DHS Wants to Overhaul System Storing Sensitive Critical Infrastructure Data

The Homeland Security Department is looking to overhaul a decade-old system for collecting sensitive information from the nation’s critical infrastructure operators that generates reams of paperwork and that the agency says has fallen behind the times.

The Protected Critical Infrastructure Information Program, or PCII, stores security reviews and other information submitted by private companies that operate in one of 16 key industries. They include telecommunications, nuclear power plants, manufacturing, energy, health care and transportation.

“After 10 years of operation, changes are needed to transition the managing of submissions, access, use, dissemination and safeguarding” of the sensitive data “to state-of-the-art technology that operates within an electronic environment,” DHS Secretary Jeh Johnson wrote in a Federal Register notice set to be published April 21.

DHS is taking suggestions on how it should more fully automate the process companies use to submit information.  

Currently, when critical infrastructure sector companies share information with DHS, they have to include an “express statement” that explains each piece of information is being submitted and a “certification statement” that includes contact information and a few other fields.

DHS is also looking into whether it should update the rules to allow submissions in “purely electronic format” that would simplify the submission of large data sets “potentially indicating a compromise of a critical information system,” the notice stated.

In particular, DHS is looking into using the electronic exchange protocols  -- STIX and TAXII -- that power machine-to-machine sharing of cyberthreat information with a broad array of private sector companies. The 2015 Cybersecurity Act allowed DHS to receive cyberthreat tips from the private sector and to automatically share them and other so-called threat signatures with federal agencies and private companies.

Additionally, the notice asks whether DHS should consider sharing critical infrastructure data submitted by companies with foreign governments “to support the critical infrastructure protection and resilience efforts of the United States and partner governments.”

The 2002 Critical Infrastructure Protection Act first authorized DHS to collect sensitive information voluntarily submitted by private companies about their security practices and potential vulnerabilities. The 2015 legislation updated the critical infrastructure program to specifically include the reporting of “cybersecurity risks and incidents.”

The system has also come under some criticism. A 2011 inspector general found fault with the safeguards used to protect system data.

More recently, Rep. Devin Nunes, R-Calif., chairman of the House Intelligence Committee, said during a hearing last year the database hasn’t actually been audited since 2006.