed, describes the functions of theIAIP Directorate and the roles of the PrivateSector in those functions. Subtitle B is the CIIA– demonstrating the important linkage betweenthe roles of critical sectors and the CIIA as ameans of effectuating those roles. The CIIAincludes a FACA exemption intended to enable“information sharing and analysis organizations”(not necessarily “ISACs”) to share “critical infra-structure information” with DHS.65 This exemp-tion was enacted precisely to enable the coordina-tion purposes of Subtitle A. Moreover, theexemption is analogous in function to a compa-rable FACA exemption in the MaritimeTransportation Security Act, currently being usedby the Coast Guard to allow it to interact confi-dentially with Area (i.e., port) Maritime SecurityCommittees.66

62See 41 C.F.R. § 102-3.25. 63Washington Toxics Coalition v. EPA, 357 F. Supp. at 1274.64Cf. 5 U.S.C. App. 2, § 5(b)(2) (requiring advisory committees to be “fairly balanced in terms of the points of viewrepresented and the functions to be performed by the advisory committee”).

65See 6 U.S.C. § 133(b)(“No communication of critical infrastructure information to [DHS] made pursuant to [the CIIA] shall beconsidered to be an action subject to the requirements of [FACA].”).

6646 U.S.C. § 70112(g)(1)(B)). This exemption references those committees, rather than referring to the type of informationbeing communicated, as the CIIA FACA exemption does. This difference is not significant, however. The MTSA references theprecise entities to which it applies because the MTSA also created those entities. By contrast, when the CIIA was enacted(in 2002, as part of the Homeland Security Act), it was unclear – as it remains today -- exactly what entities would be serv-ing as representatives of critical infrastructure sectors. The CIIA exemption permits the diversity of approaches sought by thevarious sectors by focusing on type of information being communicated, rather than on name of the entity doing it.

Based on the foregoing, DHS has ample basis to,and should, take the position that SCCs, ISACsand similar bodies are primarily operational innature. The Homeland Security Act and HSPD-7 have clearly established a range of functionsthat private critical infrastructure sectors areintended to serve, in cooperation with DHS andother agencies. These functions are not primarilyabout providing DHS or the President withbroad “advice or recommendations on issues orpolicies” – to quote the FACA regulations.62 Asdiscussed above, some of these bodies may alsoserve broader policy functions, but that functionshould be seen as secondary to fulfilling theirstatutory roles. Moreover, as one court has justnoted, “[a]s long as a committee is not a Federaladvisory committee under the legal standarddelineated [by the Supreme Court], the Courtdoes not find anything in the statute to indicatethat Federal agencies may not consult with suchcommittees regarding policy issues without sub-jecting those committees to FACA regulations.”63

SCCs and ISACs are certainly not intended to bestakeholder bodies in the way that advisory com-mittees are generally understood to be, and thetouchstone for their constitution is representa-tiveness or inclusion, not “balance.”64

Fundamentally, the challenge of ensuring theresilient/reliable operation of critical infrastruc-ture is unique, as it requires close communicationand coordination between critical private sectorentities and the Federal agencies charged withregulating them. Those communications, more-over, must remain non-public in order for thosefunctions to be served. As specified in statute,these communications are to involve intelligenceand law enforcement information, and are toserve warning, preventive and protective func-tions.



30

The statutory definition of “CII” is quite broad,and encompasses the topics covered in HSASubtitle A and HSPD-7, and of greatest impor-tance to critical sectors and DHS.67 Therefore,DHS can and should rely on the CIIA’s exemp-tion to free SCCs and ISACs from FACA provi-sions. This approach has the virtue of simultane-ously solving both of the problems created byFACA: open meetings and public disclosure ofdocuments.

The Task Force understands that some withinDHS are concerned that its “PCII” rules andprocedures now make it administratively compli-cated to rely on this exemption. In response, theTask Force notes first that the exemption is writ-ten in terms of “communications” of CII ratherthan “submissions,” a word used elsewhere inthat section of the Act, suggesting that Congressintended the FACA exemption to operate asbroadly as possible and not to be constrained bywhatever procedures DHS developed to imple-ment that section.68 The Task Force also notesthat the section only called for “procedures,” notregulations, and that Congress may not haveintended the complex submission and validationprocess established by current rules.69 Finally, theTask Force contends that, if this is a problem, theright solution is to go back and amend those rules.

67The full definition is “information not customarily in the public domain and related to the security of critical infrastructure orprotected systems--

(A) actual, potential, or threatened interference with, attack on, compromise of, or incapacitation of critical infrastructure orprotected systems by either physical or computer-based attack or other similar conduct (including the misuse of or unau-thorized access to all types of communications and data transmission systems) that violates Federal, State, or local law,harms interstate commerce of the United States, or threatens public health or safety;(B) the ability of any critical infrastructure or protected system to resist such interference, compromise, or incapacitation,including any planned or past assessment, projection, or estimate of the vulnerability of critical infrastructure or a protect-ed system, including security testing, risk evaluation thereto, risk management planning, or risk audit; or(C) any planned or past operational problem or solution regarding critical infrastructure or protected systems, includingrepair, recovery, reconstruction, insurance, or continuity, to the extent it is related to such interference, compromise, orincapacitation.”

6 U.S.C. § 131(3). “Protected system--(A) means any service, physical or computer-based system, process, or procedure that directly or indirectly affects theviability of a facility of critical infrastructure; and(B) includes any physical or computer-based system, including a computer, computer system, computer or communicationsnetwork, or any component hardware or element thereof, software program, processing instructions, or information ordata in transmission or storage therein, irrespective of the medium of transmission or storage.”

Id. § 131(6).68Compare id. § 133(a) (information “submitted”) with § 133(b) (“communication” of information).69See id. § 133(e)(1).706 U.S.C. § 451(a). The Secretary must publish a notice in the Federal Register announcing the establishment of thecommittee and identifying its purpose and membership. Id.

71See 5 U.S.C. App. 2, § 14(a)(1).726 U.S.C. § 451(b).

3. Generic FACA Exemption

Section 871 of the Homeland Security Act pro-vides simply and generically that the Secretary ofDHS may establish and use the services of advi-sory committees, and may exempt such commit-tees from FACA.70 Consistent with the defaultrule established by FACA,71 such committeesexpire by law after two years, but the Secretarymay extend their existence in additional two-yearincrements indefinitely.72 This approach wouldhave the advantage that it would not be based onthe substance of the communications involved.The Task Force understands that this exemptionauthority has never been exercised, apparentlydue to some sort of understanding betweenCongress and the Administration, struck at thetime the law was enacted, that it would only beused in extraordinary cases, if at all. The TaskForce believes any such understanding should berenegotiated or abrogated and that DHS shoulduse the discretion it has under this provision totake such actions as it reasonably deems necessaryand appropriate to protect and ensure theresilient operation of the Nation’s critical infra-structure and key resources.



31

antitrust violations), be noticed in theFederal Register and be transcribedverbatim.78 Implementation of plans andagreements must be rigorously overseen byDOJ and the FTC, with documents madepublic unless certain FOIA exemptionsapply.79 The DPA approach may be the leastpreferable option for this reason.

5. DHS should not devise “work arounds”

Instead of determining that FACA does not applyto critical sector organizations under HSPD-7, oravailing itself of any of the three exemptionoptions discussed above, DHS is instead pursuingtwo other, ill-advised approaches.

The Interim National Infrastructure ProtectionPlan (NIPP) envisions the dozen or so SCCscommunicating with a “NIPP LeadershipCouncil” made up of various Federal entities.DHS’s current FACA “work around” is proposinga “Sector Partnership Model” under which theNIPP Leadership Council would become a FACAadvisory committee, and the SCCs would betreated as subgroups of that committee. Thiswould allow SCC meetings to be exempted fromFACA on the basis of judicial decisions holdingthat, while advisory committees must complywith FACA, subgroups of advisory committees donot need to do so.80 DHS’s InfrastructureProtection Division has requested the NationalInfrastructure Advisory Council (NIAC) – a bodywhose Designated Federal Officer is a DHSEmployee — to evaluate an interim approachunder which the NIAC would serve as this FACAbody, and the various SCCs would be “studygroups” of the NIAC. This is a bad idea for sev-eral reasons:

4. Defense Production Act

The third way to provide SCCs and similar enti-ties with a FACA exemption is through theDefense Production Act of 1950 (DPA). TheDPA was enacted to enable the FederalGovernment and industry representatives tojointly develop preparedness programs to assurethe availability of capacity and supply ofresources and products critical to national defenseat levels beyond those required by civiliandemand.73 The DPA creates a process wherebymembers of an industry sector and designatedgovernment officials may establish a “voluntaryagreement,” which can then be implemented bya “plan of action.”74 The DPA further providesthat activities conducted under a voluntary agree-ment or plan of action are exempt from FACAwhen conducted in compliance with the DPA, itsimplementing rules, and the provisions of theagreement or plan.75 The CIIA provides that thePresident or the Secretary of DHS may designatea component of DHS as a “critical infrastructureprotection program,”76 and that the Presidentmay delegate to that program the authority toenter, along with representatives of the PrivateSector, into a voluntary agreement or plan ofaction, as those terms are defined under theDPA.77

The DPA establishes elaborate proceduralrequirements for the establishment of theseagreements and plans, as well as for meetingsassociated with carrying them out. Theserequirements are highly burdensome. Forexample, the meetings to establish a volun-tary agreement must be attended by repre-sentatives of the Department of Justice andthe Federal Trade Commission (to avoid

7350 U.S.C. App. § 2158(c)(1).74Id. § 2158(b)(2).75Id. § 2158(n).766 U.S.C. § 132. Section 29.4(a) of the CIIA rules designates the IAIP Directorate as responsible for directing and administering the “critical infrastructure protection program.” See 6 C.F.R. § 29.4(a); see also 68 Fed. Reg. 18524 (April 15,2003).

776 U.S.C. § 133(h). The President delegated his powers under DPA to the Secretary of DHS in Section 24 of Executive Order13286 (Feb. 28, 2003).

7850 U.S.C. App. § 2158(e).79Id. § 2158(h).80See, e.g., National Anti-Hunger Coalition v. Executive Committee of President's Private Sector Survey on Cost Control, 711F.2d 1071 (D.C. Cir. 1983).



32

generally shown a disappointing lack of coordina-tion within itself and with other agencies. Insome cases it appears to be due to simple over-sights attributable to doing too much with toolittle, or not fully establishing or understandingpriorities. In many other cases, however, the NotInvented Here Syndrome and claiming and pro-tecting turf seems like the most likely explana-tion. These problems happen at all levels.

∑ • Within DHS: Companies represented bygroup members, in various sectors, have allreported cases where a DHS contractorshowed up, without any prior notice to theplant or its corporate headquarters, to validatetheir National Asset Database data. TheScience & Technology Directorate typicallyinitiates research projects on matters that arethe purview of other directorates without anyprior consultation. A good example is a grantto the National Academy of Sciences to prior-itize research needs for the chemical sector,initiated without any consultation withchemical sector specialists at IAIP (or the sec-tor itself ).

∑ • Between DHS & other Federal agencies:Critical sector groups experienced great diffi-culty getting DHS and FBI to collaborateon defining terrorist threat reporting triggers,and agreeing on who to call and in whatorder. The FBI held three national work-shops on the triggers issue, in which DHSparticipated only after much effort. Whilethe FBI staff working on the workshopswere distilling their results, all concernedwere stunned by the release of the “TerroristThreat Reporting Guide” under the signa-tures of the FBI Director and the UnderSecretary for IAIP. Staff of both agenciesand the sector are still working to reconcilethese efforts.

∑ • As explained above, SCCs and ISACs are intend-ed by HSPD-7 to be operational bodies, servingto facilitate two-way communication betweentheir respective sectors and DHS.

∑ • SCCs and ISACs were never intended tointerface with the NIAC. These entities mustbe able to have real-time or very fast turn-around communications with DHS. Havingto communicate through the NIAC frustratesthat considerably.

∑ • Most problematic, running SCC and ISACcommunications through the NIAC meansthat these communications would, as a gener-al rule, have to be made public at the NIACsessions. To prevent release of sensitive infor-mation, therefore, these communicationswould have to be scrubbed before they offi-cially reached DHS. Such an arrangementwould substantially defeat the purpose ofSCCs and ISACs.81

DHS’s second FACA “work around” is to ask thevarious constituent companies or associationsmaking up an SCC or other critical sector bodyto respond to DHS documents or questions indi-vidually, on their own behalves, rather than pro-viding the consensus views of the sector. Whilethis approach may indeed avoid the applicationof FACA,82 it fundamentally defeats the purposeof HSPD-7 and the sector bodies it calls for,which is precisely to ensure that DHS can obtain(to the extent it exists) the views of a sector, notjust the views of individual sector members.There is little point (or efficiency, from DHS’sperspective), to creating sector bodies if DHS isgoing to studiously avoid using these bodies tocultivate and communicate a sector position.

VI. Lack of Coordination Within DHS andBetween DHS and Other Agencies

Beyond implementation of the CIIA, DHS has

81The head of the agency being advised by a FACA committee can close meetings and limit release of documents when a FOIAexemption would apply. See 5 U.S.C. App. 2, § 10(b), (d). As noted earlier, DHS has not yet taken definitive positions onwhen these exemptions would apply in the critical infrastructure context.

82GSA’s FACA regulations provide that FACA does not apply when an agency expressly does not seek the consensus views of agroup. See 41 C.F.R. § 102-3.40(e).



33

∑ • Whether the simple existence of IAIP, andthe PCII program in particular, is the basisfor these requests or expectations. That is,have staff adopted the view that, becauseIAIP has the statutory responsibility to assessvulnerabilities and security measures, there-fore it should simply ask for any and allinformation on these topics from all criticalsectors, without regard to the criticality ofthis information and DHS’s ability to under-stand and assess it?

∑ • Whether existing mechanisms for gatheringinformation, especially via State and localentities, are adequate? Wherever possible,DHS should obtain that information fromother entities that have collected it, not askthe original source to supply it again.

∑ • Given the success of the Y2K Transitioninformation sharing construct, whether DHSitself needs particular information, or can itrely on (a) other sector specific agencies or (b)the sector itself to supply either the informa-tion itself or a less sensitive version of theinformation.

VIII. Completion of SSI Rulemaking

The TSA/DOT rules regarding sensitive securityinformation (SSI)83 are proving to be very usefulin the aviation and maritime contexts. Some ofthese SSI rules apply to all transportation modes(including land modes), but others do not, report-edly due to bureaucratic issues involving OMB.This is a serious shortcoming, as it means thatsome sensitive information regarding the securityof land transportation is not being adequatelyprotected from public release. It has been over ayear since these rules were substantially revised,and these agencies should act quickly to expandthe SSI rules to reach all transportation modes.

∑ • Between DHS and State/local governments:As noted earlier, several states have com-plained about their inabilities to executeMOAs allowing them to receive CII.

Private critical sector entities spend much of theirtime introducing DHS to itself, and bringingabout coordination that should have happenedearlier. As a result, this coordination usually takesplace under great time pressures or after the fact.This lack of coordination inspires further lack ofconfidence on the part of the Private Sector.Again, the Office of Private Sector Liaison hasbeen helpful in this regard, but should not have tofix problems that could have been averted.

VII. Requirement for Clearer Justification forInformation

Frequently critical infrastructure entities receivemultiple requests from different DHS offices forthe same or similar information. The justifica-tion for these requests is not always clearly stated,and in some cases does not always sound plausi-ble to the Private Sector. Repeated requests forinformation, especially where the need for theinformation is unclear, raise concerns about howthat information will be used and how well it willbe safeguarded. In this connection, the TaskForce urges DHS to seriously consider the follow-ing questions:

∑ • What specifically does DHS intend to dowith information besides hold and share it?

∑ • Beyond implementation of the StaffordAct, will the information be used todevelop Federal response plans to miti-gate existing vulnerabilities or to pro-vide assets to remediate the conse-quences of infrastructure failures?

∑ • Whether in fact information that DHS reallyneeds is being shared, and whether the mereexistence of the PCII Program Office is cre-ating a misleading expectation that moreinformation could or should be shared.

84Id. §§ 15.13(c), 1520.13(c).



34

• Allow “class” CIIA determina-tions in advance of submittal.(R/M)

• Allow “indirect” and electronicsubmission under CIIA. (R/M))

• Roll out the CIIA program asquickly as possible to all DHSentities, to other sector-specificagencies, and to states willing toexecute memoranda of agreement(on behalf of themselves andlocal governments within thestate). (M)

• Authorize all personnel of itsInformation Analysis &Infrastructure ProtectionDirectorate who interact withcritical entities to be CIIA por-tals. (M)

• In consultation with DOJ and thePrivate Sector, adopt broad, Department-wide positions regarding the applicabilityof the confidential business informationand law enforcement sensitive exemptionsunder the Freedom of Information Act(FOIA). (M)

• Resolve questions about how the FederalAdvisory Committee Act (FACA) appliesto SCCs and ISACs.

• The ongoing PrivateSector/Government operatingrelationship is critical to an effec-tive homeland security operationand is hobbled by FACA issues.

