By Michael Tankersley
June 28, 2003
More than 90 percent of the facilities that are considered critical to defending our country from a crippling attack by criminals, hostile foreign governments or terrorists are controlled by private businesses. These so-called "critical infrastructures" include transportation systems, energy and water production and distribution facilities, and the computer and telecommunications systems that are vital to financial transactions, trade and law enforcement.
Therefore, it is not surprising that government needs information from these private businesses to successfully develop plans for protecting the country from attack. What may come as a surprise is that businesses acknowledge they place their business interests above public safety when it comes to sharing this information and consciously withhold information that would help the government enhance security.
Businesses are reluctant to share this information because they fear liability or adverse publicity. The information may disclose illegal, reckless or negligent conduct, or it may reveal practices that should be regulated in the interest of public safety but have not drawn the attention of officials or the public because too little is known about them.
In particular, businesses say they fear public disclosure of the information under the Freedom of Information Act and similar laws. Although these laws do not require the disclosure of trade secrets, confidential financial information or other commercially sensitive records that businesses submit to the government, these laws do not protect businesses when the information reveals embarrassing misconduct or indifference to public safety.
In the statute creating the Department of Homeland Security, Congress could have addressed business' resistance to disclosing information about critical infrastructures by requiring them to tell the government what they know, even if it is unpleasant. Instead, Congress bowed to the business community's efforts to use private information about critical infrastructures to obtain more limitations on business accountability.
The statute creates something akin to a confessional in which a business can give the government embarrassing information, but the government cannot use the information to remedy misconduct and cannot disclose it to the public. Three special restrictions are imposed on "critical infrastructure information" that qualifies for protection under the Act: (1) the information is exempt from public disclosure under the FOIA and similar laws that would otherwise require governmental entities to share what they know with the public; (2) neither government authorities nor private parties may directly use the information in a civil action; and (3) "leaks" are discouraged by making it a crime for federal employees to divulge the information in a manner not authorized by law.
However, Congress did not completely yield to businesses' wishes on this issue. The protections described above apply only if special conditions are satisfied, including requirements that the information not be "customarily in the public domain," and be submitted "voluntarily" to the Department of Homeland Security. Although the statute limits use of the information in "civil" proceedings, government authorities are permitted to use the information to pursue criminal misconduct, and it can be disclosed to Congress. Perhaps most importantly, the restrictions in the statute do not affect the ability of government authorities or private parties to use information that they obtain separate from voluntary submissions to the Department of Homeland Security that meet all the conditions for protection under this statute.
Even with these restrictions, the statute may diminish our security by allowing businesses to avoid liability and accountability. If a company discloses that it has failed to take appropriate precautions to protect nuclear materials or dangerous chemicals from accidents or sabotage, allowing the company to avoid public outcry by making it a crime for federal officials to even disclose these dangers to the communities at risk will not promote security. If a company decides not to spend the funds necessary to remove threats to public safety because it believes that it can obtain immunity by confessing to the Department of Homeland Security, security will be undermined -- not promoted.
The Bush administration is moving toward making the situation even worse by proposing implementing procedures that would expand secrecy for critical infrastructure information. For example, although Congress authorized special restrictions only for information voluntarily submitted to the Department of Homeland Security, the administration has proposed regulations that would extend the restrictions to information submitted to other federal agencies as long as the submitter said that it wanted the information forwarded to Homeland Security officials. The administration's procedures also suggest that federal agencies that obtain critical infrastructure information through their own investigation cannot disclose it to the public unless a law compelled the submission of this information.
Moreover, the administration's proposed procedures discourage federal, state and local authorities from using information submitted by businesses in two circumstances in which Congress clearly contemplated that it would be used -- to further criminal investigations and prosecutions, and to protect critical infrastructure or protected systems. If the information is not used for these purposes, the supposed benefits of encouraging businesses to submit information on infrastructure security will become illusory.
The Bush administration's proposed procedures need to be re-drafted so that they conform to the limitations imposed by Congress and do not encourage businesses to use the Homeland Security Act as a vehicle to avoid accountability. The Homeland Security statute adopts a dubious policy of offering businesses some protection as an incentive to do what they already should be doing, namely providing the government with information that would help protect vital computer networks, transportation systems, energy plants or similar infrastructure. This policy should not be distorted by adopting procedures that create further impediments to government officials and the public obtaining and using such information.