Eleven years into its existence, communication is still a fundamental challenge for the Department of Homeland Security (DHS). Sure, we see TSA screeners at airports every day, and there is a local FEMA office you can reach out to in the event of an emergency. However, for owners and operators "critical" infrastructure facilities, meaningful outreach to DHS can still at times be a challenge. You will always be able to find someone to talk to at DHS, but whether the conversation will actually be "meaningful" is a different story.
Case in point: DHS administered a program known as the "Chemical Facility Anti-Terrorism Standards" law, or CFATS. Under CFATS, certain facilities in the United States can be regulated -- and thus be directed to meet certain security benchmarks -- based on the presence of specific chemicals.
CFATS has had its ups and downs over the years for a variety of reasons, including some errors on the part of DHS. What has been most disconcerting however has been the lack of a true "appeals" process for facilities covered by the CFATS law. In other words, once DHS determines that a company was regulated under the CFATS law, no clear cut path exists for the regulated company to say "hey, this isn't right." Why is that? Well, simply stated, the rules implementing CFATS don't directly allow for such a discussion. There certainly are other ways to go about having such a conversation, but one would have expected DHS to provide a direct and straightforward appeals process.
Fortunately, given another bite at the apple, DHS got it right in the context of cybersecurity. As many readers know, Section 9 of Executive Order (E.O.) 13636 directs the Secretary of Homeland Security to identify critical infrastructure where "a cybersecurity incident could reasonably result in catastrophic regional or national effects on public health or safety, economic security, or national security." The DHS Secretary is then directed to confidentially notify each entity that it has been identified.
Interestingly, unlike under the CFATS law, owners and operators of critical infrastructure as defined under E.O. 13636 are entitled to use a "process through which owners and operators of critical infrastructure may submit relevant information and request reconsideration of identifications."
Just last week DHS announced the process by which companies could appeal their designation as "critical infrastructure." Under this process, designated entities can submit new information about the criticality of the location defined as such. The entity must submit the reconsideration request in writing, and can also request a meeting with DHS personnel to discuss the decision to include its facility or facilities on the critical infrastructure list. DHS will undertake a review process subject to specific timelines, although if a request and supporting information is not received by May 15th, then the request will be processed as part of the 2015 annual review of identified covered critical infrastructure facilities.
Putting aside the procedural aspects of this review process, the mere fact that DHS has created this process is a very valuable step. To put it bluntly, identifying "critical infrastructure" in any context is difficult. When deciding whether infrastructure is "critical" for cybersecurity purposes, it can be especially difficult. The task is made even more difficult by the fact that cyber interdependencies are extremely nuanced, and no one government employee much less team of employees can hope to the full picture of how all the digital pieces fit together. That is why it is critical for companies to be able to pull together their own information and arguments and present them to DHS.
The success of this program will ultimately be determined by how well DHS manages the appeal process and whether it errs on the side of inclusion on the "critical infrastructure" list. After all, setting up this process is all well and good, but if DHS takes the position that getting off the list is difficult to do, then you will have a situation where the exception swallows the rule.
Let's hope that is not the case, and that DHS will view this for what it is: an opportunity to gain a better picture of cyber critical infrastructure and help focus limited security resources.