• SCCs and ISACs are not coveredby FACA because they are not“utilized” by the ExecutiveBranch and are primarily opera-tional, rather than advisory. (M)

• If challenged, DHS should useone of three possible authoritiesto exempt SCCs and ISACs fromFACA. If this requires amend-ing the CIIA rules, DHS shoulddo so promptly. (R/M)

The only really controversial aspect of the SSI rulesis their marking requirements, which are highlyburdensome (they require a lengthy footer forevery page).84 TSA and DOT have indicated thatthey may relax this requirement in a forthcomingrulemaking. They should do so when they revisethe rules to encompass land modes. It would besufficient for the rules to require printing a warn-ing legend once on the document, and then justrequire a simple “Sensitive Security Information”header or footer on subsequent pages.

Recommendations5. DHS should promptly and decisively

revise its rules and policies for informa-tion sharing.

• Regard Private Sector critical infrastruc-ture facilities, companies and their asso-ciations as partners with legitimate inter-ests in policy formulation and implemen-tation — and as the only entities capableof implementing most policy in the sub-ject area. (A)

• Respond to Private Sector concerns aboutliability risks associated with sharingsecurity information with DHS• DHS should ensure that critical infra-

structure information is only used toprotect or ensure the operationalresilience of critical infrastructure. (R)

• Critical Infrastructure InformationAct (CIIA) regulations must besimple and broadly agreed-uponbefore they will be used. (R)

• Educate potential submittersregarding the protections afford-ed by all existing laws andpotential risks. (M)

• Fully implement the CriticalInfrastructure Information Act (CIIA):

• Do not require all CIIA submis-sions to be validated. (R)

• Declare that information submit-ted by SCCs and ISACs andmaintained on HSIN by sectorrepresentatives will be deemedCII. (R/M)

84Id. §§ 15.13(c), 1520.13(c).



35



36

• Given the above, under no cir-cumstances should DHS employFACA “work arounds” like treat-ing SCCs as subgroups of theNational Infrastructure AdvisoryCouncil or seeking only the viewsof individual companies. (M)

• DHS offices and staff should identifycoordination needs with DHS, withother federal agencies and with stateand local governments, and shouldundertake such coordination as early asnecessary, without waiting for affectedentities to initiate it. (M/A)

• DHS should determine if it needs par-ticular information to do its job, orwhether some other governmental orprivate entity is doing that job adequate-ly. DHS should not request informationbecause it can, or because it would be“nice to know,” but only where it is nec-essary to enable DHS entities to performessential functions. (M/A)

• The Sensitive Security Information(SSI) rulemaking conducted by theDHS Transportation SecurityAdministration (TSA) should encom-pass all modes of transportation. (R)



37

I. Findings

It is vital to the health and safety of theAmerican public that it receive timely, accu-rate and actionable information during timesof crisis. Erroneous information, false rumorsor exaggerated reports of the geographic, eco-nomic and human impact of an incident riskloss of life and serious adverse economic,social and national security consequences.

The government and the media, while not“partners” in the normal sense of that term,each have a responsibility during a crisis foraddressing this public interest and can, consis-tent with their independent roles in our con-stitutional system, work together to serve thepublic.

It is critical to our national interest that thegovernment and the media clearly understandtheir respective responsibilities, roles andoperational relationships in a crisis so thateach can execute its responsibilities to thepublic with full knowledge of how the otherwill behave.

The media is regarded by the public, thePrivate Sector and most elements of the pub-lic sector as their primary source of informa-tion in a crisis – and should be regarded bythe government as a reliable participant indisseminating timely, accurate and actionableinformation. Information can be as critical asfood and water to potential victims in a crisis,and the media play a central role in thehomeland security information system.

There is too little exchange of crisis informationbetween the government and the media beforean incident takes place:

• Public officials tend to regard the mediaas a potentially hostile or disruptive ele-ment in crisis communications.

• The media tend to regard public officials astrying to “hide the ball” regarding threatinformation or emergency preparednessplanning and resource allocations.

• This shared perception deprives themedia of important subject matterexpertise and relationships important toit in communicating with the publicduring an incident.

• And this shared perception diminishesthe ability of government to use themedia as effectively as it might to com-municate accurate, timely and action-able information to the public duringan incident.

Pre-incident communications are needed inorder to improve public communications in acrisis.

• News organizations need coverage plansbefore an incident so that they can getthe story right.

• News organizations need emergency plansand protective gear to protect their ownfirst responder personnel.

• News organizations need contingencyplans to continue operating if theirbroadcasting, publishing or servercapacities are damaged or destroyed.

• News organizations need ready-to-use,off-the-shelf access to scientific, emer-gency management and other expertisecritical to reporting on an incident.

• Government public information offi-cials need to know which reporters willcover which element of an incident.

• Government public information officersneed to know logistical needs of themedia in order to provide publicupdates.

• Government public information officersneed to have a fully-informed, respon-sive media in order to provide action-able information to the public.

PART THREE – PARTNERING WITH THE MEDIA

The government and the media are neither“partners” nor “adversaries” in crisis communi-cations; the relationship is subtle and dynamic.

• During an incident, the media playboth an informational and accountabil-ity role.

• At the outset of an incident, the mediareport information concerning the inci-dent and its immediate causes; as theincident progresses, the media report onthe failures in the prevention systemthat allowed the incident to occur; atsome point, the media begin to investi-gate who is to blame for the breakdownin the prevention system.

• Both the government and the mediamust understand that each of these rolesis distinct and valuable, but that duringa crisis, communication to the public ofaccurate, timely and actionable informa-tion is critical to life and property andtakes priority.

• After-action reports, whether by thegovernment in its self-improvement roleor by the media in its investigatory andaccountability roles, are valuable tools aswell.

Different media have different roles, staffing,skills, and training in crisis communications:

• Local broadcast media carry lion’s shareof role in informational period, but areleast prepared or staffed

• National broadcast media play second-ary role in information phase, but aremost staffed and skilled

• Print media play greater role in laterstages

• National 24-hour cable media are fasterbut, with more time to fill, tend to “fill”with speculation

• Talk radio, relying on listener input, aresometimes source of unfounded rumors

If an “official” government spokesperson cannotor does not have a prompt answer to a mediainquiry, the media will find some “unnamedsource” or “outside expert” to provide it.

Government public information officers needa clear system to monitor press reports andcorrect erroneous reports or unconfirmedrumors.

As a consequence, government and the mediafind it difficult to work together in communicat-ing consistent, accurate, timely and actionableinformation to the public during an incident.

Yet, media and media personnel are “civic mind-ed” and may be “force multipliers” in engagingpublic in preparedness and incident response andrecovery.

Failure of a well-understood working relation-ship between government and media may leavethe public:

• less prepared prior to crisis,• more anxious during a crisis and thus less

responsive to government protectiveaction recommendations, and

• slower as consumers, employees andfamilies to recover from the effects of anincident.

A well-understood working relationshipbetween the Government and a well-informedmedia can provide timely, accurate and action-able information to the public and a reassuringsense that Government and business leaders areworking well together to manage the responseto an incident and its consequences.

II. From “Media and First Response Program”to a Sustained Partnership

The Government and local media shouldtransform their current limited “media andfirst response program” into a sustained cam-paign in all of the top UASI media markets toenable key officials and local media personnelto better understand their respective roles andbehaviors in providing information to thepublic during a crisis.



38



39

• Doing so will develop working relation-ships between government and mediapersonnel that will enable a more trustedsharing of information during the earlystages of an incident, including the bet-ter understanding and handling ofambiguous threat or incident informa-tion and of information that may besensitive and important.

• This campaign should include table-topexercises, editorial board briefings, back-ground sessions with on-air anchors, writ-ers, general and beat reporters, traffic andweather reporters, assignment editors,bookers, producers, local public healthofficials, first responders, elected officials,local FBI personnel, others responsible forlocal emergency operations.

To assure that those relationships are sustainedand that media expertise and readiness ismaintained, this program should put in placea local team in each market to maintain a con-tinuing series of exchanges between govern-ment and local media.

• Complacency is a powerful force under-mining continuing readiness.

• Continuing attention to proper govern-ment/media relationships can also extendto “all-hazards” events.

III. Need for Regular Background Briefings

Government officials, at both the nationaland local levels, should conduct regular,ongoing background briefings for members ofthe media.

• Background briefings should include:potential scenarios regarding man-madeor natural disasters, means by whichany available threat or warning informa-tion will be delivered, default preventiveand protective measures to be taken bythe public, consistent terminology foralternative protective action measures(e.g., shelter-in-place versus evacuation;in-place quarantine versus “see doctor”),scientific background information andknown experts in the relevant fields,logistics of government briefings duringcrisis, possible technologies available tothe media for the receipt and display ofcrisis-related information and protectivemeasures for first-responding mediapersonnel.

• During these briefings, the mediashould identify its needs for logisticalinformation, subject matter expertiseand personal protective requirementsin various crisis scenarios.

IV. Role of Local Officials and TrustedAuthorities

Regular press briefings should be scheduledby local elected officials and trusted authori-ties (public and private) immediately uponlearning of an incident.

• Communications to the public shouldbe a critical priority in incidentresponse activities.

Even if information is ambiguous, uncon-firmed or incomplete, government andPrivate Sector officials should be briefing thepress on what is known, what is not known,what is being done by emergency responsepersonnel to respond to the incident andwhat protective action, if any, is being rec-ommended to the public.

• Public information officials should beincluded as a senior member in allaspects of incident planning andresponse activities.

• Local elected leaders should undergocontinuing crisis communicationstraining.

The ability to sustain public trust and to setappropriate public expectations in a crisis iscritical to increasing the prospect of a pre-dictable public response to recommendedprotective actions and to minimize econom-ic and social impacts of an incident throughrapid recovery and resiliency.

• Working with the media, professionalstandards should be developed for“confirmed” and “unconfirmed” tagsin crisis reports, and clear “rumor con-trol” protocols should be developed toassure the accuracy and timely deliveryof actionable information to the public.

• During and after a crisis, the govern-ment should issue regular updates onthe consequences of the incident,including deaths, injuries, economicand foreign policy impacts.



40

After-action reports following an incidentshould include an assessment of the nature,quality and management of public communica-tions regarding the incident, including findingsregarding the public awareness, understandingand assessment of the incident, the protectiveactions the public understood it was to takeduring the incident and the timeliness, accuracyand action-orientation of the information thatwas communicated to the public.

V. Refining the Homeland Security AdvisorySystem

The color-coded threat notification systemshould be significantly modified because itdoes not provide actionable information tothe public.

• Available threat information importantto the public should be made public, butit should also be made clear what actionsshould be taken by elected officials andfirst responders, businesses in potentially-impacted sectors or regions or by the public.

• If no action is to be taken by the public,it should be made clear why the warninglevel is being changed.

The Department should organize and supporta national community-based threat and pre-paredness campaign, working with local mediapartners, to engage employers and citizens inreporting local suspicious activity and inenhancing their own preparedness.

• Locally-executed campaigns, using localmedia and local community organizations,are more likely to change behavior than anational media campaign alone.

• Locally-reported suspicious activity, care-fully crafted to avoid privacy concerns, canbe better quality-assessed by local lawenforcement and will relieve overburdenednational hotlines.

Recommendations6. DHS should pro-actively invest in a better

informed and more engaged media throughspecific targeted programs aimed at devel-oping a stronger working relationship

between the government, the media and thePrivate Sector in major incidents. (M/A)

• Upon completion of an assessment, thegovernment and local media should scaletheir existing National Academies ofScience media engagement program into asustained campaign in all UASI (UrbanAreas Security Initiative) media markets.

• Government officials at both the nationaland local levels should conduct a systematicprogram of background briefings for mem-bers of local media including, among otherthings, the National Response Plan andNational Incident Management System,potential threat and response scenarios, sci-entific information regarding biological,chemical and radiological materials, a glos-sary of homeland security and citizen pro-tective actions, and other FAQs.

• Local elected officials and trusted authori-ties (public and Private Sector) should betrained on how to conduct press briefingsduring an incident in order to provide (1)timely and actionable information andprotective action recommendations to thePrivate Sector and the public and (2)contextual material needed to maintainpublic order and confidence.

• DHS, local elected officials and nationaland local media should develop protocolsfor the timely confirmation or correctionof unconfirmed information or rumorsduring the course of an incident.

7. The Homeland Security Advisory Systemshould be refined to provide more specific guid-ance to the Private Sector and to the public,including changes in warning levels. (M)

• Warning levels should be adjustable on asector-specific, geographic or time-limitedbasis (or on another basis, as appropriate).

• Warning level changes should include aspecific advisory to the public regardingthe purpose for the change and the steps,if any, that the public is expected to takeas a result of such a change.

• DHS, State and local officials and thePrivate Sector should meet, confer anddevelop common understandings andexpectations regarding the readiness or pre-paredness levels associated with differentwarning levels.

• Any refinement of the Advisory Systemshould be accompanied by a clear, easy-to-understand public communications plan.

2SR Second Stage ReviewAMA American Medical AssociationAPA Administrative Procedure ActAPRSAC Academe, Policy and Research Senior

Advisory CommitteeBZPP Buffer Zone Protection PlanCBI Confidential Business InformationCBP Customs and Border ProtectionCDC Centers for Disease Control and PreventionCEII Critical Energy Infrastructure InformationCI/KR Critical Infrastructure/Key ResourcesCII Critical Infrastructure InformationCIIA Critical Infrastructure Information ActCIO Chief Information OfficerCIPO Critical Infrastructure Programs OfficeCITF Critical Infrastructure Task ForceC-TPAT Customs-Trade Partnership Against

TerrorismCWC Chemical Weapons Convention DEA Drug Enforcement AdministrationDHS Department of Homeland SecurityDOE Department of EnergyDOJ Department of JusticeDOT Department of TransportationDPA Defense Production ActEAS Emergency Alert SystemEPA Environmental Protection AgencyERSAC Emergency Response Senior Advisory

CommitteeFAA Federal Aviation AdministrationFACA Federal Advisory Committee ActFAQ Frequently Asked QuestionFBI Federal Bureau of InvestigationFCC Federal Communications CommissionFEMA Federal Emergency Management AgencyFERC Federal Energy Regulatory CommissionFIG Field Intelligence Group

FinCEN Financial Crimes EnforcementNetwork

FOIA Freedom of Information ActFOUO For Official Use OnlyFTC Federal Trade CommissionGAO Government Accountability OfficeGCC Government Coordinating CouncilGSA General Services AdministrationHSA Homeland Security ActHHS Health and Human ServicesHSAC Homeland Security Advisory CouncilHSAS Homeland Security Advisory SystemHSIN Homeland Security Information

NetworkHSIN-CI Homeland Security Information

Network-Critical InfrastructureHSISA Homeland Security Information

Sharing ActHSOC Homeland Security Operations CenterHSPD-7 Homeland Security Presidential

Directive 7I&W Indications and WarningIA Information Analysis IAIP Information Analysis and

Infrastructure ProtectionICD Infrastructure Coordination DivisionIP Infrastructure ProtectionISAC Information Sharing and Analysis

CenterISE Information Sharing EnvironmentISP Internet Service ProviderIT Information TechnologyJRIES Joint Regional Information Exchange

SystemJTTF Joint Terrorism Task ForceLERG Local Exchange Routing GuideMTSA Maritime Transportation Security Act



41

GLOSSARY OFACRONYMS

MOA Memorandum of AgreementNAWAS National Warning SystemNCAS National Cyber Alert SystemNCC National Coordinating CenterNCS National Communications SystemNCSD National Cyber Security DivisionNDA Non-Disclosure AgreementNDAC Network Design and Analysis

CapabilityNIAC National Infrastructure Advisory

CouncilNICC National Infrastructure Coordinating

CenterNIMS National Incident Management SystemNIPC National Infrastructure Protection

CenterNIPP National Infrastructure Protection PlanNOAA National Oceanic and Atmospheric

AdministrationNRP National Response PlanNS/EP National Security/Emergency

PreparednessNSIE National Security Information

ExchangeNSTAC National Security Telecommunications

Advisory CommitteeOMB Office of Management and BudgetOSAC Overseas Security Advisory CouncilOSHA Occupational Safety and Health

AdministrationPCII Protected Critical Infrastructure

InformationPSD Protective Security DivisionPSO Private Sector OfficePVTSAC Private Sector Senior Advisory

Committee

RAMCAP Risk Analysis and Management forCritical Asset Protection

RSPA Research and Special ProjectsAdministration

SAV Site Assistance VisitSBU Sensitive But Unclassified SCC Sector Coordinating CouncilSIOC Strategic Information and Operations

CenterSLSAC State and Local Officials Senior

Advisory CommitteeSSA Sector Specific AgencySSI Sensitive Security InformationSSP Sector Specific PlanTSA Transportation Security AdministrationUASI Urban Areas Security InitiativeUSCERT United States Computer Emergency

Response Team WAWAS Washington Area Warning SystemY2K Year 2000



42

PRIVATE SECTOR INFORMATIONSHARING TASK FORCE

Chair, Mayor Patr ick McCrory(HSAC)

Vice Chair, Herb Kel leher(HSAC, PVTSAC)

Mayor Karen Anderson(SLSAC)

Dick Andrews(HSAC, ERSAC)

Sheri f f Michael Carona(ERSAC)

James Dunlap(SLSAC)

Donna Finn(SLSAC)

Chief Michael Freeman(ERSAC)

Ellen Gordon(ERSAC)

Steve Gross(PVTSAC)

Dr. Doug Huntt(PVTSAC)

Chief Phi l Keith(ERSAC)

Monica Luechtefe ld(PVTSAC)

Paul Maniscalco(ERSAC)

Commiss ioner Karen Mil ler(SLSAC)

Mayor Donald Plusquel l ic(SLSAC)

Jack Real l(ERSAC)

Rick Stephens(PVTSAC)

George Vradenburg(PVTSAC)

Jack Wil l iams(PVTSAC)

HSAC STAFF

Daniel OstergaardExecut ive Director, HSAC

Candace Stol tzDirector, Pr ivate Sector Informat ionShar ing Task Force

Jef f GaynorMike MironKatie Knapp

SUBJECT MATTER EXPERTS

Drew ArenaVerizon Communicat ions

Laurence W. BrownEdison Electr ic Inst i tute

Barbara CochranRadio-Telev i s ion News DirectorsAssociat ion

John CohenOffice of the Governor, MA

James W. Conrad, Jr.American Chemistr y Counci l

Greg GwashThe Boeing Company

Neil Gal lagherBank of America

Ava A. HarterDow Chemica l



43

Attachment A



44

Dick Ket lerSouthwest Air l ines

Maurice McBrideNational Petrochemica l & Ref inersAssociat ion

Susan NeelyAmerican Beverage Associat ion

Tom PrinceBlackwel l Sanders Peper Mart in,LLP

Frank SesnoSchool of Publ ic Pol icy/George Mason Univers i ty

Steve WheelerLockheed Mart in Aeronaut icsCompany



45

PUBLIC/PRIVATE INFORMATION SHARINGPROCESS

Below is an outline that attempts to map exist-ing channels for security-related informationflows. Included information covers: the flowof information in both directions between gov-ernment and the Private Sector on warnings,threats or reports of manmade or natural emer-gencies, accidents, criminal acts, and attacks, aswell as information on design, location, andfunction of elements of the nation’s criticalinfrastructure. Not included is informationflowing in either direction regarding rulemak-ing and the promulgation of regulations, northat contained in press releases, briefings andother aspects of general public affairs activities.

