The Government Accountability Office released a report last week entitled “Information Sharing: DHS Should Take Steps to Encourage More Widespread Use of Its Program to Protect and Share Critical Infrastructure Information.” The report provides an interesting overview of the Program Office that is responsible for implementing the Critical Infrastructure Information Act, and the challenges facing DHS in its efforts to engage the private sector on critical infrastructure protection. From the report:
DHS faces a number of challenges that impede the private sectorâ€™s willingness to share sensitive information. These challenges include defining specific government needs for CII, determining how the information will be used, assuring the private sector that the information will be protected and who will be authorized to have access to it, and demonstrating to critical infrastructure owners the benefits of sharing the information. For example, DHS has not defined its specific needs nor has it determined how it will use information submitted under the program. In addition, DHS has not yet used the information to issue any advisories, alerts, or warnings. This lack of specificity and use has impeded the willingness of potential submitters to provide their sensitive information to DHS. If DHS were able to surmount these challenges, it and other government users may begin to overcome the lack of trust that critical infrastructure owners have in the governmentâ€™s ability to use and protect their sensitive information.
To encourage more individuals, private sector entities, and state and local governments that own the critical infrastructure to submit information under the program so that more entities will have access to the information they may need to protect these assets, we are recommending that the Secretary of Homeland Security take a number of actions, including better defining the CII needs of the department and other federal agencies with critical infrastructure responsibilities, defining how DHS and the other agencies will use the information received from the private sector, and expanding efforts to use incentives to encourage more users.
The recent decision to create the Critical Infrastructure Partnership Advisory Council is one response to the concerns addressed in this report, but it’s only a first step. For example, DHS needs to develop and publish a clearly-articulated framework about how it receives, uses, protects, and ultimately deletes externally-acquired information, so that private sector entities have a clearer sense of what happens to sensitive corporate information after it is transmitted to the Department.