For each entry, the qualitative or quantitativesense of the number of reporting/disseminatingentities; the frequency and volume ofreports/releases; and whether they are mandato-ry or voluntary in nature will all vary. In addi-tion, certain restrictions are placed bystatute/rule/Executive Order/policy on theinformation’s use by the recipient entity (publicor private) and the ability of that entity toshare it further.

I. From Government to Private SectorA. From State to Local GovernmentsB. From Federal Government

i. Department of Homeland Security1. IAIP

• ISACs, USCERT.• HSIN (HSIN has multiple customers

at different levels. i.e. JRIES is forLaw Enforcement and StateHomeland Security Advisory, whileHSIN-CI’s primary mission focus isthe Private Sector).

• Warnings/Threat level.

2. FEMA• Emergency Alert System (EAS): dis-

semination of alert and warning mes-sages, Presidential messaging to thenation, and state/local use. EASoperates at the national level through34 Primary Entry Point broadcast sta-tions.

• National Warning System (NAWAS):created to rapidly notify emergencymanagement officials of impendingor threatened attack or accidentalmissile launch on the United States.The three types of civil warnings sup-ported by NAWAS are: (1) naturaland technological emergency warn-ing; (2) attack warning; and (3) fall-out warning.

• Washington Area Warning System(WAWAS): a 24-hour alert and warn-ing system for the Washington DCarea that coordinates federal and cityemergency operations in the Nation’sCapital.

3. U.S. Secret Service; Financial CrimesTask Force

4. U.S. Coast Guard• Local Area Maritime Security

Committees composed of federal andnon-Federal port partners.

• Local Command Centers.• Captains of the Ports.• Liaison at interagency operations

centers.• Electronic bulletins.• 3 Interagency command centers

located at San Diego, Norfolk andCharleston (SC).

5. Private Sector Office• HSIN-CI: Established and continued

expansion to private sector members.

Attachment B



46

• HSAS: Provided outreach/notifica-tion and coordination of private sec-tor leaders to changes in level.

• Ready-Business: Shaped content,messaging, outreach and partnershipsfor campaign to enhance private sec-tor preparedness and business conti-nuity.

• US-Visit: Fostered information andissue exchanges for the transportationcommunities on the rollout, impactand benefits of the Program.

ii. Department of CommerceNational Oceanic and AtmosphericAdministration (NOAA) encompassesthe National Weather Service.

iii. Department of Justice• FBI: InfraGuard is part of HSIN-CI.• https://www.swern.gov/ privatesec-

tor/InfraGard.php.• Wanted lists; Joint Terrorism Task

Forces.• HSIN-CI, HSOC is currently send-

ing Joint FBI/DHS Sector. • Bulletins via HSIN-CI.

iv. Department of TransportationFederal Aviation Administration (FAA)

v. Department of Energyvi. Department of Health and Human

ServicesCenters for Disease Control (CDC)

vii. Nuclear Regulatory Commission

II. From Private Sector to GovernmentA. To State & Local Governments

i. Emergency Management Agenciesii. Utility Regulators

B. To Federal Governmenti. Department of Homeland Security1. IAIP

• Infrastructure Analysis (IA): analyzesintelligence from the United StatesPrivate Sector entities for informationregarding homeland security. IA alsocollaborates with the Private Sectorby: ensuring that the appropriatethreat information with homelandsecurity implications reaches PrivateSector officials that protect theAmerican citizenry and critical infra-

structure; and producing threat relatedinformation bulletins and advisoriesfor Private Sector critical infrastructureowners and operators.

• Infrastructure Protection (IP): in part-nership with IA and the Private Sector,protects America’s critical infrastruc-ture through the following:

• Infrastructure Coordination Division(ICD)—serving as the hub of infra-structure expertise by sustaining coresector capabilities, maintaining opera-tional awareness, and fostering work-level relationships with the PrivateSector, and State and local governments.

• National InfrastructureCoordinating Center (NICC): a24x7 watch operation center thatmaintains operational and situa-tional awareness of the nation’scritical infrastructure key resources(CI/KR) sectors. The NICC pro-vides a centralized mechanism andprocess for information sharingand coordination between andamong government, SectorCoordinating Councils (SCCs),Government CoordinatingCouncils (GCCs), and otherindustry partners.

• Infrastructure Coordination andAnalysis Office: comprised ofSector Specialists who have expert-ise and/or established contacts inthe CI/KR sectors. Additionally,Sector Specialists analyze opera-tional and situational informationthat is provided by the NationalInfrastructure Coordinating Center(NICC) to determine incident-related impacts to the CI/KR sectors.

• Critical Infrastructure ProgramsOffice (CIPO): supports informa-tion sharing and collaborationthrough sector partnership models.The owners and operators of theCI/KRs form the cornerstone of theSector Partnership Model. Thesestakeholders own, operate, build,and invest in the assets that providethe vital functions of the sector.

• Sector Coordinating Councils(SCCs): Under the NationalInfrastructure Protection Plan(NIPP), there are 17 SCCs thatassemble all the different actors inthe Private Sector to instill informa-tion sharing. DHS personnel workwith asset owners and operators toidentify vulnerabilities and provideoptions for consideration.

• Information Sharing and AnalysisCenters (ISACs): created in theidentified critical infrastructure sec-tors to coordinate industry andindustry-government sector datasharing and analysis regarding vul-nerabilities and incidents.

• Protected Critical InfrastructureInformation (PCII) Program: allowsDHS to receive protected and qual-ifying information from disclosureand to be used by DHS, otheragencies, State and local govern-ments for securing critical infra-structure.

• Protective Security Division (PSD)—reduces the nation’s vulnerability to ter-rorism by developing and coordinatingplans to protect critical infrastructureand denying use of our infrastructure asa weapon. PSD is also the SectorSpecific Agency (SSA) for five sectors:Commercial, Nuclear, Chemical,Dams, and Emergency Services.

• National Asset Database: the repos-itory of U.S. assets among the 17CI/KR sectors.

• Sector Specific Plan (SSP): eachSCC develops a SSP.

• Buffer Zone Protection Programs(BZPPs) and Site Assistance Visit(SAV): performs SAV site specificwrite-ups called CommonCharacteristics and VulnerabilitiesReports for a particular sector orsegment of that sector.

• National Communication System(NCS)—assists in the planning for, andprovision of, national security andemergency preparedness communica-tions for the Federal Government underall circumstances.

• National SecurityTelecommunications AdvisoryCommittee (NSTAC): providesindustry-based advice and expertiseto the President on issues and prob-lems related to implementingnational security and emergency pre-paredness (NS/EP) communicationspolicy. NSTAC is composed of upto 30 industry chief executives repre-senting the major communicationsand network service providers andinformation technology, finance, andaerospace companies.

• National Security InformationExchange (NSIE): established as aforum in which Government andindustry share information in a trust-ed and confidential environment.

• National Coordinating Center(NCC): a joint industry-govern-ment operation encompassing theU.S. telecommunications industryand Federal Government organiza-tions involved in responding to theFederal Government’s NS/EPtelecommunications service require-ments. The operational arm of theNCC is its 24 x 7 watch and analy-sis operation, the “NCC Watch.”

• Communications-ISAC: facilitatesvoluntary collaboration and infor-mation sharing among its partici-pants in the communications sector.

• National Cyber Security Division(NCSD)—acts as the single nationalpoint of contact for the public andPrivate Sector regarding cyber securityissues, including outreach, awareness,training, and the National AssetDatabase.

• USCERT: partners between DHSand the public and Private Sectorsto protect the nation's Internetinfrastructure. US-CERT coordi-nates defense against and responsesto cyber attacks across the nation.

• The National Cyber Alert System:US-CERT established a NationalCyber Alert System in January2004 to provide information to thepublic and the Private Sector.



47

• The US-CERT Portal: a secure,web-based collaborative systemthat allows US-CERT to sharesensitive cyber-related informationwith government and industrymembers.

• The US-CERT Control SystemsCenter: plays a vital role in mostcritical cyber systems in thenation’s infrastructure.

• US-CERT Public Website: servesas a critical function to providegovernment, Private Sector organi-zations, and the public with infor-mation they need to improve theirability to protect their informationsystems and infrastructures.

• The National Cyber Alert System(NCAS): an operational part ofthe US-CERT Response Systemthat delivers targeted, timely, andactionable information about inci-dent and threats in a series ofperiodic “cyber tips,” “best prac-tices,” and “how-to” guidancemessages.

2. National Emergency ManagementNational Response Plan

3. HSIN-CI: uses the FBI’s TIPs programon all websites, where members and thegeneral public can submit informationto both DHS (HSOC) and FBI(SIOC) via this internet tool. The FBIthen sends the report to JTTF andFIGs for investigation, while DHScoordinates with IA; and the followingweb link: https://www.swern.gov.

4. Transportation Safety Commission5. U.S. Coast Guard Local Command

Centers; Captains of the Port NationalResponse Center 1-800-424-8802

6. DHS Law Enforcement Agencies U.S.7. Private Sector Office

• Initiated exchanges of economic datafrom multiple private sector groupsand companies as well as FederalDepartments (Commerce, Labor,Agriculture) to assist PSO analyses onthe economic impact of DHS policiesand regulations (i.e. air transit pro-gram; advance passenger informationsystems, border wait times, etc).

ii. Department of Justice1. U.S. Attorney’s Office; Grand JuryInvestigations2. Infraguard; JTTFs3. Bureau of Alcohol Tobacco &

FirearmsFirearms and Explosives Info

iii. Department of Energyiv. Department of Transportation

1. FAAv. Department of the Treasury

1. FINCEN Suspicious transactionreporting; Bank Secrecy Act

vi. Department of Health and HumanServices

vii. Federal Communication Commissionviii. Nuclear Regulatory Commissionix. Environmental Protection Agency

Releases/spills toxic materials



48

Introduction

I. Executive Summary

II. The Freedom of Information Act

A. “Other Laws” Exemption

B. National Security Exemption

C. Law Enforcement Exemption

D. Confidential BusinessInformation Exemption

1. The exemption

2. Concerns about the exemption

a. Is it really discretionary?

b. Will courts follow Critical Mass?

c. Is security information really“commercial or financial”?

d. The culture of disclosure

E. “Risk of Circumvention” Exemption

III. “Protections” that Aren’t, Really

IV. Other Laws that May Protecta Business’s Security Information

A. Laws Applicable to Particular Classesof Business Activities

1. Larger public drinking water systems

2. Facilities and vessels regulated under theMaritime Transportation Security Act

3. Shippers and carriers of hazardous materi-als required to prepare security plans

4. Facilities regulated under the ChemicalWeapons Convention Implementation Act

5. Facilities regulated by the Federal EnergyRegulatory Commission

B. The Critical Infrastructure Information Act

1. Background

2. Scope

3. Information Protections

4. Implementation Issues

5. No “Polluter Secrecy”



49

Attachment C

1Assistant General Counsel, American Chemistry Council. The author very much appreciates the helpful comments he receivedon earlier drafts of this article from Dion Casey, Transportation Security Administration; Daniel Metcalfe, Department of Justice;and James O’Reilly, University of Cincinnati College of Law. Staff of the Department of Homeland Security’s Protected CriticalInfrastructure Information Program declined to comment officially. All opinions and any errors contained herein are exclusivelythe author’s.

PROTECTING PRIVATE SECURITY-RELATED INFORMATIONFROM DISCLOSURE BY GOVERNMENT AGENCIES

JAMES W. CONRAD, JR.1

TABLE OF CONTENTS



50

C. Sensitive Security Information

1. Background

2. Scope

3. Operation

a. SSI is partially self-implementing

b. SSI can be submitted voluntarilyto the federal government

c. Persons able to obtain SSI

d. The SSI rules bind private persons

Conclusion



51

Most of this nation’s critical infrastructure isprivately held. It has become commonplace todescribe information about the security of thesebusinesses – i.e., their vulnerabilities and the securi-ty measures they have taken – as a roadmap to ter-rorists. And yet this characterization is apt.Security vulnerability assessments and securityplans are among the most sensitive documents thatcould ever be prepared about a facility, whetherthat facility is a chemical plant, a dam or railroadstorage yard. Comparable information about trans-portation modalities like trucking or rail may poseeven greater risks, given their ubiquity and thegreat distances over which shipments may be vul-nerable. Security vulnerability assessments andplans generally describe the worst possible conse-quences that could result from an attack; where,when and how to attack to produce those conse-quences; and what steps the business has taken todeter or delay such an attack, or to minimize theconsequences. A terrorist planning such an attackcould not have a more useful guide.

In some cases federal, state or local law mayrequire a privately-held business to prepare thesesorts of reports. In other cases, the business owneror operator may have done so voluntarily, pursuantto an industry initiative such as the chemical indus-try’s Responsible Care®‚ Security Code.2 Finally, theowner or operator may have independently recog-nized that its facilities or distribution methodscould be an attractive target, and that potentiallegal liability or simply common sense impelled itto take protective measures.

Another familiar mantra is that security is ashared responsibility between the public and privatesectors. In order to discharge this responsibility,both sectors need to share information with eachother. Indeed, security planning – particularly inthe area of response – cannot be conducted effec-tively unless each sector is aware of the other’s capa-bilities and has cooperated in defining scenarios,roles and actions. This means that a government

agency with responsibility for the security of aparticular type of infrastructure is likely to wantto be able to review and discuss security docu-ments prepared by those businesses. It might alsowant to obtain a copy for its files – and it mayhave the power to do so. Finally, effective securityplanning may require that the federal governmentbe able to share this information – in a controlledfashion – with state or local governments, or evenwith other private actors involved in securing theasset in question.

This article addresses what sorts of legal protec-tions may exist to prevent the public release of aprivate business’s security documents once theyare in the possession of an executive branchagency of the federal government. It also notes:

• when these protections may impose obliga-tions on the business submitting the infor-mation, not just the government; and

• when these protections envision the gov-ernment sharing information with certainnon-Federal governments or private enti-ties for homeland security purposes, whilenot releasing it to the public at large.This concept requires a major culturalshift from the traditional binary notionthat information is either publicly releasedor held only by government -- but thisshift may be crucially important forensuring security.

The article focuses on legal protections avail-able at the federal level, though it also points outwhen these protections extend to documents inthe hands of state or local agencies. As the discus-sion reveals, this area of the law is particularlycomplicated, not only because of the number andcomplexity of laws involved, and their interac-tions, but also by the distracting pervasiveness oflabels that have some practical, though not consis-tent, meaning within government agencies, butyet provide no legal basis for withholding infor-mation from disclosure.

INTRODUCTION

2See http://www.rctoolkit.com/security.asp.

And in most cases, the government can “write forrelease” by summarizing sensitive information orabstracting from it in a way that does not createundue risks. (Indeed, critical infrastructure represen-tatives frequently complain that the governmentshould do this more often with threat informationthat it possesses.) On the other hand, while differentpeople will draw the line at different places, ulti-mately all (or virtually all) observers would agree thatthere are circumstances in which security-relatedinformation provided by private entities to the gov-ernment must be protected from unrestricted publicrelease. This article addresses whether and how wellthat purpose can be served under existing law.

I. EXECUTIVE SUMMARY

FOIA. The Freedom of Information Act isthe starting point for any analysis of whetheran executive branch agency must or maywithhold a particular document from publicdisclosure. FOIA requires an agency torelease a record in its possession uponrequest by any member of the public unlessan exemption applies. Five FOIA exemp-tions are potentially applicable to businesssecurity information:

“Other Laws” (exemption (b)(3)): FOIAdoes not apply where another law prohibitsan agency from disclosing a document orestablishes particular criteria for withholdingthat type of information. Several of theselaws are potentially applicable to businesssecurity information, and are summarizedunder “Other Statutes” below. A businessconcerned about the security of its informa-tion in the hands of the government shouldalways check to see whether one or more ofthese laws applies.

The article begins by discussing the Freedom ofInformation Act, which provides the overallframework for deciding when the federal govern-ment may or must protect information from pub-lic disclosure. It focuses particularly on severalexemptions from disclosure under FOIA. Thenext part of the article addresses a variety of labelsthat may appear to justify withholding informa-tion but really do not. Finally, the article explainsat varying lengths a number of statutes that givethe government the ability to protect certain typesof security information from public release. Thispart of the article focuses on two recent and con-troversial programs regarding “critical infrastruc-ture information” and “sensitive security informa-tion.”

This article does not attempt to provide anexhaustive description of every program or authorityit discusses. Readers interested in how they may beaffected by the topics discussed below are encour-aged to review the underlying laws or rules beforemaking important decisions about them.

Finally, let me emphasize that the purpose ofthis article is not to promote the greatest possiblewithholding of private security-related informationfrom release by the government. The 9/11Commission,3 the official in charge of classifica-tion policy across the federal government,4 andcommentators writing in this journal5 all haveexpressed concern that the government overclassi-fies or otherwise restricts from disclosure informa-tion that safely could — and should — bedisclosed to the public in order to effectuate long-standing principles of open government. Certainlysome privately-generated information is “security-related” and yet could be made public withoutjeopardizing the security of the generator or others.



52

2See http://www.rctoolkit.com/security.asp.3National Commission on Terrorist Attacks upon the United States, THE 9/11 COMMISSION REPORT 417 (2004).4J. William Leonard, Director, Information Security Oversight Office, National Archives & Records Administration, “InformationSharing and Protection: A Seamless Framework or Patchwork Quilt?” Remarks at the National Classification ManagementSociety’s Annual Training Seminar, Salt Lake City, Utah (June 13, 2003), available athttp://www.fas.org/sgp/isoo/ncms061203.html.

5Christina E. Wells, “National Security Information and the Freedom of Information Act,” 56 ADMIN. L. REV. 1195, 1198-1205(2004).

National Security (exemption (b)(1)):Documents classified for national securityreasons are exempt from disclosure underFOIA. There is no formal process for a busi-ness to request that information it submits tothe government be classified, however, andaccess to classified documents is strictly lim-ited. This exemption is unlikely to be usefulto most businesses in most cases.

Law Enforcement (exemption (b)(7)(F)):FOIA exempts from disclosure informationgenerated for civil or criminal law enforce-ment purposes the release of which couldjeopardize the life or physical safety of a per-son. This exemption may well be applicableto business security information submitted tothe government, provided that the informa-tion can be said to have been generated forpurposes of enforcing some law, federal orstate. This proviso is most easily accom-plished where the agency in question has theauthority to enforce some law relevant tohomeland security. There may be somequestion whether all components of theDepartment of Homeland Security (DHS)have this authority.

Confidential Business Information (exemp-tion (b)(4)): Between FOIA and the TradeSecrets Act, it is a crime for a governmentemployee to release confidential commercialinformation about a business. For the mostpart, information about the security of abusiness should fall into that category.Moreover, the federal government’s position– and the law in the D.C. Circuit – is thatbusiness information that is voluntarily sub-mitted to an agency will be protected fromrelease so long as it is the kind of informa-tion the business would not customarilyrelease. Thus, this exemption should bebroadly useful in protecting business securityinformation from being released by a federalagency. However, this conclusion is not freefrom doubt in any given case, and a businesswould do well to determine if any othergrounds exist for the government withhold-ing the business’s security information fromrelease.

“Risk of Circumvention” (exemption(b)(2)): Most federal jurisdictions protectgovernment information whose effectivenessrequires that it be maintained confidential.The government is relying on this exemp-tion to protect security-related informationthat it generates, whether about public orprivate infrastructure. It is questionable,however, whether this exemption would beof any use to protect documents that aregenerated privately and submitted to thegovernment, especially if the substance ofthe report has not been integrated into agovernment document.

Protections that Aren’t. The federal govern-ment maintains different levels and types ofsafeguards for various categories of informa-tion, depending principally on the agency inquestion. Common example categories are“sensitive but unclassified” (SBU) and “forofficial use only” (FOUO). While agenciesmay in fact handle such information careful-ly to avoid inadvertent release, these labelsdo not provide a basis for an agency to with-hold a document from release in response toa FOIA request. Information must fall intoa FOIA exemption to be withheld.

Other Statutes. Numerous statutes provide abasis, under the (b)(3) exemption noted above,for agencies to withhold business security-relat-ed information from public disclosure.

Specific statutory exemptions exist for:• Larger public drinking water

systems;• Facilities and vessels regulated under

the Maritime TransportationSecurity Act;

• Shippers and carriers of hazardousmaterials required to prepare securi-ty plans; and

• Facilities regulated under theChemical Weapons ConventionImplementation Act.

While it does not have a special basis forwithholding information from release, theFederal Energy Regulatory Commissionhas established innovative rules for manag-ing FOIA-exempt information submittedby facilities it regulates.



53

Two other programs, established by statute,provide a basis for exempting security-related information across a wide range ofbusinesses. Businesses should always con-sider the possible applicability of these pro-grams:

Critical infrastructure information(CII). This program, administered byDHS, protects security-related infor-mation about critical infrastructurewhen it is voluntarily submitted toDHS. This program provides anunprecedented level of protection,although partly as a result it has beenslow to get up and running. It hasgreat potential, however, to enable fed-eral, state and local governments toshare, in a secure fashion, informationabout the assets they need to protect.This law has been strongly challengedby those who believe it will lead toundue secrecy or even immunity fromenforcement under other laws. Infact, however, the law and its imple-menting rules have been carefullycrafted to avoid those outcomes.

Sensitive Security Information (SSI).This program, administered by boththe Department of Transportationand the Transportation SecurityAdministration, enables these agenciesto protect from disclosure informationthey obtain or generate the release ofwhich could jeopardize the safety orsecurity of transportation. Private sec-tor representatives may be able tohave access to SSI on a need-to-know

basis under a nondisclosure agree-ment. The SSI rules are also self-implementing, meaning that classes ofinformation are SSI by definition,without anyone having to apply forsuch treatment. As with classifiedinformation, private entities possessingSSI have legal obligations to protect it– even if it is their own information.

II. THE FREEDOM OF INFORMATIONACT

The starting point for any analysis ofwhether an executive branch agency mayor must release information in its posses-sion is the Freedom of Information Act orFOIA.6 This law provides the overarchingframework for deciding whether a federalagency may refuse to publicly disclose adocument. Enacted in 1966, and sparkinga series of other “open government” laws,FOIA generally embodies a Congressionalpolicy decision that all government“records” should be made publicly available– some automatically, and the rest (includ-ing, potentially, private security records)upon request by any person.7

Assuming a federal agency comes intopossession of a business’s security report,therefore, the default position is that thereport is available to a FOIA requester,unless the report is covered by one ofFOIA’s exemptions from disclosure.FOIA has nine exemptions, of which fiveare potentially relevant to businesses’ secu-rity information.8 Each is discussed below.How useful any of them may prove to bein a given case is uncertain, however, forseveral important reasons:



54

65 U.S.C § 552. All federal agencies have issued regulations governing their implementation of FOIA. FOIA does not apply tothe legislative or judicial branches of the federal government (or, thus, to entities within those branches like the GovernmentAccountability Office (GAO)).

7“Any” person in this case really means any person, whether or not a U.S. citizen, and without any requirement to provide,much less substantiate, a need for the record. See U.S. DOJ, FOIA GUIDE AND PRIVACY ACT OVERVIEW 44-47 (2004 edition),available at http://www.usdoj.gov/oip/foi-act.htm. This comprehensive document is issued every other year by the JusticeDepartment’s Office of Information & Privacy, which coordinates the development and implementation of, and compliancewith, FOIA policy throughout the executive branch. It provides useful insight into the government’s position on FOIA issues.Much of this article’s discussion of FOIA is derived from it. Another valuable reference is JAMES T. O’REILLY, FEDERAL INFOR-MATION DISCLOSURE (Thomson West 3d. ed 2000).

8FOIA also contains three “exclusions” that flatly forbid release of information, but they are unlikely to be relevant to privatesecurity information. (Two concern criminal investigations or proceedings and the third addresses certain classified informa-tion possessed by the FBI. See 5 U.S.C. § 552(c).)



55

• First, the exemptions are from FOIA’smandate to disclose, meaning that thegovernment retains the discretionunder FOIA to disclose exempt infor-mation, unless some other legal author-ity affects the agency’s power to releaseit.9 Many such authorities exist in thesecurity area, fortunately, and are notedbelow where relevant.

• Second, most FOIA exemptions havebeen construed narrowly by agenciesand courts in their efforts to effectuateCongress’s openness policy. Agenciesnow in the business of obtaining orreviewing private security informationgenerally have indicated an intentionto apply relevant FOIA exemptionsaggressively, and the JusticeDepartment has stated its intent todefend exemption decisions “unlessthey lack a sound legal basis.”10

• Still, whether an agency will protect agiven document is its decision to make,and whether a court will agree is obvi-ously uncertain. This difficulty is com-pounded by the fact that different fed-eral circuits can and do construedFOIA differently, and a lawsuit seekingto compel disclosure of a business’ssecurity information could be filed by aplaintiff anywhere he or she resides.11

• Finally, each exemption has its ownpeculiarities, deriving from statutorylanguage and years of evolving (anddivergent) agency practice and judicialinterpretations.

As a practical matter, it seems reasonable toassume that a court, faced with deciding whetherto release information that the federal governmentargues should be protected to avoid facilitating aterrorist attack, would find some FOIA exemptionto apply. Nonetheless, the upshot is that FOIAand its exemptions alone are not, in the view of

many, an ideal solution to concerns about protect-ing business security information. For this reason,since 9/11 Congress has enacted or amended sev-eral other statutes, and federal agencies have issuedseveral regulations, to provide greater measures ofprotection for some kinds of security-related docu-ments. These other statutes and regulations aresummarized in Part A immediately below and dis-cussed in Part V of this article.

A. The “Other Laws” Exemption

The most reliable FOIA exemptionpotentially relevant to private securityinformation is the “(b)(3)” exemption,which exempts from FOIA’s disclosuremandate any information the release ofwhich is controlled by another federallaw. In essence, this exemption ensuresthat FOIA does not override any otherlaw that either “(A) requires that thematters be withheld from the public insuch a manner as to leave no discretionon the issue, or (B) establishes particularcriteria for withholding or refers to par-ticular types of matters to be with-held.”12 A multitudeof statutes come inthrough this door. Some of these areoutright prohibitions on release, usingunambiguous language like “shall not bedisclosed,” and many include civil oreven criminal penalties for governmentemployees who violate them.13 Othersspeak of documents “being exempt fromdisclosure” under FOIA, and may allowdisclosure under certain circumstances.A business concerned about protectinginformation it might provide to the gov-ernment should first determine whetherany of these laws apply. Several of themare applicable to private security informa-tion, and are discussed in Part V below.

9Even more exasperating, only some of these other authorities flatly forbid the federal government from releasing certaininformation under any circumstances. Many of them merely provide that information “is exempt” from disclosure under FOIA,and in the view of the Justice Department, at least, such a law does not necessarily deprive the government of the discretionto disclose the information outside of FOIA if the other statute permits such discretionary disclosure. See FOIA GUIDE, supranote 9, at 229-31 and 683-91, esp. p. 684. This may be an academic point, since agencies generally treat a statute sayingthat information is “exempt” from disclosure under FOIA as a flat prohibition on disclosure in all cases.

10Memorandum from John Ashcroft, Attorney General, for Heads of all Federal Departments and Agencies (Oct. 12, 2001),available at http://www.usdoj.gov/oip/foiapost/2001foiapost19.htm.

11See 5 U.S.C. § 552(a)(4)(B).12Id. § 552(b)(3).13See, e.g., the Trade Secrets Act and the Chemical Weapons Convention Implementation Act, discussed respectively in foot-notes 42 and 72 and accompanying text.



56

B. National Security Exemption

FOIA exempts from disclosure docu-ments that have been properly classifiedfor reasons of national defense or foreignpolicy.14 Thus, government records thatare “top secret,” “secret” or “confidential”need not be disclosed under FOIA – andin fact other authorities establish a rangeof sanctions if they are.15 While on firstblush this “(b)(1)” exemption mightseem an ideal way for the government toprotect privately-generated “homelandsecurity” documents like vulnerabilityassessments from release while in thegovernment’s possession, classificationactually has a number of serious limita-tions:

• Only some federal agencies can classifya document. The only way a docu-ment can become classified is if afederal agency that has “original clas-sification authority” affirmatively actsto classify it.16 While theDepartment of Homeland Security(DHS) and most other federal agen-cies have this authority, some donot.17 A private entity cannot classifyits own document. Nor is there anyestablished process for private entitiesto request an agency to classify a doc-ument.

• Access to classified documents is verytightly controlled. Once a documenthas been classified, the only peoplewho can see it are those who have:

145 U.S.C. § 552(b)(1). The current authorities governing the classification of documents are Executive Order 12958, as amend-ed by E.O. 13292 (68 Fed. Reg. 15315, March 28, 2003), and rules issued pursuant to those orders by the National Archives& Records Administration’s Information Security Oversight Office, located at 32 C.F.R. Part 2001. E.O. 12958 explicitly refer-ences information that “reveal[s] current vulnerabilities of systems, installations, infrastructures, or projects relating to nation-al security.” Id. § 3.3(b)(8).

15Sanctions for unauthorized disclosure of classified documents are discussed in Sections 4.1(b) and 5.5 of E.O. 12958.Criminal penalties exist for certain disclosures of classified information. E.g., 18 U.S.C. §§ 641, 793(d), 798; 50 U.S.C. § 783.

16E.O. 12958, § 1.1(a)(1).17For example, EPA only recently received this authority.18E.O. 12958, § 4.1(a).19The statute enacted last year to implement some of the 9/11 Commission’s recommendations contains provisions intended toimprove the number and timeliness of security clearances. See 50 U.S.C. § 435b. An inherent part of the delay is that,among the federal law enforcement personnel who conduct or manage the process, doing background checks is oftenregarded as boring, low-status work compared with the more results-oriented work most of them signed up expecting to do.

20See E.O. 12968 (1995).21See 50 U.S.C. § 435b(d).

• an active security clearance at therequisite level (e.g., “secret” levelfor documents that have beenclassified at the secret or confi-dential level)

• a need to know; and• signed a nondisclosure agree-

ment (NDA).18

• No one else can see the document –even the person who prepared it. Thatmeans that if a private person with-out a security clearance prepared avulnerability assessment of his facilityand submitted it to a governmentagency, and the agency classified thedocument, the submitter could notget it back. Obviously, this is notconducive to effective security orinformation sharing.

And meeting the first two access require-ments is not easy or quick. First, there isa tremendous backlog of persons seekingsecurity clearances: more than threeyears after 9/11, federal agencies withclassification authority still do not haveadequate resources or budgets to processthe many applications that they haveaccepted. And the requisite backgroundchecks – the source of most of the delay– will always take some degree of time.19

Many applications have languished forlong periods of time. And even if a per-son does have a clearance from one fed-eral agency, other federal agencies haveoften been disinclined to accept themreadily, even though they have beenlegally bound by executive order20 – andnow a federal statute21 – to grant such“reciprocity.”

Second, it is not necessarily easy or sim-ple to get a federal agency to agree thatyou have a need to know. As the 9/11Commission and other critics have point-ed out, the classified world has evolvedover the years into one where individualagencies are loathe to share informationwith each other, much less with private-sector individuals.22 (The Commission’sreport calls for a new, “need to share” cul-ture, and the statute passed by Congresslast December to implement many ofthose recommendations contains provi-sions intended to create an “informationsharing environment.”23)

Third, agency rules and proceduresregarding access to classified documentsare quite burdensome and cumbersome.Someone who meets the three require-ments for access listed above has to con-struct an appropriately secure facilitywhere the documents must remain at alltimes, with access controls and record-keeping requirements.24 People cannoteven discuss classified information over thetelephone unless they have secure telecom-munications capabilities, which are expen-sive and time-consuming to install.25

Finally, persons who violate these rules, orthe terms of their NDA, can face very seri-ous consequences – even if they arefamous, as individuals such as Sandy Bergerand John Deutsch have demonstrated.26

It should thus be obvious that classification isa very poor tool for promoting the securityof private businesses.



57

C. Law Enforcement Exemption

Another FOIA exemption of partial usein protecting private security documentsis the one covering information compiledfor civil or criminal law enforcement pur-poses (conventionally referred to as “lawenforcement sensitive” information).This exemption applies to a half-dozencategories of documents, but one is ofparticular relevance to the facility securitypredicament: records the release ofwhich “could reasonably be expected toendanger the life or physical safety of anyindividual.”27 While this “(b)(7)”exemption was originally crafted to pro-tect law enforcement personnel, it hasbeen broadly interpreted to justify agen-cies’ refusing to disclose law enforcementrecords whenever their release could rea-sonably be expected to result in harm toany person.28 In the homeland securitycontext, a federal court recently held thatBureau of Reclamation “inundationmaps” detailing areas that might beflooded if the Hoover or Glen CanyonDams failed catastrophically were coveredby this exemption because disclosure ofthe maps “could reasonably place at riskthe life or physical safety of . . . individu-als,” communities, or infrastructuredownstream of the dams.29 A business’ssecurity vulnerability assessment couldwell fall into this category also, andindeed federal agencies have made knowntheir intention to assert this defensewhere relevant.30

229/11 COMMISSION REPORT, supra note 3, at 416-419.23Id.; see also 6 U.S.C. § 485.24See 32 C.F.R. §§ 2001.41(b), 2001.43. These are often referred to as “secure compartmentalized information facilities” or“SCIFs.”

25Id. §§ 2001.41(c), 2001.49. These are often called “secure telecommunications units” or “STUs.”26See note 15 supra. E.g., “Berger Will Plead Guilty to Taking Classified Paper,” Washington Post, A1 (April 1, 2005).275 U.S.C § 552(b)(7)(F).28FOIA GUIDE, supra note 7, at 660 n. 20.29See Living Rivers, Inc. v. United States Bureau of Reclamation, 272 F. Supp. 2d 1313, 1321-22 (D. Utah 2003).30For example, when the FBI housed the National Infrastructure Protection Center (NIPC), it stated that it would assert thisdefense, among others, if anyone sought information supplied by private facilities regarding threats or similar incidents.



58

The problem with this exemption is thatit can only be asserted when the privateinformation in question could plausiblybe argued to be have been generated orcompiled in connection with some lawenforcement purpose. This is likely tobe only sporadically true in the securitycontext. Most notably, the FBI has gen-eral authority to investigate violations offederal law, and so could plausibly assertthis exemption in a range of cases.Another prominent example is the CoastGuard, which has authority to enforcethe Maritime Transportation SecurityAct (MTSA), applicable to facilities andvessels that may be involved in a mar-itime transportation incident.31 TheCoast Guard is mandated to receive,review and approve security plans (whichinclude vulnerability assessments) underthe MTSA, and thus could reasonablyassert this exemption, particularly to theextent it was using the report as part ofan investigation or enforcement actionunder the law. Other types of businesseswhose security is subject to enforceablefederal authority include:

• Larger public drinking water systems(regulated by EPA under the SafeDrinking Water Act);32

• Shippers and carriers of hazardousmaterials required to prepare trans-portation security plans (regulatedby DOT’s Research and SpecialProjects Administration (RSPA)under the Hazardous MaterialsTransportation Act);33

• Facilities manufacturing or storingcertain drug precursors (regulated bythe DOJ’s Drug EnforcementAdministration under theControlled Substances Act);34 and

• Facilities manufacturing or storingcertain chemical weapons precursors(regulated principally by theCommerce Department’s Bureau ofIndustrial Security under theChemical Weapons ConventionImplementation Act).35

(Apart from the law enforcement con-text, these laws often also provide anindependent basis for the government towithhold information from disclosure, asdiscussed in Part IV.A below.)

U.S. Customs & Border Protection(CBP), located within DHS, has author-ity to enforce a host of customs and for-eign trade-related statutes. While noneof these laws directly authorize it to regu-late the security of trade-related facilitiesor distribution mechanisms, CBPadministers a voluntary program (the“Customs-Trade Partnership AgainstTerrorism” or C-TPAT) through whichparticipants obtain preferential treatmentunder these laws (e.g., reduced inspec-tions) in exchange for submitting toCBP detailed information about theirsecurity programs (which CBP protectsfrom disclosure) and acceding to CBPverification of those programs.36

On the other hand, many facilitieswhose security could be important arenot subject to any of the laws referencedabove, and many federal agencies do nothave law enforcement authority associat-ed with facility security. Most problem-atic, the Department of HomelandSecurity (DHS)’s Directorate ofInformation Analysis and Infrastructure

31The MTSA is 46 U.S.C. §§ 70101-70117. The Coast Guard’s implementing rules are located at 33 C.F.R. Parts 101-106.32See 42 U.S.C. § 300i-2.33DOT’s authority to regulate hazardous materials transportation security is found at 49 U.S.C. § 5103(b). The security planrules are located at 49 C.F.R. Part 172.34The Controlled Substances Act is codified at 28 U.S.C. §§ 801-971, and DEA’s rules are codified at 21 C.F.R Parts 1300-1316.35The CWCIA is found at 22 U.S.C. §§ 6701- 6771. BIS’s rules are at 15 C.F.R. Parts 710-72236See http://www.customs.gov/xp/cgov/import/commercial_enforcement/ctpat/.

exploring the usefulness of this approachin connection with “Buffer ZoneProtection Plans” that it is developing, incoordination with state and local author-ities, for especially critical facilities.

D. Confidential Business InformationExemption

1. The exemption

Although much maligned by some,one FOIA exemption does offerpotential protection to any privatebusiness: the “(b)(4)” exemption for“trade secrets and commercial orfinancial information [that is] privi-leged or confidential” – a.k.a. “confi-dential business information” or CBI.The landmark Critical Mass case inter-preting this exemption holds thatwhere the information in question isvoluntarily supplied to the agency, theonly question an agency need ask iswhether the information is “of a kindthat would customarily not bereleased to the public by the personfrom whom it was obtained.”40 Sinceno business in its right mind wouldcustomarily release actionable securityinformation to the public, this meansthat voluntarily submitted privatesecurity information should categori-cally be covered by this exemption.And, as noted above, all informationsubmitted to DHS’s IAIP is voluntarilysubmitted, since IAIP has no power tocompel the submission of information.

Protection (IAIP), the federal officebroadly charged with securing thenation’s critical infrastructure and keyresources – and the lead or “sector-specif-ic” agency for the chemical, transporta-tion, emergency services, postal and ship-ping sectors,37 has no specific authorityto investigate or enforce any law. Thereis some basis to argue that all DHS com-ponents are law enforcement agencies,but that conclusion is not assured.38 IfIAIP were not viewed as a law enforce-ment agency, it could only assert the lawenforcement sensitive exemption to theextent the information in question hadbeen compiled for purposes of enforcinga law, like those listed above, that someother governmental entity had authorityover. This is not an ideal arrangementfor the agency that is most commonly inthe position of receiving (or requesting)facility security documents.

Importantly, however, the (b)(7) exemp-tion applies in connection with theenforcement of any law — federal, stateor local. Clearly, all levels of governmenthave important roles to play in enforcinglaws that protect private operations fromthe actions of terrorists or other crimi-nals. To the extent that a federal entitylike IAIP possesses information that isalso possessed by state or local lawenforcement — or is able to share infor-mation with such entities — the federalagency may be able to assert the (b)(7)exemption premised on the enforcementof state or local laws. IAIP is reportedly



59

37See Homeland Security Presidential Directive/HSPD-7 (Dec. 17, 2003), § 11, available athttp://www.whitehouse.gov/news/releases/2003/12/20031217-5.html.

38The Homeland Security Act provides that the Secretary of Homeland Security “shall be deemed to be a Federal lawenforcement . . . official,” but it is unclear whether that grant is universal or limited to the three statutes referencedin that provision, and whether it automatically flows down to all DHS components. See 6 U.S.C. § 122(c).

395 U.S.C § 552(b)(4).40Critical Mass Energy Project v. NRC, 975 F.2d 871, 879 (D.C. Cir. 1992)(en banc). See generally FOIA GUIDE, supra note 7, at281-84. The Justice Department and most courts have concluded that information can be voluntarily submitted even wherean agency has the power to require its submittal, if the submission was not made in response to exercise of that authority.See FOIA GUIDE at 284-99.

41See Executive Order 12600 (June 23, 1987), 52 Fed. Reg. 23781 (June 25, 1987).4218 U.S.C. § 1905. Many environmental statutes have similar protections for CBI (e.g., 7 U.S.C. § 136h (FIFRA), but it is ques-tionable whether business security information would be covered by one of those statutes. The federal hazardous wasteregulations require access control at hazardous waste treatment, storage and disposal facilities (see 40 C.F.R. §§ 264.14,265.24), but beyond that, environmental laws and rules do not to the author’s knowledge address security.

43E.g., CNA Financial Corp. v. Donovan, 830 F.2d 1132, 1151 (D.C. Cir. 1987). See generally FOIA GUIDE, supra note 7, at 358-60.44See FOIA GUIDE, supra note 7, at 284-304. The Tenth Circuit adopted the Critical Mass distinction between voluntary andinvoluntary submission in Utah v. U.S. Dep’t of Interior, 256 F.3d 967, 969 (10th Cir. 2001), although both sides in that caseagreed that the submission involved was an involuntary one.

45See FOIA GUIDE, supra note 7, at 299-300.46See 5 U.S.C. § 552(a)(4)(B).47National Parks & Conservation Ass’n v. Morton, 498 F.2d 765, 767 (D.C. Cir. 1974).

Pursuant to Executive Order, all feder-al agency FOIA regulations providethat the agency will notify a submitterif someone has requested informationprovided by the submitter for whichthe submitter has claimed CBI protec-tion, giving the submitter a reasonableperiod of time to object. If the agencydetermines to release the informationnotwithstanding an objection, theagency must notify the submitter inadvance of a specified release date sothe submitter can file a “reverse FOIA”lawsuit to block release.41

2. Concerns about the exemption

While the (b)(4) exemption, as con-strued in Critical Mass, would seem toprovide clear protection for voluntari-ly-submitted business security informa-tion, many representatives of privateinterests have expressed skepticismabout whether this is really the case.As discussed below, some of these concernsare probably unfounded or overwrought,but others have at least some merit.

a. Is it really discretionary?

Some representatives of potentialCBI submitters note with concernthe seemingly discretionary nature ofthe CBI exemption – meaning thatan agency may, but is not requiredto, refuse to disclose informationcovered by that (or any other) FOIAexemption. While this is technicallytrue, looking only within the fourcorners of FOIA, it is also true thatcourts have construed the federalTrade Secrets Act42 to be coextensive

with the CBI exemption.43 Thismeans that if information falls with-in the scope of the CBI exemption,it is a federal crime – a felony, in fact– for a federal employee to release itunder FOIA. So the “discretionary”nature of the (b)(4) exemptionshould not be a basis for concernamong would-be submitters – but itis, in the author’s experience, bysome who do not appreciate theTrade Secrets Act angle.

b. Will courts follow Critical Mass?

A second basis for concern is that theCritical Mass decision, while of greatpersuasive precedential value, is onlybinding precedent within the D.C.Circuit. While other federal districtcourts and one circuit have followedit,44 it is not necessarily the law of theentire homeland. Indeed, districtcourts in California, Maine, NewYork, and Virginia have refused tofollow it absent its adoption by theirrespective circuit courts.45 As notedearlier, a lawsuit seeking to compeldisclosure of a business’s security plancould be filed by a plaintiff anywherehe or she resides.46

Thus it is entirely possible that acourt somewhere in the U.S. woulddecline to follow Critical Mass andinstead direct the agency to followprior law, which required agencies toassay whether disclosure would likely“impair the Government’s ability toobtain necessary information in thefuture” or “cause substantial harm tothe competitive position of the per-son from whom the information wasobtained.”47 Needless to say, many are



60

48American Airlines, Inc. v. Nat’l Mediation Bd, 588 F.2d 863, 870 (2d Cir. 1978). See generally FOIA GUIDE, supra note 7,at 271-73

49Chicago Tribune v. FAA, No. 97 C 2363, 1998 WL 242611, at *3 (N.D. Ill. May 7, 1998).505 U.S.C § 552(b).51Id. § 552(b)(2).52See FOIA GUIDE, supra note 7, at 204-26, U.S. DOJ, FOIA Update, Vol. X, No. 3, at 3-4 (“OIP Guidance: ProtectingVulnerability Assessments Through Application of Exemption 2.”).

uncomfortable risking the disclosureof vital information on outcome ofsuch subjective tests.

c. Is security information really“commercial or financial”?

A third basis may be that potentialsubmitters do not think of security-related information as “commercial”or “financial” information, since forthe most part it does not involvecost or price data, product formulas,or other sorts of information thatwould typically be regarded as valu-able to competitors. Obviously,information regarding security meas-ures a business has taken could wellbe competitively sensitive, as coulddata on process modifications aplant made to reduce the inherenthazard it presents. More generally,most courts have concluded that“commercial” information coversanything “pertaining or relating to ordealing with commerce.”48 However,one federal district court has con-cluded that “factual information[supplied to the FAA by airlines]regarding the nature and frequencyof in-flight medical emergencies”was not commercial information.49

The uncertainty about how suchcases might apply to threat informa-tion, and potentially some vulnera-bility information, is a cause for con-cern.

d. The culture of disclosure

Finally, some potential submitters areno doubt put off by associations thatthey have with the (b)(4) exemptionderiving from their experience with it

in other contexts. Many agencies,especially EPA, have zealously fol-lowed judicial admonitions to inter-pret exemptions from FOIA narrow-ly. Persons who are familiar withthese agencies’ policies and practiceslikely will impute them to DHS orother agencies and be reluctant totrust those agencies with such sensi-tive information. This concern isheightened by FOIA’s requirementthat agencies release “reasonably seg-regable portion[s] of a record.”50 Asubmitter cannot therefore assumethat an entire document will be with-held from disclosure just because oneor more portions of it contain CBI.Indeed, in such a case, the submittermay anticipate arguments with theagency – if such a document isrequested under FOIA – about por-tions whose CBI status is debatable.

For all these reasons, the (b)(4)exemption is both (a) potentiallyapplicable to a broad range of busi-ness security information but (b) ofsomewhat uncertain reliability.

E. “Risk of Circumvention” Exemption

A somewhat unlikely FOIA exemptionthat may have limited utility in protect-ing private security documents is the“(b)(2)” exemption protecting records“relating solely to the internal personnelrules and practices of an agency.”51 Overthe years, many courts have interpretedthis exemption to cover not only ministe-rial agency papers (so called “low 2”materials), but also “high 2” materials:i.e., those “predominantly internal”records that are effective only if theyremain confidential.52



61

53U.S. DOJ, FOIA Post (Oct. 15, 2001), available at http://www.usdoj.gov/oip/foiapost/2001foiapost19.htm. See also FOIA GUIDE,supra note 7, at 214-15, 223-26.

54See Living Rivers, supra note 29, 292 F. Supp. 2d at 1317 (maps not sufficiently related to Bureau's "internal personnel rulesand practices").

to the government, the exemption mightapply if the substance of the privatereport was integrated into a governmentreport. It may also be that a facilityowner could prepare a report in sufficientcooperation or partnership with the gov-ernment that the exemption would apply.However, establishing agreement amongthe relevant government officials – andtheir counsel – on the legal defensibilityof this approach, and the mechanics ofmaking it work, could be long andinvolved process. Thus this exemption isnot likely to be of reliable use in protect-ing privately-generated assessments.

III. PROTECTIONS THAT AREN’T,REALLY

Understanding the rules for when govern-ment agencies can withhold information iscomplicated by the existence of several labelsthat, while frequently referenced by govern-ment agencies seeking to protect informa-tion, do not actually authorize those agen-cies to withhold records from release underFOIA.

Many government documents are promi-nently captioned “For Official Use Only,” or“FOUO,” and contain legends like this one:

Warning: This document is FOR OFFI-CIAL USE ONLY (U//FOUO). It con-tains information that may be exemptfrom public release under the Freedomof Information Act (5 U.S.C. 552).It is to be controlled, stored, handled,transmitted, distributed, and disposed ofin accordance with [agency] policy relat-ed to FOUO information and is not tobe released to the public or other person-nel who do not have a valid “need-to-know” without prior approval of anauthorized [agency] official. No portionof this document should be furnished tothe media, either in written or verbalform.



62

Immediately after 9/11, the JusticeDepartment advised other federal agenciesthat this exemption is “well-suited forapplication to the sensitive informationcontained in vulnerability assessments,”and that agencies should “avail themselvesof the full measure of Exemption 2’s pro-tection for their critical infrastructureinformation as they continue to gathermore of it, and assess its heightened sensi-tivity, in the wake of the September 11terrorist attacks.”53

DOJ’s interpretation of Exemption 2applies clearly to vulnerability assess-ments and other security informationthat a government agency generatesitself, and would seem to apply even ifthe critical infrastructure that is the sub-ject of the report is privately owned.Since 9/11, DHS and other agenciesfrom time to time have been requestinginformation from private entities thatthe agencies can roll up or incorporateinto sectoral or regional analyses theagencies are preparing, and this exemp-tion should be useful in protecting thatinformation when supplied for such pur-poses. This exemption would also seemapplicable to analyses developed by fed-eral agencies regarding a single facility;e.g., a Buffer Zone Protection Plan pre-pared by DHS or a DHS contractorregarding a privately-held oil refinery.

On the other hand, not all circuit courtshave adopted the “high 2” concept, and adistrict court recently refused to apply itto “inundation maps” prepared by theBureau of Reclamation illustrating areasbelow the Hoover and Glen CanyonDams that could be affected by cata-strophic failures of the dams.54 Moreover,it is not at all clear whether this exemp-tion could apply to a report developed bya private business. Since cases have inter-preted the exemption as applying toreports that are “predominantly internal”

FOUO, SBU and similar labels are basicallyintra- or intergovernmental tools for “safe-guarding” documents; i.e., ensuring thatthey are closely held and not disseminatedmore broadly than intended.55 These labelshave originated in a variety of ways,56 andhave neither any government-wide defini-tion or any agency whose job it is to inter-pret them.57 These labels typically trigger aset of agency rules or procedures – whichcould include sanctions for employees whoviolate them – to physically or practicallylimit access to information. But they arenot themselves a legal basis for denyingaccess to the documents under FOIA, ifsomeone asks for them.58

Many documents that are exempt fromFOIA are labeled FOUO or SBU so thatgovernment employees don’t inadvertentlyrelease them. But many FOIA-releasabledocuments are also labeled FOUO or SBU.This is not necessarily bad, but it is confus-ing. And many, perhaps most, governmentemployees do not understand these distinc-tions, adding to the confusion.59



63

55Other common labels that do not necessarily correlate with any FOIA exemption are: “Official Use Only” (OUO), “SensitiveHomeland Security Information” (SHSI), “Limited Official Use” (LOU), “Safeguarding Information” (SGI), “UnclassifiedControlled Nuclear Information” (UNCI), and “restricted data.”

56For example, “sensitive but unclassified” appears to have first been used, by Congress at least, in the Computer Security Actof 1987. See 15 U.S.C. § 278g-3(d)(4); see generally Wells, supra note 5, at 1209-1212.

57A post-9/11 memo jointly issued by the National Archives’ Information Security Oversight Office (ISOO) and the JusticeDepartment urges all federal departments and agencies to “maintain and control” “sensitive but unclassified information,”balancing “[t]he need to protect such sensitive information from inappropriate disclosure” and “the benefits that result fromthe open and efficient exchange of scientific, technical and like information.” Memorandum from Laura Kimberly, ISOO andRichard Huff and Daniel Metcalfe, DOJ, regarding ”Safeguarding Information Regarding Weapons of Mass Destruction andother Sensitive Records Related to Homeland Security” (March 21, 2002), available at http://usdoj.gov/oip/foiapost/2002foia-post10.htm. The memorandum provides no guidance, however, regarding what constitutes SBU information.

58See FOIA GUIDE, supra note 7, at 190-191.59Wells, supra note 5, argues that increased use of labels like SBU will lead to overwithholding, 56 ADMIN. L. REV. at 1212,and to overclassification, id. at 1211, and expresses concern that courts will “defer to . . . government claims” when “’sensi-tive but unclassified’ withholdings are made in the name of national security,” id. at 1212. It does seem likely that anagency faced with a FOIA request for a document that is labeled SBU will be more inclined than otherwise to look for aplausible basis for withholding it. This is intentional, and as a result agencies should exercise some judgment and notapply such labels routinely. On the other hand, an agency still must identify a defensible FOIA exemption before withholdingan “SBU” document, since there is no “SBU” exemption. It seems unlikely, moreover, that an agency would choose to clas-sify a document that it has already determined is unclassified. And a court cannot “defer to . . . ‘sensitive but unclassified’withholdings,“ since as just noted SBU is not a basis for withholding a document from disclosure.

While this language sounds grave-ly important and may triggervisions of locked file cabinets andarmed guards, FOUO does notrepresent a category of informa-tion that is exempt from releaseunder FOIA. If no FOIA exemp-tion applies, an FOUO documentwould have to be produced inresponse to a FOIA request thatadequately describes it.

A similarly intimidating but legally ineffec-tual label that is commonly used in and outof government is “Sensitive ButUnclassified,” or “SBU.” As described inPart II.B above, there are three types of clas-sified information: top secret, secret, andconfidential. A document properly classifiedat one of these levels is exempt from disclo-sure under FOIA thanks to the (b)(1)exemption. But there is no “sensitive butunclassified” exemption to FOIA – an“SBU” document that does not fall into areal FOIA exemption is just as releasableunder FOIA as an office holiday partyannouncement.



64

safely expect that future such laws –e.g., chemical facility security legisla-tion – will also have detailed informa-tion protections.61 This part of the arti-cle discusses four such laws, as well astwo innovative programs for managingsecurity sensitive information related toenergy infrastructure

1. Larger public drinking water systems

The Safe Drinking Water Act requiresthese systems to certify to EPA thatthey have conducted vulnerabilityassessments, and to provide it withthose assessments.62 The identity of afacility submitting an assessment andthe date of the certification must bemade public.63 Otherwise, however,EPA must develop protocols to ensurethat these assessments, and informa-tion derived from them, are kept in asecure location, and EPA is prohibitedfrom making this information “avail-able to anyone other than an individ-ual designated by the [EPA]Administrator.64 (Designated individ-uals need not be government employ-ees.) Criminal penalties are providedif such an individual knowingly orrecklessly releases the information inan unauthorized fashion.65 The lawfurther provides that covered drinkingwater systems do not have to providethese assessments to a state or localentity “solely by reason of the require-ment” that they submit them to EPA66

III. OTHER LAWS THAT MAYPROTECT A BUSINESS’SSECURITY INFORMATION

As noted earlier, the (b)(3) exemption fromFOIA protects documents from beingreleased when some other statute governstheir disclosure. A number of these arespecifically designed to protect security-sen-sitive information. Because these laws large-ly were enacted after 9/11, rules implement-ing them are still new or not yet complete,and the responsible agencies in most casesare still struggling to determine their scopeand operation – as are organizations thatgenerate or may possess covered informa-tion. Part A below summarizes informationprotections applicable to particular types offacilities or operations. Parts B and Cdescribe two much more broadly applicableregulatory programs for protecting twokinds of information: “CriticalInfrastructure Information” and “SensitiveSecurity Information.”

A. Laws Applicable to Particular Classesof Business Activities

As Part II.C above explained, the “lawenforcement” exemption from FOIA mayapply where particular agencies have theability to regulate security at particulartypes of facilities or transportation modali-ties. The laws granting such authorityoften contain their own information pro-tections applicable to information generat-ed pursuant to their authorities.60 One can

60Neither the Controlled Substances Act nor DEA’s implementing regulations (see footnote 35 and accompanying text) containparticular information protections. Since DEA is part of the Department of Justice, security-related information supplied toDEA would be subject to DOJ’s FOIA regulations and procedures and protected to the extent it fell into one of the FOIAexemptions above in Parts III.B-E above (national security, law enforcement, CBI or anticircumvention).

61For example, S. 994, the “Chemical Facilities Security Act” reported by the Senate Environment & Public Works Committee onMay 11, 2004 contained protections possibly exceeding those provided by any other statute for unclassified information. See§§ 3(i), 4(e), 7(c).

62See 42 U.S.C. § 300i-2(a)(2).63Id. § 300i-2(a)(3).64Id. § 300i-2(a)(5).65Id. § 300i-2(a)(6)(A). Such an individual can disclose the information (i) to another designated individual, (ii) for purposesof conducting inspections or taking actions in response to imminent hazards, or (iii) in administrative or judicial enforcementactions under the act. Id.

66Id. § 300i-2(a)(4). This provision was designed to preempt state or local laws that say, in effect, ‘you must submit to usanything you have to submit to EPA.’

— but it does not prevent state orlocal entities from passing enactmentsthat specifically require submission ofthese assessments. The law alsoauthorizes designated individuals whoare government employees to “discussthe contents of a vulnerability assess-ment” with state or local officials.67

2. Facilities and vessels regulated bythe Maritime TransportationSecurity Act

The MTSA declares that, “[n]otwith-standing any other provision of law,information developed under [it] isnot required to be disclosed to thepublic, including . . . facility securityplans, vessel security plans . . . portvulnerability assessments; and . . .other information related to securityplans, procedures or programs for ves-sels or facilities authorized under [it].68

Scattered provisions of the CoastGuard’s MTSA rules flesh out thisdeclaration (which does not requireregulations to be effective) by statingthat various types of information gen-erated under the MTSA are “sensitivesecurity information” (“SSI”) underregulations jointly published by theDOT and the Transportation SecurityAdministration (TSA).69 The SSIrules – which impose obligations onthe generators of this information, notjust agencies – are discussed in PartIV.C below.

3. Shippers and carriers of hazardousmaterials required to preparesecurity plans

Shippers and carriers of certain haz-ardous materials required byDOT/RSPA rules to prepare trans-

portation security plans are notrequired to submit those plans toDOT. DOT has stated that it“[g]enerally . . . will not collect orretain security plans,” and that its

Inspectors . . . generally will nottake copies with them or requirecompanies to submit securityplans.70 In the rare instance thatRSPA enforcement personnelidentify a need to collect a copy ofa security plan, or if a companyvoluntarily submits a copy of itssecurity plan, we will analyze allapplicable laws and Freedom ofInformation Act exemptions todetermine whether the informa-tion or portions of information inthe security plan can be withheldfrom release. Prior to submissionof a security plan to DOT in theseunusual instances, companiesshould follow the procedures in 49CFR 105.30 [the DOT FOIArules] for requesting confidentiali-ty. Under those procedures, acompany should identify andmark the information it believesis confidential and explain why.We will then determine whetherthe information may be released orprotected under the law.71

Obviously this language is not terriblyreassuring to hazmat businesses.However, there is a compelling argu-ment that hazmat security plansobtained by or provided to DOT asdescribed above are currently protect-ed by the SSI rules referenced in theprevious section (discussing theMTSA). Also, DOT and TSA intendto propose amendments to those rulesto expressly reference land modes oftransportation. Both these issues arediscussed in Part IV.C below.



65

67Id. § 300i-2(a)(6)(B).6846 U.S.C. § 70103(c)(7).69E.g., 33 C.F.R. § 105.400(c) (stating that facility security plans are SSI).7068 Fed. Reg. 14517 (March 25, 2003).71Id.

7222 U.S.C. § 6744(a).73Id. § 6713(g). BIS’s rules implementing these provisions are at 15 C.F.R. Part 718.7422 U.S.C. § 6744(b)(1).75Id. § 6744(b)(2).76Id. § 6744(b)(3).77Id. § 6744(b)(4).78See 18 C.F.R. §§ 388.112 & .11379Id. § 388.113(c)(1). FERC’s definition of “critical infrastructure” closely tracks the definition in DHS’s Critical InfrastructureInformation Act rules. See note 91 infra.

4. Facilities regulated under theChemical Weapons ConventionImplementation Act

The Chemical Weapons ConventionImplementation Act provides that any“confidential business information” sup-plied to or otherwise acquired by theUnited States government under the Actor the Convention “shall not be dis-closed” under FOIA.72 “Confidentialbusiness information” is defined underthe Act to include CBI as defined underFOIA (see Part II.D above), and specifi-cally also includes “any plant designprocess, technology, or operatingmethod,” which could well include plantsecurity practices or procedures.73

Exceptions to this prohibition allow thegovernment to supply CBI:

• to the CWC Technical Secretariat orother states who are parties to theConvention (which has its own“Annex on the Protection ofConfidential Information”);74

• to Congressional committees andsubcommittees, upon written requestof the chair or ranking member(though committees and staff areprohibited from disclosing this infor-mation except as required or author-ized by law);75

• to other federal agencies for enforce-ment of any law, or when relevant toany proceeding under any law (butin either case must be managed “insuch a manner as to preserve confi-dentiality to the extent practicablewithout impairing the proceed-ing”);76 or

• when the government determines itis in the national interest to do so.77

5. Activities regulated by the FederalEnergy Regulatory Commission

Shortly after 9/11, the Federal EnergyRegulatory Commission (FERC) ini-tiated two innovative, though contro-versial, approaches for managinginformation related to the security ofenergy infrastructure.78 Unlike theauthorities discussed above, theseapproaches do not provide a separatebasis for withholding informationfrom disclosure. However, they areworth discussing in the interest ofcompleteness.

First, FERC has established specialFOIA rules for “Critical EnergyInfrastructure Information” (CEII),defined as information about criticalinfrastructure that:

• relates to the production, genera-tion, transportation, transmission ordistribution of energy;

• “could be useful to a person inplanning an attack on criticalinfrastructure”;

• is exempt from disclosure underFOIA; and

• does not simply give the locationof the infrastructure.79

The CEII program does not expandthe scope of information exempt fromFOIA, since it only applies to infor-mation that already falls into a FOIAexemption (usually, the (b)(4) exemp-tion for CBI). In fact, the purpose ofthe CEII rules is actually to facilitatethe limited, but not general, disclo-sure of information that FERC couldsimply refuse to release to anyone.



66

80Id. § 388.112(b).81Id. § 388.113(d)(2).82Id. §§ 388.112(d), (e).83Id. § 388.112(a)(3).84Id. § 388.112(b)(1).85Id. See 68 Fed. Reg. 46457 (Aug. 6, 2003).866 U.S.C. §§ 131-34.87Id. § 133(e).8869 Fed. Reg. 8074 (Feb. 20, 2004). The website for the PCII Program is www.dhs.gov/pcii.

Under the rules, a person submittinginformation to FERC – whether vol-untarily or not – who believes itsinformation qualifies as CEII mustfile, along with the information, astatement justifying special treatmentof the information.80 Persons who cansubstantiate why they need particularCEII (typically, to participate in aratemaking or similar FERC proceed-ing involving the infrastructure inquestion) can be given access to it,provided they provide FERC withpersonally identifying informationand, at the discretion of FERC’s CEIICoordinator, sign a nondisclosureagreement.81 As with any FOIArequest for CBI, FERC will providethe submitter of information with fiveday’s notice of the request (in case thesubmitter wants to object) and fivedays notice of a decision to release (incase the submitter wants to sue).82

The CEII rules do not require a per-son claiming CEII treatment forinformation to abide by any safe-guarding or similar obligations.Presumably, if a CEII submitter madethat information widely available,FERC would not protect it as CEII ifsomeone later requested it.

Second, FERC has created the catego-ry of “non-Internet public” informa-tion for “maps or diagrams that revealthe location of critical energy infra-structure . . . but do not rise to thelevel of CEII.”83 A submitter mustrequest “non-Internet public” treat-ment as it would CEII treatment.84

FERC treats “non-Internet public”

like any other public information,except that it does not include it in itsonline “Federal Energy RegulatoryRecords Information System.”85

B. The Critical InfrastructureInformation Act

1. Background

As the nation prepared for Y2K, thefederal government sought to per-suade computer-dependent “criticalinfrastructures” like banking, telecom-munications and electric power toshare information with it about theirvulnerabilities and preparedness.These sectors had expressed reluctanceabout doing so, however, due to con-cerns about release of informationunder FOIA and state open recordslaws. The government’s need for suchinformation grew dramatically after9/11, and so legislation first draftedbefore that date found its way into theHomeland Security Act.

The “Critical InfrastructureInformation Act of 2002” (CIIA)86

attempts to encourage critical infra-structure sectors to share security-related information with DHS byproviding the information with anunprecedented type of protection.While the CIIA merely required DHSto “establish uniform procedures” forimplementing it by February 2003,87

DHS chose to go through rulemak-ing. As a result, final CIIA rules werenot issued until a year later.88



67

89A trade press article reported that DHS had received only six CII submissions in the first three months the program wasoperative. “Response slow to DHS protected info sharing,” GOVERNMENT COMPUTER NEWS, May 24, 2004.

90The full definition is “information not customarily in the public domain and related to the security of critical infrastructure orprotected systems--

(A) actual, potential, or threatened interference with, attack on, compromise of, or incapacitation of critical infrastructureor protected systems by either physical or computer-based attack or other similar conduct (including the misuse of orunauthorized access to all types of communications and data transmission systems) that violates Federal, State, or locallaw, harms interstate commerce of the United States, or threatens public health or safety;(B) the ability of any critical infrastructure or protected system to resist such interference, compromise, or incapacitation,including any planned or past assessment, projection, or estimate of the vulnerability of critical infrastructure or aprotected system, including security testing, risk evaluation thereto, risk management planning, or risk audit; or(C) any planned or past operational problem or solution regarding critical infrastructure or protected systems, includingrepair, recovery, reconstruction, insurance, or continuity, to the extent it is related to such interference, compromise, orincapacitation.”

6 U.S.C. § 131(3). “Protected system--(A) means any service, physical or computer-based system, process, or procedure that directly or indirectly affects theviability of a facility of critical infrastructure; and(B) includes any physical or computer-based system, including a computer, computer system, computer or communica-tions network, or any component hardware or element thereof, software program, processing instructions, or informationor data in transmission or storage therein, irrespective of the medium of transmission or storage.”

Id. § 131(6).91The statutory definition references the USA PATRIOT Act definition, which does not mention any industry by name. See 6U.S.C. § 101(4), referencing 42 U.S.C. § 5195c(e). The CIIA rules define “critical infrastructure” as “systems and assets,whether physical or virtual, so vital to the United States that the[ir] incapacity or destruction . . . would have a debilitatingimpact on security, national economic security, national public health or safety, or any combination of those matters.” 6C.F.R. § 29.2.

92They are: information technology; telecommunications; chemicals; transportation systems, including mass transit, aviation,maritime, ground/surface, and rail and pipeline systems; emergency services; postal and shipping; agriculture and food;public health and healthcare; drinking water and water treatment systems; energy, including oil and gas and electric power;banking and finance, the defense industrial base; and national monuments and icons. See HSPD/7, supra note 37, at 3-4.

936 U.S.C. § 131(7)(A).

As things are turning out, the veryprotections offered, particularly crim-inal liability for government employ-ees, have slowed implementation ofthe law,89 driven a very cautiousapproach to implementation, and (asa result) led many to question its use-fulness. In view of the substantialprotections the law offers, however,business owners and operators shouldcarefully consider seeking its protec-tions in applicable situations.

The CIIA has engendered a smallstorm of controversy, but in theauthor’s judgment its critics are eithermistaken or at least overwrought, asdiscussed below. Their criticisms areall the more remarkable, moreover,given how slowly the statute has beenimplemented and how little it isapparently being used.

2. Scope

The CIIA applies to “critical infra-structure information” that is “volun-tarily” submitted to the “ProtectedCritical Infrastructure Information(PCII) Program” at DHS/IAIP.

• “Critical infrastructure information”basically means information notcustomarily in the public domainregarding threats, vulnerabilitiesand related problems or solutionsaffecting critical infrastructure orthe physical or cyber resources thatsupport it.90 “Critical infrastruc-ture” is defined very obliquely inthe law and DHS’s rules,91 but thePresident has identified about adozen critical sectors, most ofwhich are privately held.92

• “Voluntarily” means not inresponse to DHS’s exercise of itspower to compel access to or sub-mission of the information.93



68

• The Homeland Security Act doesnot give DHS any general powerto do this, though various ele-ments of DHS (e.g., the CoastGuard) have that power.

The rules carefully distinguishbetween “critical infrastructure infor-mation” and “protected critical infra-structure information” (PCII), but inthe author’s view this distinction ismore confusing than helpful and isnot perpetuated in this article.

3. Information Protections

The law creates a variety of protectionsapplicable to critical infrastructureinformation that is submitted to DHS,including the identity of the submitter.(DHS is also applying these protec-tions to transmittal documents.) Theprotections encompass:94

• FOIA exemption. The informa-tion is exempt from disclosureunder FOIA. Criminal penaltiesare established for federal employ-ees who “knowingly” release theinformation.95

• Preemption of state and local openrecords laws. The information isalso exempt from disclosureunder any state or local ‘FOIA’ or“sunshine” laws.

• Ex parte exclusion. The informa-tion is not subject to disclosureby operation of any rules about“ex parte” communications withagency officials.

• Civil liability protection. If sub-mitted in “good faith,” the sub-mitted information cannot itselfbe used “directly” in any federal,state or local civil enforcementaction, or in any private civil law-suit, in federal or state court. (Itcould be used in a criminalaction.) Presumably, the same“information,” in the sense offacts or data, could be used “indi-rectly” in a governmental or pri-vate civil case if the plaintiffobtained the information inde-pendently; i.e., in some waybesides getting it from DHS.96

(For example, a plaintiff may beable to obtain a copy of the samedocument, through discovery,directly from the submittingparty.97 )

• No waiver of privilege. The sub-mitter cannot be held, by the actof submitting information, tohave waived any privileges or pro-tections supplied to it by law(e.g., attorney-client privilege,work-product doctrine, tradesecret protection).

• Restrictions on sharing and use.DHS can share the informationwithin the federal governmentand with state and local govern-ment — and contractors workingfor them — but all of these enti-ties can only use it for purposesof:

• infrastructure protection; or• investigating or prosecuting

crimes.



69

94All of these bullets are derived from 6 U.S.C. § 133(a)(1) unless otherwise noted. Explicitly (or, presumably, implicitly) all ofthese protections can be waived by the consent of the submitter. See note 111 infra.

95Id. § 133(f ).96This is DOJ’s interpretation of the issue. See USDOJ, FOIA Post (2/27/94), available at http://www.usdoj.gov/oip/foiapost/2004foiapost6.htm (“What must be remembered is that the same industry information can exist in two counterpart forms,identical in whole or in part. . . .”).

97See note 123 infra and accompanying text.

DHS can also give it to Congress orthe GAO, presumably upon request.

The CIIA rules also lay out detailedphysical and procedural protectionsregarding safeguarding of the informa-tion.98 These protections do not applyto information submitters, who remainfree to release or otherwise handle theirCII as they choose.99

The CIIA was also intended to enablemembers of a critical infrastructuresector to meet and share sensitiveinformation frankly among themselvesand with DHS, whether throughInformation Sharing & AnalysisCenters (ISACs) or otherwise. It doesso in two ways not further discussed inthis article: an exemption from theFederal Advisory Committee Act100

and an oblique antitrust exemption.101

The author is unaware of either provi-sion being relied upon to date.

4. Implementation Issues

The Act and DHS’s rules establish acomplex and rigid process for submit-ting and sharing CII:

• At present, information must besubmitted in hard copy or ontangible electronic media. E-mailand oral submission is not gener-ally allowed now, though such“eSubmissions” capability isimminent, according to PCIIProgram staff.102 DHS hasworked out an arrangement toreceive electronic data on a con-tinuing basis from one criticalsector.

• DHS’s rules at present require infor-mation to be submitted directly tothe PCII Program; they do notallow “indirect” submissionsthrough other components of DHSor other federal agencies, thoughDHS has stated its intent to allowthis in the future.103 Private entitiescan submit information through an“information sharing and analysisorganization,” like an ISAC104

• To be eligible for protection,information must be accompa-nied by an “express statement”referencing the CIIA.105



70

986 C.F.R. §§ 29.7, 29.8.99As noted below (see note 112 infra and accompanying text), DHS will stop protecting CII if it becomes publicly availablethrough legal means.

100Communication of critical infrastructure information to DHS does not trigger the Federal Advisory Committee Act. 6 U.S.C. §133(b). Thus groups of industry sector representatives could meet with DHS to communicate CII without becoming subjectto the open meetings or other requirements of FACA. DHS does not seem to set much store by this provision, however. Inpart, the constricted process that DHS has created for accepting and “validating” CII has undercut its ability to use thisFACA exemption.

101The CIIA does not explicitly create an exemption from the antitrust laws. However, it does provide an indirect means ofaccomplishing that goal via a reference to the Defense Production Act of 1950 (DPA), 50 U.S.C. app. § 2158. See 6 U.S.C. §133(h). The DPA process is quite innovative, but also highly burdensome (in order to assure that the antitrust defense theDPA provides is not abused).

10269 Fed. Reg. 8077.103Id. at 8075.1046 U.S.C. § 131(7)(A).105Written information must be marked with language “substantially similar to the following: ‘This information is voluntarily

submitted to the Federal Government in expectation of protection from disclosure as provided by the provisions of theCritical Infrastructure Information Act of 2002.’” Id. § 133(a)(2). The statute allows oral information to be protected if sucha written statement is provided within a reasonable period. Id.

106Unless otherwise noted, this bullet is drawn from 6 C.F.R. § 29.6(e).107Under that act, destruction by agencies of records in their possession is governed by schedules promulgated by the National

Archives & Records Administration. See 44 U.S.C. § 3303a.1086 C.F.R. § 29.3(b).10969 Fed. Reg. 8078. PCII Program staff informally encourage portion marking of CII in large submissions, but they do so to

expedite the validation process, not because only the marked portions will be protected. 1106 C.F.R § 29.8(b).111The statute and rules do, somewhat inconsistently, speak of the ability of CII to be disclosed with the consent of the sub-

mitter (e.g., 6 U.S.C. §§ 133 (a)(1)(C), (D), & (E)(ii); 6 C.F.R. §§ 29.3(c), 29.8(d)(1), (f )(1)(i), (k)), but the rules never discussthe circumstances under which such consent might be sought. PCII Program staff generally express an intention never todisclose CII to nongovernmental entities for any purpose.

• Once the information is submit-ted, DHS reviews the informa-tion and “validates” it as protect-ed CII.106 (It protects the infor-mation presumptively as CIIpending that determination.)DHS will notify the submitter ofits determination. A source canwithdraw the information whilethe determination is pending.DHS may ask the submitter formore information to substantiateits CII claim, in which case thesubmitter has 30 days to respond.If DHS determines that theinformation does not qualify asCII, DHS says it will, at the sub-mitter’s direction, either maintainit without protection or destroy itin accordance with the FederalRecords Act.107 (But DHS willnot return the information to thesubmitter at that point.)

• If DHS determines that informa-tion, though not qualifying asCII, could be withheld underanother FOIA exemption, it willdo so in response to a FOIArequest.108 It may also retain (andsafeguard) information that itconsiders to be law enforcementsensitive or that it believes shouldbe classified. This latter assertionof authority has worried some,although it probably should notbe surprising.

• Where a submission containsportions that qualify as CII andportions that likely do not, DHS

does not require submitters to“portion mark” the CII-candidatesections (as many agencies requirewhen people submit informationthat is partially protected by otherFOIA exemptions — for exam-ple, CBI). Rather, DHS will safe-guard, and in the event of a FOIArequest withhold from disclosure,the entire submission.109

• The default generally establishedby the rules is that CII will bemaintained within DHS. Therules authorize DHS to share CIIwith other federal agencies, andwith state and local governments,that agree to provide the informa-tion with the same degree of pro-tection (state and local govern-ments must sign a standardmemorandum of agreement tothis effect).110

• DHS is considering piloting aprocess of “class” validations thatcould be issued in advance of anyparticular submission and thatwould then automatically applyto all submissions falling withinthat class.

• The CIIA and rules do not dis-cuss scenarios under which DHScould share protected CII withany nongovernmental entitybesides the submitter, even undera nondisclosure agreement, forpurposes of critical infrastructureprotection.111 While this may be



71

reassuring for most purposes, itdoes limit the ability of DHS andcritical infrastructure entities towork collaboratively. As discussedbelow, the rules regarding “sensitivesecurity information” do contem-plate such sharing and as a resultare potentially much more usefulfor public/private partnership.

• DHS will stop protecting CII if itdetermines that the informationwas customarily in the publicdomain, was required by law tobe submitted to DHS, or “is pub-licly available through legalmeans.” (Presumably “is” means“is” and not “is capable ofbecoming.”) DHS will informthe submitter if it makes thisdetermination.112

• The CIIA provides that “nothingin this [Act] may be construed tocreate a private right of action forenforcement of any provision ofthis Act.”113 Whatever this lan-guage means, it does not meanthat a submitter is prevented fromfiling a lawsuit to block DHSfrom disclosing information thatit has determined does not qualifyas CII. In establishing the rightto file analogous lawsuits to blockimminent disclosures under FOIA(so-called “reverse FOIA” law-suits), the Supreme Court madeclear that the ability to file themarises not as a result of some pri-vate right of action under FOIA

or the statute that supposedly pre-vents disclosure, but under theAdministrative Procedure Act,114

which generally authorizes judicialreview of any final agency actionnot otherwise reviewable.115

The complexity of the foregoingprocess has undoubtedly discourageduse of the statute. Also, DHS entitieswho might ask private entities to pro-vide them with information meetingthe definition of CII have generallyfailed to coordinate adequately withthe PCII Program Office, further lim-iting the statute’s use. The program’srollout has been excruciatingly slow,with little apparent action throughoutall of 2004. Finally, many potentialsubmitters remain unconvinced thatthe statute really offers any protectionover and above what might already beavailable under other authorities.This skepticism appears to be ground-ed less in any identifiable shortcom-ings of the law or rules than in twoconsequences of the their novelty: thelack of any judicial decisions uphold-ing DHS decisions to withhold, andlack of longstanding, personal trustrelationships between would-be sub-mitters and DHS officials. Only timecan address these factors.Notwithstanding all of the above, inthe author’s view the CIIA, appropri-ately implemented, remains a poten-tially powerful tool and one thatpotential submitters should considerthoughtfully.



72

1126 C.F.R. § 29.6(f ). The rules do not clearly explain what happens after DHS decides to stop protecting CII that it has former-ly been protecting. Arguably, it must follow the submitter’s prior instructions regarding destruction vs. maintenance subjectto release under FOIA. Id. § 29.6(e). The DHS PCII PROCEDURES MANUAL (Feb. 17, 2004) says if the PCII Program con-cludes that a protected document did not really warrant protection at the time of the Program’s initial determination, theProgram will ask the submitter what it should do with the information if it was never used. If the information has beenused, the Program will simply stop protecting it. Id. at 6-5 to 6-6.

1136 U.S.C. § 134.114Chrysler v. Brown, 441 U.S. 281, 293-94, 316-18 (1979). The Court expressly held that the statute assertedly blocking disclo-

sure in that case –- the Trade Secrets Act –- did not afford a “private right of action,” but the Court nonetheless authorizedjudicial review under the APA. Id. at 316-18.

115See 5 U.S.C. § 704.

116Wells, supra note 5, at 1214.117Rena Steinzor, “Democracies Die Behind Closed Doors: The Homeland Security Act and Corporate Accountability,” 12 KANSAS

J. LAW & PUB. POL’Y 641, 643 (Spring 2003).118See S. 622, 109th Cong., 1st Sess. (2005); S. 609, 108th Cong., 1st Sess. (2003).1196 U.S.C. § 133(d). The rules also clarify that submitters may not try to claim CII protections in required submissions they

make to other agencies. See 6 C.F.R. § 29.3. The rules do allow DHS to treat a document as CII even when the same doc-ument is also submitted to one of other agencies (see the last sentence of § 29.3) — but those other agencies would notbe bound by any CIIA prohibitions and could freely use that document in any otherwise authorized fashion, including releas-ing it publicly. See 6 U.S.C. § 133(c), 6 C.F.R. § 29.3(d).

1206 U.S.C. § 131(7)(B)(ii). The CIIA also does not protect information contained in registration statements filed with the SEC orfederal banking regulators or in disclosures associated with the sale of securities. Id. § 131(7)(B)(i).

121Id. § 133(c). 122Id.; see also 6 C.F.R. § 29.3(d).123That seems to be DHS’s interpretation of 6 U.S.C. §§ 133(c). See 6 C.F.R. § 29.3(d). If this is true, however, one wonders

why Congress included the words “or any third party” in part of the CIIA that prohibits DHS, “any other Federal, State orlocal authority, or any third party” from “directly” using CII in any civil action (see 6 U.S.C. § 133(a)(1)(C)) — especially sincenon-governmental parties have no lawful way to obtain CII from any government entity. Perhaps this language captures theprospect of third parties obtaining CII accidentally or improperly.

5. No “Polluter Secrecy”

Partly as a result of its facial potential,the CIIA has been roundly denouncedby the open-government and environ-mental communities as “likely tocause excessive secrecy regardinginformation only tangentially relatedto national security”116 and as possiblyleading to “a radical reversal of com-mon law tort liability and open gov-ernment requirements.”117 Bills havebeen introduced in both the 108thand 109th Congresses that wouldsubstantially curtail it.118 These criticsassert that its protections will alloworganizations to hide embarrassinginformation or worse. These claimsare generally wrong or hyperbolic, forthe reasons discussed below, and sug-gest that those involved are less con-cerned about the CIIA itself as theyare about using the CIIA to makelarger political points.

• Continued requirements to report.Regulated entities must continueto report to the Federal govern-ment any information that theyare required to report under anyother law.119 Information submit-ted or relied upon for permittingdecisions or in regulatory pro-ceedings is also not covered by

the CIIA.120 Any information soprovided to those other agenciescould be used by them in enforce-ment actions, since it would havebeen obtained independently ofthe CIIA.121

• Government access to information.Federal, state and local agencieswill continue to have all theirexisting powers under other lawsto obtain records and other infor-mation that regulated entities arerequired to make available tothem.122 This would seem toinclude information that states orlocal agencies – but not the feder-al government – require to bereported. Again, it would seemthat these documents (and theinformation they contain) couldbe used in enforcement actionsbecause they were independentlyobtained.

• Private access to information. Whilethe issue is less clear, it appears thatprivate litigants also retain under theCIIA whatever powers they haveunder other authorities to obtaincritical infrastructure informationdirectly from submitters and to useit in lawsuits.123



73

124See 6 U.S.C. §§ 133(c); see also 6 C.F.R. § 29.6(f ).1256 U.S.C. § 131(3).126Id. § 133(a)(1)(C).127See 69 Fed. Reg. 8077.1285 U.S.C. § 1213.1296 C.F.R. § 29.8(f )(3). This provision is evidently premised on a savings clause in the Homeland Security Act stating that

nothing in that act (which includes the CIIA) overrides the Whistleblower Protection Act. See 6 U.S.C. § 463(2).130See 49 U.S.C. §§ 114(s)(1) (TSA), 40119(b)(1) (DOT). While the DOT language refers to transportation “safety” rather than

“security,” the difference is probably not legally significant. These two statutes also protect information the disclosure ofwhich would “[b]e an unwarranted invasion of privacy.” Id. §§ 114(s)(1)(A), 40119(b)(1)(A).

• Protections not applicable to public (orcustomarily public) information.Information that has already beendisclosed lawfully to the public can-not be “pulled back” or otherwiseprotected under the law.124

Information that is “customarily inthe public domain” is also not pro-tected.125

• Linkage to critical infrastructure. Inorder to be eligible for the protec-tions of the CIIA, DHS must deter-mine (through the validationprocess) that the information fits thedefinition of “critical infrastructureinformation.”

• Good faith requirement. For the civilliability protections to apply, theinformation must be submitted ingood faith.126 DHS dropped a pro-posal to make submitters certify thata submission was made in goodfaith, but DHS noted that false rep-resentations to it are a federalcrime.127

• Whistleblower protection. The CIIArules clarify that the PCII programdoes not supersede theWhistleblower Protection Act,128

and thus federal employees can dis-close CII without penalty if theyreasonably believe it evidences,among other things, a specific dan-ger to public health or safety.129

Business groups have also raised concernsabout how the CIIA will affect businesstransactions. For example, if company Awants information from company B,company B might require company A toagree not to submit that information as

CII. Some have predicted that compa-nies might also assert PCII status as a rea-son for not supplying information toother companies in transaction or in dis-covery, although in the latter case thisdefense would seem unavailing.

B. Sensitive Security Information

1. Background

In 1974, the Federal AviationAdministration was given the powerto prohibit the disclosure of infor-mation that, if released, could jeop-ardize the safety of passengers in airtransportation. This authority hasbeen revised and expanded twicesince that date. At present, bothDOT and TSA have statutoryauthority to issue regulations“[n]otwithstanding [FOIA]” that“prohibit[] disclosure of informationobtained or developed in ensuringsecurity” [DOT] or “in carrying outsecurity” [TSA] under authoritiesthey administer, if the Secretary ofTransportation or the AssistantSecretary of Homeland Security forTransportation SecurityAdministration decides that “disclos-ing the information would . . . reveala trade secret or privileged or confi-dential information; or . . . be detri-mental to transportation safety”[DOT] or “transportation security”[TSA].130



74

The two agencies have jointly issuedrules implementing this authority.131

For reasons not worth discussinghere, the current rules largely addressaviation security (regulated by TSA)and maritime security (regulated bythe Coast Guard under the MTSA –see Part IV.A.2 above). Land modesof transportation (e.g., rail and truck)are not expressly referenced in therules, but a few of the rules are writ-ten so generally that they apply inany transportation setting. (This isTSA and DOT’s view, as well as theauthor’s.) TSA and DOT intend topropose amendments that willexpand these joint regulations toapply to all modes.

The rules are substantially differentthan the CII rules, both in scopeand operation.

2. Scope

The rules have both general and partic-ular applicability. In general, they trackthe statutes by defining “sensitive secu-rity information” as “informationobtained or developed in the conductof security activities, including researchand development, the disclosure ofwhich TSA [or the Secretary of DOT]has determined would . . . [r]eveal tradesecrets or privileged or confidentialinformation obtained from any person;or . . . be detrimental to the security [orsafety] of transportation.”132

The rules also identify several ‘categori-cal inclusions’ – if information falls into

one of these categories, it is automati-cally SSI. Two of these categories arenot limited to aviation or maritimetransportation:• Vulnerability assessments . . . directed,

created, held, funded, or approved bythe DOT [or] DHS, or that will beprovided to DOT or DHS in sup-port of a Federal security program.”133

• “Threat information. Any informa-tion held by the Federal governmentconcerning threats against trans-portation or transportation systemsand sources and methods used togather or develop threat informa-tion, including threats against cyberinfrastructure.”134

The other categorical inclusions arerestricted to aviation and maritimesecurity. The rules list over a dozen,including:• “Security programs and contingency

plans . . . issued, established,required, received, or approved byDOT or DHS.” (“Security pro-grams,” at least, are largely limitedto aviation and maritimeoperations.135 ) These specificallyinclude vessel and maritime facilitysecurity plans.136

• “Security inspection or investigativeinformation . . . . Details of any secu-rity inspection or investigation of analleged violation of aviation or mar-itime transportation security require-ments of Federal law that couldreveal a security vulnerability . . . .”137

• “Security measures. Specific details ofaviation or maritime transportationsecurity measures, both operationaland technical, whether applieddirectly by the Federal governmentor another person . . . .”138



75

13149 C.F.R. Parts 15 (DOT) and 1520 (TSA), published at 69 Fed. Reg. 28066 (May 18, 2004).13249 C.F.R. §§ 15.5(a)(2) & (3), 1520.5(a) (2) & (3). As with the statutes authorizing the rules, the regulatory definition of SSI

also generally includes information the disclosure of which would “[c]onstitute an unwarranted invasion of privacy.” Id. §§15.5(a)(1), 1520.5(a)(1).

133Id. §§ 15.5(b)(5), 1520.5(b)(5) (emphasis in original).134Id. §§ 15.5(b)(7), 1520.5(b)(7) (emphasis in original).135Id. §§ 15.3, 1520.3. They also include “transportation-related automated system[s] or network[s] for information processing,

control and communications.” Id.136Id. §§ 15.5(b)(1), 1520.5(b)(1) (emphasis in original).137Id. §§ 15.5(b)(6), 1520.5(b)(6) (emphasis in original).138Id. §§ 15.5(b)(8), 1520.5(b)(8) (emphasis in original).

139Id. §§ 15.5(b)(10), 1520.5(b)(10) (emphasis in original).140Id. §§ 15.5(b)(12), 1520.5(b)(12) (emphasis in original).141Id. §§ 15.5(b)(14), 1520.5(b)(14) (emphasis in original).142Id. §§ 15.5(c), 1520.5(c).143Id. §§ 15.5(b), 1520.5(b).144As noted in Part IV.A.2 above, the Coast Guard has its own independent statutory authority to protect MTSA-related informa-

tion, but uses the SSI rules to implement that authority.14569 Fed. Reg. 28069.146The rules do provide that if information is properly submitted to the PCII Program and validated as PCII, the more restrictive

CII rules will apply, even if the information also qualifies as SSI. See 49 C.F.R. §§ 15.10(d), 1520.10(d).

• “Security training materials. Recordscreated or obtained for the purposeof training persons employed by,contracted with, or acting for theFederal government or another per-son to carry out any aviation ormaritime transportation securitymeasures required or recommendedby DHS or DOT.”139

• “Critical aviation or maritime infra-structure asset information. Any listidentifying systems or assets,whether physical or virtual, so vitalto the aviation or maritime trans-portation system that the incapacityor destruction of such assets wouldhave a debilitating impact on trans-portation security, if the list is —

(i) Prepared by DHS or DOT;or

(ii) Prepared by a State or localgovernment agency and sub-mitted by the agency toDHS or DOT.”140

• “Trade secret information . . . and[c]ommercial or financial information. . . obtained by DHS or DOT incarrying out aviation or maritimetransportation security responsibili-ties, but only if the source of theinformation does not customarilydisclose it to the public.”141

The rules authorize DOT or DHS todetermine that information hasstopped meeting the definition ofSSI.142 Even more interesting, the rulesenable either of these agencies to deter-mine that information is not SSI, eventhough it appears to fall into one ofthe categorical inclusions listed above,if it concludes that the informationthe information may be released inthe interest of public safety or in fur-therance of transportation security.143

3. Operation

a. SSI is partially self-implementing

As noted above, the SSI rulesdefine over a dozen categories ofinformation that are automaticallySSI. As a result, information thatclearly falls into these categories isSSI by definition, and qualifies forautomatic protection. Informationnot falling in these categories canbe SSI if DOT or TSA determinesthat it meets the statutory criteriafor SSI; i.e., that improper disclo-sure of the information would bedetrimental to transportation secu-rity. (Note: The DHS rules speakof TSA making these determina-tions on behalf of DHS, but inpractice the Coast Guard can anddoes make SSI determinations aswell.)144

b. SSI can be submitted voluntarily tothe federal government

The preamble to the SSI rulesattempts to distinguish the CIIrules by saying that SSI “for themost part . . . is created by TSA orthe Coast Guard or is required tobe submitted to” the federal gov-ernment, and that “informationconstituting SSI generally is notvoluntarily submitted . . . .”144

While these statements may betrue in part, it is also true thatinformation constituting SSI canbe, and has been, submitted vol-untarily to DOT or DHS. Andthe SSI rules do not prohibit this.146



76

147See 49 C.F.R. §§ 15.7(c), (d), (f ), (g), (h) & (k), 1520.7(c), (d), (f ), (g), (h) & (k).148See 49 C.F.R. §§ 15.7(l), 1520.7(l).149See 49 C.F.R. §§ 15.11(a), 1520.11(a). These two subsections originally spoke only of aviation and maritime activities, see 69

Fed. Reg. 28081, 28084-85, but that restriction was eliminated through a technical amendment, see 70 Fed. Reg. 1379 (Jan.7, 2005).

150See 49 C.F.R. §§ 15.11(b), 1520.11(b).

c. Persons able to obtain SSI

The SSI rules have been pur-posefully designed to facilitatethe protection by the federalgovernment of privately-held oroperated activities such as com-mercial aviation and maritimecommerce. As a result, the rulesallow DOT and DHS to makeSSI available to the relevantplayers in these areas. In themaritime security context, these“covered persons” include:

• owners, operators and char-terers of vessels required tohave a security plan;

• owners and operators offacilities required to have asecurity plan;

• persons participating onnational, area or port securi-ty committees;

• industry trade associationsrepresenting the foregoing (ifthey have entered into a non-disclosure agreement withDOT or DHS);

• DHS and DOT; and• persons employed by, con-

tracted to or acting for anyof the above.147

Apart from transportation mode, therules also provide that SSI can bemade available to any person forwhom a vulnerability assessment hasbeen “directed, created, held, funded,or approved by DHS or DOT,” orwho provides an assessment to eitherdepartment.148

In any case, access to specific SSI islimited to persons with a “need toknow” that SSI. Under the SSI rules,these include the following privatesector actors:

• persons carrying out, in trainingto carry out, or supervising, anytransportation security activitiesapproved, accepted, funded, rec-ommended or directed by DHSor DOT;

• persons providing technical orlegal advice to a covered personregarding any federal transporta-tion security requirements; and

• persons representing covered per-sons in connection with any judi-cial or administrative proceedingregarding those requirements.149

Federal employees can have access to SSIwhenever it is necessary for performanceof the employee’s official duties. Federalcontractors and grantees can have accessif it is necessary to performance of thecontract or grant.150

d. The SSI rules bind private persons

Like the procedures for classified infor-mation, but unlike all the other infor-mation protection authorities discussedin this article, the SSI rules imposeobligations on private sector personswho possess SSI — including the per-sons who generate the information inthe first place. These include:• Taking reasonable steps to safeguard

it from unauthorized disclosure (thisincludes storage in a secure contain-er, such as a locked desk or file cabi-net or in a locked room);



77



78

Security-related information supplied by a busi-ness to a federal executive branch agency may beprotected from public release under a number ofFOIA exemptions, as well as one or more otherstatutes or regulations, depending on the type ofbusiness, the subject matter of the information, thereason it was prepared, the agency to which it wassubmitted, whether it was submitted voluntarily,and a host of other factors. DOT/TSA “sensitivesecurity information” rules impose obligations onsubmitters regarding their handling of the sameinformation. A number of authorities envisioncontrolled sharing of information between the fed-eral government, on the one hand, and state andlocal governments and similarly-situated privateentities, on the other – a relatively unusual conceptbut one that can be valuable in promoting protec-tion of private infrastructure.

Several of the potentially applicable authoritiesprovide an unprecedented level of protection forprivate information in government hands. Howwell these protections will work, and in particularhow courts will interpret them, remains to be seen.To effectively secure the nation’s private criticalinfrastructure, it will be crucial that all involvedparties work together to maximize the effectivenessof these legal measures. This work will require rec-onciliation of three competing goals: (a) protectingsensitive information from public release; (b) shar-ing sensitive information, where appropriate,among the relevant public and private entities, and(c) ensuring that the first two goals do not lead tounnecessary withholding of truly nonsensitive andproperly public information.

CONCLUSION• Disclosing it only to coveredpersons who have a need toknow, unless otherwise author-ized in writing by TSA, theCoast Guard or the Secretaryof DOT;

• Complying with markingrequirements; and

• Reporting unauthorized dis-closures to the applicableDOT or DHS component.151

Many have complained that themarking requirements are overlyburdensome, as they require alengthy footer for every page.152

TSA and DOT have indicated thatthey may relax this requirement ina forthcoming rulemaking.

The rules provide that violationsof the SSI rules by private actorsare “grounds for a civil penaltyand other enforcement or correc-tive action” by the relevantagency. Notably, each agencywith authority regarding SSI isresponsible for policing the SSIrules. So, for example, the CoastGuard interprets and enforcescompliance with the SSI rules atMTSA-regulated facilities.

151See 49 C.F.R. §§ 15.9(a)(1), (2), (4) & (c), 1520.11(a)(1), (2), (4) & (c).152See 49 C.F.R. §§ 15.13(c), 1520.13(c).153See 49 C.F.R. §§ 15.17, 1520.17.



79

Attachment D1. Cyber Threats to U.S. Infrastructure

2. Terrorism

3. Biological Weapons of Mass Destruction1. Biological Weapons (BW) and dual-use or controlled technology transfers 2. Criminal, terrorist, and foreign government BW research and development capabilities, programs

and infrastructure 3. Methods of finance and exchange and transfer networks

4. Chemical Weapons of Mass Destruction 1. Chemical Weapons (CW) and dual-use or controlled technology transfers 2. Criminal, terrorist, and foreign government CW research and development capabilities, programs

and infrastructure 3. Methods of finance and exchange and transfer networks

5. Nuclear Weapons of Mass Destruction 1. Nuclear Weapons and dual-use or controlled technology transfers 2. Criminal, terrorist, and foreign government nuclear weapons research and development capabilities,

programs and infrastructure 3. Methods of finance and exchange and transfer networks

6. International Organized Crime 1. Alien smuggling and human trafficking 2. Money laundering and financial transactions in support of illegal activities 3. Other crime with homeland security implications, i.e. conspiracy with terrorists, illegal arms

trafficking, explosives theft

7. Illicit Drugs 1. Production, storage, movement and transfer of illicit and illegal drugs, and precursor materials and

equipment

8. Economic Stability and Trade 1. Efforts to circumvent U.S. restrictions on the trade of controlled technologies, equipment,

munitions and dual-use items

9. Energy Security 1. Indications and warnings of targeting or attacks on U.S. energy infrastructure

CATEGORIES OF SECURITY-RELATED INFORMATION SOUGHT BY GOVERNMENTFROM PRIVATE CRITICAL INFRASTRUCTURE ENTITIES

10. Money Laundering 1. Financial transactions in support of criminal activities, terrorism, drug trafficking, rogue states and

groups.

11. Demographics, Migration, and Population Movements 1. Immigration pressures on governments 2. Identity, origins, locations and characteristics of refugee and migrant groups 3. Surging population growth 4. Foreign governments reactions and policies toward such groups

12. Environmental and Natural Resources 1. Production, development, transport, and consumption of strategic natural resources, especially oil

and natural gas and resources 2. Production, release, illicit sale and disposal of pollutants and hazardous materials including their

potential human health effects

13. Agriculture and Food Security 1. Infectious disease of crops and domesticated animals 2. Research, development, testing and development of agriculture and food science technologies,

including geneticallymodified organisms

14. Infectious Disease and Health 1. Location and status of infectious diseases that threaten U.S. national security, economic interests

15. Humanitarian Disaster and Relief



80

homeland security private_sector

Documents

greater biastoward

salt lake

ty intelligenceinformation

define private

task force

task force

risk evaluation

federal energyregulatory